On Thu Aug 3, 2023 at 3:46 PM EEST, Stefan Berger wrote:
>
>
> On 8/3/23 05:06, Jarkko Sakkinen wrote:
> > On Thu Aug 3, 2023 at 11:25 AM EEST, Jarkko Sakkinen wrote:
> >> Hi,
> >>
> >> I have a working PoC for boot-time initialization of vtpm inside
> >> tpm_vtpm_proxy. ATM, it uses the Linux firmware interface to load an ELF
> >> binary for the vtpm, and delivers a communication end for the helper
> >> process.
> >>
> >> It is a great feature with the current narrow scope for continuous
> >> integration. Obviously the scope could be later on extended to e.g.
>
> Since VMs with vTPMs exist, which CI/CD environment would one use this in?
>
> Where does the binary for the vtpm live when it's loaded with the firmware interface?

Obviously vtpm is identified by a filename. The rest of the details are in the Linux firmware documentation.

> >> from unencrypted plain text to a vTPM living inside SGX enclave.
>
> I would run swtpm inside an SGX enclave using Gramine.

Having a zero configuration and also zero dependency mechanism for trivial kernel testing is an objective benefit.

> Where does the binary for the vtpm live when it's loaded with the firmware interface?

Either in initrd or with the help of CONFIG_EXTRA_FIRMWARE_* in vmlinux.

> >> from unencrypted plain text to a vTPM living inside SGX enclave.
>
> I would run swtpm inside an SGX enclave using Gramine.

Why would you want to enforce the use of swtpm?

BR, Jarkko