TPM active PCR banks & domain firmware type #977

Open
wants to merge 2 commits into
base: main

daniel-weisse

This PR comes in 2 parts

  1. Allow setting the active PCR banks of a domain's TPM
    This setting is currently missing from the TPM definition and causes some issues when using the TPM attestation functionality.
    This PR expands the TPM definition to allow users the choice of which PCR banks to set active.

  2. Allow choosing a domain's firmware type
    To make proper use of the TPM, e.g. measured-boot/secure-boot, we need EFI firmware.
    Correctly setting up EFI is currently a bit messy using the terraform provider since simply setting OS.Firmware is not supported.
    Using libvirt directly, one would simply define the following to achieve a functional efi setup:

    <os firmware='efi'>
       ...
    </os>

    See the libvirt bootloader XML definition for more details.

    With this PR users can set a new option, firmware_type, to efi to achieve the same behavior.

    Personally, I would prefer renaming the current firmware option to the more appropriate loader, so we can simply name the new firmware_type option firmware.
    But I am not sure if such a thing should be done in this PR as this will likely break existing configurations relying on it.

I am also open to splitting this PR in two parts if so desired.

Example definition:

resource "libvirt_domain" "example" {
  count   = 1
  memory  = 2048
  vcpu    = 2
  machine = "q35"
  firmware_type = "efi"
  tpm {
    backend_type    = "emulator"
    backend_version = "2.0"
    backend_active_pcr_banks {
      sha1   = true
      sha256 = true
      sha384 = true
      sha512 = true
    }
  }
}

For reference, this is the XSLT I am currently using as a workaround to achieve the functionality of this PR.

<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output omit-xml-declaration="yes" indent="yes"/>
  <!-- Identity transform: copy every node and attribute unchanged. -->
  <xsl:template match="node()|@*">
    <xsl:copy>
      <xsl:apply-templates select="node()|@*"/>
    </xsl:copy>
  </xsl:template>
  <!-- Re-emit <os> with firmware="efi". -->
  <xsl:template match="os">
    <os firmware="efi">
      <xsl:apply-templates select="@*|node()"/>
    </os>
  </xsl:template>
  <!-- Append <active_pcr_banks> to the TPM backend. -->
  <xsl:template match="/domain/devices/tpm/backend">
    <xsl:copy>
      <xsl:apply-templates select="node()|@*"/>
      <xsl:element name="active_pcr_banks">
        <xsl:element name="sha1"></xsl:element>
        <xsl:element name="sha256"></xsl:element>
        <xsl:element name="sha384"></xsl:element>
        <xsl:element name="sha512"></xsl:element>
      </xsl:element>
    </xsl:copy>
  </xsl:template>
</xsl:stylesheet>

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
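
A check for the two settings this PR adds, run against a rendered domain XML. This is an added example, not code from the PR or the provider. AuditDomain, the sample XML, and the policy of requiring specific banks are assumptions; the element paths follow the XSLT above.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// pcrBank records the element name of each child of <active_pcr_banks>.
type pcrBank struct{ XMLName xml.Name }

// domain models only the parts of the libvirt domain XML this PR touches.
type domain struct {
	OS struct {
		Firmware string `xml:"firmware,attr"`
	} `xml:"os"`
	Backend struct {
		Active struct {
			Banks []pcrBank `xml:",any"`
		} `xml:"active_pcr_banks"`
	} `xml:"devices>tpm>backend"`
}

// AuditDomain (hypothetical helper) returns one finding per deviation from the
// assumed policy: firmware must be "efi" and every required bank must be active.
func AuditDomain(domainXML string, required ...string) ([]string, error) {
	var d domain
	if err := xml.Unmarshal([]byte(domainXML), &d); err != nil {
		return nil, fmt.Errorf("parse domain XML: %w", err)
	}
	var findings []string
	if d.OS.Firmware != "efi" {
		findings = append(findings, fmt.Sprintf("os firmware=%q, want %q", d.OS.Firmware, "efi"))
	}
	active := map[string]bool{}
	for _, b := range d.Backend.Active.Banks {
		active[b.XMLName.Local] = true
	}
	for _, want := range required {
		if !active[want] {
			findings = append(findings, "PCR bank not active: "+want)
		}
	}
	return findings, nil
}

// Constructed sample: a domain with neither firmware nor active_pcr_banks set.
const sampleDomain = `<domain type="kvm"><os><type>hvm</type></os>
<devices><tpm model="tpm-tis"><backend type="emulator" version="2.0"/></tpm></devices></domain>`

func main() { fmt.Println(AuditDomain(sampleDomain, "sha256")) }
```

The output of `virsh dumpxml` for a domain can be passed in as domainXML to confirm the settings took effect before relying on attestation.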