Extend qemu.conf with a configration option swtpm_active_pcr_banks that allows a user to set a comma-separated list of PCR banks to activate during 'TPM manufacturing'. Valid PCR banks are sha1,sha256,sha384 and sha512.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
 src/qemu/qemu.conf | 8 ++++++++
 src/qemu/qemu_conf.c | 6 ++++++
 src/qemu/qemu_conf.h | 1 +
 src/qemu/qemu_tpm.c | 8 ++++++++
 4 files changed, 23 insertions(+)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 71fd125699..7aa151ed55 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -915,6 +915,14 @@
 #swtpm_user = "tss"
 #swtpm_group = "tss"
 
+# The PCR banks to activate during 'TPM manufacturing' before a swtpm instance
+# is started the first time.
+#
+# A comma-separated list without spaces containing sha1,sha256,sha384, or
+# sha512. The default is 'sha256'.
+#
+# swtpm_active_pcr_banks = "sha256,sha384"
+
 # For debugging and testing purposes it's sometimes useful to be able to disable
 # libvirt behaviour based on the capabilities of the qemu process. This option
 # allows to do so. DO _NOT_ use in production and beaware that the behaviour
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 0451bc70ac..a62525385e 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -384,6 +384,8 @@ static void virQEMUDriverConfigDispose(void *obj)
     g_strfreev(cfg->capabilityfilters);
 
     g_free(cfg->deprecationBehavior);
+
+    g_free(cfg->swtpmActivePcrBanks);
 }
 
 
@@ -1030,6 +1032,10 @@ virQEMUDriverConfigLoadSWTPMEntry(virQEMUDriverConfig *cfg,
     if (swtpm_group && virGetGroupID(swtpm_group, &cfg->swtpm_group) < 0)
         return -1;
 
+    if (virConfGetValueString(conf, "swtpm_active_pcr_banks",
+                              &cfg->swtpmActivePcrBanks) < 0)
+        return -1;
+
     return 0;
 }
 
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 2f64e39a18..37461d9e31 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
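Review bot: The new qemu.conf comment does not say what happens to a name outside the listed four, nor that the setting only matters for TPM state that has not been created yet, which is the condition an operator most often trips over when changing it on a host with existing domains. I would extend the block with `# The value is handed to swtpm_setup unchanged; a bank name that swtpm_setup does not know makes the first start of a TPM-backed domain fail.` and `# Existing TPM state keeps the banks it was created with; this setting is not applied retroactively.` Since the banks chosen here are what guest measurements and any remote attestation will be able to use, a short caution that a sha1-only list provides the weakest digests is also worth a line.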
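Review bot: virQEMUDriverConfigLoadSWTPMEntry stores swtpm_active_pcr_banks without validating it, even though the option's contract is "a comma-separated list without spaces of sha1,sha256,sha384,sha512"; a typo such as "sha-256" or a stray space is only discovered later, when swtpm_setup is run at the first start of a TPM-backed domain, and the cause is then buried in the swtpm_setup log rather than reported at daemon start. I would validate at load time: split the string on ',', reject an empty token or a name not in the four-entry allow-list with `virReportError(VIR_ERR_CONF_SYNTAX, ...)` naming the offending bank, and return -1, mirroring how the user/group entries above fail early. Whether an empty string (`swtpm_active_pcr_banks = ""`) should be treated as "use the default" or rejected should be decided here rather than left to the consumer. The rest of virQEMUDriverConfigLoadSWTPMEntry lies outside the hunk.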
@@ -219,6 +219,7 @@ struct _virQEMUDriverConfig {
 
     uid_t swtpm_user;
     gid_t swtpm_group;
+    char *swtpmActivePcrBanks;
 
     char **capabilityfilters;
 
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index e1b08a66c5..69fd1e67e3 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -448,6 +448,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
                         bool privileged,
                         uid_t swtpm_user,
                         gid_t swtpm_group,
+                        const char *swtpmActivePcrBanks,
                         const char *logfile,
                         const virDomainTPMVersion tpmversion,
                         const unsigned char *secretuuid,
@@ -512,6 +513,9 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
     }
 
     if (!incomingMigration) {
+        if (!swtpmActivePcrBanks)
+            swtpmActivePcrBanks = "sha256";
+
         virCommandAddArgList(cmd,
                              "--tpm-state", storagepath,
                              "--vmid", vmid,
@@ -521,6 +525,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
                              "--create-platform-cert",
                              "--lock-nvram",
                              "--not-overwrite",
+                             "--pcr-banks", swtpmActivePcrBanks,
                              NULL);
     } else {
         virCommandAddArgList(cmd,
@@ -568,6 +573,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
                             bool privileged,
                             uid_t swtpm_user,
                             gid_t swtpm_group,
+                            const char *swtpmActivePcrBanks,
                             const char *swtpmStateDir,
                             const char *shortName,
                             bool incomingMigration)
@@ -593,6 +599,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
     if (created &&
         qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
                                 privileged, swtpm_user, swtpm_group,
+                                swtpmActivePcrBanks,
                                 tpm->data.emulator.logfile, tpm->version,
                                 secretuuid, incomingMigration) < 0)
         goto error;
@@ -812,6 +819,7 @@ qemuExtTPMStartEmulator(virQEMUDriver *driver,
                                             driver->privileged,
                                             cfg->swtpm_user,
                                             cfg->swtpm_group,
+                                            cfg->swtpmActivePcrBanks,
                                             cfg->swtpmStateDir,
                                             shortName, incomingMigration)))
         return -1;
-- 
2.31.1
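Review bot: The fallback in qemuTPMEmulatorRunSetup, `if (!swtpmActivePcrBanks) swtpmActivePcrBanks = "sha256";`, only covers a missing option; if `swtpm_active_pcr_banks = ""` in qemu.conf yields an empty string rather than NULL (which is what a string-valued config getter would be expected to return), the code then passes `--pcr-banks ""` to swtpm_setup instead of the documented default and the first start of the domain fails. Guarding on emptiness too, `if (!swtpmActivePcrBanks || !*swtpmActivePcrBanks)`, keeps the documented default in both cases. Unless it is established that every swtpm_setup version libvirt supports accepts `--pcr-banks`, this flag should also be gated the way other optional swtpm_setup arguments are, since the option is now passed unconditionally on the non-migration path. qemuTPMEmulatorRunSetup starts and ends outside the hunk.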