1 files changed, 71 insertions, 0 deletions
diff --git a/Documentation/tpm/tpm_vtpm_proxy.txt b/Documentation/tpm/tpm_vtpm_proxy.txt
new file mode 100644
index 000000000000..30d19022f869
--- /dev/null
+++ b/Documentation/tpm/tpm_vtpm_proxy.txt
@@ -0,0 +1,71 @@
+Virtual TPM Proxy Driver for Linux Containers
+Authors: Stefan Berger (IBM)
+This document describes the virtual Trusted Platform Module (vTPM)
+proxy device driver for Linux containers.
+INTRODUCTION
+------------
+The goal of this work is to provide TPM functionality to each Linux
+container. This allows programs to interact with a TPM in a container
+the same way they interact with a TPM on the physical system. Each
+container gets its own unique, emulated, software TPM.
+DESIGN
+------
+To make an emulated software TPM available to each container, the container
+management stack needs to create a device pair consisting of a client TPM
+character device /dev/tpmX (with X=0,1,2...) and a 'server side' file
+descriptor. The former is moved into the container by creating a character
+device with the appropriate major and minor numbers while the file descriptor
+is passed to the TPM emulator. Software inside the container can then send
+TPM commands using the character device and the emulator will receive the
+commands via the file descriptor and use it for sending back responses.
+To support this, the virtual TPM proxy driver provides a device /dev/vtpmx
+that is used to create device pairs using an ioctl. The ioctl takes as
+an input flags for configuring the device. The flags  for example indicate
+whether TPM 1.2 or TPM 2 functionality is supported by the TPM emulator.
+The result of the ioctl are the file descriptor for the 'server side'
+as well as the major and minor numbers of the character device that was created.
+Besides that the number of the TPM character device is return. If for
+example /dev/tpm10 was created, the number (dev_num) 10 is returned.
+The following is the data structure of the TPM_PROXY_IOC_NEW_DEV ioctl:
+struct vtpm_proxy_new_dev {
+        __u32 flags;         /* input */
+        __u32 tpm_num;       /* output */
+        __u32 fd;            /* output */
+        __u32 major;         /* output */
+        __u32 minor;         /* output */
+};
+Note that if unsupported flags are passed to the device driver, the ioctl will
+fail and errno will be set to EOPNOTSUPP. Similarly, if an unsupported ioctl is
+called on the device driver, the ioctl will fail and errno will be set to
+ENOTTY.
+See /usr/include/linux/vtpm_proxy.h for definitions related to the public interface
+of this vTPM device driver.
+Once the device has been created, the driver will immediately try to talk
+to the TPM. All commands from the driver can be read from the file descriptor
+returned by the ioctl. The commands should be responded to immediately.
+Depending on the version of TPM the following commands will be sent by the
+driver:
+- TPM 1.2:
+  - the driver will send a TPM_Startup command to the TPM emulator
+  - the driver will send commands to read the command durations and
+    interface timeouts from the TPM emulator
+- TPM 2:
+  - the driver will send a TPM2_Startup command to the TPM emulator
+The TPM device /dev/tpmX will only appear if all of the relevant commands
+were responded to properly.

diff --git a/Documentation/tpm/tpm_vtpm_proxy.txt b/Documentation/tpm/tpm_vtpm_proxy.txt new file mode 100644 index 000000000000..30d19022f869 --- /dev/null +++ b/Documentation/tpm/tpm_vtpm_proxy.txt
@@ -0,0 +1,71 @@
	1	Virtual TPM Proxy Driver for Linux Containers
	2
	3	Authors: Stefan Berger (IBM)
	4
	5	This document describes the virtual Trusted Platform Module (vTPM)
	6	proxy device driver for Linux containers.
	7
	8	INTRODUCTION
	9	------------
	10
	11	The goal of this work is to provide TPM functionality to each Linux
	12	container. This allows programs to interact with a TPM in a container
	13	the same way they interact with a TPM on the physical system. Each
	14	container gets its own unique, emulated, software TPM.
	15
	16
	17	DESIGN
	18	------
	19
	20	To make an emulated software TPM available to each container, the container
	21	management stack needs to create a device pair consisting of a client TPM
	22	character device /dev/tpmX (with X=0,1,2...) and a 'server side' file
	23	descriptor. The former is moved into the container by creating a character
	24	device with the appropriate major and minor numbers while the file descriptor
	25	is passed to the TPM emulator. Software inside the container can then send
	26	TPM commands using the character device and the emulator will receive the
	27	commands via the file descriptor and use it for sending back responses.
	28
	29	To support this, the virtual TPM proxy driver provides a device /dev/vtpmx
	30	that is used to create device pairs using an ioctl. The ioctl takes as
	31	an input flags for configuring the device. The flags for example indicate
	32	whether TPM 1.2 or TPM 2 functionality is supported by the TPM emulator.
	33	The result of the ioctl are the file descriptor for the 'server side'
	34	as well as the major and minor numbers of the character device that was created.
	35	Besides that the number of the TPM character device is return. If for
	36	example /dev/tpm10 was created, the number (dev_num) 10 is returned.
	37
	38	The following is the data structure of the TPM_PROXY_IOC_NEW_DEV ioctl:
	39
	40	struct vtpm_proxy_new_dev {
	41	__u32 flags; /* input */
	42	__u32 tpm_num; /* output */
	43	__u32 fd; /* output */
	44	__u32 major; /* output */
	45	__u32 minor; /* output */
	46	};
	47
	48	Note that if unsupported flags are passed to the device driver, the ioctl will
	49	fail and errno will be set to EOPNOTSUPP. Similarly, if an unsupported ioctl is
	50	called on the device driver, the ioctl will fail and errno will be set to
	51	ENOTTY.
	52
	53	See /usr/include/linux/vtpm_proxy.h for definitions related to the public interface
	54	of this vTPM device driver.
	55
	56	Once the device has been created, the driver will immediately try to talk
	57	to the TPM. All commands from the driver can be read from the file descriptor
	58	returned by the ioctl. The commands should be responded to immediately.
	59
	60	Depending on the version of TPM the following commands will be sent by the
	61	driver:
	62
	63	- TPM 1.2:
	64	- the driver will send a TPM_Startup command to the TPM emulator
	65	- the driver will send commands to read the command durations and
	66	interface timeouts from the TPM emulator
	67	- TPM 2:
	68	- the driver will send a TPM2_Startup command to the TPM emulator
	69
	70	The TPM device /dev/tpmX will only appear if all of the relevant commands
	71	were responded to properly.