[libvirt] [PATCH v7 00/19] Add support for vTPM state encryption
Daniel P. Berrangé
berrange at redhat.com
Fri Jul 26 09:36:06 UTC 2019
On Thu, Jul 25, 2019 at 02:21:56PM -0400, Stefan Berger wrote:
> This series of patches addresses the RFE in BZ 172830:
> https://bugzilla.redhat.com/show_bug.cgi?id=1728030
>
> This series of patches adds support for vTPM state encryption by passing
> the read-end of a pipe's file descriptor to 'swtpm_setup' and 'swtpm'
> where they can read a passphrase from and derive a key from that passphrase.
>
> The TPM's domain XML looks to enable state encryption looks like this:
>
> <tpm model='tpm-tis'>
> <backend type='emulator' version='1.2'>
> <encryption secret='2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd'/>
> </backend>
> </tpm>
>
> The vTPM secret holding the passphrase looks like this:
>
> <secret ephemeral='no' private='yes'>
> <uuid>2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd</uuid>
> <description>vTPM passphrase example</description>
> <usage type='vtpm'>
> <name>vtpm_example</name>
> </usage>
> </secret>
>
>
> The swtpm v0.2 is needed that supports the command line option
> --print-capabilities returning a JSON object that identifies features added
> since v0.1. One such features is the possibility to pass a passphrase via a
> file descriptor.
>
> The patches do some refactoring of existing code on the way.
This series is now pushed to GIT, thanks for your work on it
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list