Re: [PATCH v2 2/2] qemu: tpm: Extend TPM domain XML with PCR banks to activate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Nov 02, 2021 at 10:38:05AM +0100, Michal Prívozník wrote:
> On 11/1/21 6:23 PM, Stefan Berger wrote:
> > Extend the TPM domain XML with an attribute active_pcr_banks that allows
> > a user to specify the PCR banks to activate before starting a VM. A comma-
> > separated list of PCR banks with the choices of sha1, sha256, sha384 and
> > sha512 is allowed. When the XML attribute is provided, the set of active
> > PCR banks is 'enforced' by running swtpm_setup before every start of the
> > VM. The activation requires that swtpm_setup v0.7 or later is installed
> > and may not have any effect otherwise.
> > 
> > <tpm model='tpm-tis'>
> >   <backend type='emulator' version='2.0' active_pcr_banks='sha256,sha384'/>
> > </tpm>
> > 
> > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599
> > 
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> > ---
> >  docs/formatdomain.rst                         | 12 ++-
> >  docs/schemas/basictypes.rng                   |  6 ++
> >  docs/schemas/domaincommon.rng                 |  5 ++
> >  src/conf/domain_conf.c                        | 21 ++++-
> >  src/conf/domain_conf.h                        |  1 +
> >  src/qemu/qemu_tpm.c                           | 80 +++++++++++++++++++
> >  src/util/virtpm.c                             |  1 +
> >  src/util/virtpm.h                             |  1 +
> >  tests/qemuxml2argvdata/tpm-emulator-tpm2.xml  |  2 +-
> >  .../tpm-emulator-tpm2.x86_64-latest.xml       |  2 +-
> >  10 files changed, 127 insertions(+), 4 deletions(-)
> > 
> > diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> > index 0651975c88..8785a7a682 100644
> > --- a/docs/formatdomain.rst
> > +++ b/docs/formatdomain.rst
> > @@ -7537,7 +7537,7 @@ Example: usage of the TPM Emulator
> >       ...
> >       <devices>
> >         <tpm model='tpm-tis'>
> > -         <backend type='emulator' version='2.0'>
> > +         <backend type='emulator' version='2.0' active_pcr_banks='sha256'>
> >             <encryption secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/>
> >           </backend>
> >         </tpm>
> > @@ -7598,6 +7598,16 @@ Example: usage of the TPM Emulator
> >     This attribute only works with the ``emulator`` backend. The accepted values
> >     are ``yes`` and ``no``. :since:`Since 7.0.0`
> >  
> > +``active_pcr_banks``
> > +   The ``active_pcr_banks`` attribute indicates the names of the PCR banks
> > +   of a TPM 2.0 to activate. A comma separated list of PCR banks' names
> > +   must be provided. Valid names are for example sha1, sha256, sha384, and
> > +   sha512. If this attribute is provided, the set of PCR banks are activated
> > +   before every start of a VM and this step is logged in the swtpm's log.
> > +   This attribute requires that swtpm_setup v0.7 or later is installed
> > +   and may not have any effect otherwise. This attribute only works with the
> > +   ``emulator`` backend. since:`Since 7.10.0`
> > +
> >  ``encryption``
> >     The ``encryption`` element allows the state of a TPM emulator to be
> >     encrypted. The ``secret`` must reference a secret object that holds the
> > diff --git a/docs/schemas/basictypes.rng b/docs/schemas/basictypes.rng
> > index a221ff6295..3bd1eebdc4 100644
> > --- a/docs/schemas/basictypes.rng
> > +++ b/docs/schemas/basictypes.rng
> > @@ -88,6 +88,12 @@
> >      </choice>
> >    </define>
> >  
> > +  <define name="pcrBankList">
> > +    <data type="string">
> > +      <param name="pattern">(sha1|sha256|sha384|sha512){1}(,(sha1|sha256|sha384|sha512)){0,3}</param>
> > +    </data>
> > +  </define>
> > +
> 
> Honestly, I'm not a big fan of comma separated lists. I think we could
> do with nested elements, repeated for each option. But I'll let others
> decide that.

Yes, the golden rule of XML design is that you should not have to write
a second parser to interpret the value of an attribute / element. Any
structure should be represented in the XML design itself.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux