From: Stefan Berger <stefanb@linux.ibm.com>
To: jejb@linux.ibm.com, "Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, Markus Armbruster <armbru@redhat.com>
Subject: Re: [PATCH] tpm: add backend for mssim
Date: Mon, 12 Dec 2022 14:32:45 -0500
Message-ID: <dc520ab2-04db-b8cb-15fd-871bb1da0d1b@linux.ibm.com>
In-Reply-To: <92daee895872aab2047c3768a9c67b1839406568.camel@linux.ibm.com>



On 12/12/22 14:12, James Bottomley wrote:
> On Mon, 2022-12-12 at 13:58 -0500, Stefan Berger wrote:
>> On 12/12/22 13:48, James Bottomley wrote:
>>> On Mon, 2022-12-12 at 11:59 -0500, Stefan Berger wrote:
>>>> On 12/12/22 11:38, James Bottomley wrote:
> [...]
>>>>> the kernel use of the TPM, but I'm trying to fix that.  The
>>>>> standard mssim server is too simplistic to do transport layer
>>>>> security, but like everything that does this (or rather doesn't
>>>>> do this), you can front it with stunnel4.
>>>>
>>>> And who or what is going to set this up?
>>>
>>> I'm not sure I understand the question.  Stunnel4 is mostly used to
>>> convert unencrypted proxies like imap on 143 or smtp on 25 to the
>>> secure version.  Most people who run servers are fairly familiar
>>> with using it.  It's what IBM used for encrypted migration
>>> initially.  You can run stunnel on both ends, or the qemu side
>>> could be built in using the qemu tls-creds way of doing things but
>>> anything running the standard MS server would have to front it with
>>> stunnel still.
>>
>> So it's up to libvirt to set up stunnel to support a completely
>> different setup than what it has for swtpm already?
> 
> I don't think so, no.  Libvirt doesn't usually help with server setup
> (witness the complexity of setting up a server side vtpm proxy) so in
> the case tls-creds were built in, it would just work if the object is

I see, so you are extending the TPM emulator with TLS on the client side so you don't need another tool to set up a TLS connection from the QEMU/client side.

Is the server side across the network or on the same host? Either way, what is the latency that this introduces, because I would expect that this slows down IMA since the PCR extensions & TPM 2 responses now go back and forth across the network?

     Stefan

> specified.  The complexity is all on the server side to front it with
> stunnel.
>
> James
> 
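The "front it with stunnel" arrangement James describes, written out as an added configuration example (not from the patch, QEMU, or the mssim simulator). Both ends run stunnel: the server side terminates TLS in front of the simulator's plaintext TCP ports, and the QEMU side opens a loopback port that the mssim backend connects to. The hostname, certificate paths, the TLS listener ports 12321/12322 and the simulator ports 2321/2322 are assumptions for illustration; adjust them to the deployment.

```ini
; ---- server host: stunnel sits in front of the mssim TPM simulator ----
; The simulator itself should listen on loopback only (or be firewalled),
; so the only network-reachable path to it is the TLS listener below.
cert = /etc/stunnel/mssim-server.pem        ; assumed path
key = /etc/stunnel/mssim-server.key         ; assumed path
CAfile = /etc/stunnel/qemu-client-ca.pem    ; CA that issued the QEMU-side client certificate
verifyChain = yes                           ; require a client certificate: only enrolled QEMU hosts may talk to the TPM

[mssim-command]
accept = 0.0.0.0:12321                      ; TLS listener exposed to the network (assumed port)
connect = 127.0.0.1:2321                    ; simulator's plaintext TPM command port (assumed)

[mssim-platform]
accept = 0.0.0.0:12322                      ; TLS listener for the platform/control channel (assumed port)
connect = 127.0.0.1:2322                    ; simulator's plaintext platform port (assumed)

; ---- QEMU host: stunnel in client mode, QEMU's mssim backend connects to loopback ----
client = yes
cert = /etc/stunnel/qemu-client.pem         ; client certificate presented to the server (assumed path)
key = /etc/stunnel/qemu-client.key          ; assumed path
CAfile = /etc/stunnel/mssim-server-ca.pem   ; CA that issued the server certificate
verifyChain = yes                           ; reject a server whose chain does not end at CAfile
checkHost = tpm-sim.example.internal        ; server certificate must name this host (assumed name)

[mssim-command]
accept = 127.0.0.1:2321                     ; QEMU is pointed at this loopback port instead of the remote server
connect = tpm-sim.example.internal:12321

[mssim-platform]
accept = 127.0.0.1:2322
connect = tpm-sim.example.internal:12322
```

Two points worth checking in such a setup. First, the TLS listener only helps if the simulator's own plaintext ports are unreachable from the network; otherwise a client can simply bypass stunnel. Second, with this layout every TPM command, including each PCR extend issued on the IMA path, crosses the tunnel and waits for the response before the guest continues, which is exactly the latency cost raised above; measuring it with the simulator on the same host versus across the network is the way to find out whether it matters for a given workload.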

