[PATCH v2 1/8] docs: documentation and schema for the new TPM Proxy model

Daniel Henrique Barboza danielhb413 at gmail.com
Wed May 13 15:30:01 UTC 2020 


On 5/13/20 11:28 AM, Stefan Berger wrote:
> On 5/13/20 10:10 AM, Daniel Henrique Barboza wrote:
>> QEMU 4.1.0 introduced a new device type called TPM Proxy, currently
>> implemented by PPC64 guests via a new virtual device called
>> 'spapr-tpm-proxy' (see QEMU 0fb6bd073230 for more info).
>>
>> The TPM Proxy device interacts with a TPM Resource Manager, a host
>> device capable of multiplexing the host TPM with multiple processes.
>> This allows multiple guests to access some TPM features at the
>> same time. Note that this mode of operation does not provide
>> full TPM features to be available for the guest - for that case
>> the guest still needs to assign a vTPM device (tpm-spapr for
>> PPC64 guests). Although redundant, there is currently no technical
>> limitation for a guest to assign both a vTPM and a TPM Proxy at the
>> same time.
>>
>> This patch adds documentation and schema for a new TPM model
>> type called 'spapr-tpm-proxy' that creates this new TPM Proxy
>> device. This model is valid only for the 'passthrough' backend.
>> An example of a TPM Proxy device connected to a TPM Resource Manager
>> '/dev/tpmrm0' will look like this:
>>
>> <tpm model='spapr-tpm-proxy'>
>>    <backend type='passthrough'>
>>      <device path='/dev/tpmrm0'/>
>>    </backend>
>> </tpm>
>>
>> Signed-off-by: Daniel Henrique Barboza <danielhb413 at gmail.com>
>> ---
>>   docs/formatdomain.html.in     | 16 +++++++++++++++-
>>   docs/schemas/domaincommon.rng |  1 +
>>   2 files changed, 16 insertions(+), 1 deletion(-)
>>
>> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
>> index 23eb029234..ccbb696058 100644
>> --- a/docs/formatdomain.html.in
>> +++ b/docs/formatdomain.html.in
>> @@ -8792,6 +8792,15 @@ qemu-kvm -net nic,model=? /dev/null
>>             backend device is a TPM 2.0. <span class="since">Since 6.1.0</span>,
>>             pSeries guests on PPC64 are supported and the default is
>>             <code>tpm-spapr</code>.
>> +
>> +          <span class="since">Since 6.4.0</span>, a new model called
>> +          <code>spapr-tpm-proxy</code> was added for pSeries guests. This model
> 
> 
> I think you should mention its application is restricted to 'secure VM' here since this seems to be what it is used for. A normal 'pSeries guest' won't make use of it, or would it?


What about this:


           <span class="since">Since 6.4.0</span>, a new model called
           <code>spapr-tpm-proxy</code> was added for pSeries guests. This model
           only works with the 'passthrough' backend. It creates a TPM Proxy
           device that communicates with an existing TPM Resource Manager
           in the host, for example /dev/tpmrm0, to enable secure VM support for
           the guest. Only one TPM Proxy device is allowed per guest, but a TPM Proxy
           device can be added together with other TPM devices.



I cut down the bit about what the TPM Resource Manager does to emphasize the intended
use of the device.


Thanks,


DHB

More information about the libvir-list mailing list