Re: [PATCH] qemu: Extend qemu.conf with PCR banks to activate during 'TPM manufacturing'
On Wed, Oct 27, 2021 at 05:48:19PM -0400, Stefan Berger wrote:
On 10/27/21 14:17, Marc-André Lureau wrote:
> Hi
>
> On Wed, Oct 27, 2021 at 9:00 PM Stefan Berger <stefanb(a)linux.ibm.com> wrote:
> > Extend qemu.conf with a configration option swtpm_active_pcr_banks that
> > allows a user to set a comma-separated list of PCR banks to activate
> > during 'TPM manufacturing'. Valid PCR banks are sha1,sha256,sha384 and
> > sha512.
> >
> Why not put this option in swtpm_setup.conf instead?
That is another option but it depends on when one wants to see the effect or
how one wants to control it. With newer libvirt or newer swtpm?
The obvious reason for putting it in swtpm_setup.conf is that it also
benefits people using swtpm in a non-libvirt scenario.
IMHO, we should put it in swtpm_setup.conf, and *also* have a build
time option in swtpm to configure the built-in default.
IOW, I'd expect RHEL-9 RPM swtpm.spec to pass
%configure --default-pcr-banks=sha256
and then have the swtpm_setup.conf option to allow admins to override
the distro default if they need a weaker setup on a host.
On the libvirt side, I think we could have a domain XML config option
for PCR banks, to allow the built-in default or admin local default to
be override per-VM.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|