[libvirt] Encrypted vTPM state
Stefan Berger
stefanb at linux.ibm.com
Thu Jun 27 16:15:12 UTC 2019
Hello!
Marc-André told me there was interest in encrypting the vTPM state.
I do have some patches along these lines from a long time ago that I
haven't upstreamed. I'd be curious about some feedback on some corner
stones of the design to support this:
- Encryption of the vTPM state must be added when a vTPM's XML is
created. It's not possible to convert existing not-encrypted vTPM state
to encrypted vTPM state. This is due to a limitation of 'swtpm.'
- vTPM state encryption would be based on libvirt's Secret support. I
assume the secrets can migrate along the domain XML.
- The XML for vTPM state encryption is similar to XML used for 'luks':
https://libvirt.org/formatstorageencryption.html#example
- The XML for an encrypted vTPM state could look like this:
<devices>
[...]
<tpm model='tpm-tis'>
<backend type='emulator' version='2.0'>
<encryption format='vtpm'>
<secret type='passphrase'
uuid='32ee7e76-2178-47a1-ab7b-269e6e348015'/>
</encryption>
</backend>
</tpm>
</devices>
Here the user is referencing an already existing Secret. This secret
would NOT be automatically undefined when a VM is undefined.
- Another possibility may be this XML here:
<devices>
[...]
<tpm model='tpm-tis'>
<backend type='emulator' version='2.0'>
<encryption format='default'/>
</backend>
</tpm>
</devices>
In this case the Secret would be automatically generated and this domain
XML be rewritten to look like the one in the first example. The domain
XML would then reference the created secret via usage=vtpm-<vmuuid>,
which would be an indication that this secret can be deleted when the VM
is undefined.
- The Secret XML to be passed to virsh secret-define would look like this:
<secret ephemeral='no' private='yes'>
<description>vTPM passphrase example</description>
<usage type='vtpm'>
<name>vtpm_example</name>
</usage>
</secret>
Regards,
Stefan
More information about the libvir-list
mailing list