On Fri, 2023-01-06 at 16:23 -0600, William Roberts wrote:
> On Fri, Jan 6, 2023, 15:55 Ken Goldman <kgold@xxxxxxxxxxxxx> wrote:
> >
> > On 12/28/2022 5:48 PM, James Bottomley wrote:
> > > The main thing you have to do is connect to the TPM not through
> > > the resource manager so the policy session survives multiple commands
> > >
> > > export TPM_DEVICE=/dev/tpm0
> >
> > Just FYI, as James says, command line utilities interact with the
> > resource manager. When I want to run command line programs through
> > the resource manager, I use a proxy to keep the /dev/tpmrm0 session
> > connected.
> >
> > https://github.com/kgoldman/ibmtss/blob/master/utils/tpmproxy.c holds an
> > open source proxy.
> >
>
> If you need to do this in production, that tpmproxy allows anyone to
> connect to it. So while it's open it would circumvent the permissions
> on /dev/tpmrm0. You can just use tpm2-tools, which uses contexts and
> avoids this problem.

The specific issue with this is that using contexts, no-one could figure
out a way to pass the session into the kernel:

https://lore.kernel.org/linux-integrity/CADg8p94kTNkoByjLhEij3KkigLxhwU8PxnO82cRaO0Ejh7T3Zg@xxxxxxxxxxxxxx/

How should this be done?

James
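For reference, the "contexts" approach Bill mentions looks like the following. This is an added example written for this page, not code from the thread, from tpm2-tools or from any of the participants. Each tpm2-tools invocation is given the same `-S session.ctx`, so the tool saves the policy session with TPM2_ContextSave when it exits and the next tool reloads it with TPM2_ContextLoad; the session therefore survives several separate processes through /dev/tpmrm0 with no proxy holding the device open and no change to its permissions. It assumes tpm2-tools 5.x, a TPM reachable through TPM2TOOLS_TCTI, and the file names, PCR list and secret chosen here; with TPM_DRY_RUN=1 it prints the commands instead of running them. It does not address James's question of handing such a session to the kernel.

```shell
#!/bin/sh
# Added example (not from the thread): drive a TPM 2.0 policy session
# across several tpm2-tools commands through the kernel resource manager.
# Every command is given -S session.ctx, so the tool saves the session
# with TPM2_ContextSave on exit and the next one reloads it; nothing has
# to keep /dev/tpmrm0 open between commands.
#
# Assumptions: tpm2-tools 5.x, a TPM reachable through TPM2TOOLS_TCTI,
# and the file names, PCR list and secret chosen here.  With
# TPM_DRY_RUN=1 the commands are printed instead of executed.

set -eu

: "${TPM2TOOLS_TCTI:=device:/dev/tpmrm0}"
export TPM2TOOLS_TCTI

WORK="${TPM_WORK:-./tpm-policy-demo}"   # assumed scratch directory
PCR_LIST="sha256:0,7"                    # assumed PCR selection

# run CMD...: execute the command, or only print it when TPM_DRY_RUN=1.
run() {
    if [ "${TPM_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Compute the PCR policy digest in a trial session, then seal a secret
# to an object that can only be unsealed when that policy is satisfied.
seal_secret() {
    if [ "${TPM_DRY_RUN:-0}" != 1 ]; then
        mkdir -p "$WORK"
        printf '%s' "$1" > "$WORK/secret.dat"
    fi
    run tpm2_createprimary -C o -c "$WORK/primary.ctx"
    run tpm2_startauthsession -S "$WORK/trial.ctx"
    run tpm2_policypcr -S "$WORK/trial.ctx" -l "$PCR_LIST" -L "$WORK/pcr.policy"
    run tpm2_flushcontext "$WORK/trial.ctx"
    run tpm2_create -C "$WORK/primary.ctx" -L "$WORK/pcr.policy" \
        -i "$WORK/secret.dat" -u "$WORK/seal.pub" -r "$WORK/seal.priv"
    run tpm2_load -C "$WORK/primary.ctx" -u "$WORK/seal.pub" \
        -r "$WORK/seal.priv" -c "$WORK/seal.ctx"
}

# Real policy session: started, extended with the PCR policy and consumed
# by tpm2_unseal in three separate processes, all via /dev/tpmrm0.
unseal_secret() {
    run tpm2_startauthsession --policy-session -S "$WORK/session.ctx"
    run tpm2_policypcr -S "$WORK/session.ctx" -l "$PCR_LIST"
    run tpm2_unseal -c "$WORK/seal.ctx" -p "session:$WORK/session.ctx"
    run tpm2_flushcontext "$WORK/session.ctx"
}

main() {
    seal_secret "${1:-correct horse battery staple}"
    unseal_secret
}

# Talk to hardware only when the tools and the device are present;
# otherwise show the command sequence.
if command -v tpm2_unseal >/dev/null 2>&1 && [ -c "${TPM2TOOLS_TCTI#device:}" ]; then
    main "${1:-}"
else
    TPM_DRY_RUN=1
    export TPM_DRY_RUN
    main "${1:-}"
fi
```

The trial session in seal_secret only produces the policy digest and is flushed immediately; the session in unseal_secret is the one that has to survive, and it does so only because each tool saves it to session.ctx before exiting. If any step is run against /dev/tpm0 instead, the saved context is still valid, but the point of the example is that the resource manager path works without a proxy.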