[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 0/7] Provide support for the software TPM emulat
|
From: |
Daniel P. Berrange |
|
Subject: |
Re: [Qemu-devel] [PATCH 0/7] Provide support for the software TPM emulator |
|
Date: |
Mon, 3 Apr 2017 18:07:38 +0100 |
|
User-agent: |
Mutt/1.7.1 (2016-10-04) |
On Fri, Mar 31, 2017 at 04:10:09PM +0300, Amarnath Valluri wrote:
> Briefly, Theses set of patches introduces:
> - new TPM backend driver to support software TPM emulators(swtpm(1)).
> - and few supported fixes/enhancements/cleanup to existing tpm backend code.
>
> The similar idea was initiated earliar(2) by Stefan Berger(CCed) with slightly
> different approach, using CUSE. As swtpm has excellent support for unix domain
> sockets, hence this implementation uses unix domain sockets to communicate
> with
> swtpm.
>
> When Qemu is configured with 'emulator' tpm backend, it spawns 'swtpm' and
> communicates its via Unix domain sockets.
I'm not convinced that having QEMU spawning swtpm itself is a desirable
approach, as it means QEMU needs to have all the privileges that swtpm
will need, so that swtpm can inherit them. At the very least I think we
need to have a way to disable this spawning, so it can connect to a
pre-existing swtpm process that's been spawned ahead of time. This will
let us have stricter privilege separation.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
Re: [Qemu-devel] [PATCH 0/7] Provide support for the software TPM emulator, Dr. David Alan Gilbert, 2017/04/03
Re: [Qemu-devel] [PATCH 0/7] Provide support for the software TPM emulator, Stefan Berger, 2017/04/04
Re: [Qemu-devel] [PATCH 0/7] Provide support for the software TPM emulator, Amarnath Valluri, 2017/04/05