[CentOS-virt] TPM

Wed Aug 29 14:39:18 UTC 2018
Stephen John Smoogen <smooge at gmail.com>

On Wed, 29 Aug 2018 at 10:25, Dag Nygren <dag at newtech.fi> wrote:
> On onsdag 29 augusti 2018 kl. 15:37:47 EEST Alvin Starr wrote:
> > You could try using Xen.
> > A quick search implies that Xen from 4.3 onward will virtualize TPM.
> > I am not sure if the libvirt drivers for xen will support the feature
> > but some work around may be possible.
> Nice attitude and helpfulness in this list!
> Just had a look and it doesn't seem to be that an intrusive
> change going from QEMU to XEN.
> pacemaker,corosync and libvirt all seem to isolate
> the engine and most settings should work as is.
> Anyone here with an experience in transitioning QEMU -> XEN ?

That is a major change. Xen uses a model of

[Hardware] <- [Xen MK] -> [Domain0]
                       -> [Domain1]
and Qemu

[Hardware] <- [Linux] -> [Qemu] -> [Domain1]
                                -> [Domain2]

This isn't earth shattering and the other tools you mentioned are passive
about using one or the other. In either case though access to the TPM is
not easy.
http://www.cse.psu.edu/~pdm12/cse544/slides/cse544-schiffman-vTPM.pdf goes
through some of the problems. You need to be aware of the limitations of
the specific TPM your hardware has, and what you are giving up in the trust
model with any vTPM [aka your virtual machine can't move from its server,
your TPM isn't real and can possibly looked at by other guests, etc etc.]

> Best
> Dag
> _______________________________________________
> CentOS-virt mailing list
> CentOS-virt at centos.org
> https://lists.centos.org/mailman/listinfo/centos-virt

Stephen J Smoogen.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-virt/attachments/20180829/343106eb/attachment-0006.html>