[PATCH] qemu: Extend qemu.conf with PCR banks to activate during 'TPM manufacturing'

Daniel P. Berrangé berrange at redhat.com
Thu Oct 28 18:16:09 UTC 2021


On Thu, Oct 28, 2021 at 01:51:33PM -0400, Stefan Berger wrote:
> 
> On 10/28/21 07:04, Daniel P. Berrangé wrote:
> > On Wed, Oct 27, 2021 at 05:48:19PM -0400, Stefan Berger wrote:
> > > On 10/27/21 14:17, Marc-André Lureau wrote:
> > > > Hi
> > > > 
> > > > On Wed, Oct 27, 2021 at 9:00 PM Stefan Berger <stefanb at linux.ibm.com> wrote:
> > > > > Extend qemu.conf with a configuration option swtpm_active_pcr_banks that
> > > > > allows a user to set a comma-separated list of PCR banks to activate
> > > > > during 'TPM manufacturing'. Valid PCR banks are sha1,sha256,sha384 and
> > > > > sha512.
> > > > > 
> > > > Why not put this option in swtpm_setup.conf instead?
> > > That is another option but it depends on when one wants to see the effect or
> > > how one wants to control it. With newer libvirt or newer swtpm?
> > The obvious reason for putting it in swtpm_setup.conf is that it also
> > benefits people using swtpm in a non-libvirt scenario.
> > 
> > IMHO, we should put it in swtpm_setup.conf, and *also* have a build
> > time option in swtpm to configure the built-in default.
> > 
> > IOW, I'd expect RHEL-9 RPM swtpm.spec to pass
> > 
> >    %configure --default-pcr-banks=sha256
> > 
> > and then have the swtpm_setup.conf option to allow admins to override
> > the distro default if they need a weaker setup on a host.
> 
> I now have a pending PR to swtpm that does this modulo using
> --enable-default-pcr-banks=sha256. The selection of the PCR banks to
> activate can then be done via swtpm_setup.conf active_pcr_banks = <list of
> PCR banks> entry, if provided, otherwise it's back to the configure line
> default.
> 
> https://github.com/stefanberger/swtpm/pull/615

Great, that looks good.

> > On the libvirt side, I think we could have a domain XML config option
> > for PCR banks, to allow the built-in default or admin local default to
> > be override per-VM.
> 
> Is there an example of an attribute that can only be set once in the domain
> XML and cannot be modified after? The choice of active PCR banks is limited
> to 'TPM manufacturing' time, which means swtpm_setup runs once only when the
> swtpm's state directory does not exist because later it would overwrite the
> entire state and erase all keys etc.. Later manipulations of the PCR banks
> would have to be done using the firmware menu, which exist in EDK2, SeaBIOS
> and SLOF.

Yeah, it is a little unusual, but then I guess we have something similar
with other firmware selection, where setting "secure=yes|no" determines
which OVMF binary we pick to use.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
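The precedence discussed above (an `active_pcr_banks` entry in swtpm_setup.conf if present, otherwise the build-time default, with only sha1/sha256/sha384/sha512 accepted) can be checked before a VM's TPM state is first created, which matters because the bank choice is fixed at manufacturing time. The following is an added illustration, not code from swtpm, libvirt or the patch under review; it assumes swtpm_setup.conf uses simple `key = value` lines with `#` comments, takes "sha256" as a stand-in for the configure-time default, and the conf texts are constructed samples.

```python
"""Resolve the PCR banks swtpm_setup would activate and flag weak ones.

Illustrative code only (not swtpm's implementation). It mirrors the
precedence described in the thread: the active_pcr_banks entry in
swtpm_setup.conf wins if present, otherwise the build-time default.
"""

# Bank names the thread lists as valid; anything else is rejected.
VALID_BANKS = ("sha1", "sha256", "sha384", "sha512")
# Banks an admin may re-enable for compatibility but that a hardened
# host should not rely on for attestation.
WEAK_BANKS = {"sha1"}

# Constructed sample: distro-shipped conf with no active_pcr_banks entry.
DISTRO_CONF = """# constructed sample swtpm_setup.conf
create_certs_tool = /usr/bin/swtpm_localca
# active_pcr_banks = sha1
"""

# Constructed sample: admin override re-enabling the sha1 bank on one host.
ADMIN_CONF = """# constructed sample swtpm_setup.conf
create_certs_tool = /usr/bin/swtpm_localca
active_pcr_banks = sha1,sha256
"""


def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def parse_banks(spec):
    """Split a comma-separated bank list, validate it, drop duplicates."""
    banks = [b.strip().lower() for b in spec.split(",") if b.strip()]
    if not banks:
        raise ValueError("empty PCR bank list")
    unknown = [b for b in banks if b not in VALID_BANKS]
    if unknown:
        raise ValueError(f"unknown PCR bank(s): {', '.join(unknown)}")
    return list(dict.fromkeys(banks))  # de-duplicate, keep order


def resolve_active_banks(conf_text, build_default="sha256"):
    """Return (banks, source) following conf-entry-over-build-default precedence.

    build_default="sha256" is an assumed stand-in for the configure-time value.
    """
    conf = parse_conf(conf_text)
    spec = conf.get("active_pcr_banks")
    if spec is None:
        return parse_banks(build_default), "build default"
    return parse_banks(spec), "swtpm_setup.conf"


def weak_banks(banks):
    """Banks from the resolved list that a hardened host would want to avoid."""
    return sorted(b for b in banks if b in WEAK_BANKS)


if __name__ == "__main__":
    for name, text in (("distro", DISTRO_CONF), ("admin", ADMIN_CONF)):
        banks, source = resolve_active_banks(text)
        print(f"{name}: {','.join(banks)} (from {source}); weak: {weak_banks(banks)}")
```

Because swtpm_setup only runs when the state directory does not yet exist, a check like this belongs before the first VM start; rerunning manufacturing later would wipe the existing state and keys, as noted in the thread.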