[PATCH] qemu: Extend qemu.conf with PCR banks to activate during 'TPM manufacturing'

Marc-André Lureau marcandre.lureau at redhat.com
Wed Oct 27 18:17:54 UTC 2021


Hi

On Wed, Oct 27, 2021 at 9:00 PM Stefan Berger <stefanb at linux.ibm.com> wrote:
>
> Extend qemu.conf with a configuration option swtpm_active_pcr_banks that
> allows a user to set a comma-separated list of PCR banks to activate
> during 'TPM manufacturing'. Valid PCR banks are sha1,sha256,sha384 and
> sha512.
>

Why not put this option in swtpm_setup.conf instead?

> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599
>
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> ---
>  src/qemu/qemu.conf   | 8 ++++++++
>  src/qemu/qemu_conf.c | 6 ++++++
>  src/qemu/qemu_conf.h | 1 +
>  src/qemu/qemu_tpm.c  | 8 ++++++++
>  4 files changed, 23 insertions(+)
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 71fd125699..7aa151ed55 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -915,6 +915,14 @@
>  #swtpm_user = "tss"
>  #swtpm_group = "tss"
>
> +# The PCR banks to activate during 'TPM manufacturing' before a swtpm instance
> +# is started the first time.
> +#
> +# A comma-separated list without spaces containing sha1,sha256,sha384, or
> +# sha512. The default is 'sha256'.
> +#
> +# swtpm_active_pcr_banks = "sha256,sha384"
> +
>  # For debugging and testing purposes it's sometimes useful to be able to disable
>  # libvirt behaviour based on the capabilities of the qemu process. This option
>  # allows to do so. DO _NOT_ use in production and beaware that the behaviour
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index 0451bc70ac..a62525385e 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -384,6 +384,8 @@ static void virQEMUDriverConfigDispose(void *obj)
>      g_strfreev(cfg->capabilityfilters);
>
>      g_free(cfg->deprecationBehavior);
> +
> +    g_free(cfg->swtpmActivePcrBanks);
>  }
>
>
> @@ -1030,6 +1032,10 @@ virQEMUDriverConfigLoadSWTPMEntry(virQEMUDriverConfig *cfg,
>      if (swtpm_group && virGetGroupID(swtpm_group, &cfg->swtpm_group) < 0)
>          return -1;
>
> +    if (virConfGetValueString(conf, "swtpm_active_pcr_banks",
> +                              &cfg->swtpmActivePcrBanks) < 0)
> +        return -1;
> +
>      return 0;
>  }
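Review bot: The new swtpm_active_pcr_banks value is stored on the added lines after the swtpm_group check without any validation, so a misspelled bank name is only diagnosed when swtpm_setup fails at the first start of a domain, far from the config file that caused it. Since qemu.conf documents exactly four accepted names, the loader can split the list and reject anything else with VIR_ERR_CONF_SYNTAX at load time, where the other swtpm settings are already checked. Whether an empty element from a trailing comma should be rejected as well is a policy choice worth making explicit here. virQEMUDriverConfigLoadSWTPMEntry starts outside the hunk.
```c
    if (virConfGetValueString(conf, "swtpm_active_pcr_banks",
                              &cfg->swtpmActivePcrBanks) < 0)
        return -1;

    if (cfg->swtpmActivePcrBanks) {
        g_auto(GStrv) banks = g_strsplit(cfg->swtpmActivePcrBanks, ",", 0);
        size_t i;

        /* only the names swtpm_setup --pcr-banks accepts, as documented in qemu.conf */
        for (i = 0; banks[i]; i++) {
            if (STRNEQ(banks[i], "sha1") && STRNEQ(banks[i], "sha256") &&
                STRNEQ(banks[i], "sha384") && STRNEQ(banks[i], "sha512")) {
                virReportError(VIR_ERR_CONF_SYNTAX,
                               _("unsupported PCR bank '%s' in swtpm_active_pcr_banks"),
                               banks[i]);
                return -1;
            }
        }
    }

    return 0;
```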
>
> diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
> index 2f64e39a18..37461d9e31 100644
> --- a/src/qemu/qemu_conf.h
> +++ b/src/qemu/qemu_conf.h
> @@ -219,6 +219,7 @@ struct _virQEMUDriverConfig {
>
>      uid_t swtpm_user;
>      gid_t swtpm_group;
> +    char *swtpmActivePcrBanks;
>
>      char **capabilityfilters;
>
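Review bot: The new field carries no comment, and its contract (NULL is allowed, the string is a comma-separated list, the consumer is the swtpm_setup command builder) is only discoverable by reading qemu_tpm.c; a one-line comment such as `char *swtpmActivePcrBanks; /* comma-separated PCR banks for swtpm_setup --pcr-banks; NULL selects the default */` would spare the next reader that lookup. struct _virQEMUDriverConfig starts and ends outside the hunk.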
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index e1b08a66c5..69fd1e67e3 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -448,6 +448,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
>                          bool privileged,
>                          uid_t swtpm_user,
>                          gid_t swtpm_group,
> +                        const char *swtpmActivePcrBanks,
>                          const char *logfile,
>                          const virDomainTPMVersion tpmversion,
>                          const unsigned char *secretuuid,
> @@ -512,6 +513,9 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
>      }
>
>      if (!incomingMigration) {
> +        if (!swtpmActivePcrBanks)
> +            swtpmActivePcrBanks = "sha256";
> +
>          virCommandAddArgList(cmd,
>                               "--tpm-state", storagepath,
>                               "--vmid", vmid,
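Review bot: The fallback on the added lines covers only a NULL pointer, so `swtpm_active_pcr_banks = ""` in qemu.conf passes an empty `--pcr-banks` argument to swtpm_setup instead of the documented 'sha256' default; `if (!swtpmActivePcrBanks || !*swtpmActivePcrBanks)` would make the empty string select the default as well. The default is also applied here in the command builder rather than when the config is loaded, so cfg->swtpmActivePcrBanks stays NULL when the option is unset; that is fine as long as no other reader of the field expects the documented default, which I cannot confirm from this hunk. qemuTPMEmulatorRunSetup's body continues outside the hunk.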
> @@ -521,6 +525,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
>                               "--create-platform-cert",
>                               "--lock-nvram",
>                               "--not-overwrite",
> +                             "--pcr-banks", swtpmActivePcrBanks,
>                               NULL);
>      } else {
>          virCommandAddArgList(cmd,
> @@ -568,6 +573,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
>                              bool privileged,
>                              uid_t swtpm_user,
>                              gid_t swtpm_group,
> +                            const char *swtpmActivePcrBanks,
>                              const char *swtpmStateDir,
>                              const char *shortName,
>                              bool incomingMigration)
> @@ -593,6 +599,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
>      if (created &&
>          qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
>                                  privileged, swtpm_user, swtpm_group,
> +                                swtpmActivePcrBanks,
>                                  tpm->data.emulator.logfile, tpm->version,
>                                  secretuuid, incomingMigration) < 0)
>          goto error;
> @@ -812,6 +819,7 @@ qemuExtTPMStartEmulator(virQEMUDriver *driver,
>                                              driver->privileged,
>                                              cfg->swtpm_user,
>                                              cfg->swtpm_group,
> +                                            cfg->swtpmActivePcrBanks,
>                                              cfg->swtpmStateDir, shortName,
>                                              incomingMigration)))
>          return -1;
> --
> 2.31.1
>



