On 11/13/24 18:39, Stefan Berger wrote:
> Upcoming libtpms v0.10 and swtpm v0.10 will have TPM profile support that
> allows restricting a TPM's provided set of crypto algorithms and commands
> and through which backwards compatibility and migration from newer versions
> of libtpms to older ones (up to libtpms v0.9) is supported. For the latter
> to work it is necessary that the user chooses the right ('null') profile.
>
> This series adds support for passing a profile choice to swtpm_setup by
> setting it in the domain XML using the <profile/> XML node. An optional
> attribute 'remove_disabled' can be set in this node and accepts two values:
>
> "check":     test a few crypto algorithms (tdes, camellia, unpadded encryption,
>              and others) for whether they are currently disabled due to FIPS
>              mode on the host and remove these algorithms in the 'custom'
>              profile if they are disabled;
> "fips-host": do not test but remove all the possibly disabled crypto
>              algorithms (from the list above)
>
> Also extend the documentation but point the user to the swtpm and libtpms
> documentation for further details.
>
> Following Daniel's suggestions there's now a PR for swtpm_setup to support
> searching for profiles through a configurable local directory and a distro
> directory; if no profile could be found there (with appended ".json"
> suffix) it will fall back to trying to use a built-in profile by the
> provided name: https://github.com/stefanberger/swtpm/pull/918
>
> Stefan
>
> v4:
>  - Renamed previous 'name' attribute in profile XML node to 'source'
>    to indicate that the profile was created from some sort of 'source'.
>    The 'name' is now set from the name of the profile read from the
>    swtpm instance's state once it has been created.
>
> v3:
>  - 2/10: Adjustments due to rebase
>  - Applied Marc-André's R-b tags
>  - 10/10: Read back profile name from swtpm and adjust it in emulator defs
>
> Stefan Berger (11):
>   conf: Move TPM emulator parameters into own struct
>   qemu: Pass virQEMUDriverConfig rather than some of its fields
>   util: Add parsing support for swtpm_setup's cmdarg-profile capability
>   conf: Define enum virDomainTPMProfileRemoveDisabled
>   schema: Extend schema for TPM emulator profile node
>   conf: Add support for profile parameter on TPM emulator in domain XML
>   docs: Add documentation for the TPM backend profile node
>   qemu: Extend swtpm_setup command line to set a profile by its name
>   qemu: Move adding of keys to swtpm command line into own function
>   qemu: Move adding --tpmstate to swtpm command line into own function
>   qemu: Read back the profile name after creation of a TPM instance
>
>  docs/formatdomain.rst             |  32 +++
>  src/conf/domain_conf.c            |  47 ++++
>  src/conf/domain_conf.h            |  38 ++--
>  src/conf/domain_validate.c        |   7 +
>  src/conf/schemas/domaincommon.rng |  32 +++
>  src/conf/virconftypes.h           |   2 +
>  src/qemu/qemu_extdevice.c         |   5 +-
>  src/qemu/qemu_tpm.c               | 344 ++++++++++++++++++++----------
>  src/qemu/qemu_tpm.h               |   3 +-
>  src/util/virtpm.c                 |   2 +
>  src/util/virtpm.h                 |   2 +
>  tests/testutilsqemu.c             |   1 +
>  12 files changed, 386 insertions(+), 129 deletions(-)
>

This adds a new XML element and attributes but is lacking a corresponding
tests/qemuxmlconfdata/ addition to show the parser/formatter working.

I've uploaded my suggestions here:

https://gitlab.com/MichalPrivoznik/libvirt/-/commits/review_swtpm?ref_type=heads

If you are fine with them, I can squash those fixup commits and merge.

Michal
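As an added illustration (my own code, not part of the thread, libvirt or swtpm), the following Python models two pieces of the behaviour the cover letter describes: the capability gate ("util: Add parsing support for swtpm_setup's cmdarg-profile capability"), under which libvirt only passes a profile when swtpm_setup's --print-capabilities output advertises "cmdarg-profile", and the two values of remove_disabled, where "check" removes from the 'custom' profile only the candidate algorithms the host's FIPS mode actually disables while "fips-host" removes the whole candidate list without probing. The capabilities sample is constructed (the real output is a JSON object with a "features" array); the profile is modelled as a dict with an "Algorithms" list, which is a simplification and not libtpms' actual profile JSON; the algorithm names in FIPS_CANDIDATES are placeholders taken from the cover letter's list; and reading /proc/sys/crypto/fips_enabled is a coarse stand-in for swtpm_setup's per-algorithm tests.

```python
"""Model (added example, not libvirt/swtpm code) of the cmdarg-profile
capability gate and of remove_disabled="check" vs "fips-host"."""
import json
from typing import Iterable, Optional, Set

# Constructed sample of what `swtpm_setup --print-capabilities` may emit.
SWTPM_SETUP_CAPS = json.dumps({
    "type": "swtpm_setup",
    "features": ["tpm-1.2", "tpm-2.0", "cmdarg-profile"],
    "version": "0.10.0",
})

# Algorithms the cover letter names as possibly disabled under FIPS mode
# (assumed spelling; "unpadded-encryption" stands for unpadded RSA encryption).
FIPS_CANDIDATES = ("tdes", "camellia", "unpadded-encryption")

# Accepted values of the remove_disabled attribute (None = attribute absent).
VALID_MODES = (None, "check", "fips-host")


def swtpm_setup_supports_profile(caps_json: str) -> bool:
    """True iff the capabilities JSON lists the "cmdarg-profile" feature.
    Malformed or unexpected output counts as 'not supported', so a caller
    would run swtpm_setup without any profile option instead of guessing."""
    try:
        caps = json.loads(caps_json)
    except json.JSONDecodeError:
        return False
    features = caps.get("features") if isinstance(caps, dict) else None
    return isinstance(features, list) and "cmdarg-profile" in features


def host_fips_enabled(path: str = "/proc/sys/crypto/fips_enabled") -> bool:
    """Coarse stand-in for swtpm_setup's per-algorithm tests: the Linux kernel
    exposes FIPS mode as one flag. A missing file means 'not FIPS'."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def disabled_candidates_on_host() -> Set[str]:
    """Input for "check": with the coarse flag above, FIPS mode means every
    candidate is treated as disabled; otherwise none is."""
    return set(FIPS_CANDIDATES) if host_fips_enabled() else set()


def apply_remove_disabled(profile: dict, mode: Optional[str],
                          host_disabled: Iterable[str]) -> dict:
    """Return a copy of `profile` with candidate algorithms removed per `mode`:
      None        -> profile untouched
      "check"     -> remove only candidates present in `host_disabled`
      "fips-host" -> remove all candidates unconditionally
    Only the 'custom' profile is filtered, as the cover letter describes;
    returning other profiles unchanged is an assumption of this model.
    Unknown modes are rejected, as a domain XML validator would do for an
    unknown attribute value."""
    if mode not in VALID_MODES:
        raise ValueError("unknown remove_disabled value: %r" % (mode,))
    out = dict(profile)
    out["Algorithms"] = list(profile.get("Algorithms", []))
    if mode is None or profile.get("Name") != "custom":
        return out
    if mode == "check":
        drop: Set[str] = set(FIPS_CANDIDATES) & set(host_disabled)
    else:
        drop = set(FIPS_CANDIDATES)
    out["Algorithms"] = [a for a in out["Algorithms"] if a not in drop]
    return out


if __name__ == "__main__":
    custom = {"Name": "custom",
              "Algorithms": ["rsa", "tdes", "aes", "camellia",
                             "unpadded-encryption", "sha256"]}
    print("cmdarg-profile supported:",
          swtpm_setup_supports_profile(SWTPM_SETUP_CAPS))
    print("check:    ", apply_remove_disabled(custom, "check",
                                              disabled_candidates_on_host()))
    print("fips-host:", apply_remove_disabled(custom, "fips-host", ()))
```

The point of the two-stage shape is that a missing capability must lead to not emitting the option at all rather than to an error, while an unrecognised remove_disabled value must fail validation early; "check" needs a probe result and "fips-host" deliberately does not.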