On 11/1/21 6:23 PM, Stefan Berger wrote:
> Extend the TPM domain XML with an attribute active_pcr_banks that allows
> a user to specify the PCR banks to activate before starting a VM. A comma-
> separated list of PCR banks with the choices of sha1, sha256, sha384 and
> sha512 is allowed. When the XML attribute is provided, the set of active
> PCR banks is 'enforced' by running swtpm_setup before every start of the
> VM. The activation requires that swtpm_setup v0.7 or later is installed
> and may not have any effect otherwise.
>
> <tpm model='tpm-tis'>
> <backend type='emulator' version='2.0'
active_pcr_banks='sha256,sha384'/>
> </tpm>
>
> Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=2016599
>
> Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
> ---
> docs/formatdomain.rst | 12 ++-
> docs/schemas/basictypes.rng | 6 ++
> docs/schemas/domaincommon.rng | 5 ++
> src/conf/domain_conf.c | 21 ++++-
> src/conf/domain_conf.h | 1 +
> src/qemu/qemu_tpm.c | 80 +++++++++++++++++++
> src/util/virtpm.c | 1 +
> src/util/virtpm.h | 1 +
> tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 2 +-
> .../tpm-emulator-tpm2.x86_64-latest.xml | 2 +-
> 10 files changed, 127 insertions(+), 4 deletions(-)
>
> diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> index 0651975c88..8785a7a682 100644
> --- a/docs/formatdomain.rst
> +++ b/docs/formatdomain.rst
> @@ -7537,7 +7537,7 @@ Example: usage of the TPM Emulator
> ...
> <devices>
> <tpm model='tpm-tis'>
> - <backend type='emulator' version='2.0'>
> + <backend type='emulator' version='2.0'
active_pcr_banks='sha256'>
> <encryption
secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/>
> </backend>
> </tpm>
> @@ -7598,6 +7598,16 @@ Example: usage of the TPM Emulator
> This attribute only works with the ``emulator`` backend. The accepted values
> are ``yes`` and ``no``. :since:`Since 7.0.0`
>
> +``active_pcr_banks``
> + The ``active_pcr_banks`` attribute indicates the names of the PCR banks
> + of a TPM 2.0 to activate. A comma separated list of PCR banks' names
> + must be provided. Valid names are for example sha1, sha256, sha384, and
> + sha512. If this attribute is provided, the set of PCR banks are activated
> + before every start of a VM and this step is logged in the swtpm's log.
> + This attribute requires that swtpm_setup v0.7 or later is installed
> + and may not have any effect otherwise. This attribute only works with the
> + ``emulator`` backend. since:`Since 7.10.0`
> +
> ``encryption``
> The ``encryption`` element allows the state of a TPM emulator to be
> encrypted. The ``secret`` must reference a secret object that holds the
> diff --git a/docs/schemas/basictypes.rng b/docs/schemas/basictypes.rng
> index a221ff6295..3bd1eebdc4 100644
> --- a/docs/schemas/basictypes.rng
> +++ b/docs/schemas/basictypes.rng
> @@ -88,6 +88,12 @@
> </choice>
> </define>
>
> + <define name="pcrBankList">
> + <data type="string">
> + <param
name="pattern">(sha1|sha256|sha384|sha512){1}(,(sha1|sha256|sha384|sha512)){0,3}</param>
> + </data>
> + </define>
> +
Honestly, I'm not a big fan of comma separated lists. I think we could
do with nested elements, repeated for each option. But I'll let others
decide that.
Yes, the golden rule of XML design is that you should not have to write
a second parser to interpret the value of an attribute / element. Any
structure should be represented in the XML design itself.
Regards,
Daniel
--
|: