[PATCH v2 2/2] qemu: tpm: Extend TPM domain XML with PCR banks to activate
Daniel P. Berrangé
berrange at redhat.com
Tue Nov 2 09:57:56 UTC 2021
On Tue, Nov 02, 2021 at 10:38:05AM +0100, Michal Prívozník wrote:
> On 11/1/21 6:23 PM, Stefan Berger wrote:
> > Extend the TPM domain XML with an attribute active_pcr_banks that allows
> > a user to specify the PCR banks to activate before starting a VM. A comma-
> > separated list of PCR banks with the choices of sha1, sha256, sha384 and
> > sha512 is allowed. When the XML attribute is provided, the set of active
> > PCR banks is 'enforced' by running swtpm_setup before every start of the
> > VM. The activation requires that swtpm_setup v0.7 or later is installed
> > and may not have any effect otherwise.
> >
> > <tpm model='tpm-tis'>
> > <backend type='emulator' version='2.0' active_pcr_banks='sha256,sha384'/>
> > </tpm>
> >
> > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599
> >
> > Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> > ---
> > docs/formatdomain.rst | 12 ++-
> > docs/schemas/basictypes.rng | 6 ++
> > docs/schemas/domaincommon.rng | 5 ++
> > src/conf/domain_conf.c | 21 ++++-
> > src/conf/domain_conf.h | 1 +
> > src/qemu/qemu_tpm.c | 80 +++++++++++++++++++
> > src/util/virtpm.c | 1 +
> > src/util/virtpm.h | 1 +
> > tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 2 +-
> > .../tpm-emulator-tpm2.x86_64-latest.xml | 2 +-
> > 10 files changed, 127 insertions(+), 4 deletions(-)
> >
> > diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> > index 0651975c88..8785a7a682 100644
> > --- a/docs/formatdomain.rst
> > +++ b/docs/formatdomain.rst
> > @@ -7537,7 +7537,7 @@ Example: usage of the TPM Emulator
> > ...
> > <devices>
> > <tpm model='tpm-tis'>
> > - <backend type='emulator' version='2.0'>
> > + <backend type='emulator' version='2.0' active_pcr_banks='sha256'>
> > <encryption secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/>
> > </backend>
> > </tpm>
> > @@ -7598,6 +7598,16 @@ Example: usage of the TPM Emulator
> > This attribute only works with the ``emulator`` backend. The accepted values
> > are ``yes`` and ``no``. :since:`Since 7.0.0`
> >
> > +``active_pcr_banks``
> > + The ``active_pcr_banks`` attribute indicates the names of the PCR banks
> > + of a TPM 2.0 to activate. A comma separated list of PCR banks' names
> > + must be provided. Valid names are for example sha1, sha256, sha384, and
> > + sha512. If this attribute is provided, the set of PCR banks are activated
> > + before every start of a VM and this step is logged in the swtpm's log.
> > + This attribute requires that swtpm_setup v0.7 or later is installed
> > + and may not have any effect otherwise. This attribute only works with the
> > + ``emulator`` backend. since:`Since 7.10.0`
> > +
> > ``encryption``
> > The ``encryption`` element allows the state of a TPM emulator to be
> > encrypted. The ``secret`` must reference a secret object that holds the
> > diff --git a/docs/schemas/basictypes.rng b/docs/schemas/basictypes.rng
> > index a221ff6295..3bd1eebdc4 100644
> > --- a/docs/schemas/basictypes.rng
> > +++ b/docs/schemas/basictypes.rng
> > @@ -88,6 +88,12 @@
> > </choice>
> > </define>
> >
> > + <define name="pcrBankList">
> > + <data type="string">
> > + <param name="pattern">(sha1|sha256|sha384|sha512){1}(,(sha1|sha256|sha384|sha512)){0,3}</param>
> > + </data>
> > + </define>
> > +
>
> Honestly, I'm not a big fan of comma separated lists. I think we could
> do with nested elements, repeated for each option. But I'll let others
> decide that.
Yes, the golden rule of XML design is that you should not have to write
a second parser to interpret the value of an attribute / element. Any
structure should be represented in the XML design itself.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list