[PATCH v2] qemu: tpm: Run swtpm_setup --create-config-files in session mode

Fri Oct 8 16:19:02 UTC 2021

On 10/8/21 10:56 AM, Stefan Berger wrote:
>
> On 10/8/21 10:52 AM, Daniel P. Berrangé wrote:
>> On Fri, Oct 08, 2021 at 09:56:35AM -0400, Stefan Berger wrote:
>>> Using swtpm v0.7.0 we can run swtpm_setup to create default config 
>>> files
>>> for swtpm_setup and swtpm-localca in session mode. Now a user can start
>>> a VM with an attached TPM without having to run this program on the
>>> command line before. This program needs to run once.
>>>
>>> This patch addresses the issue raised in
>>> https://bugzilla.redhat.com/show_bug.cgi?id=2010649
>> BTW, I notice the this tool creates certs under $HOME/.config/var
>> with an expiry date of +10 years.
>>
>> Now that sounds like a long time, and indeed it is a long time,
>> but then I look at the support lifetime of RHEL... Hopefully
>> bare metal hardware won't last for the whole 10 years without
>> being replaced, but with nested virt the "hosts" could be VMs
>> that get moved to new hardware.
>>
>> So what's the story if a host hits the 10 year mark for the
>> swtpm certs ? Presumably swtpm is validating these dates
>> and will refuse to launch the TPM for the VMs on the host ?
> It doesn't.

I am switching to non-expiring certificates now which should help 
address this issue for future CAs.

These CAs 'created on the fly' were thought of merely as a convenience 
for the user and someone more serious about the TPM CAs would create 
them on their own and use appropriate dates for the expiration and 
manage these certificates before they expire. In a larger setting all 
hosts should share a fairly well-known TPM CA so that all vTPMs' 
certificates are signed with the same CA and certificate validators 
don't need to have n hosts' certs but just '1'. However, that requires 
setup by an admin rather than relying on CAs 'created on the fly'.

Thanks for the feedback

     Stefan

>>
>>
>> Regards,
>> Daniel
>
>