On 11/3/21 6:04 PM, Stefan Berger wrote: > Extend the TPM backend XML with a node 'active_pcr_banks' that allows a > user to specify the PCR banks to activate before starting a VM. Valid > choices for PCR banks are sha1, sha256, sha384 and sha512. When the XML > node is provided, the set of active PCR banks is 'enforced' by running > swtpm_setup before every start of the VM. The activation requires that > swtpm_setup v0.7 or later is installed and may not have any effect > otherwise. > > <tpm model='tpm-tis'> > <backend type='emulator' version='2.0'> > <active_pcr_banks> > <sha256/> > <sha384/> > </active_pcr_banks> > </backend> > </tpm> > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599 > > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> > --- > docs/formatdomain.rst | 12 +++ > docs/schemas/domaincommon.rng | 30 ++++++ > src/conf/domain_conf.c | 50 +++++++++- > src/conf/domain_conf.h | 11 +++ > src/libvirt_private.syms | 2 + > src/qemu/qemu_tpm.c | 98 +++++++++++++++++++ > src/util/virtpm.c | 1 + > src/util/virtpm.h | 1 + > tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 7 +- > .../tpm-emulator-tpm2.x86_64-latest.xml | 7 +- > 10 files changed, 215 insertions(+), 4 deletions(-) > > diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst > index 0651975c88..eb8c973cf1 100644 > --- a/docs/formatdomain.rst > +++ b/docs/formatdomain.rst > @@ -7539,6 +7539,9 @@ Example: usage of the TPM Emulator > <tpm model='tpm-tis'> > <backend type='emulator' version='2.0'> > <encryption secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/> > + <active_pcr_banks> > + <sha256/> > + </active_pcr_banks> > </backend> > </tpm> > </devices> 
> @@ -7598,6 +7601,15 @@ Example: usage of the TPM Emulator > This attribute only works with the ``emulator`` backend. The accepted values > are ``yes`` and ``no``. :since:`Since 7.0.0` > > +``active_pcr_banks`` > + The ``active_pcr_banks`` node is used to define which of the PCR banks > + of a TPM 2.0 to activate. Valid names are for example sha1, sha256, sha384, > + and sha512. If this node is provided, the set of PCR banks are activated > + before every start of a VM and this step is logged in the swtpm's log. > + This attribute requires that swtpm_setup v0.7 or later is installed > + and may not have any effect otherwise. The selection of PCR banks only works > + with the ``emulator`` backend. since:`Since 7.10.0` > + > ``encryption`` > The ``encryption`` element allows the state of a TPM emulator to be > encrypted. The ``secret`` must reference a secret object that holds the > diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng > index 67df13d90d..4fe3e04af5 100644 > --- a/docs/schemas/domaincommon.rng > +++ b/docs/schemas/domaincommon.rng > @@ -5323,6 +5323,7 @@ > <value>emulator</value> > </attribute> > <ref name="tpm-backend-emulator-encryption"/> > + <ref name="tpm-backend-emulator-active-pcr-banks"/> > <optional> > <attribute name="persistent_state"> > <choice> 
> @@ -5366,6 +5367,35 @@ > </optional> > </define> > > + <define name="tpm-backend-emulator-active-pcr-banks"> > + <optional> > + <element name="active_pcr_banks"> > + <interleave> > + <optional> > + <element name="sha1"> > + <text/> We don't really expect any content for these elements, so s/text/empty/. > + </element> > + </optional> > + <optional> > + <element name="sha256"> > + <text/> > + </element> > + </optional> > + <optional> > + <element name="sha384"> > + <text/> > + </element> > + </optional> > + <optional> > + <element name="sha512"> > + <text/> > + </element> > + </optional> > + </interleave> > + </element> > + </optional> > + </define> > +
Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx> and pushed. Thank you.
Michal
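Review bot: In the docs/formatdomain.rst hunk at @@ -7598,6 +7601,15 @@, the version marker is written as "since:`Since 7.10.0`" without the leading colon, so Sphinx will render it as literal text instead of the role; the existing line two above uses ":since:`Since 7.0.0`" and the new line should match it. The same paragraph also calls the node "This attribute" although it is an element (the RNG hunks define it with <element name="active_pcr_banks">), says "Valid names are for example sha1, sha256, sha384, and sha512" although the schema admits exactly those four, and has a number-agreement slip in "the set of PCR banks are activated". Suggested wording: "Valid names are sha1, sha256, sha384 and sha512. If this element is provided, the set of PCR banks is activated before every start of a VM ... This element requires that swtpm_setup v0.7 or later is installed".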
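Review bot: In the docs/schemas/domaincommon.rng hunk at @@ -5366,6 +5367,35 @@, besides the <text/> to <empty/> change already requested inline, every child of <active_pcr_banks> sits in its own <optional> inside the <interleave>, so the schema accepts a bare <active_pcr_banks/> with no banks listed. The commit message says the mere presence of the node causes swtpm_setup to be run before every VM start to enforce the bank set, so the empty case needs a defined outcome: either have the parser in src/conf/domain_conf.c (not shown in this excerpt) reject an empty element, or state in formatdomain.rst what an empty set means for swtpm_setup. If an empty element is meant to be invalid, wrapping the four <optional> children in a <choice>/<oneOrMore> construct instead of an all-optional <interleave> would also let the schema catch it.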