On 11/13/24 18:39, Stefan Berger wrote:
> Extend the schema for the TPM emulator profile node. Require that the
> profile the user provides is described in a 'source' attribute. An optional
> remove_disabled attribute is also supported for swtpm to automatically
> remove algorithms from the 'custom' profile if they are disabled by FIPS
> mode on the host.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> src/conf/schemas/domaincommon.rng | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
> index 8360eeae3f..d94ff9b4c3 100644
> --- a/src/conf/schemas/domaincommon.rng
> +++ b/src/conf/schemas/domaincommon.rng
> @@ -5924,6 +5924,7 @@
> <ref name="tpm-backend-emulator-encryption"/>
> <ref name="tpm-backend-emulator-active-pcr-banks"/>
> <ref name="tpm-backend-emulator-source"/>
> + <ref name="tpm-backend-emulator-profile"/>
> </interleave>
> <optional>
> <attribute name="persistent_state">
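Review bot: nothing in this patch exercises the `tpm-backend-emulator-profile` ref added to the interleave here, since the diffstat lists only domaincommon.rng. A test domain XML that carries a `<profile>` element, once with and once without `remove_disabled`, would let the schema change be validated on its own; if that arrives in a later patch of the series, say so in the commit message.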
> @@ -6046,6 +6047,30 @@
> </optional>
> </define>
>
> + <define name="profileName">
> + <data type="string">
> + <param name="pattern">[A-Za-z0-9.\-:]+</param>
> + </data>
> + </define>
> +
> + <define name="tpm-backend-emulator-profile">
> + <optional>
> + <element name="profile">
> + <attribute name="source">
> + <ref name="profileName"/>
> + </attribute>
> + <optional>
> + <attribute name="remove_disabled">
How about "removeDisabled" instead? I think camelCase is preferred when
it comes to multi-word attributes.
> + <choice>
> + <value>check</value>
> + <value>fips-host</value>
> + </choice>
> + </attribute>
> + </optional>
> + </element>
> + </optional>
> + </define>
> +
> <define name="vsock">
> <element name="vsock">
> <optional>
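Review bot: the `check` value in the `remove_disabled` choice is undocumented. The commit message explains only the FIPS-on-host behaviour, which matches `fips-host`, so a reader cannot tell what `check` selects; describe both values in the commit message and in the domain XML documentation. In the same hunk, the `profileName` pattern `[A-Za-z0-9.\-:]+` sets no upper length and rejects `_`; if both are intended, a short XML comment above the define stating the allowed name format would make that explicit.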
Michal