=============================================
Virtual TPM Proxy Driver for Linux Containers
=============================================

| Authors:
| Stefan Berger <stefanb@linux.vnet.ibm.com>

This document describes the virtual Trusted Platform Module (vTPM)
proxy device driver for Linux containers.

Introduction
============

The goal of this work is to provide TPM functionality to each Linux
container. This allows programs to interact with a TPM in a container
the same way they interact with a TPM on the physical system. Each
container gets its own unique, emulated, software TPM.

Design
======

To make an emulated software TPM available to each container, the container
management stack needs to create a device pair consisting of a client TPM
character device ``/dev/tpmX`` (with X=0,1,2...) and a 'server side' file
descriptor. The former is moved into the container by creating a character
device with the appropriate major and minor numbers, while the file descriptor
is passed to the TPM emulator. Software inside the container can then send
TPM commands using the character device; the emulator receives the
commands via the file descriptor and uses it to send back responses.

To support this, the virtual TPM proxy driver provides a device ``/dev/vtpmx``
that is used to create device pairs using an ioctl. The ioctl takes as
input flags that configure the device. The flags, for example, indicate
whether TPM 1.2 or TPM 2 functionality is supported by the TPM emulator.
The ioctl returns the file descriptor for the 'server side'
as well as the major and minor numbers of the character device that was created.
In addition, the number of the TPM character device is returned. If, for
example, ``/dev/tpm10`` was created, the number (``dev_num``) 10 is returned.

Once the device has been created, the driver will immediately try to talk
to the TPM. All commands from the driver can be read from the file descriptor
returned by the ioctl. The commands should be responded to immediately.

UAPI
====

.. kernel-doc:: include/uapi/linux/vtpm_proxy.h

.. kernel-doc:: drivers/char/tpm/tpm_vtpm_proxy.c
   :functions: vtpmx_ioc_new_dev
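As an added example (not part of this documentation or of the driver itself), the following C code shows both sides of the design described above: the container management side requesting a device pair through the ``VTPM_PROXY_IOC_NEW_DEV`` ioctl on ``/dev/vtpmx``, and an emulator-side routine that reads one TPM 2 command from the returned 'server side' file descriptor and answers it without trusting the command's own size field. The ``struct vtpm_proxy_new_dev`` layout, flag and ioctl number mirror ``include/uapi/linux/vtpm_proxy.h`` (there the device number field is called ``tpm_num``); ``vtpm_loopback`` and the TPM2_Startup command bytes used to exercise it are constructed here so the emulator-side logic can be checked offline, without ``/dev/vtpmx``.

```c
/* Added example (not the kernel's code); struct and ioctl mirror include/uapi/linux/vtpm_proxy.h. */
#include <fcntl.h>
#include <stdint.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

struct vtpm_proxy_new_dev {
    uint32_t flags;        /* in:  VTPM_PROXY_FLAG_TPM2 for a TPM 2 emulator, 0 for TPM 1.2 */
    uint32_t tpm_num;      /* out: X in /dev/tpmX (the number the text calls dev_num) */
    uint32_t fd;           /* out: 'server side' fd handed to the emulator */
    uint32_t major, minor; /* out: numbers for mknod of /dev/tpmX inside the container */
};
#define VTPM_PROXY_FLAG_TPM2   1
#define VTPM_PROXY_IOC_NEW_DEV _IOWR(0xa1, 0x00, struct vtpm_proxy_new_dev)
/* Container management side: request a new pair from /dev/vtpmx. Returns 0 on success. */
int vtpm_create_pair(int tpm2, struct vtpm_proxy_new_dev *out)
{
    int vtpmx = open("/dev/vtpmx", O_RDWR);
    if (vtpmx < 0) return -1;
    *out = (struct vtpm_proxy_new_dev){ .flags = tpm2 ? VTPM_PROXY_FLAG_TPM2 : 0 };
    int rc = ioctl(vtpmx, VTPM_PROXY_IOC_NEW_DEV, out);
    close(vtpmx); /* the pair outlives vtpmx; the emulator keeps out->fd open */
    return rc < 0 ? -1 : 0;
}

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
/* Emulator side: read one TPM 2 command (big-endian tag, size, ordinal) from the server fd and
 * answer with an empty response carrying rc. The size field must equal the bytes actually read,
 * so a malformed header is rejected rather than trusted. Returns the ordinal, or -1. */
int vtpm_serve_one(int fd, uint32_t rc)
{
    uint8_t cmd[4096], rsp[10];
    ssize_t n = read(fd, cmd, sizeof(cmd));
    if (n < 10 || be32(cmd + 2) != (uint32_t)n) return -1;
    rsp[0] = cmd[0]; rsp[1] = cmd[1]; /* TPM 2 responses echo the command tag */
    put32(rsp + 2, 10); put32(rsp + 6, rc);
    return write(fd, rsp, 10) == 10 ? (int)be32(cmd + 6) : -1;
}

/* Offline check (no /dev/vtpmx needed): a socketpair stands in for the server fd.
 * Returns the response code the client side reads back, or -1 if the command was rejected. */
long vtpm_loopback(const uint8_t *cmd, size_t len, uint32_t rc)
{
    int sv[2]; uint8_t rsp[10]; long got = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (write(sv[0], cmd, len) == (ssize_t)len && vtpm_serve_one(sv[1], rc) >= 0 &&
        read(sv[0], rsp, sizeof(rsp)) == (ssize_t)sizeof(rsp)) got = be32(rsp + 6);
    close(sv[0]); close(sv[1]);
    return got;
}
```

In a real deployment ``vtpm_create_pair`` runs in the container management stack, the returned ``major``/``minor`` are used to create ``/dev/tpmX`` in the container, and ``out->fd`` is handed to the emulator process, which loops over ``vtpm_serve_one`` (replacing the fixed response with real TPM processing).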