[PATCH v3 2/2] qemu: tpm: Extend TPM domain XML with PCR banks to activate
Michal Prívozník
mprivozn at redhat.com
Fri Nov 5 08:24:09 UTC 2021
On 11/3/21 6:04 PM, Stefan Berger wrote:
> Extend the TPM backend XML with a node 'active_pcr_banks' that allows a
> user to specify the PCR banks to activate before starting a VM. Valid
> choices for PCR banks are sha1, sha256, sha384 and sha512. When the XML
> node is provided, the set of active PCR banks is 'enforced' by running
> swtpm_setup before every start of the VM. The activation requires that
> swtpm_setup v0.7 or later is installed and may not have any effect
> otherwise.
>
> <tpm model='tpm-tis'>
> <backend type='emulator' version='2.0'>
> <active_pcr_banks>
> <sha256/>
> <sha384/>
> </active_pcr_banks>
> </backend>
> </tpm>
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599
>
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> ---
> docs/formatdomain.rst | 12 +++
> docs/schemas/domaincommon.rng | 30 ++++++
> src/conf/domain_conf.c | 50 +++++++++-
> src/conf/domain_conf.h | 11 +++
> src/libvirt_private.syms | 2 +
> src/qemu/qemu_tpm.c | 98 +++++++++++++++++++
> src/util/virtpm.c | 1 +
> src/util/virtpm.h | 1 +
> tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 7 +-
> .../tpm-emulator-tpm2.x86_64-latest.xml | 7 +-
> 10 files changed, 215 insertions(+), 4 deletions(-)
>
> diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> index 0651975c88..eb8c973cf1 100644
> --- a/docs/formatdomain.rst
> +++ b/docs/formatdomain.rst
> @@ -7539,6 +7539,9 @@ Example: usage of the TPM Emulator
> <tpm model='tpm-tis'>
> <backend type='emulator' version='2.0'>
> <encryption secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/>
> + <active_pcr_banks>
> + <sha256/>
> + </active_pcr_banks>
> </backend>
> </tpm>
> </devices>
> @@ -7598,6 +7601,15 @@ Example: usage of the TPM Emulator
> This attribute only works with the ``emulator`` backend. The accepted values
> are ``yes`` and ``no``. :since:`Since 7.0.0`
>
> +``active_pcr_banks``
> + The ``active_pcr_banks`` node is used to define which of the PCR banks
> + of a TPM 2.0 to activate. Valid names are for example sha1, sha256, sha384,
> + and sha512. If this node is provided, the set of PCR banks are activated
> + before every start of a VM and this step is logged in the swtpm's log.
> + This attribute requires that swtpm_setup v0.7 or later is installed
> + and may not have any effect otherwise. The selection of PCR banks only works
> + with the ``emulator`` backend. since:`Since 7.10.0`
> +
> ``encryption``
> The ``encryption`` element allows the state of a TPM emulator to be
> encrypted. The ``secret`` must reference a secret object that holds the
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 67df13d90d..4fe3e04af5 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -5323,6 +5323,7 @@
> <value>emulator</value>
> </attribute>
> <ref name="tpm-backend-emulator-encryption"/>
> + <ref name="tpm-backend-emulator-active-pcr-banks"/>
> <optional>
> <attribute name="persistent_state">
> <choice>
> @@ -5366,6 +5367,35 @@
> </optional>
> </define>
>
> + <define name="tpm-backend-emulator-active-pcr-banks">
> + <optional>
> + <element name="active_pcr_banks">
> + <interleave>
> + <optional>
> + <element name="sha1">
> + <text/>
We don't really expect any content for these elements. so s/text/empty/.
> + </element>
> + </optional>
> + <optional>
> + <element name="sha256">
> + <text/>
> + </element>
> + </optional>
> + <optional>
> + <element name="sha384">
> + <text/>
> + </element>
> + </optional>
> + <optional>
> + <element name="sha512">
> + <text/>
> + </element>
> + </optional>
> + </interleave>
> + </element>
> + </optional>
> + </define>
> +
Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
and pushed. Thank you.
Michal
More information about the libvir-list
mailing list