[PATCH] qemu: Extend qemu.conf with PCR banks to activate during 'TPM manufacturing'
Marc-André Lureau
marcandre.lureau at redhat.com
Wed Oct 27 18:17:54 UTC 2021
Hi
On Wed, Oct 27, 2021 at 9:00 PM Stefan Berger <stefanb at linux.ibm.com> wrote:
>
> Extend qemu.conf with a configuration option swtpm_active_pcr_banks that
> allows a user to set a comma-separated list of PCR banks to activate
> during 'TPM manufacturing'. Valid PCR banks are sha1,sha256,sha384 and
> sha512.
>
Why not put this option in swtpm_setup.conf instead?
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599
>
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> ---
> src/qemu/qemu.conf | 8 ++++++++
> src/qemu/qemu_conf.c | 6 ++++++
> src/qemu/qemu_conf.h | 1 +
> src/qemu/qemu_tpm.c | 8 ++++++++
> 4 files changed, 23 insertions(+)
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 71fd125699..7aa151ed55 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -915,6 +915,14 @@
> #swtpm_user = "tss"
> #swtpm_group = "tss"
>
> +# The PCR banks to activate during 'TPM manufacturing' before a swtpm instance
> +# is started the first time.
> +#
> +# A comma-separated list without spaces containing sha1,sha256,sha384, or
> +# sha512. The default is 'sha256'.
> +#
> +# swtpm_active_pcr_banks = "sha256,sha384"
> +
> # For debugging and testing purposes it's sometimes useful to be able to disable
> # libvirt behaviour based on the capabilities of the qemu process. This option
> # allows to do so. DO _NOT_ use in production and beaware that the behaviour
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index 0451bc70ac..a62525385e 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -384,6 +384,8 @@ static void virQEMUDriverConfigDispose(void *obj)
> g_strfreev(cfg->capabilityfilters);
>
> g_free(cfg->deprecationBehavior);
> +
> + g_free(cfg->swtpmActivePcrBanks);
> }
>
>
> @@ -1030,6 +1032,10 @@ virQEMUDriverConfigLoadSWTPMEntry(virQEMUDriverConfig *cfg,
> if (swtpm_group && virGetGroupID(swtpm_group, &cfg->swtpm_group) < 0)
> return -1;
>
> + if (virConfGetValueString(conf, "swtpm_active_pcr_banks",
> + &cfg->swtpmActivePcrBanks) < 0)
> + return -1;
> +
> return 0;
> }
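Review bot: The value read by `virConfGetValueString(conf, "swtpm_active_pcr_banks", ...)` is stored without any validation, so a typo or a bank name outside the sha1/sha256/sha384/sha512 set named in the commit message only surfaces when swtpm_setup rejects `--pcr-banks` at the first start of a domain, not when the daemon loads its config. Checking the comma-separated list here moves the failure to config load time with an error naming the offending entry, and also enforces the "without spaces" format the qemu.conf comment promises. virQEMUDriverConfigLoadSWTPMEntry begins outside the hunk; one possible shape for the check, using glib and libvirt helpers this file already depends on, is below.
```c
    if (virConfGetValueString(conf, "swtpm_active_pcr_banks",
                              &cfg->swtpmActivePcrBanks) < 0)
        return -1;

    /* Reject unknown bank names now rather than at the first domain start. */
    if (cfg->swtpmActivePcrBanks) {
        g_auto(GStrv) banks = g_strsplit(cfg->swtpmActivePcrBanks, ",", 0);
        size_t i;

        for (i = 0; banks[i]; i++) {
            if (STRNEQ(banks[i], "sha1") && STRNEQ(banks[i], "sha256") &&
                STRNEQ(banks[i], "sha384") && STRNEQ(banks[i], "sha512")) {
                virReportError(VIR_ERR_CONF_SYNTAX,
                               _("unsupported PCR bank '%s' in swtpm_active_pcr_banks"),
                               banks[i]);
                return -1;
            }
        }
    }

    return 0;
```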
>
> diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
> index 2f64e39a18..37461d9e31 100644
> --- a/src/qemu/qemu_conf.h
> +++ b/src/qemu/qemu_conf.h
> @@ -219,6 +219,7 @@ struct _virQEMUDriverConfig {
>
> uid_t swtpm_user;
> gid_t swtpm_group;
> + char *swtpmActivePcrBanks;
>
> char **capabilityfilters;
>
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index e1b08a66c5..69fd1e67e3 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -448,6 +448,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> bool privileged,
> uid_t swtpm_user,
> gid_t swtpm_group,
> + const char *swtpmActivePcrBanks,
> const char *logfile,
> const virDomainTPMVersion tpmversion,
> const unsigned char *secretuuid,
> @@ -512,6 +513,9 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> }
>
> if (!incomingMigration) {
> + if (!swtpmActivePcrBanks)
> + swtpmActivePcrBanks = "sha256";
> +
> virCommandAddArgList(cmd,
> "--tpm-state", storagepath,
> "--vmid", vmid,
> @@ -521,6 +525,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> "--create-platform-cert",
> "--lock-nvram",
> "--not-overwrite",
> + "--pcr-banks", swtpmActivePcrBanks,
> NULL);
> } else {
> virCommandAddArgList(cmd,
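Review bot: `"--pcr-banks", swtpmActivePcrBanks` is now appended on every non-migration first start, including when the option is unset (the `"sha256"` default assigned in the previous hunk), so if the installed swtpm_setup predates this argument every newly created emulated TPM would presumably fail to manufacture even though qemu.conf was never edited. If the file's existing swtpm_setup capability probing (`virTPMSwtpmSetupCapsGet`) can carry a feature bit for this argument, the pair should be added only when that bit is set and the unset case left to swtpm_setup's own default; the exact feature constant is not on the page. qemuTPMEmulatorRunSetup begins outside the hunk.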
> @@ -568,6 +573,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
> bool privileged,
> uid_t swtpm_user,
> gid_t swtpm_group,
> + const char *swtpmActivePcrBanks,
> const char *swtpmStateDir,
> const char *shortName,
> bool incomingMigration)
> @@ -593,6 +599,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
> if (created &&
> qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
> privileged, swtpm_user, swtpm_group,
> + swtpmActivePcrBanks,
> tpm->data.emulator.logfile, tpm->version,
> secretuuid, incomingMigration) < 0)
> goto error;
> @@ -812,6 +819,7 @@ qemuExtTPMStartEmulator(virQEMUDriver *driver,
> driver->privileged,
> cfg->swtpm_user,
> cfg->swtpm_group,
> + cfg->swtpmActivePcrBanks,
> cfg->swtpmStateDir, shortName,
> incomingMigration)))
> return -1;
> --
> 2.31.1
>