Bug 1728030 - RFE: Add encryption of TPM emulator state
Summary: RFE: Add encryption of TPM emulator state
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-08 20:16 UTC by Marc-Andre Lureau
Modified: 2019-10-17 14:42 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-10-17 14:42:15 UTC
Embargoed:


Description Marc-Andre Lureau 2019-07-08 20:16:18 UTC
TPM emulator state contains sensitive data that can be encrypted thanks to swtpm support.

A proposal from Stefan Berger ([libvirt] Encrypted vTPM state) is to use XML similar to LUKS and the virSecret object framework:

    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'>
        <encryption format='vtpm'>
          <secret type='passphrase' uuid='32ee7e76-2178-47a1-ab7b-269e6e348015'/>
        </encryption>
      </backend>
    </tpm>

Comment 1 Marc-Andre Lureau 2019-10-17 14:42:15 UTC
Fixed in v5.6.0 (2019-08-05) 

Support encrypted soft TPM
    A soft TPM backend could be encrypted with a passphrase. Now libvirt supports using a secret object to hold the passphrase, and referring to it via the encryption element of the TPM device.
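Added example, not code from the bug report or from libvirt itself: the form that shipped in libvirt 5.6.0 differs from the proposal quoted above; the emulator backend carries `<encryption secret='UUID'/>` and the UUID refers to a secret object whose `<usage type='vtpm'>`. The script below builds both XML documents with the standard library and then checks a domain definition against the defined secrets the way a practitioner would before relying on it: the encryption element is present, the UUID is well formed and defined, the usage type is `vtpm`, and the secret is `private='yes'` (so the passphrase cannot be read back with `virsh secret-get-value`) and not ephemeral (an ephemeral secret is lost on libvirtd restart, and with it any way to decrypt the swtpm state). The UUID reuses the one quoted in the report; the secret name `VTPM_example` and the domain name are constructed for the example.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed example UUID (the one quoted in the bug report); any UUID works.
VTPM_SECRET_UUID = "32ee7e76-2178-47a1-ab7b-269e6e348015"


def build_secret_xml(secret_uuid, name):
    """Secret object that holds the vTPM state passphrase (libvirt 5.6.0 form).

    private='yes': the value can be set but never read back through the API.
    ephemeral='no': the secret is persisted, so the encrypted swtpm state can
    still be opened after libvirtd restarts.
    """
    secret = ET.Element("secret", ephemeral="no", private="yes")
    ET.SubElement(secret, "uuid").text = secret_uuid
    ET.SubElement(secret, "description").text = "vTPM state passphrase"
    usage = ET.SubElement(secret, "usage", type="vtpm")
    ET.SubElement(usage, "name").text = name
    return ET.tostring(secret, encoding="unicode")


def build_tpm_device_xml(secret_uuid, model="tpm-tis", encrypted=True):
    """<tpm> device for the domain XML; encrypted=False builds the weak form."""
    tpm = ET.Element("tpm", model=model)
    backend = ET.SubElement(tpm, "backend", type="emulator", version="2.0")
    if encrypted:
        ET.SubElement(backend, "encryption", secret=secret_uuid)
    return ET.tostring(tpm, encoding="unicode")


def build_domain_xml(tpm_xml, name="vtpm-guest"):
    """Minimal domain wrapper around the <tpm> device (constructed example)."""
    return f"<domain type='kvm'><name>{name}</name><devices>{tpm_xml}</devices></domain>"


def check_tpm_encryption(domain_xml, secret_xmls):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    dom = ET.fromstring(domain_xml)
    secrets = {}
    for sx in secret_xmls:
        s = ET.fromstring(sx)
        secrets[s.findtext("uuid")] = s

    for tpm in dom.iter("tpm"):
        backend = tpm.find("backend")
        if backend is None or backend.get("type") != "emulator":
            continue  # passthrough backends keep no libvirt-managed state
        enc = backend.find("encryption")
        if enc is None:
            findings.append("emulator TPM state is stored unencrypted")
            continue
        ref = enc.get("secret")
        try:
            uuid.UUID(ref)
        except (TypeError, ValueError):
            findings.append(f"encryption secret {ref!r} is not a valid UUID")
            continue
        s = secrets.get(ref)
        if s is None:
            findings.append(f"secret {ref} is not defined")
            continue
        usage = s.find("usage")
        if usage is None or usage.get("type") != "vtpm":
            findings.append(f"secret {ref} usage type is not 'vtpm'")
        if s.get("private") != "yes":
            findings.append(f"secret {ref} is not private; passphrase can be read back")
        if s.get("ephemeral") == "yes":
            findings.append(f"secret {ref} is ephemeral; passphrase is lost on libvirtd restart")
    return findings


SECRET_XML = build_secret_xml(VTPM_SECRET_UUID, "VTPM_example")
DOMAIN_XML = build_domain_xml(build_tpm_device_xml(VTPM_SECRET_UUID))
DOMAIN_PLAIN_XML = build_domain_xml(build_tpm_device_xml(VTPM_SECRET_UUID, encrypted=False))

if __name__ == "__main__":
    print(SECRET_XML)
    print(DOMAIN_XML)
    print("findings:", check_tpm_encryption(DOMAIN_XML, [SECRET_XML]))
    print("findings (no encryption element):", check_tpm_encryption(DOMAIN_PLAIN_XML, [SECRET_XML]))
```

The secret XML is what you feed to `virsh secret-define`; the value is then set separately with `virsh secret-set-value <uuid> <base64-passphrase>` so the passphrase never appears in the domain XML. Because the secret is private, the only copy of the passphrase outside libvirt's secret store is whatever backup you keep yourself.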
