On Wed, Oct 27, 2021 at 05:48:19PM -0400, Stefan Berger wrote:
>
> On 10/27/21 14:17, Marc-André Lureau wrote:
> > Hi
> >
> > On Wed, Oct 27, 2021 at 9:00 PM Stefan Berger <stefanb@xxxxxxxxxxxxx> wrote:
> > > Extend qemu.conf with a configuration option swtpm_active_pcr_banks that
> > > allows a user to set a comma-separated list of PCR banks to activate
> > > during 'TPM manufacturing'. Valid PCR banks are sha1,sha256,sha384 and
> > > sha512.
> >
> > Why not put this option in swtpm_setup.conf instead?
>
> That is another option but it depends on when one wants to see the effect or
> how one wants to control it. With newer libvirt or newer swtpm?

The obvious reason for putting it in swtpm_setup.conf is that it also
benefits people using swtpm in a non-libvirt scenario.

IMHO, we should put it in swtpm_setup.conf, and *also* have a build time
option in swtpm to configure the built-in default.

IOW, I'd expect RHEL-9 RPM swtpm.spec to pass

  %configure --default-pcr-banks=sha256

and then have the swtpm_setup.conf option to allow admins to override the
distro default if they need a weaker setup on a host.

On the libvirt side, I think we could have a domain XML config option for
PCR banks, to allow the built-in default or admin local default to be
overridden per-VM.

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
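As an added illustration of the option discussed in this thread (not code from the patch, swtpm or libvirt), the snippet below validates a comma-separated PCR bank list against the four banks the patch description names, and applies the layered precedence Daniel proposes (build-time default, then swtpm_setup.conf, then a per-VM domain setting). The precedence order and the function names are assumptions drawn from the message, not an existing API.

```python
"""Validate and resolve a swtpm_active_pcr_banks-style setting (added example)."""
from __future__ import annotations

# Banks the patch description lists as valid for 'TPM manufacturing'.
VALID_PCR_BANKS = ("sha1", "sha256", "sha384", "sha512")


class PcrBankConfigError(ValueError):
    """Raised when a configured PCR bank list cannot be used."""


def parse_pcr_banks(value: str) -> list[str]:
    """Parse "sha256,sha384" into ["sha256", "sha384"].

    Entries are case-folded and de-duplicated in configured order; an
    empty entry or a bank outside VALID_PCR_BANKS is rejected rather than
    silently dropped, so a typo never results in an unexpected bank set.
    """
    banks: list[str] = []
    for raw in value.split(","):
        name = raw.strip().lower()
        if not name:
            raise PcrBankConfigError("empty PCR bank entry in %r" % value)
        if name not in VALID_PCR_BANKS:
            raise PcrBankConfigError(
                "unknown PCR bank %r (valid: %s)" % (name, ", ".join(VALID_PCR_BANKS)))
        if name not in banks:
            banks.append(name)
    return banks


def effective_pcr_banks(build_default: str,
                        setup_conf: str | None = None,
                        domain_xml: str | None = None) -> list[str]:
    """Resolve the bank list with the precedence proposed in the thread.

    Assumed layering: the distro build-time default is overridden by an
    admin value in swtpm_setup.conf, which is overridden by a per-VM
    domain XML value. The most specific non-empty layer wins.
    """
    chosen = build_default
    if setup_conf:
        chosen = setup_conf
    if domain_xml:
        chosen = domain_xml
    return parse_pcr_banks(chosen)


def weak_banks(banks: list[str]) -> list[str]:
    """Return the banks that downgrade from the sha256 default (sha1 only)."""
    return [b for b in banks if b == "sha1"]
```

An admin-facing tool could call `weak_banks()` on the resolved list to log when a host or VM has opted into a weaker setup than the distro default.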