
On Tue, Nov 02, 2021 at 10:38:05AM +0100, Michal Prívozník wrote:
On 11/1/21 6:23 PM, Stefan Berger wrote:
Extend the TPM domain XML with an attribute active_pcr_banks that allows a user to specify the PCR banks to activate before starting a VM. A comma-separated list of PCR banks with the choices of sha1, sha256, sha384 and sha512 is allowed. When the XML attribute is provided, the set of active PCR banks is 'enforced' by running swtpm_setup before every start of the VM. The activation requires that swtpm_setup v0.7 or later is installed and may not have any effect otherwise.
<tpm model='tpm-tis'>
  <backend type='emulator' version='2.0' active_pcr_banks='sha256,sha384'/>
</tpm>
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 docs/formatdomain.rst                        | 12 ++-
 docs/schemas/basictypes.rng                  |  6 ++
 docs/schemas/domaincommon.rng                |  5 ++
 src/conf/domain_conf.c                       | 21 ++++-
 src/conf/domain_conf.h                       |  1 +
 src/qemu/qemu_tpm.c                          | 80 +++++++++++++++++++
 src/util/virtpm.c                            |  1 +
 src/util/virtpm.h                            |  1 +
 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml |  2 +-
 .../tpm-emulator-tpm2.x86_64-latest.xml      |  2 +-
 10 files changed, 127 insertions(+), 4 deletions(-)
diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 0651975c88..8785a7a682 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -7537,7 +7537,7 @@ Example: usage of the TPM Emulator ... <devices> <tpm model='tpm-tis'> - <backend type='emulator' version='2.0'> + <backend type='emulator' version='2.0' active_pcr_banks='sha256'> <encryption secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/> </backend> </tpm> @@ -7598,6 +7598,16 @@ Example: usage of the TPM Emulator This attribute only works with the ``emulator`` backend. The accepted values are ``yes`` and ``no``. :since:`Since 7.0.0`
+``active_pcr_banks`` + The ``active_pcr_banks`` attribute indicates the names of the PCR banks + of a TPM 2.0 to activate. A comma separated list of PCR banks' names + must be provided. Valid names are for example sha1, sha256, sha384, and + sha512. If this attribute is provided, the set of PCR banks are activated + before every start of a VM and this step is logged in the swtpm's log. + This attribute requires that swtpm_setup v0.7 or later is installed + and may not have any effect otherwise. This attribute only works with the + ``emulator`` backend. since:`Since 7.10.0` + ``encryption`` The ``encryption`` element allows the state of a TPM emulator to be encrypted. The ``secret`` must reference a secret object that holds the diff --git a/docs/schemas/basictypes.rng b/docs/schemas/basictypes.rng index a221ff6295..3bd1eebdc4 100644 --- a/docs/schemas/basictypes.rng +++ b/docs/schemas/basictypes.rng @@ -88,6 +88,12 @@ </choice> </define>
+ <define name="pcrBankList"> + <data type="string"> + <param name="pattern">(sha1|sha256|sha384|sha512){1}(,(sha1|sha256|sha384|sha512)){0,3}</param> + </data> + </define> +
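Review bot: In the second formatdomain.rst hunk the version marker is written `since:`Since 7.10.0`` without the leading colon, while the role a few lines above it reads `:since:`Since 7.0.0``; as written the new marker will not render as a role. The sentence "Valid names are for example sha1, sha256, sha384, and sha512" also reads as an open-ended list, but the pcrBankList pattern added in basictypes.rng admits exactly those four names, so "Valid names are sha1, sha256, sha384 and sha512" would be accurate. Minor: "the set of PCR banks are activated" should be "is activated".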
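Review bot: The pcrBankList pattern `(sha1|sha256|sha384|sha512){1}(,(sha1|sha256|sha384|sha512)){0,3}` caps the list at four entries but does not stop one bank from being listed repeatedly (`sha256,sha256,sha256,sha256` validates), so repeats still have to be handled in the C parser; either state in formatdomain.rst that repeated names are tolerated or reject them in domain_conf.c. The `{1}` on the first group is a no-op and can be dropped, and adding a bank later means editing the name list twice inside this one regex; a repeated child element per bank would let the schema state the choice once.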
Honestly, I'm not a big fan of comma separated lists. I think we could do with nested elements, repeated for each option. But I'll let others decide that.
Yes, the golden rule of XML design is that you should not have to write a second parser to interpret the value of an attribute / element. Any structure should be represented in the XML design itself.

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
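To make the "second parser" point concrete, here is an added example (not libvirt code): it parses a constructed domain fragment carrying the attribute from the patch, checks the value against the pcrBankList pattern quoted from the basictypes.rng hunk, and then applies the extra check the schema regex cannot express, namely that a bank is not listed twice. The function names and the sample XML are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed domain fragment carrying the attribute the patch introduces.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0' active_pcr_banks='sha256,sha384'/>
    </tpm>
  </devices>
</domain>"""

# Pattern from the patch's pcrBankList define, anchored for a full-string match.
RNG_PATTERN = re.compile(
    r"^(sha1|sha256|sha384|sha512){1}(,(sha1|sha256|sha384|sha512)){0,3}$")
VALID_BANKS = ("sha1", "sha256", "sha384", "sha512")

def schema_accepts(value):
    """What the RelaxNG datatype pattern alone can decide about the string."""
    return RNG_PATTERN.match(value) is not None

def parse_active_pcr_banks(value):
    """The 'second parser' the comma-separated attribute forces on every
    consumer: split the string and enforce what the regex cannot, such as
    rejecting a bank that is listed twice. Raises ValueError on bad input."""
    banks = value.split(",")
    if not 1 <= len(banks) <= 4:
        raise ValueError("expected 1 to 4 PCR banks, got %d" % len(banks))
    for bank in banks:
        if bank not in VALID_BANKS:
            raise ValueError("unknown PCR bank %r" % bank)
    if len(set(banks)) != len(banks):
        raise ValueError("PCR bank listed more than once in %r" % value)
    return banks

def second_parser_accepts(value):
    """Boolean view of parse_active_pcr_banks, for comparing with the schema."""
    try:
        parse_active_pcr_banks(value)
    except ValueError:
        return False
    return True

def active_pcr_banks_from_domain(xml_text):
    """Bank list from a domain XML, or None when the emulator backend lacks it."""
    backend = ET.fromstring(xml_text).find("./devices/tpm/backend")
    if backend is None or backend.get("type") != "emulator":
        return None
    value = backend.get("active_pcr_banks")
    return None if value is None else parse_active_pcr_banks(value)
```

The interesting case is `sha256,sha256`: the schema pattern accepts it, the hand-written parser does not, which is exactly the split that nested per-bank elements would avoid.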