From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46916) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aLug6-0005nR-Va for qemu-devel@nongnu.org; Wed, 20 Jan 2016 10:28:12 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aLug3-000288-Oy for qemu-devel@nongnu.org; Wed, 20 Jan 2016 10:28:10 -0500 Received: from e37.co.us.ibm.com ([32.97.110.158]:44101) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aLug3-00027x-Fa for qemu-devel@nongnu.org; Wed, 20 Jan 2016 10:28:07 -0500 Received: from localhost by e37.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 20 Jan 2016 08:25:08 -0700 Received: from b03cxnp08026.gho.boulder.ibm.com (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18]) by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id B2FA13E4009E for ; Wed, 20 Jan 2016 08:25:04 -0700 (MST) Received: from d03av01.boulder.ibm.com (d03av01.boulder.ibm.com [9.17.195.167]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id u0KFP4aX29556744 for ; Wed, 20 Jan 2016 08:25:04 -0700 Received: from d03av01.boulder.ibm.com (localhost [127.0.0.1]) by d03av01.boulder.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id u0KFP4Q9031617 for ; Wed, 20 Jan 2016 08:25:04 -0700 Received: from d50lp31.co.us.ibm.com (d50lp31.boulder.ibm.com [9.17.249.32]) by d03av01.boulder.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id u0KFO0vW020649 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Wed, 20 Jan 2016 08:24:00 -0700 Message-Id: <201601201524.u0KFO0vW020649@d03av01.boulder.ibm.com> Received: from localhost by d50lp31.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 20 Jan 2016 08:24:00 -0700 Received: from /spool/local by smtp.notes.na.collabserv.com with smtp.notes.na.collabserv.com ESMTP for from ; Wed, 20 Jan 2016 15:23:52 -0000 In-Reply-To: <20160120145839.GB13215@redhat.com> From: "Stefan Berger" Date: Wed, 20 Jan 2016 10:23:50 -0500 References: <1451921002-8263-1-git-send-email-stefanb@us.ibm.com> <20160120145839.GB13215@redhat.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_alternative 0054957D85257F40_=" Subject: Re: [Qemu-devel] [PATCH v5 0/4] Extend TPM support with a QEMU-external TPM List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Daniel P. Berrange" Cc: mst@redhat.com, qemu-devel@nongnu.org, jb613w@att.com, quan.xu@intel.com, silviu.vlasceanu@gmail.com, hagen.lauer@huawei.com --=_alternative 0054957D85257F40_= Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="US-ASCII" "Daniel P. Berrange" wrote on 01/20/2016 09:58:39=20 AM: > Subject: Re: [Qemu-devel] [PATCH v5 0/4] Extend TPM support with a=20 > QEMU-external TPM >=20 > On Mon, Jan 04, 2016 at 10:23:18AM -0500, Stefan Berger wrote: > > The following series of patches extends TPM support with an > > external TPM that offers a Linux CUSE (character device in userspace) > > interface. This TPM lets each VM access its own private vTPM. >=20 > What is the backing store for this vTPM ? Are the vTPMs all > multiplexed onto the host's physical TPM or is there something > else going on ? The vTPM writes its state into a plain file. In case the user started the=20 vTPM, the user gets to choose the directory. In case of libvirt, libvirt=20 sets up the directory and starts the vTPM with the directory as a=20 parameter. The expectation for VMs (also containers) is that each VM can=20 use the full set of TPM commands with the vTPM and due to how the TPM=20 works, it cannot use the hardware TPM for that. SeaBIOS has been extended=20 with TPM 1.2 support and initializes the vTPM in the same way it would=20 initialize a hardware TPM. Regards, Stefan >=20 > Regards, > Daniel > --=20 > |: http://berrange.com -o- =20 http://www.flickr.com/photos/dberrange/ :| > |: http://libvirt.org -o- =20 http://virt-manager.org :| > |: http://autobuild.org -o- =20 http://search.cpan.org/~danberr/ :| > |: http://entangle-photo.org -o- =20 http://live.gnome.org/gtk-vnc :| >=20 --=_alternative 0054957D85257F40_= Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset="US-ASCII" "Daniel P. Berrange" <berrange@redhat.com&g= t; wrote on 01/20/2016 09:58:39 AM:


= > Subject: Re: [Qemu-devel] [PATCH v5 0/4] Extend TPM support with a
> QEMU-external TPM
>
> On Mon, Jan 04, 2016 at 10:23:18AM -0500, Stefan Berger = wrote:
> > The following series of patches extends TPM support wit= h an
> > external TPM that offers a Linux CUSE (character device i= n userspace)
> > interface. This TPM lets each VM access its own p= rivate vTPM.
>
> What is the backing store for this vTPM ? Are= the vTPMs all
> multiplexed onto the host's physical TPM or is there= something
> else going on ?

Th= e vTPM writes its state into a plain file. In case the user started the vTPM, the user gets to choose the directory. In case of libvirt, libvirt sets up the directory and starts the vTPM with the directory as a parameter. The expectation for VMs (also containers) is that each VM can use the full set of TPM commands with the vTPM and due to how the TPM works, it cannot use the hardware TPM for that. SeaBIOS has been extended with TPM 1.2 support and initializes the vTPM in the same way it would initialize a hardware TPM.

Regards,
   Stefan

>
> Regards,
> Daniel
= > --
> |: http://berrange.com    =  -o-    http://www.flickr.com/photos/dberrange/= :|
> |: http://libvirt.org             -o-     &nb= sp;       <= font size=3D2>http://virt-manager.org:|<= br>> |: h= ttp://autobuild.org      = -o-         http://search.cpan.org/~danberr/= :|
> |: http://entangle-photo.org      -o-       = http://live.gn= ome.org/gtk-vnc:|
>

--=_alternative 0054957D85257F40_=--