Hi

On Wed, Nov 13, 2024 at 9:40 PM Stefan Berger <stef...@linux.ibm.com> wrote:
>
> Upcoming libtpms v0.10 and swtpm v0.10 will have TPM profile support that
> allows to restrict a TPM's provided set of crypto algorithms and commands
> and through which backwards compatibility and migration from newer versions
> of libtpms to older ones (up to libtpms v0.9) is supported. For the latter
> to work it is necessary that the user chooses the right ('null') profile.
>
> This series adds support for passing a profile choice to swtpm_setup by
> setting it in the domain XML using the <profile/> XML node. An optional
> attribute 'remove_disabled' can be set in this node and accepts two values:
>
> "check": test a few crypto algorithms (tdes, camellia, unpadded encryption,
>          and others) for whether they are currently disabled due to FIPS
>          mode on the host and remove these algorithms in the 'custom'
>          profile if they are disabled;
> "fips-host": do not test but remove all the possibly disabled crypto
>              algorithms (from list above)
>
> Also extend the documentation but point the user to swtpm and libtpms
> documentation for further details.
>
> Following Daniel's suggestions, there's now a PR for swtpm_setup to support
> searching for profiles through a configurable local directory, distro
> directory and if no profile could be found there (with appended
> ".json" suffix) it will fall back to try to use a built-in profile by
> the provided name: https://github.com/stefanberger/swtpm/pull/918
>
>     Stefan
>
> v4:
>  - Renamed previous 'name' attribute in profile XML node to 'source'
>    to indicate that the profile was created from some sort of 'source'.
>    The 'name' is now set from the name of the profile read from the
>    swtpm instance's state once it has been created.

This difference between 'source' and 'name' is not described in the
domain xml documentation.

Also the doc still has 10.??.0.

thanks
