[nova] TPM passthrough

Jim Rollenhagen jim at jimrollenhagen.com
Thu Jun 20 14:57:23 UTC 2019

On Thu, Jun 20, 2019 at 10:44 AM Mohammed Naser <mnaser at vexxhost.com> wrote:

> On Thu, Jun 20, 2019 at 10:40 AM Jim Rollenhagen <jim at jimrollenhagen.com> wrote:
> >
> > Hey y'all,
> >
> > We have an internal use case which requires a VM with a TPM, to be used to
> > store a private key. Libvirt has two ways to present a TPM to a VM: passthrough
> > or emulated. Per kashyap and the #qemu IRC channel, libvirt stores the TPM's
> > state on disk, unencrypted. Our risk profile includes "someone walks away with
> > a disk", so this won't work for our use case.
> >
> > The QEMU devs have asked for RFEs to implement vTPMs where the state never
> > touches the disk, so I have hopes that this will be done eventually.
> >
> > However, I suspect that this will still take some time, especially as nobody
> > has volunteered to actually do the work yet. So, I'd like to propose we
> > implement TPM passthrough in Nova. My team is happy to do the work, but I'd
> > love some guidance as to the best way to implement this so we can get a spec
> > done (I assume it's "just another resource class"?).
>
> https://wiki.qemu.org/Features/TPM
>
> Would it be using this?  I'm just trying to gauge out what TPM passthrough
> involves out of personal curiosity.
>

Yes, though I think those notes are from before it was implemented.

Here's the libvirt XML to make it work:
https://libvirt.org/formatdomain.html#elementsTpm

I assume we'd just translate a TPM resource class in the flavor to this XML,
but I'm hoping a nova developer can confirm this. :)

// jim
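To make the "TPM resource class in the flavor to libvirt XML" translation concrete, here is an added Python example (it is not Nova code and not from the thread) that builds the libvirt `<tpm>` element for the passthrough and emulator backends and flags the one whose state is kept in files on the host disk; the extra_spec keys `resources:TPM` and `hw:tpm_mode` and the flavors are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed flavor extra_specs. The key names are assumptions for illustration;
# the thread had not settled on a real Nova resource class or spec key yet.
FLAVOR_PASSTHROUGH = {"resources:TPM": "1", "hw:tpm_mode": "passthrough"}
FLAVOR_EMULATED = {"resources:TPM": "1", "hw:tpm_mode": "emulated"}
FLAVOR_NO_TPM = {"hw:cpu_policy": "shared"}


def tpm_device_xml(extra_specs, host_device="/dev/tpm0"):
    """Translate a flavor's TPM request into the libvirt <tpm> element.

    Returns None when the flavor requests no TPM. Passthrough hands the host's
    physical TPM character device to the guest; 'emulated' selects libvirt's
    emulator backend, whose state lives in files on the host's disk.
    """
    if extra_specs.get("resources:TPM", "0") == "0":
        return None
    mode = extra_specs.get("hw:tpm_mode", "passthrough")
    tpm = ET.Element("tpm", model="tpm-tis")
    if mode == "passthrough":
        backend = ET.SubElement(tpm, "backend", type="passthrough")
        ET.SubElement(backend, "device", path=host_device)
    elif mode == "emulated":
        ET.SubElement(tpm, "backend", type="emulator", version="2.0")
    else:
        raise ValueError("unknown hw:tpm_mode %r" % mode)
    return ET.tostring(tpm, encoding="unicode")


def tpm_state_on_host_disk(tpm_xml):
    """True when the <tpm> backend keeps its state in host files (emulator).

    This is the property the thread rules out for the "someone walks away with
    a disk" risk; passthrough keeps the key material inside the physical TPM.
    """
    backend = ET.fromstring(tpm_xml).find("backend")
    return backend is not None and backend.get("type") == "emulator"


def host_tpm_inventory(host_devices):
    """Placement-style inventory for the host: a passed-through TPM device can
    back only one guest at a time, so each device node is a single unit."""
    return {"TPM": {"total": len(host_devices), "max_unit": 1}}
```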