From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Stefan Reiter <s.reiter@proxmox.com>
Subject: Re: [pve-devel] [RFC 0/2] Initial TPM support for VMs
Date: Fri, 16 Jul 2021 11:48:03 +0200 [thread overview]
Message-ID: <f8302408-569a-0b8f-da11-efddd8827a7b@proxmox.com> (raw)
In-Reply-To: <20210715142319.1457131-1-s.reiter@proxmox.com>
On 15.07.21 16:23, Stefan Reiter wrote:
> Design decision: 'swtpm' requires a *directory* per VM to store data, the files
> themselves are rather small (8.5kB for an initialized TPM 2.0 w/ BitLocker
> enabled). To allow for easier HA I went with a path in '/etc/pve/priv' for now,
> but that comes with it's own drawbacks. For example, a guest may write TPM state
> as often as they like, and Windows seems to do so every few seconds at random.
> (note: swtpm writes a temporary file and then uses atomic replace)
>
> Other ideas for this:
> * store in regular path, e.g. '/var/lib' - how to do HA? (note that
> live-migration works regardless, since the state is transferred via QEMU)
> * treat like efidisk and allow any storage - would be my favourite, but as said,
> swtpm requires a directory, not a single file...
>
> Missing feature/known issues:
> * backups and offline-snapshots don't include TPM data
> * migration may hickup, since destination and target are effectively "the same"
> * needs improved clearing logic, or potentially none at all (would be a benefit
> for the "efidisk-like" variant)
For the record, I talked about this with Stefan yesterday before he left for vacation,
and while the size seems pretty much OK for a file on pmxcfs the frequent updates are
just a no go, so that approach is NAK'd (not only be me, Dietmar voiced his objections
too).
I recommended asking swtpm upstream if they'd accept options for passing a explicit
TPM state-file and a separate run-state dir for the swtpm locks and state (we wouldn't
even need the swtmp locks as access synchronization of the state-file would be already
by the pve-storage stack locks, but I do not care much for those as there'd be no
contention anyway).
Then we can put the actual state on a volume similar to EFI disks and the ephemeral
run-state somewhere in "/run/qemu-server/$vmid.swtpm/", with that we got snapshots,
migrations (when local storage is used) and backups covered to rather easily.
If upstream is reluctant then an idea would be to either patch it ourself or use the
libtpms to write a replacement tool in rust, but as said, I'd always try to discuss
our needs with upstream first - IMO other (clustered) hyper-visor systems won't be to
happy as is either.
prev parent reply other threads:[~2021-07-16 9:48 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-15 14:23 Stefan Reiter
2021-07-15 14:23 ` [pve-devel] [RFC edk2-firmware 1/2] enable TPM and TPM2 support Stefan Reiter
2021-07-15 14:23 ` [pve-devel] [RFC qemu-server 2/2] fix #3075: add TPM v1.2 and v2.0 support via swtpm Stefan Reiter
2021-07-16 14:47 ` alexandre derumier
2021-08-09 18:17 ` Nick Chevsky
2021-08-10 7:48 ` Stefan Reiter
2021-07-16 9:48 ` Thomas Lamprecht [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f8302408-569a-0b8f-da11-efddd8827a7b@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=s.reiter@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox