On 5/13/20 12:45 PM, Stefan Berger wrote:
[...]

I think users need to understand that a pSeries guest will not benefit from 
this but only a pSeries guest that is a secure virtual machine that needs 
special hardware to run and where there is an Ultravisor. Everyone would want 
more security for their pSeries guest, especially if it comes for free. 
Unfortunately this is not the case and one needs new hardware...


True. I propose this wording:

          <span class="since">Since 6.4.0</span>, a new model called
          <code>spapr-tpm-proxy</code> was added for pSeries guests. This model
          only works with the 'passthrough' backend. It creates a TPM Proxy
          device that communicates with an existing TPM Resource Manager in the host,
          for example /dev/tpmrm0, to enable secure virtual machine support for the
          guest with the help of an Ultravisor. Adding a TPM Proxy to a pSeries guest
          brings no security benefits unless the guest is running in a PPC64 host that
          has Ultravisor support and access to a TPM Resource Manager. Only one TPM
          Proxy device is allowed per guest, but a TPM Proxy device can be added together
          with other TPM devices.


If you agree, I'll use a similar text in the news.xml changes (patch 8/8) as well.


Thanks,


DHB




