On Fri, Sep 20, 2024 at 10:00:40AM -0400, Stefan Berger wrote:
On 9/20/24 8:55 AM, Daniel P. Berrangé wrote:
> > Instead I think there should be a defined standard for how a distro
> > package, or host sysadmin, would "drop in" a profile definition to
> > a well-defined directory, whereupon we can reference it by name in
> > libvirt,
> >
> > e.g. define two dirs
> >
> > /usr/share/swtpm/profiles/<name>.json (for os distro)
> > /etc/swtpm/profiles/<name>.json (for local deployment)
>
> With the above:
>
> <profile name='null' type='built-in'/>
> <profile name='default-v1' type='built-in'/>
> <profile name='custom' type='built-in' remove_disabled='check'/>
> <profile name='restricted' type='distro'/> --> name is a filename now
> <profile name='test' type='local' remove_disabled='check'/> --> name is a filename now
Do we really need to express a "type" attribute? How about if
swtpm itself were to load profiles from the /usr/share/swtpm
and /etc/swtpm directories, so that from a user's POV there
is no distinction between built-in & file-defined profiles?

I guess you want to resolve naming clashes. A couple of options:

- <name>.json in /etc/ overrides <name>.json in /usr/,
  which overrides <name> built-in.
- <name>.json in /etc is ignored if it clashes with <name>.json
  in /usr or built-in.
- swtpm gives the profile name a prefix itself, based
  on where it came from, e.g. "system:blah" or "local:blah"
  for /usr/ and /etc respectively.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
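As an added illustration of the three clash-resolution options discussed in this reply (example code written for this page, not swtpm's or libvirt's own code), the following Python model scans the two proposed profile directories and resolves a profile name under each policy. The built-in names, the temporary directory layout and the stub profile file contents are constructed for the demo; real swtpm profile files look different.

```python
import os
import tempfile

BUILT_IN = ("null", "default-v1", "custom")  # built-in names used in the thread


def scan_dir(directory):
    """Map <name> -> path for every <name>.json in directory (dir may be absent)."""
    if not os.path.isdir(directory):
        return {}
    return {f[:-5]: os.path.join(directory, f)
            for f in os.listdir(directory) if f.endswith(".json")}


def resolve(name, system_dir, local_dir, policy):
    """Resolve a profile name to (source, location) under one clash policy.
    override     : /etc beats /usr beats built-in (first option in the mail).
    ignore_clash : built-in beats /usr beats /etc, so a clashing /etc file
                   is ignored (second option).
    prefix       : caller writes 'system:<name>' or 'local:<name>'; a bare
                   name resolves only to a built-in (third option).
    Returns None when nothing matches."""
    system, local = scan_dir(system_dir), scan_dir(local_dir)
    built = {n: "built-in:" + n for n in BUILT_IN}
    if policy == "prefix":
        for prefix, table in (("local:", local), ("system:", system)):
            if name.startswith(prefix):
                loc = table.get(name[len(prefix):])
                return (prefix[:-1], loc) if loc else None
        return ("built-in", built[name]) if name in built else None
    order = {"override": [("local", local), ("system", system), ("built-in", built)],
             "ignore_clash": [("built-in", built), ("system", system), ("local", local)]}
    for source, table in order[policy]:  # first hit in precedence order wins
        if name in table:
            return (source, table[name])
    return None


def make_demo_tree():
    """Create a throwaway tree mimicking both profile dirs; returns (system_dir, local_dir).
    'custom' clashes with a built-in and 'restricted' sits in both dirs, so each
    policy answers differently. File bodies are constructed stubs, not real profiles."""
    root = tempfile.mkdtemp(prefix="swtpm-profiles-demo-")
    system_dir = os.path.join(root, "usr", "share", "swtpm", "profiles")
    local_dir = os.path.join(root, "etc", "swtpm", "profiles")
    for directory, names in ((system_dir, ("restricted", "custom")),
                             (local_dir, ("restricted", "test"))):
        os.makedirs(directory)
        for n in names:
            with open(os.path.join(directory, n + ".json"), "w") as fh:
                fh.write('{"Name": "%s"}\n' % n)
    return system_dir, local_dir
```

Note that under the "override" policy a file in /etc silently shadows a built-in of the same name, which is exactly the clash the other two options are designed to make visible.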