
On 11/3/21 6:04 PM, Stefan Berger wrote:
Extend the TPM backend XML with a node 'active_pcr_banks' that allows a user to specify the PCR banks to activate before starting a VM. Valid choices for PCR banks are sha1, sha256, sha384 and sha512. When the XML node is provided, the set of active PCR banks is 'enforced' by running swtpm_setup before every start of the VM. The activation requires that swtpm_setup v0.7 or later is installed and may not have any effect otherwise.
  <tpm model='tpm-tis'>
    <backend type='emulator' version='2.0'>
      <active_pcr_banks>
        <sha256/>
        <sha384/>
      </active_pcr_banks>
    </backend>
  </tpm>
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2016599
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 docs/formatdomain.rst                        | 12 +++
 docs/schemas/domaincommon.rng                | 30 ++++++
 src/conf/domain_conf.c                       | 50 +++++++++-
 src/conf/domain_conf.h                       | 11 +++
 src/libvirt_private.syms                     |  2 +
 src/qemu/qemu_tpm.c                          | 98 +++++++++++++++++++
 src/util/virtpm.c                            |  1 +
 src/util/virtpm.h                            |  1 +
 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml |  7 +-
 .../tpm-emulator-tpm2.x86_64-latest.xml      |  7 +-
 10 files changed, 215 insertions(+), 4 deletions(-)
diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 0651975c88..eb8c973cf1 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -7539,6 +7539,9 @@ Example: usage of the TPM Emulator <tpm model='tpm-tis'> <backend type='emulator' version='2.0'> <encryption secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/> + <active_pcr_banks> + <sha256/> + </active_pcr_banks> </backend> </tpm> </devices> @@ -7598,6 +7601,15 @@ Example: usage of the TPM Emulator This attribute only works with the ``emulator`` backend. The accepted values are ``yes`` and ``no``. :since:`Since 7.0.0`
+``active_pcr_banks`` + The ``active_pcr_banks`` node is used to define which of the PCR banks + of a TPM 2.0 to activate. Valid names are for example sha1, sha256, sha384, + and sha512. If this node is provided, the set of PCR banks are activated + before every start of a VM and this step is logged in the swtpm's log. + This attribute requires that swtpm_setup v0.7 or later is installed + and may not have any effect otherwise. The selection of PCR banks only works + with the ``emulator`` backend. since:`Since 7.10.0` + ``encryption`` The ``encryption`` element allows the state of a TPM emulator to be encrypted. The ``secret`` must reference a secret object that holds the diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 67df13d90d..4fe3e04af5 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -5323,6 +5323,7 @@ <value>emulator</value> </attribute> <ref name="tpm-backend-emulator-encryption"/> + <ref name="tpm-backend-emulator-active-pcr-banks"/> <optional> <attribute name="persistent_state"> <choice> @@ -5366,6 +5367,35 @@ </optional> </define>
+ <define name="tpm-backend-emulator-active-pcr-banks"> + <optional> + <element name="active_pcr_banks"> + <interleave> + <optional> + <element name="sha1"> + <text/>
We don't really expect any content for these elements, so s/text/empty/.
+ </element> + </optional> + <optional> + <element name="sha256"> + <text/> + </element> + </optional> + <optional> + <element name="sha384"> + <text/> + </element> + </optional> + <optional> + <element name="sha512"> + <text/> + </element> + </optional> + </interleave> + </element> + </optional> + </define> +
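Review bot: the new ``active_pcr_banks`` entry in docs/formatdomain.rst ends with `since:`Since 7.10.0`` but the role is missing its leading colon; the ``persistent_state`` entry just above uses `:since:`Since 7.0.0``, and without the colon Sphinx renders the text literally. Two wording points in the same paragraph: "the set of PCR banks are activated" should be "is activated", and "Valid names are for example sha1, sha256, sha384, and sha512" undersells the schema, which accepts exactly those four names and nothing else, so say so. It is also an element, not an attribute ("This attribute requires"). Because a user will read this node as an enforced security setting, the docs should state plainly what happens with swtpm_setup older than 0.7 (banks left unchanged, and whether libvirt reports it), rather than "may not have any effect otherwise".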
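Review bot: beyond the `<text/>` to `<empty/>` change already requested for the four bank elements, the `<interleave>` of four `<optional>` children in `tpm-backend-emulator-active-pcr-banks` means a bare `<active_pcr_banks/>` with no bank at all validates. Either require at least one child in the schema, or have the docs hunk say what libvirt does with an empty node (run swtpm_setup with no banks, or leave the banks as they are), since "the set of PCR banks is activated" reads differently for an empty set.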
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

and pushed. Thank you.

Michal
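The following is an added example, written for this page and not part of the patch or of libvirt's own code: a small checker that reads the `<active_pcr_banks>` node described in the commit message out of a domain XML document and applies the constraints visible in the patch (only the four bank names from the schema, each at most once, emulator backend only, elements empty as the reviewer requested). It distinguishes "node absent" (libvirt leaves the banks untouched) from "node present but empty" (which the schema currently allows), and the sample domain documents are constructed for the example. The function names and the sample documents are the editor's assumptions, not libvirt APIs.

```python
import xml.etree.ElementTree as ET

# Bank names accepted by the patch's RelaxNG definition
# (tpm-backend-emulator-active-pcr-banks).
VALID_PCR_BANKS = ("sha1", "sha256", "sha384", "sha512")


def parse_active_pcr_banks(domain_xml):
    """Extract the configured PCR banks from a libvirt domain XML string.

    Returns None when the first <tpm> device carries no <active_pcr_banks>
    node (the patch then leaves the banks as they are), otherwise the list
    of bank names in document order. Raises ValueError for input the schema,
    or the reviewer's s/text/empty/ suggestion, would reject.
    """
    root = ET.fromstring(domain_xml)
    tpm = root.find(".//tpm")
    if tpm is None:
        raise ValueError("domain has no <tpm> device")
    backend = tpm.find("backend")
    if backend is None:
        raise ValueError("<tpm> has no <backend> element")
    node = backend.find("active_pcr_banks")
    if node is None:
        return None
    # The docs hunk states the selection only works with the emulator backend.
    if backend.get("type") != "emulator":
        raise ValueError("active_pcr_banks requires backend type='emulator'")
    banks = []
    for child in node:
        if child.tag not in VALID_PCR_BANKS:
            raise ValueError(f"unknown PCR bank element <{child.tag}/>")
        # <interleave> of <optional> elements allows each bank once.
        if child.tag in banks:
            raise ValueError(f"PCR bank <{child.tag}/> listed twice")
        # Reviewer asked for <empty/> in the schema: reject text or children.
        if (child.text or "").strip() or len(child):
            raise ValueError(f"<{child.tag}/> must be empty")
        banks.append(child.tag)
    return banks


def is_valid_active_pcr_banks(domain_xml):
    """True when parse_active_pcr_banks() accepts the document."""
    try:
        parse_active_pcr_banks(domain_xml)
    except (ValueError, ET.ParseError):
        return False
    return True


def _domain(backend_type, banks_xml):
    """Build a constructed sample domain around the given backend content."""
    return f"""<domain type='kvm'>
  <name>demo</name>
  <devices>
    <tpm model='tpm-tis'>
      <backend type='{backend_type}' version='2.0'>{banks_xml}</backend>
    </tpm>
  </devices>
</domain>"""


# Constructed sample documents (not taken from the patch or its test suite).
SAMPLE_ENFORCED = _domain("emulator",
                          "<active_pcr_banks><sha256/><sha384/></active_pcr_banks>")
SAMPLE_NO_NODE = _domain("emulator", "")
SAMPLE_EMPTY_NODE = _domain("emulator", "<active_pcr_banks/>")
SAMPLE_UNKNOWN = _domain("emulator", "<active_pcr_banks><md5/></active_pcr_banks>")
SAMPLE_PASSTHROUGH = _domain("passthrough",
                             "<active_pcr_banks><sha256/></active_pcr_banks>")

if __name__ == "__main__":
    for label, doc in [("enforced", SAMPLE_ENFORCED), ("no node", SAMPLE_NO_NODE),
                       ("empty node", SAMPLE_EMPTY_NODE), ("unknown", SAMPLE_UNKNOWN),
                       ("passthrough", SAMPLE_PASSTHROUGH)]:
        try:
            print(f"{label:12s} -> {parse_active_pcr_banks(doc)}")
        except ValueError as err:
            print(f"{label:12s} -> rejected: {err}")
```

The "no node" and "empty node" cases are deliberately reported differently; which of the two an operator wants depends on how libvirt treats an empty `<active_pcr_banks/>`, which the patch's schema permits and its documentation does not yet describe.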