On 11/3/25 07:09, Rene Ribaud wrote:
>
> [...]
>
> #### vTPM Live Migration ####
>
> The team reviewed how to handle TPM secret security policies during
> instance operations.
> Changing the assigned policy during resize is not supported, as it adds
> complexity and can lead to image/flavor conflicts.
> Rebuilds are already blocked for vTPM instances, so once a policy is set
> via resize, it remains locked in.
> Existing instances from previous releases are unaffected.
>
> ✅ Do not allow changing the TPM secret security policy after assignment.
> ✅ Remove the option to select the policy from the image for simplicity.
> ✅ Default policy is “user”, but compute nodes support all policies by
> default.
> ✅ Document in the spec and release notes that deployers must define
> flavors with |hw:tpm_secret_security| if they want to enable this.
> ✅ Mention that |[libvirt]supported_tpm_secret_security = ['user',
> 'host', 'deployment']| can be adjusted by operators.
>
> [...]
>
Just a small correction to the summary here.

We agreed to _enable_ changing the assigned TPM secret security policy
via resize for both pre-existing and new instances. Removing the ability
to select the policy from the image lets us avoid flavor/image conflict
issues.

Cheers,
-melwitt