[PATCH v2] qemu: tpm: Run swtpm_setup --create-config-files in session mode
Daniel P. Berrangé
berrange at redhat.com
Fri Oct 8 14:52:18 UTC 2021
On Fri, Oct 08, 2021 at 09:56:35AM -0400, Stefan Berger wrote:
> Using swtpm v0.7.0 we can run swtpm_setup to create default config files
> for swtpm_setup and swtpm-localca in session mode. Now a user can start
> a VM with an attached TPM without having to run this program on the
> command line before. This program needs to run once.
>
> This patch addresses the issue raised in
> https://bugzilla.redhat.com/show_bug.cgi?id=2010649
BTW, I notice the this tool creates certs under $HOME/.config/var
with an expiry date of +10 years.
Now that sounds like a long time, and indeed it is a long time,
but then I look at the support lifetime of RHEL... Hopefully
bare metal hardware won't last for the whole 10 years without
being replaced, but with nested virt the "hosts" could be VMs
that get moved to new hardware.
So what's the story if a host hits the 10 year mark for the
swtpm certs ? Presumably swtpm is validating these dates
and will refuse to launch the TPM for the VMs on the host ?
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list