Re: [RFC PATCH v1 3/6] schema: Extend schema for TPM emulator profile node

On 9/23/24 12:55 PM, Daniel P. Berrangé wrote:
On Fri, Sep 20, 2024 at 10:00:40AM -0400, Stefan Berger wrote:


On 9/20/24 8:55 AM, Daniel P. Berrangé wrote:
Instead I think there should be a defined standard for how a distro
package, or host sysadmin, would "drop in" a profile definition to
a well defined directory, where upon we can reference it by name in
libvirt,

eg define two dirs

     /usr/share/swtpm/profiles/<name>.json   (for os distro)
     /etc/swtpm/profiles/<name>.json         (for local deployment)

With the above:

<profile name='null' type='built-in'/>
<profile name='default-v1' type='built-in'/>
<profile name='custom' type='built-in' remove_disabled='check'/>

<profile name='restricted' type='distro'/>    --> name is a filename now
<profile name='test' type='local' remove_disabled='check'/>  --> name is a filename now

Do we really need to express a "type" attribute ? How about if
swtpm itself were to load profiles from the /usr/share/swtpm
and /etc/swtpm directories, so that from a users' POV there
is no distinction between built-in & file defined profiles ?

I guess you want to resolve naming clashes. A couple of options

  - <name>.json in /etc/ overrides <name>.json in /usr/
    which overrides <name> built-in.


I think this makes it easier for a user to choose from:

<profile builtin="null"/>
<profile builtin="default-v1"/>
<profile builtin="custom" remove_disabled='check'/>
<profile distro='restricted'/>
<profile local='test' remove_disabled='check'/>


  - <name>.json in /etc is ignored if it clashes with <name>.json
    in /usr or built-in

  - swtpm gives the profile name a prefix itself, based
    on where it came from eg  "system:blah" or "local:blah"
    for /usr/ and /etc respectively.


With regards,
Daniel
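The three clash-handling options Daniel lists above, worked through as a small resolver plus a shadowing report a sysadmin could run before trusting a local drop-in. This is an added example, not swtpm's or libvirt's code; the two directory paths come from the thread, while the policy names, the in-memory file layout and the built-in profile set are assumptions.

```python
from typing import Optional

# Directories proposed in the thread; the layout below is constructed, nothing is read from disk
DISTRO_DIR = "/usr/share/swtpm/profiles"
LOCAL_DIR = "/etc/swtpm/profiles"

# Assumed built-in profile names, taken from the XML samples in the thread
BUILTIN = {"null", "default-v1", "custom"}

# Constructed sample layout: "restricted" exists in both dirs, "default-v1" shadows a built-in
SAMPLE_FS = {
    DISTRO_DIR: ["restricted.json", "default-v1.json"],
    LOCAL_DIR: ["test.json", "restricted.json"],
}


def list_json_profiles(directory: str, fs: dict) -> set:
    """Return <name> for every <name>.json in directory (fs is the constructed layout)."""
    return {f[:-5] for f in fs.get(directory, []) if f.endswith(".json")}


def resolve(name: str, policy: str, fs: dict) -> Optional[str]:
    """Map a profile name to its origin ('built-in', 'distro', 'local') under one policy, or None."""
    distro = list_json_profiles(DISTRO_DIR, fs)
    local = list_json_profiles(LOCAL_DIR, fs)
    if policy == "override":  # option 1: /etc beats /usr, which beats built-in
        return "local" if name in local else "distro" if name in distro \
            else "built-in" if name in BUILTIN else None
    if policy == "ignore-clash":  # option 2: a clashing /etc file is ignored
        # assumption: built-in also beats /usr; the thread only settles the /etc case
        return "built-in" if name in BUILTIN else "distro" if name in distro \
            else "local" if name in local else None
    if policy == "prefix":  # option 3: "system:<name>" / "local:<name>", bare names are built-in
        src, _, base = name.partition(":")
        if not base:
            return "built-in" if src in BUILTIN else None
        if src == "system" and base in distro:
            return "distro"
        if src == "local" and base in local:
            return "local"
        return None
    raise ValueError(f"unknown policy {policy!r}")


def find_clashes(fs: dict) -> dict:
    """Report names defined in more than one place, i.e. where a policy choice changes the result."""
    distro = list_json_profiles(DISTRO_DIR, fs)
    local = list_json_profiles(LOCAL_DIR, fs)
    return {"local_vs_distro": sorted(local & distro),
            "local_vs_builtin": sorted(local & BUILTIN),
            "distro_vs_builtin": sorted(distro & BUILTIN)}
```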



