docs: documentation and schema for the new TPM Proxy model

QEMU 4.1.0 introduced a new device type called TPM Proxy, currently
implemented by PPC64 guests via a new virtual device called
'spapr-tpm-proxy' (see QEMU 0fb6bd073230 for more info).

The TPM Proxy device interacts with a TPM Resource Manager, a host
device capable of multiplexing the host TPM with multiple processes.
This allows multiple guests to access some TPM features at the
same time. Note that this mode of operation does not provide
full TPM features to be available for the guest - for that case
the guest still needs to assign a vTPM device (tpm-spapr for
PPC64 guests). Although redundant, there is currently no technical
limitation for a guest to assign both a vTPM and a TPM Proxy at the
same time.

This patch adds documentation and schema for a new TPM model
type called 'spapr-tpm-proxy' that creates this new TPM Proxy
device. This model is valid only for the 'passthrough' backend.
An example of a TPM Proxy device connected to a TPM Resource Manager
'/dev/tpmrm0' will look like this:

<tpm model='spapr-tpm-proxy'>
  <backend type='passthrough'>
    <device path='/dev/tpmrm0'/>
  </backend>
</tpm>
Tested-by: NSatheesh Rajendran <sathnaga@linux.vnet.ibm.com>
Reviewed-by: NStefan Berger <stefanb@linux.ibm.com>
Signed-off-by: NDaniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

docs/formatdomain.html.in

@@ -8849,6 +8849,18 @@ qemu-kvm -net nic,model=? /dev/null
           backend device is a TPM 2.0. <span class="since">Since 6.1.0</span>,
           pSeries guests on PPC64 are supported and the default is
           <code>tpm-spapr</code>.
+
+          <span class="since">Since 6.5.0</span>, a new model called
+          <code>spapr-tpm-proxy</code> was added for pSeries guests. This model
+          only works with the <code>passthrough</code> backend. It creates a
+          TPM Proxy device that communicates with an existing TPM Resource Manager
+          in the host, for example <code>/dev/tpmrm0</code>, enabling the guest to
+          run in secure virtual machine mode with the help of an Ultravisor. Adding
+          a TPM Proxy to a pSeries guest brings no security benefits unless the guest
+          is running on a PPC64 host that has an Ultravisor and a TPM Resource Manager.
+          Only one TPM Proxy device is allowed per guest, but a TPM Proxy device can
+          be added together with
+          other TPM devices.
         </p>
       </dd>
       <dt><code>backend</code></dt>
@@ -8861,7 +8873,7 @@ qemu-kvm -net nic,model=? /dev/null
           <dt><code>passthrough</code></dt>
           <dd>
             <p>
-              Use the host's TPM device.
+              Use the host's TPM or TPM Resource Manager device.
             </p>
             <p>
               This backend type requires exclusive access to a TPM device on
@@ -8869,6 +8881,11 @@ qemu-kvm -net nic,model=? /dev/null
               qualified file name is specified by path attribute of the
               <code>source</code> element. If no file name is specified then
               /dev/tpm0 is automatically used.
+
+              <span class="since">Since 6.5.0</span>, when choosing the
+              <code>spapr-tpm-proxy</code> model, the file name specified is
+              expected to be a TPM Resource Manager device, e.g.
+              <code>/dev/tpmrm0</code>.
             </p>
           </dd>
         </dl>

docs/schemas/domaincommon.rng

@@ -4618,6 +4618,7 @@
             <value>tpm-tis</value>
             <value>tpm-crb</value>
             <value>tpm-spapr</value>
+            <value>spapr-tpm-proxy</value>
           </choice>
         </attribute>
       </optional>