[PATCH] qemu: Extend qemu.conf with PCR banks to activate during 'TPM manufacturing'

Stefan Berger stefanb at linux.ibm.com
Fri Oct 29 19:34:40 UTC 2021


On 10/28/21 14:16, Daniel P. Berrangé wrote:
> On Thu, Oct 28, 2021 at 01:51:33PM -0400, Stefan Berger wrote:
>
>>> On the libvirt side, I think we could have a domain XML config option
>>> for PCR banks, to allow the built-in default or admin local default to
>>> be overridden per-VM.
>> Is there an example of an attribute that can only be set once in the domain
>> XML and cannot be modified after? The choice of active PCR banks is limited
>> to 'TPM manufacturing' time, which means swtpm_setup runs once only when the
>> swtpm's state directory does not exist because later it would overwrite the
>> entire state and erase all keys etc. Later manipulations of the PCR banks
>> would have to be done using the firmware menu, which exists in EDK2, SeaBIOS
>> and SLOF.
> Yeah, it is a little unusual, but then I guess we have the similarish
> with other firmware selection, where setting "secure=yes|no" determines
> which OVMF binary we pick to use.


I will probably add a new feature (for swtpm v0.7) to be able to 
reconfigure the active PCR banks. The availability of this feature can
be detected by libvirt via the JSON that swtpm_setup 
--print-capabilities returns (as usual). Now the problems are:

- What to do when an older version of the swtpm package is installed
regarding the contents of the XML? Reject the PCR banks one can declare
in the domain XML? The other option would be to allow the XML but not to
react to it at all and document that one needs swtpm v0.7 or later, which
will probably be the case in most setups sooner or later.

- How would one track changes to the XML versus the state of the swtpm?
At the moment I would run the reconfigure script every time if a set of
active PCR banks was given in the XML and it would log as shown below.
Should we just turn off the logging (no --log <filename> option)
when doing the '--reconfigure'? Or still log it? Or could we assume the
user will remove the active PCR banks description from the XML to avoid
the running of swtpm_setup every time to reconfigure (probably not)?

$ swtpm_setup --tpmstate ./ --tpm2 --reconfigure --pcr-banks sha1
Starting vTPM reconfiguration as stefanb:stefanb @ Fri 29 Oct 2021 03:23:59 PM EDT
TPM is listening on Unix socket.
Successfully activated PCR banks sha1 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Fri 29 Oct 2021 03:23:59 PM EDT

The only concern is a log full of these messages.


The alternative is to configure the active PCR banks on the
swtpm_setup level via swtpm_setup.conf and default compile-time options 
and leave the reconfiguration to using the firmware...

   Stefan
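
Added example, not part of the original message and not libvirt or swtpm code: one way a caller could gate '--reconfigure' on the JSON from swtpm_setup --print-capabilities and skip runs that would change nothing. The feature string, the capability documents and the last_active bookkeeping are assumptions; the log line is the one quoted in the message.

```python
import json
import re

# Assumed feature string; the message only says the capability will be
# advertised in the --print-capabilities JSON, not what it is called.
RECONFIGURE_FEATURE = "cmdarg-reconfigure"

# Constructed capability documents for an older and a newer swtpm_setup.
CAPS_OLD = '{"type": "swtpm_setup", "features": ["tpm-1.2", "tpm-2.0"]}'
CAPS_NEW = ('{"type": "swtpm_setup", "features": '
            '["tpm-1.2", "tpm-2.0", "cmdarg-reconfigure"]}')

# Log line copied from the swtpm_setup output quoted in the message.
LOG_LINE = "Successfully activated PCR banks sha1 among sha1,sha256,sha384,sha512."
_ACTIVATED = re.compile(r"Successfully activated PCR banks ([\w,]+) among ([\w,]+)\.")


def supports_reconfigure(caps_json):
    """True if the capability JSON lists the reconfigure feature."""
    try:
        caps = json.loads(caps_json)
    except ValueError:
        return False  # unparsable output is treated as "not supported"
    if not isinstance(caps, dict):
        return False
    return RECONFIGURE_FEATURE in caps.get("features", [])


def parse_activated(line):
    """Return (active, available) bank sets from a success log line, or None."""
    m = _ACTIVATED.search(line)
    if not m:
        return None
    return frozenset(m.group(1).split(",")), frozenset(m.group(2).split(","))


def plan(requested, caps_json, last_active):
    """Decide what to do with the PCR banks requested in the domain XML.

    last_active is the bank set recorded after the previous successful run
    (hypothetical bookkeeping by the caller), or None if unknown.
    """
    if not requested:
        return "none"         # nothing declared: leave the TPM state alone
    if not supports_reconfigure(caps_json):
        return "reject"       # fail closed instead of silently ignoring
    if last_active is not None and frozenset(requested) == last_active:
        return "skip"         # already in the requested state, no extra log
    return "reconfigure"      # run swtpm_setup --reconfigure --pcr-banks ...
```

Returning "reject" corresponds to the first option raised in the message; allowing the XML without reacting to it would leave a guest with PCR banks other than the ones its XML declares.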