On Fri, Jan 6, 2023, 15:55 Ken Goldman <kgold@xxxxxxxxxxxxx> wrote:
>
> On 12/28/2022 5:48 PM, James Bottomley wrote:
> > The main thing you have to do is connect to the TPM not through the
> > resource manager so the policy session survives multiple commands
> >
> > export TPM_DEVICE=/dev/tpm0
>
> Just FYI, as James says, command line utilities interact with the
> resource manager. When I want to run command line programs through the
> resource manager, I use a proxy to keep the /dev/tpmrm0 session connected.
>
> https://github.com/kgoldman/ibmtss/blob/master/utils/tpmproxy.c holds an
> open source proxy.
>

If you need to do this in production, note that tpmproxy allows anyone to connect to it. So while it's open, it would circumvent the permissions on /dev/tpmrm0. You can just use tpm2-tools, which uses contexts and avoids this problem.
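As an added example, not part of this thread and not code from ibmtss or the tpm2-tools project, the script below shows the tpm2-tools approach the last reply refers to: a PCR policy session is started, extended, used for an unseal and flushed in four separate processes, all through the kernel resource manager, because tpm2-tools saves the session to a context file and reloads it for each command. It assumes tpm2-tools 4.x or later (positional argument to tpm2_flushcontext), a TPM or simulator reachable through TPM2TOOLS_TCTI, and the file names, PCR selection and secret string are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Seal a secret under a PCR policy, then
# unseal it with a policy session that spans several tpm2-tools invocations
# while still going through /dev/tpmrm0, so the device permissions stay in force.
# Assumes tpm2-tools 4.x+ and a TPM (or simulator) reachable through the TCTI.
set -eu

# Default to the in-kernel resource manager. Switching to the raw device
# (device:/dev/tpm0) is what a single long-lived session would need, but
# tpm2-tools does not need that: it context-saves the session between commands.
: "${TPM2TOOLS_TCTI:=device:/dev/tpmrm0}"
export TPM2TOOLS_TCTI

WORK=$(mktemp -d)          # constructed scratch directory for contexts/blobs
PCRS="sha256:0,7"          # constructed PCR selection for the policy

# Seal $1 under a policy that requires PCRs 0 and 7 to match their current values.
tpm_seal() {
    secret="$1"
    tpm2_createprimary -Q -C o -c "$WORK/primary.ctx"

    # A trial session only computes the policy digest; it authorizes nothing.
    tpm2_startauthsession -Q -S "$WORK/trial.ctx"
    tpm2_policypcr -Q -S "$WORK/trial.ctx" -l "$PCRS" -L "$WORK/policy.digest"
    tpm2_flushcontext "$WORK/trial.ctx"

    # No userwithauth attribute: the (empty) password path is unusable, so the
    # policy is the only way to unseal.
    printf '%s' "$secret" | tpm2_create -Q -C "$WORK/primary.ctx" \
        -a "fixedtpm|fixedparent|noda" -L "$WORK/policy.digest" \
        -u "$WORK/seal.pub" -r "$WORK/seal.priv" -i -
    tpm2_load -Q -C "$WORK/primary.ctx" -u "$WORK/seal.pub" \
        -r "$WORK/seal.priv" -c "$WORK/seal.ctx"
}

# Real (non-trial) policy session used across four separate processes.
# Each command reloads the session from session.ctx and saves it again, which
# is why this works through the resource manager without a proxy.
tpm_unseal() {
    tpm2_startauthsession -Q --policy-session -S "$WORK/session.ctx"
    tpm2_policypcr -Q -S "$WORK/session.ctx" -l "$PCRS"
    tpm2_unseal -c "$WORK/seal.ctx" -p "session:$WORK/session.ctx"
    tpm2_flushcontext "$WORK/session.ctx"
}
```

Run it as `. ./seal-demo.sh; tpm_seal "my secret"; tpm_unseal`. If any PCR in the selection changes between sealing and unsealing, tpm2_unseal fails with a policy error, which is the failure mode the PCR policy is meant to produce; the session file is still flushed explicitly so it does not linger in the TPM's limited session slots.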