Date: Wed, 20 Jan 2016 15:42:09 +0000
From: "Daniel P. Berrange"
Message-ID: <20160120154209.GE13215@redhat.com>
References: <1451921002-8263-1-git-send-email-stefanb@us.ibm.com> <20160120145839.GB13215@redhat.com> <201601201523.u0KFNwOH000398@d01av04.pok.ibm.com>
In-Reply-To: <201601201523.u0KFNwOH000398@d01av04.pok.ibm.com>
Subject: Re: [Qemu-devel] [PATCH v5 0/4] Extend TPM support with a QEMU-external TPM
To: Stefan Berger
Cc: mst@redhat.com, qemu-devel@nongnu.org, jb613w@att.com, quan.xu@intel.com, silviu.vlasceanu@gmail.com, hagen.lauer@huawei.com

On Wed, Jan 20, 2016 at 10:23:50AM -0500, Stefan Berger wrote:
> "Daniel P. Berrange" wrote on 01/20/2016 09:58:39 AM:
>
> > Subject: Re: [Qemu-devel] [PATCH v5 0/4] Extend TPM support with a
> > QEMU-external TPM
> >
> > On Mon, Jan 04, 2016 at 10:23:18AM -0500, Stefan Berger wrote:
> > > The following series of patches extends TPM support with an
> > > external TPM that offers a Linux CUSE (character device in userspace)
> > > interface. This TPM lets each VM access its own private vTPM.
> >
> > What is the backing store for this vTPM ? Are the vTPMs all
> > multiplexed onto the host's physical TPM or is there something
> > else going on ?
>
> The vTPM writes its state into a plain file. In case the user started the
> vTPM, the user gets to choose the directory. In case of libvirt, libvirt
> sets up the directory and starts the vTPM with the directory as a
> parameter. The expectation for VMs (also containers) is that each VM can
> use the full set of TPM commands with the vTPM and due to how the TPM
> works, it cannot use the hardware TPM for that. SeaBIOS has been extended
> with TPM 1.2 support and initializes the vTPM in the same way it would
> initialize a hardware TPM.

So if it's using a plain file, then when snapshotting VMs we have to do
full copies of the file and keep them all around in sync with the disk
snapshots. By not having this functionality in QEMU we don't immediately
have a way to use qcow2 for the vTPM file backing store to deal with
snapshot management. The vTPM needs around snapshotting feel fairly
similar to the NVRAM needs, so it would be desirable to have an ability
to do a consistent thing for both.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|