On Mon, Sep 23, 2024 at 01:30:50PM -0400, Stefan Berger wrote:
>
>
> On 9/23/24 12:55 PM, Daniel P. Berrangé wrote:
> > On Fri, Sep 20, 2024 at 10:00:40AM -0400, Stefan Berger wrote:
> > >
> > >
> > > On 9/20/24 8:55 AM, Daniel P. Berrangé wrote:
> > > > Instead I think there should be a defined standard for how a distro
> > > > package, or host sysadmin, would "drop in" a profile definition to
> > > > a well defined directory, whereupon we can reference it by name in
> > > > libvirt,
> > > >
> > > > eg define two dirs
> > > >
> > > >    /usr/share/swptm/profiles/<name>.json  (for os distro)
> > > >    /etc/swptm/profiles/<name>.json (for local deployment)
> > >
> > > With the above:
> > >
> > > <profile name='null' type='built-in'/>
> > > <profile name='default-v1' type='built-in'/>
> > > <profile name='custom' type='built-in' remove_disabled='check'/>
> > >
> > > <profile name='restricted' type='distro'/>  --> name is a filename now
> > > <profile name='test' type='local' remove_disabled='check'/> --> name is a
> > > filename now
> >
> > Do we really need to express a "type" attribute ?  How about if
> > swtpm itself were to load profiles from the /usr/share/swtpm
> > and /etc/swtpm directories, so that from a user's POV there
> > is no distinction between built-in & file defined profiles ?
> >
> > I guess you want to resolve naming clashes.  A couple of options
> >
> >  - <name>.json in /etc/ overrides <name>.json in /usr/
> >    which overrides <name> built-in.
> >
>
> I think this makes it easier for a user to choose from:
>
> <profile builtin="null"/>
> <profile builtin="default-v1"/>
> <profile builtin="custom" remove_disabled='check'/>
> <profile distro='restricted'/>
> <profile local='test' remove_disabled='check'/>

I think that creates unnecessary upgrade drama.

Consider that new swtpm defines a new built-in profile "default-v3",
but your current host does not have "default-v3" as a built-in
profile. You should be able to define that as a local profile or
system profile with the same name, and have an upgrade path to
future swtpm which has it as a built-in profile *without* having
to change the XML.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
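
The single-namespace lookup order discussed in the thread (local file, then distro file, then built-in), as an added example that is not code from swtpm or libvirt. `resolve_profile`, the name pattern and the directory arguments are assumptions for illustration; because the profile name becomes a filename, the sketch validates it before building a path.

```python
import re
import tempfile
from pathlib import Path

# Built-in profile names mentioned in the thread.
BUILTINS = frozenset({"null", "default-v1", "custom"})

# Assumed naming rule: the name becomes "<name>.json", so it must not be able
# to carry a path separator or start with a dot.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def resolve_profile(name, local_dir, distro_dir, builtins=BUILTINS):
    """Return (source, path) for a profile name; path is None for built-ins.

    Precedence from the thread: <name>.json in the local (/etc) directory
    overrides <name>.json in the distro (/usr/share) directory, which
    overrides a built-in of the same name.
    """
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid profile name: {name!r}")
    for source, directory in (("local", local_dir), ("distro", distro_dir)):
        candidate = Path(directory) / f"{name}.json"
        if candidate.is_file():
            return source, candidate
    if name in builtins:
        return "built-in", None
    raise LookupError(f"unknown profile: {name!r}")


if __name__ == "__main__":
    # Constructed layout standing in for /etc/swtpm and /usr/share/swtpm.
    with tempfile.TemporaryDirectory() as root:
        local, distro = Path(root, "etc"), Path(root, "usr")
        local.mkdir()
        distro.mkdir()
        (local / "default-v3.json").write_text("{}")  # constructed sample
        # Host whose swtpm lacks "default-v3": the local file supplies it.
        print(resolve_profile("default-v3", local, distro))
        # After an upgrade that ships it built-in, the same name still works.
        (local / "default-v3.json").unlink()
        print(resolve_profile("default-v3", local, distro,
                              BUILTINS | {"default-v3"}))
```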