[nova] TPM passthrough
mnaser at vexxhost.com
Thu Jun 20 14:44:47 UTC 2019
On Thu, Jun 20, 2019 at 10:40 AM Jim Rollenhagen <jim at jimrollenhagen.com> wrote:
> Hey y'all,
> We have an internal use case which requires a VM with a TPM, to be used to
> store a private key. Libvirt has two ways to present a TPM to a VM: passthrough
> or emulated. Per kashyap and the #qemu IRC channel, libvirt stores the TPM's
> state on disk, unencrypted. Our risk profile includes "someone walks away with
> a disk", so this won't work for our use case.
> The QEMU devs have asked for RFEs to implement vTPMs where the state never
> touches the disk, so I have hopes that this will be done eventually.
> However, I suspect that this will still take some time, especially as nobody
> has volunteered to actually do the work yet. So, I'd like to propose we
> implement TPM passthrough in Nova. My team is happy to do the work, but I'd
> love some guidance as to the best way to implement this so we can get a spec
> done (I assume it's "just another resource class"?).
Would it be using this? I'm just trying to gauge out what TPM passthrough
involves out of personal curiosity.
> If Nova doesn't want this feature in, and would rather just wait for the
> features in QEMU, we'll carry it downstream, I guess. :)
> // jim
Mohammed Naser — vexxhost
D. 800-910-1726 ext. 200
E. mnaser at vexxhost.com
More information about the openstack-discuss