Thank you for the answer.
I've done some investigation and found that passing device /dev/tpmrm0 to the
containers will do the job. Also problem with tpm_clear can be solved by resrtiction owner
access to the tpm. So each container can use keys in TPM but talk to owner if any changes
I have another question: According to the documentation - TPM is having unique
endoresement key, embedded to the device during manufacturing. So each module can be
identified by this key.
How can I retrieve this key embedded to the TPM module?
From: Tadeusz Struk <tadeusz.struk(a)intel.com>
Sent: Friday, June 5, 2020 8:16 PM
To: Oleksii Moisieiev <Oleksii_Moisieiev(a)epam.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] Sharing TPM 2.0 between containers with access policy
On 6/5/20 12:52 AM, Oleksii Moisieiev wrote:
I have an embedded device, with Docker containers based architecture.
This device is operating by software, installed in separate containers.
I would like to share TPM2.0 access between this containers with the
1) Forbid Clear TPM command for the containers;
2) Each container should have an access only to the set of keys it owns.
3) Each container can create keys, but not overwrite existing keys that
does not related to this container.
According to the "TCG TSS 2.0 TAB and Resource Manager Specification" -
TPM Resource manager doesn't implement access restrictions right now.
I think you could run a separate instance of RM in per container to get
2 & 3. As for 1, this would need to be prevented on a platform
configuration level, like in BIOS or equivalent.