On December 12, 2019 4:07:26 PM EST, Tadeusz Struk <tadeusz.struk@xxxxxxxxx> wrote: >On 12/12/19 12:54 PM, James Bottomley wrote: >> Not in the modern kernel resource manager world: anyone who is in the >> tpm group can access the tpmrm device and we haven't added a >dangerous >> command filter like we promised we would, so unless they have >actually >> set lockout or platform authorization, they'll find they can execute >it > >The default for the tpm2_* tools with '-T device' switch is to talk to >/dev/tpm0. > >If one would try to run it, by mistake, it would fail with: > >$ tpm2_clear -T device >ERROR:tcti:src/tss2-tcti/tcti-device.c:439:Tss2_Tcti_Device_Init() >Failed to open device file /dev/tpm0: Permission denied > >To point it to /dev/tpmrm0 it would need to be: >$ tpm2_clear -T device:/dev/tpmrm0 And most other toolkits talk to the tpmrm device because the tpm 1.2 daemon based architecture didn't work so well. The point is that if tpm2_clear works on your emulator, it likely works on your real tpm, so making the tests safer to run is not unreasonable. James -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
