On Thu, Jul 25, 2019 at 02:21:56PM -0400, Stefan Berger wrote:
This series of patches addresses the RFE in BZ 172830: https://bugzilla.redhat.com/show_bug.cgi?id=1728030
This series of patches adds support for vTPM state encryption by passing the read-end of a pipe's file descriptor to 'swtpm_setup' and 'swtpm' where they can read a passphrase from and derive a key from that passphrase.
The TPM's domain XML looks to enable state encryption looks like this:
<tpm model='tpm-tis'> <backend type='emulator' version='1.2'> <encryption secret='2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd'/> </backend> </tpm>
The vTPM secret holding the passphrase looks like this:
<secret ephemeral='no' private='yes'> <uuid>2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd</uuid> <description>vTPM passphrase example</description> <usage type='vtpm'> <name>vtpm_example</name> </usage> </secret>
The swtpm v0.2 is needed that supports the command line option --print-capabilities returning a JSON object that identifies features added since v0.1. One such features is the possibility to pass a passphrase via a file descriptor.
The patches do some refactoring of existing code on the way.
This series is now pushed to GIT, thanks for your work on it Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|