Hi
On Wed, Nov 13, 2024 at 9:40 PM Stefan Berger <stefanb(a)linux.ibm.com> wrote:
Upcoming libtpms v0.10 and swtpm v0.10 will have TPM profile support that
allows to restrict a TPM's provided set of crypto algorithms and commands
and through which backwards compatibility and migration from newer versions
of libtpms to older ones (up to libtpms v0.9) is supported. For the latter
to work it is necessary that the user chooses the right ('null') profile.
This series adds support for passing a profile choice to swtpm_setup by
setting it in the domain XML using the <profile/> XML node. An optional
attribute 'remove_disabled' can be set in this node and accepts two values:
"check": test a few crypto algorithms (tdes, camellia, unpadded encryption,
and others) for whether they are currently disabled due to FIPS
mode on the host and remove these algorithms in the 'custom'
profile if they are disabled;
"fips-host": do not test but remove all the possibly disabled crypto
algorithms (from list above)
Also extend the documentation but point the user to swtpm and libtpms
documentation for further details.
Follow Deniel's suggestions there's now a PR for swtpm_setup to support
searching for profiles though a configurable local directory, distro
directory and if no profile could be found there (with appended
".json" suffix) it will fall back to try to use a built-in profile by
the provided name:
https://github.com/stefanberger/swtpm/pull/918
Stefan
v4:
- Renamed previous 'name' attribute in profile XML node to 'source'
to indicate that the profile was created from some sort of 'source'.
The 'name' is now set from the name of the profile read from the
swtpm instance's state once it has been created.
This difference between 'source' and 'name' is not described in the
domain xml documentation.
Also the doc still has 10.??.0.
thanks