Re: [PATCH v3 00/10] swtpm: Add support for profiles

On Fri, Oct 18, 2024 at 04:24:04PM -0400, Stefan Berger wrote:
> Upcoming libtpms v0.10 and swtpm v0.10 will have TPM profile support that
> allows restricting a TPM's provided set of crypto algorithms and commands
> and through which backwards compatibility and migration from newer versions
> of libtpms to older ones (up to libtpms v0.9) is supported. For the latter
> to work it is necessary that the user chooses the right ('null') profile.
> 
> This series adds support for passing a profile choice to swtpm_setup by
> setting it in the domain XML using the <profile/> XML node. An optional
> attribute 'remove_disabled' can be set in this node and accepts two values:
> 
> "check": test a few crypto algorithms (tdes, camellia, unpadded encryption,
>          and others) for whether they are currently disabled due to FIPS
>          mode on the host and remove these algorithms in the 'custom'
>          profile if they are disabled; 
> "fips-host": do not test but remove all the possibly disabled crypto
>              algorithms (from list above)
> 
> Also extend the documentation but point the user to swtpm and libtpms
> documentation for further details.
> 
> Following Daniel's suggestions there's now a PR for swtpm_setup to support
> searching for profiles through a configurable local directory, distro
> directory and if no profile could be found there (with appended
> ".json" suffix) it will fall back to try to use a built-in profile by
> the provided name: https://github.com/stefanberger/swtpm/pull/918
> 
>     Stefan
> 
> v3:
>  - 2/10: Adjustments due to rebase
>  - Applied Marc-André's R-b tags
>  - 10/10: Read back profile name from swtpm and adjust it in emulator defs
> 
> Stefan Berger (10):
>   conf: Move TPM emulator parameters into own struct
>   qemu: Pass virQEMUDriverConfig rather than some of its fields
>   util: Add parsing support for swtpm_setup's cmdarg-profile capability
>   conf: Define enum virDomainTPMProfileRemoveDisabled
>   schema: Extend schema for TPM emulator profile node
>   conf: Add support for profile parameter on TPM emulator in domain XML
>   docs: Add documentation for the TPM backend profile node
>   qemu: Extend swtpm_setup command line to set a profile by its name
>   qemu: Move adding of keys to swtpm command line into own function
>   qemu: Read the profile name after creation of TPM instance
> 
>  docs/formatdomain.rst             |  30 +++
>  src/conf/domain_conf.c            |  43 +++++
>  src/conf/domain_conf.h            |  35 ++--
>  src/conf/domain_validate.c        |   7 +
>  src/conf/schemas/domaincommon.rng |  25 +++
>  src/conf/virconftypes.h           |   2 +
>  src/qemu/qemu_extdevice.c         |   5 +-
>  src/qemu/qemu_tpm.c               | 310 ++++++++++++++++++++----------
>  src/qemu/qemu_tpm.h               |   3 +-
>  src/util/virtpm.c                 |   2 +
>  src/util/virtpm.h                 |   2 +
>  tests/testutilsqemu.c             |   1 +
>  12 files changed, 355 insertions(+), 110 deletions(-)

The new XML schema doesn't affect QEMU CLI args, so we don't need a
QEMU argv test file, but we should still have an XML test file to
validate the parsing & formatting of the new fields.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



