[SeaBIOS] [PATCH v8 0/8] Add TPM support to SeaBIOS

Kevin O'Connor kevin at koconnor.net
Tue Aug 26 21:56:40 CEST 2014 

On Tue, Aug 26, 2014 at 03:13:11PM -0400, Stefan Berger wrote:
> "Kevin O'Connor" <kevin at koconnor.net> wrote on 08/26/2014 12:49:57 PM:
> > On Tue, Aug 26, 2014 at 12:07:54PM -0400, Stefan Berger wrote:
> > > The other aspect is that this extension propagates all the way into 
> higher 
> > > layers: libvirt would need an API and command
> > > line tool extension just to set this flag  and presumably use the QEMU 
> 
> > > monitor with a new command to indicate it.
> > > You want to be able to do this in a cloud environment, you need 
> another 
> > > API and/or GUI support in your cloud stack for doing
> > > just this...  I doesn't seem to become a lot easier this way.
> > 
> > Not easier.  But I don't think adding this menu to SeaBIOS is the
> > solution either.  As before, for the bulk of users it's just cryptic,
> > and for those rare users that do need it, it is not in a place they
> > want it.
> 
> Let me approach this all the way from the cloud user perspective:
> 
> One can add a TPM to a VM via an attribute to the image one wants to 
> deploy. So having a TPM attached to a VM
> would be an option. Libvirt can then create a slightly different XML that 
> instructs QEMU to show the SeaBIOS menu
> IF a TPM is attached. If no TPM is attached, no menu is shown, so no 
> changes here. I find this a useable solution
> that helps those that want a TPM to be attached to the VM and leaves 
> things as they are for those that don't.

If you're going to update libvirt (and cloud stack) for a "show the
TPM menu" flag.  Might as well just update libvirt (and stack) to set
the TPM enable/disable/clear setting directly.

>Besides that root gets too much
> control over VMs with attached TPMs running on a system if libvirt
> was to be extended with this kind of support. You could then set the
> above mentioned flags and see what happens when the VM gives up
> ownership the next time it boots...

I don't understand the above.  Root on the guest would have no such
ability.  Root on the host can't be stopped anyway..

-Kevin

More information about the SeaBIOS mailing list