Re: [Ibmtpm20tss-users] [openssl-tpm2-engine] ibmtss

Ken Goldman <kgold@...>
 

On 1/3/2019 3:59 PM, Doug Fraser wrote:
Hello All.
On UDEV rules....
(depending on where I search, different answers)
I am currently setting both /dev/tpm0 and /dev/tpmrm0 to mode 0666
I don't care who the owner or group is, since I am not running SUID tss
Is this inherently wrong-headed to be working this way?
Way back, the wisdom was to set some group protection (i.e.,
a group of trusted applications) on /dev/tpmxxx.

Using /dev/tpmrm0 protects against an application locking the
TPM and/or using all the resources.

However, even when using /dev/tpmrm0, might one want to protect
against an application extending PCR 10, for example?

Another - does /tpmrm0 protect against an application doing
the write() but never the read(), and thus blocking the device?

Join openssl-tpm2-engine@groups.io to automatically receive all group messages.