docs/trusted-computing.md
LinuxKit has support for using Trusted Platform Module (tpm) chips.
Supporting tpm requires support at three levels:

* hardware: a tpm chip, or a virtual tpm implemented in software
* kernel: the tpm driver modules
* userspace: the software stack (TSS) that talks to the device
You need to have a tpm chip installed in your computer to use tpm. Alternatively, you can use one of the virtual tpms implemented in software, provided that either:
As of PR 2234, the in-tree linux kernel modules that support tpm are shipped with LinuxKit by default.
The shipped modules support both tpm 1.2 and tpm 2.0 chips.
The userspace software stack (TSS) works differently for tpm 1.2 and tpm 2.0.
In tss 1.2, the character device /dev/tpm0 is meant to be opened by only a single process. All other clients are expected to communicate with that single process, which handles multiplexing of requests and various other low-level functionality.
The single client normally used is TrouSerS. It creates a daemon, tcsd, that communicates with the character device (and via the character device and the kernel module to the actual tpm).
tcsd in turn listens on localhost:30003 for tpm commands. All other clients are expected to communicate via tcp to tcsd.
LinuxKit provides the linuxkit/tss image which includes:

* tcsd
* the tpm_* tools

To make a tcsd available to your LinuxKit image, just include it as a service:

```yaml
services:
  - name: tss
    image: linuxkit/tss:<hash>
```
For a full example, see tpm.yml
For tpm 2.0, the kernel exposes a second character device, /dev/tpmrm0, backed by the in-kernel resource manager. It can be opened by as many processes, in parallel, as desired: the multiplexing and low-level context management are built into the kernel module, so no userspace daemon has to sit in front of the device (the raw /dev/tpm0 still exists alongside it and keeps the single-opener semantics).
To use a tpm 2.0 device, you do not need any special tss container. You just need a container that:

* has /dev mounted in
* accesses /dev/tpmrm0

The image linuxkit/tss ships with the version 1.2 tcsd and the tpm_* tools for tpm version 1.2. The tools for tpm version 2.0, tpm2_* and their attendant libs, are not included in the image.
We intend to release a tss 2.0 compatible image in the near future. In the meantime, nothing prevents you from using and compiling your own tss and including it in a LinuxKit image.
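To show what "just open /dev/tpmrm0" means in practice, here is an added example (not LinuxKit project code and not part of the linuxkit/tss image) that sends a raw TPM2_GetRandom command to the resource-manager device and parses the reply. It assumes the container has /dev mounted in and runs with permission to open the device; the device paths, the command code, the tag and the response layout are taken from the TPM 2.0 library specification, and everything else (function names, the 4096-byte read size) is this example's own choice. The same `tpm_transact` round trip works for any other TPM 2.0 command once you encode its parameters.

```python
"""Talk to a tpm 2.0 device directly over /dev/tpmrm0, with no tcsd.

Added example for the LinuxKit trusted-computing page; not project code.
Wire format per the TPM 2.0 Library spec (Part 2, Structures; Part 3,
Commands): a 10-byte header (tag, size, command code) followed by the
command's parameters, and a matching header followed by the response
parameters on the way back.
"""
import os
import struct

TPM_ST_NO_SESSIONS = 0x8001      # command carries no authorization sessions
TPM_CC_GetRandom = 0x0000017B     # TPM2_GetRandom command code
TPM_RC_SUCCESS = 0x00000000
TPM_HEADER = struct.Struct(">HII")  # tag, commandSize/responseSize, code

TPMRM_PATH = "/dev/tpmrm0"   # kernel resource manager: any number of openers
TPM_RAW_PATH = "/dev/tpm0"   # raw device: one opener at a time (the tss 1.2 model)


def build_get_random(nbytes: int) -> bytes:
    """Encode TPM2_GetRandom(bytesRequested=nbytes) as a command buffer."""
    if not 0 < nbytes <= 0xFFFF:
        raise ValueError("bytesRequested must fit in a UINT16")
    params = struct.pack(">H", nbytes)
    size = TPM_HEADER.size + len(params)
    return TPM_HEADER.pack(TPM_ST_NO_SESSIONS, size, TPM_CC_GetRandom) + params


def parse_get_random(resp: bytes) -> bytes:
    """Decode a TPM2_GetRandom response, returning the random bytes.

    Raises on a truncated or inconsistent buffer and on any non-zero
    TPM_RC, so a caller never mistakes an error reply for entropy.
    """
    if len(resp) < TPM_HEADER.size:
        raise ValueError("short response header")
    _tag, size, rc = TPM_HEADER.unpack_from(resp)
    if size != len(resp):
        raise ValueError(f"responseSize {size} != bytes received {len(resp)}")
    if rc != TPM_RC_SUCCESS:
        raise RuntimeError(f"TPM returned rc=0x{rc:08x}")
    # randomBytes is a TPM2B_DIGEST: UINT16 size followed by that many bytes
    (n,) = struct.unpack_from(">H", resp, TPM_HEADER.size)
    data = resp[TPM_HEADER.size + 2:]
    if len(data) != n:
        raise ValueError(f"TPM2B size {n} != payload length {len(data)}")
    return data


def tpm_transact(cmd: bytes, path: str = TPMRM_PATH) -> bytes:
    """One command/response round trip on the tpm character device.

    Each caller opens /dev/tpmrm0 itself; the in-kernel resource manager
    serialises requests, so no tcsd-style proxy process is needed.
    """
    fd = os.open(path, os.O_RDWR)
    try:
        os.write(fd, cmd)
        return os.read(fd, 4096)  # 4096 is an example buffer size, not a spec value
    finally:
        os.close(fd)


def get_random(nbytes: int, path: str = TPMRM_PATH) -> bytes:
    """Fetch nbytes of entropy from the tpm via the resource manager."""
    return parse_get_random(tpm_transact(build_get_random(nbytes), path))


if __name__ == "__main__":
    try:
        print(get_random(16).hex())
    except FileNotFoundError:
        print(f"{TPMRM_PATH} not present: no tpm 2.0 device, or /dev is not mounted in")
```

If the open fails with FileNotFoundError the container is missing the /dev bind mount or the machine has no tpm 2.0 device; if it fails with EBUSY you opened /dev/tpm0 rather than /dev/tpmrm0 while another process holds it.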