[PATCH v2] qemu: tpm: Run swtpm_setup --create-config-files in session mode

Stefan Berger stefanb at linux.ibm.com
Fri Oct 8 14:56:06 UTC 2021


On 10/8/21 10:52 AM, Daniel P. Berrangé wrote:
> On Fri, Oct 08, 2021 at 09:56:35AM -0400, Stefan Berger wrote:
>> Using swtpm v0.7.0 we can run swtpm_setup to create default config files
>> for swtpm_setup and swtpm-localca in session mode. Now a user can start
>> a VM with an attached TPM without having to run this program on the
>> command line before. This program needs to run once.
>>
>> This patch addresses the issue raised in
>> https://bugzilla.redhat.com/show_bug.cgi?id=2010649
> BTW, I notice the this tool creates certs under $HOME/.config/var
> with an expiry date of +10 years.
>
> Now that sounds like a long time, and indeed it is a long time,
> but then I look at the support lifetime of RHEL... Hopefully
> bare metal hardware won't last for the whole 10 years without
> being replaced, but with nested virt the "hosts" could be VMs
> that get moved to new hardware.
>
> So what's the story if a host hits the 10 year mark for the
> swtpm certs ? Presumably swtpm is validating these dates
> and will refuse to launch the TPM for the VMs on the host ?
It doesn't.
>
>
> Regards,
> Daniel