Re: [PATCH v1 1/8] docs: documentation and schema for the new TPM Proxy device

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/8/20 8:06 AM, Daniel Henrique Barboza wrote:
QEMU 4.1.0 introduced a new device type called TPM Proxy, currently
implemented by PPC64 guests via a new virtual device called
'spapr-tpm-proxy' (see QEMU 0fb6bd073230 for more info).

The TPM Proxy device interacts with a TPM Resource Manager, a host
device capable of multiplexing the host TPM with multiple processes.
This allows multiple guests to access some TPM features at the
same time. Note that this mode of operation does not provide
full TPM features to be available for the guest - for that case
the guest still needs to assign a vTPM device (tpm-spapr for
PPC64 guests). Although redundant, there is currently no technical
limitation for a guest to assign both a vTPM and a TPM Proxy at the
same time.

This patch adds documentation and schema for the new TPM Proxy device.
An example of a TPM Proxy device connected to a TPM Resource Manager
'/dev/tpmrm0' will look like this:

   <tpmproxy model='spapr-tpm-proxy'>
     <device path='/dev/tpmrm0'/>
   </tpmproxy>

Signed-off-by: Daniel Henrique Barboza <danielhb413@xxxxxxxxx>
---
  docs/formatdomain.html.in     | 42 +++++++++++++++++++++++++++++++++++
  docs/schemas/domaincommon.rng | 18 +++++++++++++++
  2 files changed, 60 insertions(+)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 23eb029234..650e2a8c6e 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -8849,6 +8849,48 @@ qemu-kvm -net nic,model=? /dev/null
        </dd>
      </dl>
+ <h4><a id="elementsTpmProxy">TPM Proxy device</a></h4>
+
+    <p>
+      The TPM Proxy device allows a QEMU guest to interact with an
+      existing TPM Resource Manager in the host. A TPM Resource Manager
+      enables a TPM device to be securely multiplexed across several
+      guests. Only one TPM Proxy device is allowed per guest.


I think you should mention SVMs here and that this is what this extension is used for or are there other uses than secure VMs?


+    </p>
+    <p>
+      A guest using the TPM Proxy device does not have access to all the
+      features a TPM device provides. This means that a guest can have both
+      a TPM Proxy and a TPM device assigned at the same time.


And this TPM Proxy device only enables the H_COMM_TPM hypercall rather than talking to /dev/tpm(rm)0 inside the SVM. I think this should be clarified because otherwise people might confuse it with the passthrough device that does expose /dev/tpm0 inside the VM for example.


+    </p>
+    <p>
+      The TPM Proxy device is currently available only for pSeries guests.
+      <span class="since">since 6.4.0</span>
+    </p>
+    <p>
+     Example: usage of the TPM Proxy device
+    </p>
+<pre>
+...
+&lt;devices&gt;
+  &lt;tpmproxy model='spapr-tpm-proxy'&gt;
+    &lt;device path='/dev/tpmrm0'/&gt;
+  &lt;/tpmproxy&gt;
+&lt;/devices&gt;
+...
+</pre>
+
+    <dl>
+      <dt><code>model</code></dt>
+      <dd>
+        <p>
+          The <code>model</code> attribute specifies what device
+          model QEMU provides to the guest. If no model name is provided,
+          <code>spapr-tpm-proxy</code> will automatically be chosen for
+          PPC64 architectures.
+        </p>
+      </dd>
+    </dl>
+
      <h4><a id="elementsNVRAM">NVRAM device</a></h4>
      <p>
        nvram device is always added to pSeries guest on PPC64, and its address
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 9d60b090f3..44bbd92244 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -4676,6 +4676,23 @@
      </optional>
    </define>
+ <define name="tpmproxy">
+    <element name="tpmproxy">
+      <optional>
+        <attribute name="model">
+          <choice>
+            <value>spapr-tpm-proxy</value>
+          </choice>
+        </attribute>
+      </optional>
+      <element name="device">
+        <attribute name="path">
+          <ref name="filePath"/>
+        </attribute>
+      </element>
+    </element>
+  </define>
+
    <define name="vsock">
      <element name="vsock">
        <optional>
@@ -5279,6 +5296,7 @@
              <ref name="tpm"/>
              <ref name="shmem"/>
              <ref name="memorydev"/>
+            <ref name="tpmproxy"/>
            </choice>
          </zeroOrMore>
          <optional>





[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux