[PATCH v2 2/2] qemu: tpm: Extend TPM domain XML with PCR banks to activate

Stefan Berger stefanb at linux.ibm.com
Thu Nov 4 13:01:06 UTC 2021


On 11/2/21 05:38, Michal Prívozník wrote:
> On 11/1/21 6:23 PM, Stefan Berger wrote:
>
> So this runs reconfigure on every cold boot of a guest. I wonder whether
> there's a way to run it just once, when activePcrBanks have changed.
> For instance, in qemuDomainDefineXMLFlags() the @oldDef is set to the
> old domain definition and maybe we can use that to compare
> activePcrBanks and run reconfigure at that time? That won't cover
> transient domains though, nor would it cover domains which are
> persistent but are started with a different XML (yes, as horrible as it
> sounds you can 'virsh define dom1.xml && virsh create dom2.xml' where
> dom1.xml and dom2.xml have nothing in common except domain <name/> and
> <uuid/>).

I think 'enforcing' what is shown in the XML is the simplest solution.
Whatever the user may have done inside the VM, such as using the firmware
menu to reconfigure the active PCR banks, doesn't matter since what will
be enforced the next time the VM is cold-started is what is shown in
the XML. Otherwise it's documented how it behaves.

   Stefan

More information about the libvir-list mailing list