Extend qemu.conf with a configuration option swtpm_active_pcr_banks that
allows a user to set a comma-separated list of PCR banks to activate
during 'TPM manufacturing'. Valid PCR banks are sha1,sha256,sha384 and
sha512.
Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=2016599
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
---
src/qemu/qemu.conf | 8 ++++++++
src/qemu/qemu_conf.c | 6 ++++++
src/qemu/qemu_conf.h | 1 +
src/qemu/qemu_tpm.c | 8 ++++++++
4 files changed, 23 insertions(+)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 71fd125699..7aa151ed55 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -915,6 +915,14 @@
#swtpm_user = "tss"
#swtpm_group = "tss"
+# The PCR banks to activate during 'TPM manufacturing' before a swtpm instance
+# is started the first time.
+#
+# A comma-separated list without spaces containing sha1,sha256,sha384, or
+# sha512. The default is 'sha256'.
+#
+# swtpm_active_pcr_banks = "sha256,sha384"
+
# For debugging and testing purposes it's sometimes useful to be able to disable
# libvirt behaviour based on the capabilities of the qemu process. This option
# allows to do so. DO _NOT_ use in production and beaware that the behaviour
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 0451bc70ac..a62525385e 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -384,6 +384,8 @@ static void virQEMUDriverConfigDispose(void *obj)
g_strfreev(cfg->capabilityfilters);
g_free(cfg->deprecationBehavior);
+
+ g_free(cfg->swtpmActivePcrBanks);
}
@@ -1030,6 +1032,10 @@ virQEMUDriverConfigLoadSWTPMEntry(virQEMUDriverConfig *cfg,
if (swtpm_group && virGetGroupID(swtpm_group, &cfg->swtpm_group) <
0)
return -1;
+ if (virConfGetValueString(conf, "swtpm_active_pcr_banks",
+ &cfg->swtpmActivePcrBanks) < 0)
+ return -1;
+
return 0;
}
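Review bot: The value read by the added virConfGetValueString call is stored without any validation, although qemu.conf documents it as a comma-separated list drawn from sha1, sha256, sha384 and sha512 with no spaces; a typo such as `sha2566` or a stray space is only discovered when the first domain's swtpm_setup run fails, well after the daemon accepted the configuration. Checking each element at load time reports the mistake at daemon start, where configuration errors are expected, and keeps the same `return -1` convention the surrounding code uses. The sketch below splits on ',' and rejects anything outside the documented set; the error code and helper names should be matched to what the rest of the file already uses. virQEMUDriverConfigLoadSWTPMEntry starts outside the hunk.
```c
    if (virConfGetValueString(conf, "swtpm_active_pcr_banks",
                              &cfg->swtpmActivePcrBanks) < 0)
        return -1;

    /* Reject unknown bank names here so a typo is reported at daemon
     * start rather than when the first swtpm_setup run fails. */
    if (cfg->swtpmActivePcrBanks) {
        g_auto(GStrv) banks = g_strsplit(cfg->swtpmActivePcrBanks, ",", 0);
        size_t i;

        for (i = 0; banks[i]; i++) {
            if (STRNEQ(banks[i], "sha1") && STRNEQ(banks[i], "sha256") &&
                STRNEQ(banks[i], "sha384") && STRNEQ(banks[i], "sha512")) {
                virReportError(VIR_ERR_CONF_SYNTAX,
                               _("unsupported PCR bank '%s' in swtpm_active_pcr_banks"),
                               banks[i]);
                return -1;
            }
        }
    }

    return 0;
```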
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 2f64e39a18..37461d9e31 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -219,6 +219,7 @@ struct _virQEMUDriverConfig {
uid_t swtpm_user;
gid_t swtpm_group;
+ char *swtpmActivePcrBanks;
char **capabilityfilters;
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index e1b08a66c5..69fd1e67e3 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -448,6 +448,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
bool privileged,
uid_t swtpm_user,
gid_t swtpm_group,
+ const char *swtpmActivePcrBanks,
const char *logfile,
const virDomainTPMVersion tpmversion,
const unsigned char *secretuuid,
@@ -512,6 +513,9 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
}
if (!incomingMigration) {
+ if (!swtpmActivePcrBanks)
+ swtpmActivePcrBanks = "sha256";
+
virCommandAddArgList(cmd,
"--tpm-state", storagepath,
"--vmid", vmid,
@@ -521,6 +525,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
"--create-platform-cert",
"--lock-nvram",
"--not-overwrite",
+ "--pcr-banks", swtpmActivePcrBanks,
NULL);
} else {
virCommandAddArgList(cmd,
@@ -568,6 +573,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
bool privileged,
uid_t swtpm_user,
gid_t swtpm_group,
+ const char *swtpmActivePcrBanks,
const char *swtpmStateDir,
const char *shortName,
bool incomingMigration)
@@ -593,6 +599,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
if (created &&
qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
privileged, swtpm_user, swtpm_group,
+ swtpmActivePcrBanks,
tpm->data.emulator.logfile, tpm->version,
secretuuid, incomingMigration) < 0)
goto error;
@@ -812,6 +819,7 @@ qemuExtTPMStartEmulator(virQEMUDriver *driver,
driver->privileged,
cfg->swtpm_user,
cfg->swtpm_group,
+ cfg->swtpmActivePcrBanks,
cfg->swtpmStateDir, shortName,
incomingMigration)))
return -1;
--
2.31.1