On 11/2/21 05:38, Michal Prívozník wrote:
On 11/1/21 6:23 PM, Stefan Berger wrote:
So this runs reconfigure on every cold boot of a guest. I wonder whether
there's a way to run it just once, when activePcrBanks have changed.
For instance, in qemuDomainDefineXMLFlags() the @oldDef is set to the
old domain definition and maybe we can use that to compare
activePcrBanks and run reconfigure at that time? That won't cover
transient domains though, nor would it cover domains which are
persistent but are started with a different XML (yes, as horrible as it
sounds you can 'virsh define dom1.xml && virsh create dom2.xml' where
dom1.xml and dom2.xml have nothing in common except domain <name/> and
<uuid/>).
I think to 'enforce' what is shown in the XML is the simplest solution.
Whatever the user may have done inside the VM, such as using the firmware
menu to reconfigure the active PCR banks, doesn't matter since what will
be enforced next time when the VM is cold-started is what is shown in
the XML. Otherwise it's documented how it behaves.
Stefan