On Fri, Sep 20, 2024 at 10:00:40AM -0400, Stefan Berger wrote:
On 9/20/24 8:55 AM, Daniel P. Berrangé wrote:
Instead I think there should be a defined standard for how an distro package, or host sysadmin, would "drop in" a profile definition to a well defined directory, where upon we can reference it by name in libvirt,
eg define two dirs
/usr/share/swptm/profiles/<name>.json (for os distro) /etc/swptm/profiles/<name>.json (for local deployment)
With the above:
<profile name='null' type='built-in'/> <profile name='default-v1' type='built-in'/> <profile name='custom' type='built-in' remove_disabled='check'/>
<profile name='restricted' type='distro'/> --> name is a filename now <profile name='test' type='local' remove_disabled='check'/> --> name is a filename now
Do we really need to express a "type" attribute ? How about if swtpm itself were to load profiles from the /usr/share/swtpm and /etc/swtpm directories, so that from a users' POV there is no distinction between built-in & file defined profiles ? I guess you want to resolve naming clashes. A couple of options - <name>.json in /etc/ overrides <name>.json in /usr/ which overrides <name> built-in. - <name>.json in /etc is ignored if it clashes with <name>.json in /usr or built-in - swtpm gives the profile name a prefix itself, based on where it came from eg "system:blah" or "local:blah" for /usr/ and /etc respectively. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|