Add documentation for the TPM backend profile node and point the reader to
further documentation about TPM profiles available in the swtpm and
TPMLIB_SetProfile man pages.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
---
docs/formatdomain.rst | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 4336cff3ac..abb16df6fc 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -8119,6 +8119,7 @@ Example: usage of the TPM Emulator
<active_pcr_banks>
<sha256/>
</active_pcr_banks>
+ <profile
remove_disabled='check'>{"Name":"custom"}</profile>
</backend>
</tpm>
</devices>
@@ -8191,6 +8192,25 @@ Example: usage of the TPM Emulator
and may not have any effect otherwise. The selection of PCR banks only works
with the ``emulator`` backend. :since:`Since 7.10.0`
+``profile``
+ The ``profile`` node is used to set a profile for a TPM 2.0. This profile
+ will be set when the TPM is initially created and after that cannot be
+ changed anymore. If no profile is provided, then swtpm will use the latest
+ 'default' profile. The 'null' profile provides backwards compatibility
with
+ libtpms v0.9 but also restricts the user to use only TPM features that were
+ available at the time of libtpms v0.9. The 'custom' profile is the only
+ profile that a user can modify and where the ``remove_disabled`` attribute
+ has any effect. This attribute is particularly useful when a host is running
+ in FIPS mode and therefore some crypto algorithms (camellia, tdes,
+ unpadded RSA encryption, and others) are disabled. When it is set to
+ ``check`` (recommended) then only those algorithms that are currently
+ disabled will automatically be removed from the 'custom' profile, while
+ when it is set to ``fips-host`` then all potentially disabled algorithms
+ will be removed. :since:`Since 10.???.0`
+
+ For further information about TPM profiles see the man pages for ``swtpm``
+ (swtpm v0.10) and libtpms's ``TPMLIB_SetProfile`` (libtpms v0.10).
+
``encryption``
The ``encryption`` element allows the state of a TPM emulator to be
encrypted. The ``secret`` must reference a secret object that holds the
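Review bot: the ``:since:`Since 10.???.0``` marker at the end of the ``profile`` paragraph is a placeholder and needs the real release version before this can be merged. Two smaller points in the same paragraph: the text never says what the element content is, although the example in the first hunk shows ``{"Name":"custom"}``, so a sentence stating that the node text holds the JSON profile description with the profile selected by its ``Name`` key would help readers who only see the description; and it does not say what happens when ``remove_disabled`` is omitted (``check`` is called "recommended", but not stated as the default). Also a wording nit: "restricts the user to use only TPM features that were available" reads better as "restricts the user to only those TPM features that were available".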
--
2.46.0