Hi On Wed, Nov 13, 2024 at 9:40 PM Stefan Berger <stefanb@xxxxxxxxxxxxx> wrote: > > Upcoming libtpms v0.10 and swtpm v0.10 will have TPM profile support that > allows to restrict a TPM's provided set of crypto algorithms and commands > and through which backwards compatibility and migration from newer versions > of libtpms to older ones (up to libtpms v0.9) is supported. For the latter > to work it is necessary that the user chooses the right ('null') profile. > > This series adds support for passing a profile choice to swtpm_setup by > setting it in the domain XML using the <profile/> XML node. An optional > attribute 'remove_disabled' can be set in this node and accepts two values: > > "check": test a few crypto algorithms (tdes, camellia, unpadded encryption, > and others) for whether they are currently disabled due to FIPS > mode on the host and remove these algorithms in the 'custom' > profile if they are disabled; > "fips-host": do not test but remove all the possibly disabled crypto > algorithms (from list above) > > Also extend the documentation but point the user to swtpm and libtpms > documentation for further details. > > Follow Deniel's suggestions there's now a PR for swtpm_setup to support > searching for profiles though a configurable local directory, distro > directory and if no profile could be found there (with appended > ".json" suffix) it will fall back to try to use a built-in profile by > the provided name: https://github.com/stefanberger/swtpm/pull/918 > > Stefan > > v4: > - Renamed previous 'name' attribute in profile XML node to 'source' > to indicate that the profile was created from some sort of 'source'. > The 'name' is now set from the name of the profile read from the > swtpm instance's state once it has been created. This difference between 'source' and 'name' is not described in the domain xml documentation. Also the doc still has 10.??.0. thanks