Re: [PATCH v2 2/2] qemu: tpm: Extend TPM domain XML with PCR banks to activate

On 11/1/21 6:23 PM, Stefan Berger wrote: > Extend the TPM domain XML with an attribute active_pcr_banks that allows > a user to specify the PCR banks to activate before starting a VM. A comma- > separated list of PCR banks with the choices of sha1, sha256, sha384 and > sha512 is allowed. When the XML attribute is provided, the set of active > PCR banks is 'enforced' by running swtpm_setup before every start of the > VM. The activation requires that swtpm_setup v0.7 or later is installed > and may not have any effect otherwise. > > <tpm model='tpm-tis'> > <backend type='emulator' version='2.0' active_pcr_banks='sha256,sha384'/> > </tpm> > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599 > > Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com&gt; > --- > docs/formatdomain.rst | 12 ++- > docs/schemas/basictypes.rng | 6 ++ > docs/schemas/domaincommon.rng | 5 ++ > src/conf/domain_conf.c | 21 ++++- > src/conf/domain_conf.h | 1 + > src/qemu/qemu_tpm.c | 80 +++++++++++++++++++ > src/util/virtpm.c | 1 + > src/util/virtpm.h | 1 + > tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 2 +- > .../tpm-emulator-tpm2.x86_64-latest.xml | 2 +- > 10 files changed, 127 insertions(+), 4 deletions(-) > > diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst > index 0651975c88..8785a7a682 100644 > --- a/docs/formatdomain.rst > +++ b/docs/formatdomain.rst > @@ -7537,7 +7537,7 @@ Example: usage of the TPM Emulator > ... > <devices> > <tpm model='tpm-tis'> > - <backend type='emulator' version='2.0'> > + <backend type='emulator' version='2.0' active_pcr_banks='sha256'> > <encryption secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/> > </backend> > </tpm> > @@ -7598,6 +7598,16 @@ Example: usage of the TPM Emulator > This attribute only works with the ``emulator`` backend. The accepted values > are ``yes`` and ``no``. :since:`Since 7.0.0` > > +``active_pcr_banks`` > + The ``active_pcr_banks`` attribute indicates the names of the PCR banks > + of a TPM 2.0 to activate. A comma separated list of PCR banks' names > + must be provided. Valid names are for example sha1, sha256, sha384, and > + sha512. If this attribute is provided, the set of PCR banks are activated > + before every start of a VM and this step is logged in the swtpm's log. > + This attribute requires that swtpm_setup v0.7 or later is installed > + and may not have any effect otherwise. This attribute only works with the > + ``emulator`` backend. since:`Since 7.10.0` > + > ``encryption`` > The ``encryption`` element allows the state of a TPM emulator to be > encrypted. The ``secret`` must reference a secret object that holds the > diff --git a/docs/schemas/basictypes.rng b/docs/schemas/basictypes.rng > index a221ff6295..3bd1eebdc4 100644 > --- a/docs/schemas/basictypes.rng > +++ b/docs/schemas/basictypes.rng > @@ -88,6 +88,12 @@ > </choice> > </define> > > + <define name="pcrBankList"> > + <data type="string"> > + <param name="pattern">(sha1|sha256|sha384|sha512){1}(,(sha1|sha256|sha384|sha512)){0,3}</param> > + </data> > + </define> > + Honestly, I'm not a big fan of comma separated lists. I think we could do with nested elements, repeated for each option. But I'll let others decide that.