
tpm2-abrmd vs /dev/tpmrm0 #830


Closed
shekharpaty opened this issue Jan 26, 2023 · 6 comments

Comments

@shekharpaty

Hello all,
What is the difference between tpm2-abrmd and /dev/tpmrm0? Can we use the existing tpmrm instead of abrmd? If yes, please provide a reference document for configuring tpmrm with tpm2-tss and tpm2-tools.

The goal is to create a key and encrypt and decrypt 128 bytes of data using the FAPI APIs.

I have compiled tpm2-tss and tpm2-tools on our Linux RHEL system; tpm2-abrmd has some extra dependencies to compile, so I am planning to use tpmrm.

@williamcroberts
Member

williamcroberts commented Jan 26, 2023

You won't see any issues with FAPI or the tss2-prefixed tools IIUC. However, if you use the tpm2_policy tools you'll have issues with the session being flushed from the TPM between commands.

@shekharpaty
Author

@williamcroberts thank you, it means we can use tpmrm. And what is tom2_policy? Please can you provide more info.

Is that a typo? tpm2_policy? I will be using tss2_provision and tpm2_clear.

Apart from "tcti"="device:/dev/tpm0", anywhere else do we have to pass /dev/tpmrm0? Are there any supporting documents on how to set up tpmrm with tpm2-tss?

@williamcroberts
Member

> @williamcroberts thank you, it means we can use tpmrm. And what is tom2_policy? Please can you provide more info.

Apparently my phone likes to autocorrect tpm to tom.
I edited that comment to make it correct.

> Is that a typo? tpm2_policy? I will be using tss2_provision and tpm2_clear.

Yes and no worries with those tools.

> Apart from "tcti"="device:/dev/tpm0", anywhere else do we have to pass /dev/tpmrm0? Are there any supporting documents on how to set up tpmrm with tpm2-tss?

IIUC, the tss2_ tools just use the FAPI config; the tpm2_ tools use the --tcti option, but you usually don't have to specify it: the search pattern will discover it automatically.

@shekharpaty
Author

After copying the tpm2-tools and tpm2-tss libs to the device, I tried this.

 ./tss2_provision
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:393:Esys_CreatePrimary_Finish() Received TPM Error
Authorize /HE "Endorsement Hierarchy":
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:393:Esys_CreatePrimary_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/fapi_util.c:761:ifapi_init_primary_finish() ErrorCode (0x000009a2) FAPI Provision
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:578:Fapi_Provision_Finish() Init primary finish ErrorCode (0x000009a2)
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x000009a2) Provision
Fapi_Provision(0x9A2) - tpm:session(1):authorization failure without DA implications

Why is tss2_provision asking for Authorize /HE "Endorsement Hierarchy"? I am running as root.
Meanwhile I ran this to test some commands.

./tpm2_getcap --tcti device:/dev/tpmrm0 properties-fixed
TPM2_PT_FAMILY_INDICATOR:
raw: 0x322E3000
value: "2.0"

@williamcroberts
Member

The TPM is its own separate device; it doesn't care what your permissions are from the operating system. To create the EK, which is part of tss2_provision, you need endorsement hierarchy authorization, so I'm not sure how you do that in the FAPI/tss2-prefixed tools; it's probably some command line parameter.

@shekharpaty
Author

@williamcroberts I will be closing the issue. I have set up qemu and swtpm and validated that tpmrm can be used without abrmd.

kmk3 added a commit to kmk3/firejail that referenced this issue Apr 29, 2025
Treat them like `/dev/tpm[0-9]*` devices.

It seems that `/dev/tpm[0-9]*` allows direct access to the TPM device
while `/dev/tpmrm[0-9]*` mediates access through a "resource manager"
inside of the kernel (for example, to facilitate concurrent access).
Alternatively, it looks like the resource management can be done in
userspace through tpm2-abrmd, the "TPM2 Access Broker & Resource
Management Daemon", which also supports older kernels (Linux 3.x vs
4.12) [1] [2] [3].

udev rules from tpm2-tss 4.1.3[4]:

    # tpm devices can only be accessed by the tss user but the tss
    # group members can access tpmrm devices
    KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
    KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"

This is a follow-up to netblue30#6718.

Misc: This was noticed on netblue30#6700.

Relates to netblue30#6390.

[1] https://github.com/tpm2-software/tpm2-abrmd
[2] tpm2-software/tpm2-abrmd#830
[3] tpm2-software/tpm2-tss-engine#149
[4] https://github.com/tpm2-software/tpm2-tss/blob/4.1.3/dist/tpm-udev.rules
kmk3 added a commit to netblue30/firejail that referenced this issue Apr 29, 2025
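An added example, not code from tpm2-tss or the firejail commit: it parses the two udev rules quoted in the commit message and evaluates, with the POSIX owner/group/other check, which of tpm0 and tpmrm0 a given user can open read-write, which is what makes /dev/tpmrm0 the node to hand to unprivileged tss-group members. The 0600 root:root starting point for a node no rule touches is an assumption.

```python
import fnmatch
import re

# Constructed input: the two udev rules quoted in the commit message above (tpm2-tss 4.1.3).
UDEV_RULES = """
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"
"""
_TOKEN = re.compile(r'(\w+)\s*(==|\+=|=)\s*"([^"]*)"')  # key, operator, "value"

def parse_rules(text):
    """Parse the udev subset used above: a KERNEL glob plus MODE/OWNER/GROUP assignments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = {}
        for key, op, val in _TOKEN.findall(line):
            if key == "KERNEL" and op == "==":
                rule["kernel"] = val
            elif key == "MODE" and op == "=":
                rule["mode"] = int(val, 8)      # octal, as written in the rules file
            elif key in ("OWNER", "GROUP") and op == "=":
                rule[key.lower()] = val
        if "kernel" in rule:                    # other keys (TAG+=...) are ignored
            rules.append(rule)
    return rules

def effective_perms(rules, devname):
    """Apply each matching rule in file order (later assignments win) to an assumed
    default of 0600 root:root for a fresh device node."""
    perm = {"mode": 0o600, "owner": "root", "group": "root"}
    for rule in rules:
        if fnmatch.fnmatchcase(devname, rule["kernel"]):
            perm.update({k: v for k, v in rule.items() if k != "kernel"})
    return perm

def can_open_rw(rules, devname, user, groups):
    """POSIX check for the O_RDWR open a device TCTI performs: root always, otherwise
    the owner bits if owner, else the group bits if a member, else the other bits."""
    if user == "root":
        return True
    p = effective_perms(rules, devname)
    shift = 6 if user == p["owner"] else 3 if p["group"] in groups else 0
    return (p["mode"] >> shift) & 0o6 == 0o6    # need both read and write
```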