Hi On Wed, Oct 27, 2021 at 9:00 PM Stefan Berger <stefanb@xxxxxxxxxxxxx> wrote:
>
> Extend qemu.conf with a configration option swtpm_active_pcr_banks that
> allows a user to set a comma-separated list of PCR banks to activate
> during 'TPM manufacturing'. Valid PCR banks are sha1,sha256,sha384 and
> sha512.
>
Why not put this option in swtpm_setup.conf instead?
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> ---
> src/qemu/qemu.conf | 8 ++++++++
> src/qemu/qemu_conf.c | 6 ++++++
> src/qemu/qemu_conf.h | 1 +
> src/qemu/qemu_tpm.c | 8 ++++++++
> 4 files changed, 23 insertions(+)
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 71fd125699..7aa151ed55 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -915,6 +915,14 @@
> #swtpm_user = "tss"
> #swtpm_group = "tss"
>
> +# The PCR banks to activate during 'TPM manufacturing' before a swtpm instance
> +# is started the first time.
> +#
> +# A comma-separated list without spaces containing sha1,sha256,sha384, or
> +# sha512. The default is 'sha256'.
> +#
> +# swtpm_active_pcr_banks = "sha256,sha384"
> +
> # For debugging and testing purposes it's sometimes useful to be able to disable
> # libvirt behaviour based on the capabilities of the qemu process. This option
> # allows to do so. DO _NOT_ use in production and beaware that the behaviour
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index 0451bc70ac..a62525385e 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -384,6 +384,8 @@ static void virQEMUDriverConfigDispose(void *obj)
> g_strfreev(cfg->capabilityfilters);
>
> g_free(cfg->deprecationBehavior);
> +
> + g_free(cfg->swtpmActivePcrBanks);
> }
>
>
> @@ -1030,6 +1032,10 @@ virQEMUDriverConfigLoadSWTPMEntry(virQEMUDriverConfig *cfg,
> if (swtpm_group && virGetGroupID(swtpm_group, &cfg->swtpm_group) < 0)
> return -1;
>
> + if (virConfGetValueString(conf, "swtpm_active_pcr_banks",
> + &cfg->swtpmActivePcrBanks) < 0)
> + return -1;
> +
> return 0;
> }
>
> diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
> index 2f64e39a18..37461d9e31 100644
> --- a/src/qemu/qemu_conf.h
> +++ b/src/qemu/qemu_conf.h
> @@ -219,6 +219,7 @@ struct _virQEMUDriverConfig {
>
> uid_t swtpm_user;
> gid_t swtpm_group;
> + char *swtpmActivePcrBanks;
>
> char **capabilityfilters;
>
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index e1b08a66c5..69fd1e67e3 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -448,6 +448,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> bool privileged,
> uid_t swtpm_user,
> gid_t swtpm_group,
> + const char *swtpmActivePcrBanks,
> const char *logfile,
> const virDomainTPMVersion tpmversion,
> const unsigned char *secretuuid,
> @@ -512,6 +513,9 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> }
>
> if (!incomingMigration) {
> + if (!swtpmActivePcrBanks)
> + swtpmActivePcrBanks = "sha256";
> +
> virCommandAddArgList(cmd,
> "--tpm-state", storagepath,
> "--vmid", vmid,
> @@ -521,6 +525,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> "--create-platform-cert",
> "--lock-nvram",
> "--not-overwrite",
> + "--pcr-banks", swtpmActivePcrBanks,
> NULL);
> } else {
> virCommandAddArgList(cmd,
> @@ -568,6 +573,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
> bool privileged,
> uid_t swtpm_user,
> gid_t swtpm_group,
> + const char *swtpmActivePcrBanks,
> const char *swtpmStateDir,
> const char *shortName,
> bool incomingMigration)
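Review bot: The string read for `swtpm_active_pcr_banks` in virQEMUDriverConfigLoadSWTPMEntry is stored without being checked against the set the qemu.conf comment documents (sha1, sha256, sha384, sha512), so a typo or a stray space is only reported when swtpm_setup rejects `--pcr-banks` at the first start of a domain, whereas the neighbouring swtpm_user/swtpm_group entries fail at config load. The value is handed to swtpm_setup as a single argv element through virCommandAddArgList, so no shell interpretation is involved; the concern is a late, hard-to-attribute failure, not injection. I would split the value on ',' right after it is read and reject unknown or empty entries with a virReportError, so the daemon refuses a bad configuration up front (the loop below is one way to do it). The opening lines of virQEMUDriverConfigLoadSWTPMEntry are outside the hunk.
```c
    /* … unchanged: virConfGetValueString() read of swtpm_active_pcr_banks … */

    if (cfg->swtpmActivePcrBanks) {
        g_auto(GStrv) banks = g_strsplit(cfg->swtpmActivePcrBanks, ",", 0);
        size_t i;

        /* Reject anything swtpm_setup would not accept while the daemon
         * config is being loaded, rather than at first domain start. */
        for (i = 0; banks[i]; i++) {
            if (!(STREQ(banks[i], "sha1") || STREQ(banks[i], "sha256") ||
                  STREQ(banks[i], "sha384") || STREQ(banks[i], "sha512"))) {
                virReportError(VIR_ERR_CONF_SYNTAX,
                               _("unsupported PCR bank '%s' in swtpm_active_pcr_banks"),
                               banks[i]);
                return -1;
            }
        }
    }

    return 0;
```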
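Review bot: The fallback `if (!swtpmActivePcrBanks) swtpmActivePcrBanks = "sha256";` in qemuTPMEmulatorRunSetup only covers an absent option; if virConfGetValueString hands back an empty string for `swtpm_active_pcr_banks = ""` (as I believe it does), swtpm_setup is invoked with `--pcr-banks ""` and TPM manufacturing fails at the first domain start instead of using the documented default. Treating the empty string as unset, `if (!swtpmActivePcrBanks || !*swtpmActivePcrBanks)`, keeps the 'sha256' default in that case as well. The literal "sha256" is also stated in the qemu.conf comment, so the two need to be kept in step if the default ever changes. qemuTPMEmulatorRunSetup begins outside the hunk.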
> @@ -593,6 +599,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
> if (created &&
> qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
> privileged, swtpm_user, swtpm_group,
> + swtpmActivePcrBanks,
> tpm->data.emulator.logfile, tpm->version,
> secretuuid, incomingMigration) < 0)
> goto error;
> @@ -812,6 +819,7 @@ qemuExtTPMStartEmulator(virQEMUDriver *driver,
> driver->privileged,
> cfg->swtpm_user,
> cfg->swtpm_group,
> + cfg->swtpmActivePcrBanks,
> cfg->swtpmStateDir, shortName,
> incomingMigration)))
> return -1;
> --
> 2.31.1
>