Re: [PATCH v4 04/23] conf: Extend TPM XML parser with encryption support

On Thu, Jul 11, 2019 at 03:41:32PM -0400, Stefan Berger wrote:
> Extend the TPM device XML parser and XML generator with emulator
> state encryption support.
> 
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
> ---
>  src/conf/domain_conf.c | 40 +++++++++++++++++++++++++++++++++++++++-
>  src/conf/domain_conf.h |  1 +
>  2 files changed, 40 insertions(+), 1 deletion(-)
> 
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 3323c9a5b1..df6238c299 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -2950,6 +2950,7 @@ void virDomainTPMDefFree(virDomainTPMDefPtr def)
>          virDomainChrSourceDefClear(&def->data.emulator.source);
>          VIR_FREE(def->data.emulator.storagepath);
>          VIR_FREE(def->data.emulator.logfile);
> +        virStorageEncryptionFree(def->data.emulator.encryption);
>          break;
>      case VIR_DOMAIN_TPM_TYPE_LAST:
>          break;
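Review bot: the free of def->data.emulator.encryption here is unconditional, so it depends on virStorageEncryptionFree() accepting a NULL pointer for the common case of a TPM definition with no <encryption> element (the parser comment in the next hunk presents encryption as optional); confirm that, or guard the call with `if (def->data.emulator.encryption)`.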
> @@ -13048,6 +13049,16 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt,
>   * <tpm model='tpm-tis'>
>   *   <backend type='emulator' version='2'/>
>   * </tpm>
> + *
> + * Emulator state encryption is supported with the following:
> + *
> + * <tpm model='tpm-tis'>
> + *   <backend type='emulator' version='2'>
> + *     <encryption format='vtpm'>
> + *        <secret type='passphrase' uuid='32ee7e76-2178-47a1-ab7b-269e6e348015'/>
> + *     </encryption>
> + *   </backend>
> + * </tpm>
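Review bot: the documentation comment shows `format='vtpm'` as the only value but does not say what the parser does with the other formats a virStorageEncryption can carry, nor whether <encryption> is accepted under a non-emulator backend; the comment (and the parser) should state that only format='vtpm' is accepted for the emulator backend and that anything else is rejected. Also, the `<secret type='passphrase' .../>` line is indented one extra space relative to its sibling elements.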

Again this feels rather odd to me - we're just providing a password to
the swtpm process. We don't need to have a choice of encryption formats
in the XML - the way this is implemented allows you to specify luks or
qcow2 for encryption which is rather meaningless here, and likewise
allows vtpm for disk encryption.

We should just be referencing the secret without this extra level of
XML nesting, e.g.

   <encrypt secret=".....uuid..."/>

and avoid use of virStorageEncryption entirely.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list