On Wed, Mar 22, 2023 at 10:15:33AM +0100, Jörg Rödel wrote:
> There is of course work building on linux-svsm out there, too. It would
> be interesting to get an overview of that. We are already looking into
> porting over the attestation code IBM wrote for linux-svsm (although we
> would prefer IBM submitting it :) ). The vTPM code out there can not be
> ported over as-is, as COCONUT will not link a whole TPM library in its
> code-base. But maybe it can be the base for a separate vTPM binary run
> by COCONUT.

For whichever SVSM impl becomes the dominant, the vTPM support with
persistence is something I see as a critical component. It lets the
guest OS boot process at least be largely decoupled from the CVM
attestation process, and instead rely on the pre-existing support for
TPMs, SecureBoot & secret sealing which is common to bare metal and
non-confidential VM deployments alike.

With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|