Add documentation for the TPM backend profile node and point the reader to further documentation about TPM profiles available in the swtpm man page. Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> --- docs/formatdomain.rst | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index c50744b57b..6539f620fa 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -8131,6 +8131,7 @@ Example: usage of the TPM Emulator <active_pcr_banks> <sha256/> </active_pcr_banks> + <profile source='local:restricted' remove_disabled='check'/> </backend> </tpm> </devices> @@ -8225,6 +8226,35 @@ Example: usage of the TPM Emulator and may not have any effect otherwise. The selection of PCR banks only works with the ``emulator`` backend. :since:`Since 7.10.0` +``profile`` + The ``profile`` node is used to set a profile for a TPM 2.0 given in the + source attribute. This profile will be set when the TPM is initially + created and after that cannot be changed anymore. If no profile is provided, + then swtpm will use the latest built-in 'default' profile or the default + profile set in swtpm_setup.conf. Otherwise swtpm_setup will search for a + profile with the given name with appended .json suffix in a configurable + local and then in a distro directory. If none could be found in either, it + will fall back trying to use a built-in one. + + The built-in 'null' profile provides backwards compatibility with + libtpms v0.9 but also restricts the user to use only TPM features that were + available at the time of libtpms v0.9. The built-in 'custom' profile is the + only profile that a user can modify and where the ``remove_disabled`` + attribute has any effect. This attribute is particularly useful when a host + is running in FIPS mode and therefore some crypto algorithms (camellia, + tdes, unpadded RSA encryption, 1024-bit RSA keys, and others) are + disabled. When it is set to ``check`` (recommended) then only those + algorithms that are currently disabled will automatically be removed from + the 'custom' profile, while when it is set to ``fips-host`` then all + potentially disabled algorithms will be removed. :since:`Since 10.??.0` + + TPM profiles provided by a distro can be referenced with the 'distro:' + prefix. Locally created TPM profiles can be referenced with the + 'local:' prefix. + + For further information about TPM profiles see the man pages for ``swtpm`` + (swtpm v0.10). + ``encryption`` The ``encryption`` element allows the state of a TPM emulator to be encrypted. The ``secret`` must reference a secret object that holds the -- 2.47.0