From: Axel H. <axe...@my...> - 2005-12-20 23:08:44
|
Kylie, > I don't fully understand the locality feature myself as far as when or > how something from the OS can request it. The 1.2 driver in the tpmdd > cvs has support for requesting localities internally but I have no idea > how this is supposed to be exported to the OS. In fact the last I looked > I think I came to the conclusion that the regular OS should not have > access to localities other than the normal one. > Please let me know if you get clarification on this. Thanks for the answer. Well, lets start some guessing about how this could be ment to work then. If anybody else here = on the lists has some input, it's really appreciated. I'm getting really curious about this magic function.... :) Having some PCRs that cannot be messed up by applications or even by the OS appear interesing. = So, what interface does the tpmdd offer? What could the = kernel do to handle this? Possibly define some additional flags associated with every process indicating details = about how trustworthy it is. In this case tpmdd could simply check these flags and set up the locality settings. = Otherwise some kind of hook would be required in the kernel that is called for every command send to the TPM. = but this seem to cause too much overehead. = But this leaves the problem that there must be some = managing app that can be used to declare the = trustworthyness of processes. Could be based on the hash values of all binaries. Somehow the kernel needs to decide this - which finally means some admin must define this. = Well, seems a lot of stuff that currently "beyond the scope of this specification". = -- = Axel |