Re: [PATCH] qemu: Extend qemu.conf with PCR banks to activate during 'TPM manufacturing'

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Oct 27, 2021 at 05:48:19PM -0400, Stefan Berger wrote:
> 
> On 10/27/21 14:17, Marc-André Lureau wrote:
> > Hi
> > 
> > On Wed, Oct 27, 2021 at 9:00 PM Stefan Berger <stefanb@xxxxxxxxxxxxx> wrote:
> > > Extend qemu.conf with a configration option swtpm_active_pcr_banks that
> > > allows a user to set a comma-separated list of PCR banks to activate
> > > during 'TPM manufacturing'. Valid PCR banks are sha1,sha256,sha384 and
> > > sha512.
> > > 
> > Why not put this option in swtpm_setup.conf instead?
> 
> That is another option but it depends on when one wants to see the effect or
> how one wants to control it. With newer libvirt or newer swtpm?

The obvious reason for putting it in swtpm_setup.conf is that it also
benefits people using swtpm in a non-libvirt scenario.

IMHO, we should put it in swtpm_setup.conf, and *also* have a build
time option in swtpm to configure the built-in default.

IOW, I'd expect RHEL-9 RPM swtpm.spec to pass

  %configure --default-pcr-banks=sha256

and then have the swtpm_setup.conf option to allow admins to override
the distro default if they need a weaker setup on a host.


On the libvirt side, I think we could have a domain XML config option
for PCR banks, to allow the built-in default or admin local default to
be override per-VM.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux