提交 f1d7d6c2 编写于 作者: D Daniel Henrique Barboza 提交者: Ján Tomko

docs: documentation and schema for the new TPM Proxy model

QEMU 4.1.0 introduced a new device type called TPM Proxy, currently
implemented by PPC64 guests via a new virtual device called
'spapr-tpm-proxy' (see QEMU 0fb6bd073230 for more info).

The TPM Proxy device interacts with a TPM Resource Manager, a host
device capable of multiplexing the host TPM with multiple processes.
This allows multiple guests to access some TPM features at the
same time. Note that this mode of operation does not provide
full TPM features to be available for the guest - for that case
the guest still needs to assign a vTPM device (tpm-spapr for
PPC64 guests). Although redundant, there is currently no technical
limitation for a guest to assign both a vTPM and a TPM Proxy at the
same time.

This patch adds documentation and schema for a new TPM model
type called 'spapr-tpm-proxy' that creates this new TPM Proxy
device. This model is valid only for the 'passthrough' backend.
An example of a TPM Proxy device connected to a TPM Resource Manager
'/dev/tpmrm0' will look like this:

<tpm model='spapr-tpm-proxy'>
  <backend type='passthrough'>
    <device path='/dev/tpmrm0'/>
  </backend>
</tpm>
Tested-by: NSatheesh Rajendran <sathnaga@linux.vnet.ibm.com>
Reviewed-by: NStefan Berger <stefanb@linux.ibm.com>
Signed-off-by: NDaniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
上级 461ddf50
...@@ -8849,6 +8849,18 @@ qemu-kvm -net nic,model=? /dev/null ...@@ -8849,6 +8849,18 @@ qemu-kvm -net nic,model=? /dev/null
backend device is a TPM 2.0. <span class="since">Since 6.1.0</span>, backend device is a TPM 2.0. <span class="since">Since 6.1.0</span>,
pSeries guests on PPC64 are supported and the default is pSeries guests on PPC64 are supported and the default is
<code>tpm-spapr</code>. <code>tpm-spapr</code>.
<span class="since">Since 6.5.0</span>, a new model called
<code>spapr-tpm-proxy</code> was added for pSeries guests. This model
only works with the <code>passthrough</code> backend. It creates a
TPM Proxy device that communicates with an existing TPM Resource Manager
in the host, for example <code>/dev/tpmrm0</code>, enabling the guest to
run in secure virtual machine mode with the help of an Ultravisor. Adding
a TPM Proxy to a pSeries guest brings no security benefits unless the guest
is running on a PPC64 host that has an Ultravisor and a TPM Resource Manager.
Only one TPM Proxy device is allowed per guest, but a TPM Proxy device can
be added together with
other TPM devices.
</p> </p>
</dd> </dd>
<dt><code>backend</code></dt> <dt><code>backend</code></dt>
...@@ -8861,7 +8873,7 @@ qemu-kvm -net nic,model=? /dev/null ...@@ -8861,7 +8873,7 @@ qemu-kvm -net nic,model=? /dev/null
<dt><code>passthrough</code></dt> <dt><code>passthrough</code></dt>
<dd> <dd>
<p> <p>
Use the host's TPM device. Use the host's TPM or TPM Resource Manager device.
</p> </p>
<p> <p>
This backend type requires exclusive access to a TPM device on This backend type requires exclusive access to a TPM device on
...@@ -8869,6 +8881,11 @@ qemu-kvm -net nic,model=? /dev/null ...@@ -8869,6 +8881,11 @@ qemu-kvm -net nic,model=? /dev/null
qualified file name is specified by path attribute of the qualified file name is specified by path attribute of the
<code>source</code> element. If no file name is specified then <code>source</code> element. If no file name is specified then
/dev/tpm0 is automatically used. /dev/tpm0 is automatically used.
<span class="since">Since 6.5.0</span>, when choosing the
<code>spapr-tpm-proxy</code> model, the file name specified is
expected to be a TPM Resource Manager device, e.g.
<code>/dev/tpmrm0</code>.
</p> </p>
</dd> </dd>
</dl> </dl>
......
...@@ -4618,6 +4618,7 @@ ...@@ -4618,6 +4618,7 @@
<value>tpm-tis</value> <value>tpm-tis</value>
<value>tpm-crb</value> <value>tpm-crb</value>
<value>tpm-spapr</value> <value>tpm-spapr</value>
<value>spapr-tpm-proxy</value>
</choice> </choice>
</attribute> </attribute>
</optional> </optional>
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册