Re: [PATCH v2 1/8] docs: documentation and schema for the new TPM Proxy model

On 5/13/20 11:28 AM, Stefan Berger wrote: > On 5/13/20 10:10 AM, Daniel Henrique Barboza wrote: >> QEMU 4.1.0 introduced a new device type called TPM Proxy, currently >> implemented by PPC64 guests via a new virtual device called >> 'spapr-tpm-proxy' (see QEMU 0fb6bd073230 for more info). >> >> The TPM Proxy device interacts with a TPM Resource Manager, a host >> device capable of multiplexing the host TPM with multiple processes. >> This allows multiple guests to access some TPM features at the >> same time. Note that this mode of operation does not provide >> full TPM features to be available for the guest - for that case >> the guest still needs to assign a vTPM device (tpm-spapr for >> PPC64 guests). Although redundant, there is currently no technical >> limitation for a guest to assign both a vTPM and a TPM Proxy at the >> same time. >> >> This patch adds documentation and schema for a new TPM model >> type called 'spapr-tpm-proxy' that creates this new TPM Proxy >> device. This model is valid only for the 'passthrough' backend. >> An example of a TPM Proxy device connected to a TPM Resource Manager >> '/dev/tpmrm0' will look like this: >> >> <tpm model='spapr-tpm-proxy'> >>    <backend type='passthrough'> >>      <device path='/dev/tpmrm0'/> >>    </backend> >> </tpm> >> >> Signed-off-by: Daniel Henrique Barboza <danielhb413(a)gmail.com&gt; >> --- >>   docs/formatdomain.html.in     | 16 +++++++++++++++- >>   docs/schemas/domaincommon.rng |  1 + >>   2 files changed, 16 insertions(+), 1 deletion(-) >> >> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in >> index 23eb029234..ccbb696058 100644 >> --- a/docs/formatdomain.html.in >> +++ b/docs/formatdomain.html.in >> @@ -8792,6 +8792,15 @@ qemu-kvm -net nic,model=? /dev/null >>             backend device is a TPM 2.0. <span class="since">Since >> 6.1.0</span>, >>             pSeries guests on PPC64 are supported and the default is >>             <code>tpm-spapr</code>. >> + >> +          <span class="since">Since 6.4.0</span>, a new model called >> +          <code>spapr-tpm-proxy</code> was added for pSeries >> guests. This model > > > I think you should mention its application is restricted to 'secure > VM' here since this seems to be what it is used for. A normal > 'pSeries guest' won't make use of it, or would it? What about this:           <span class="since">Since 6.4.0</span>, a new model called           <code>spapr-tpm-proxy</code> was added for pSeries guests. This model           only works with the 'passthrough' backend. It creates a TPM Proxy           device that communicates with an existing TPM Resource Manager           in the host, for example /dev/tpmrm0, to enable secure VM support for           the guest. Only one TPM Proxy device is allowed per guest, but a TPM Proxy           device can be added together with other TPM devices. I cut down the bit about what the TPM Resource Manager does to emphasize the intended use of the device.

Thanks, DHB