[RFC PATCH v1 0/6] swtpm: Add support for profiles

Stefan Berger posted 6 patches 2 weeks, 2 days ago
There is a newer version of this series
docs/formatdomain.rst             | 20 ++++++++++++++++
src/conf/domain_conf.c            | 39 +++++++++++++++++++++++++++++++
src/conf/domain_conf.h            | 11 +++++++++
src/conf/domain_validate.c        |  7 ++++++
src/conf/schemas/basictypes.rng   |  6 +++++
src/conf/schemas/domaincommon.rng | 17 ++++++++++++++
src/qemu/qemu_tpm.c               | 26 +++++++++++++++++++--
src/util/virtpm.c                 |  1 +
src/util/virtpm.h                 |  1 +
tests/testutilsqemu.c             |  1 +
10 files changed, 127 insertions(+), 2 deletions(-)
Posted by Stefan Berger 2 weeks, 2 days ago
Upcoming libtpms v0.10 and swtpm v0.10 will have TPM profile support that
allows restricting a TPM's provided set of crypto algorithms and commands
and through which backwards compatibility and migration from newer versions
of libtpms to older ones (up to libtpms v0.9) is supported. For the latter
to work it is necessary that the user chooses the right profile.

This series adds support for passing a profile choice to swtpm_setup by
setting it in the domain XML using the <profile/> XML node. An optional
attribute 'remove_disabled' can be set in this node and accepts two values:

"check": test a few crypto algorithms (tdes, camellia, unpadded encryption,
         and others) for whether they are currently disabled due to FIPS
         mode on the host and remove these algorithms in the 'custom'
         profile if they are disabled; 
"fips-host": do not test but remove all potentially disabled crypto
             algorithms

Also extend the documentation but point the user to swtpm and libtpms
documentation for further details.

    Stefan


Stefan Berger (6):
  util: Add parsing support for swtpm_setup's cmdarg-profile capability
  conf: Define enum virDomainTPMProfileRemoveDisabled
  schema: Extend schema for TPM emulator profile node
  conf: Add support for profile parameter on TPM emulator in domain XML
  docs: Add documentation for the TPM backend profile node
  qemu: Run swtpm_setup with --profile option if profile given

-- 
2.46.0
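The flow the cover letter describes has three pieces: detect whether the installed swtpm_setup advertises the "cmdarg-profile" capability, read the profile choice from the domain XML, and only then pass a --profile option to swtpm_setup. The block below is an added example written for this page; it is not libvirt's C implementation nor swtpm code. It assumes the <profile/> node carries the profile name in a 'name' attribute next to 'remove_disabled' (the cover letter only states that the node exists and which values 'remove_disabled' accepts), assumes swtpm_setup --print-capabilities prints a JSON object with a "features" list, and assumes the --profile value is a JSON object with "Name" and "RemoveDisabled" keys; verify the last against swtpm_setup --help on your host. The capability JSON and the domain XML are constructed samples.

```python
"""Added example (not libvirt or swtpm code): gate swtpm_setup's --profile
argument on the cmdarg-profile capability and validate remove_disabled."""
import json
import xml.etree.ElementTree as ET

# Values the cover letter documents for the remove_disabled attribute.
REMOVE_DISABLED_VALUES = ("check", "fips-host")

# Constructed samples of `swtpm_setup --print-capabilities` output
# (assumed shape: JSON object with a "features" list).
CAPS_WITH_PROFILE = (
    '{"type":"swtpm_setup","features":["cmdarg-pwdfile-fd","cmdarg-profile"],'
    '"version":"0.10.0"}'
)
CAPS_OLD = '{"type":"swtpm_setup","features":["cmdarg-pwdfile-fd"],"version":"0.9.0"}'

# Constructed domain XML fragment. The 'name' attribute on <profile/> is an
# assumption of this example; only 'remove_disabled' is given by the series.
DOMAIN_XML = """<domain type='kvm'>
  <name>tpm-profile-demo</name>
  <devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <profile name='custom' remove_disabled='check'/>
      </backend>
    </tpm>
  </devices>
</domain>"""


def swtpm_setup_has_profile(caps_json: str) -> bool:
    """True if swtpm_setup advertises the cmdarg-profile feature."""
    caps = json.loads(caps_json)
    return "cmdarg-profile" in caps.get("features", [])


def parse_profile(domain_xml: str):
    """Return {'name', 'remove_disabled'} for the emulator's <profile/> node,
    None if the node is absent, ValueError on an invalid attribute."""
    root = ET.fromstring(domain_xml)
    node = root.find("./devices/tpm/backend[@type='emulator']/profile")
    if node is None:
        return None
    name = node.get("name")
    if not name:
        raise ValueError("<profile/> requires a profile name")
    remove_disabled = node.get("remove_disabled")
    if remove_disabled is not None and remove_disabled not in REMOVE_DISABLED_VALUES:
        raise ValueError(
            f"unsupported remove_disabled value {remove_disabled!r}; "
            f"expected one of {REMOVE_DISABLED_VALUES}"
        )
    return {"name": name, "remove_disabled": remove_disabled}


def build_swtpm_setup_args(profile, caps_json, state_dir="/var/lib/libvirt/swtpm/demo/tpm2"):
    """Build the swtpm_setup argv; refuse a profile the tool cannot honour.

    Silently dropping --profile would start the guest with an unrestricted
    TPM and break the migration compatibility the profile was chosen for,
    so an unsupported swtpm_setup is an error rather than a fallback."""
    args = ["swtpm_setup", "--tpm2", "--tpmstate", state_dir]
    if profile is None:
        return args
    if not swtpm_setup_has_profile(caps_json):
        raise RuntimeError("domain requests a TPM profile but swtpm_setup lacks cmdarg-profile")
    # Assumed encoding of the --profile value (JSON with Name/RemoveDisabled).
    prof = {"Name": profile["name"]}
    if profile["remove_disabled"]:
        prof["RemoveDisabled"] = profile["remove_disabled"]
    args += ["--profile", json.dumps(prof, separators=(",", ":"))]
    return args


if __name__ == "__main__":
    prof = parse_profile(DOMAIN_XML)
    print(" ".join(build_swtpm_setup_args(prof, CAPS_WITH_PROFILE)))
    try:
        build_swtpm_setup_args(prof, CAPS_OLD)
    except RuntimeError as e:
        print("refused:", e)
```

Running it prints the constructed swtpm_setup command line for the 0.10 capability sample and a refusal for the 0.9 sample. The same validation rejects any remove_disabled value other than "check" or "fips-host" at parse time, which is where libvirt's domain_validate.c change in the series would catch it as well.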