On 11/13/24 18:39, Stefan Berger wrote:
> Upcoming libtpms v0.10 and swtpm v0.10 will have TPM profile support that
> allows restricting a TPM's provided set of crypto algorithms and commands
> and through which backwards compatibility and migration from newer versions
> of libtpms to older ones (up to libtpms v0.9) is supported. For the latter
> to work it is necessary that the user chooses the right ('null') profile.
>
> This series adds support for passing a profile choice to swtpm_setup by
> setting it in the domain XML using the <profile/> XML node. An optional
> attribute 'remove_disabled' can be set in this node and accepts two values:
>
> "check": test a few crypto algorithms (tdes, camellia, unpadded encryption,
> and others) for whether they are currently disabled due to FIPS
> mode on the host and remove these algorithms in the 'custom'
> profile if they are disabled;
> "fips-host": do not test but remove all the possibly disabled crypto
> algorithms (from list above)
>
> Also extend the documentation but point the user to swtpm and libtpms
> documentation for further details.
>
> Following Daniel's suggestions there's now a PR for swtpm_setup to support
> searching for profiles through a configurable local directory, distro
> directory and if no profile could be found there (with appended
> ".json" suffix) it will fall back to try to use a built-in profile by
> the provided name:
> https://github.com/stefanberger/swtpm/pull/918
>
> Stefan
>
> v4:
> - Renamed previous 'name' attribute in profile XML node to 'source'
> to indicate that the profile was created from some sort of 'source'.
> The 'name' is now set from the name of the profile read from the
> swtpm instance's state once it has been created.
>
> v3:
> - 2/10: Adjustments due to rebase
> - Applied Marc-André's R-b tags
> - 10/10: Read back profile name from swtpm and adjust it in emulator defs
>
> Stefan Berger (11):
> conf: Move TPM emulator parameters into own struct
> qemu: Pass virQEMUDriverConfig rather than some of its fields
> util: Add parsing support for swtpm_setup's cmdarg-profile capability
> conf: Define enum virDomainTPMProfileRemoveDisabled
> schema: Extend schema for TPM emulator profile node
> conf: Add support for profile parameter on TPM emulator in domain XML
> docs: Add documentation for the TPM backend profile node
> qemu: Extend swtpm_setup command line to set a profile by its name
> qemu: Move adding of keys to swtpm command line into own function
> qemu: Move adding --tpmstate to swtpm command line into own function
> qemu: Read back the profile name after creation of a TPM instance
>
> docs/formatdomain.rst | 32 +++
> src/conf/domain_conf.c | 47 ++++
> src/conf/domain_conf.h | 38 ++--
> src/conf/domain_validate.c | 7 +
> src/conf/schemas/domaincommon.rng | 32 +++
> src/conf/virconftypes.h | 2 +
> src/qemu/qemu_extdevice.c | 5 +-
> src/qemu/qemu_tpm.c | 344 ++++++++++++++++++++----------
> src/qemu/qemu_tpm.h | 3 +-
> src/util/virtpm.c | 2 +
> src/util/virtpm.h | 2 +
> tests/testutilsqemu.c | 1 +
> 12 files changed, 386 insertions(+), 129 deletions(-)
>
This adds a new XML element and attributes but lacks the corresponding
tests/qemuxmlconfdata/ addition to show the parser/formatter working.
I've uploaded my suggestions here:
https://gitlab.com/MichalPrivoznik/libvirt/-/commits/review_swtpm?ref_typ...
If you are fine with them, I can squash those fixup commits and merge.
I tested it. The changes look good to me. Thanks also for the test case.
Stefan