Re: [PATCH] qemu: Extend qemu.conf with PCR banks to activate during 'TPM manufacturing'

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 10/28/21 14:16, Daniel P. Berrangé wrote:
On Thu, Oct 28, 2021 at 01:51:33PM -0400, Stefan Berger wrote:

On the libvirt side, I think we could have a domain XML config option
for PCR banks, to allow the built-in default or admin local default to
be override per-VM.
Is there an example of an attribute that can only be set once in the domain
XML and cannot be modified after? The choice of active PCR banks is limited
to 'TPM manufacturing' time, which means swtpm_setup runs once only when the
swtpm's state directory does not exist because later it would overwrite the
entire state and erase all keys etc.. Later manipulations of the PCR banks
would have to be done using the firmware menu, which exist in EDK2, SeaBIOS
and SLOF.
Yeah, it is a little unusual, but then I guess we have the similarish
with other firmware selection, where setting "secure=yes|no" determines
which OVMF binary we pick to use.


I will probably add a new feature (for swtpm v0.7) to be able to reconfigure the active pcr banks. The availability of this feature can be detected by libvirt via the JSON that swtpm_setup --print-capabilities returns (as usual). Now the problems are:

- What to do when an older version of swtpm package is installed regarding the contents of the XML? Reject the pcr banks one can declare in the domain XML? The other option would be to allow the XML but not to react to it at all and document that one needs swptm v0.7 or later which will probably be the case in most setups sooner or later.

- How would one track changes to the XML versus the state of the swtpm? At the moment I would run the reconfigure script ever time if a set of active PCR banks was given in the XML and it would log like shown below. Should we just turn off the logging (no --log <filename> option) for when doing the '--reconfigure'? Or still log it? Or could we assume the user will remove the active PCR banks description from the XML to avoid the running of swtpm_setup every time to reconfigure (probably not)?

$ swtpm_setup --tpmstate ./ --tpm2 --reconfigure --pcr-banks sha1
Starting vTPM reconfiguration as stefanb:stefanb @ Fri 29 Oct 2021 03:23:59 PM EDT
TPM is listening on Unix socket.
Successfully activated PCR banks sha1 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Fri 29 Oct 2021 03:23:59 PM EDT

The only concern is a log full of these messages.


The alternative is to configuring the active PCR banks on the swtpm_setup level via swtpm_setup.conf and default compile-time options and leave the reconfiguration to using the firmware...

  Stefan





[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux