| Message ID | 20210504124842.220445-2-jandryuk@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | vtpmmgr: Some fixes - still incomplete | expand |
On 04/05/2021 13:48, Jason Andryuk wrote: > The vtpmmgr TPM 2.0 support is incomplete. Add a warning about that to > the documentation so others don't have to work through discovering it is > broken. > > Signed-off-by: Jason Andryuk <jandryuk@gmail.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> This is definitely the kind of health warning needed for people playing this area.
On 5/4/21 8:48 AM, Jason Andryuk wrote: > The vtpmmgr TPM 2.0 support is incomplete. Add a warning about that to > the documentation so others don't have to work through discovering it is > broken. > > Signed-off-by: Jason Andryuk <jandryuk@gmail.com> > --- Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com> > docs/man/xen-vtpmmgr.7.pod | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/docs/man/xen-vtpmmgr.7.pod b/docs/man/xen-vtpmmgr.7.pod > index af825a7ffe..875dcce508 100644 > --- a/docs/man/xen-vtpmmgr.7.pod > +++ b/docs/man/xen-vtpmmgr.7.pod > @@ -222,6 +222,17 @@ XSM label, not the kernel. > > =head1 Appendix B: vtpmmgr on TPM 2.0 > > +=head2 WARNING: Incomplete - cannot persist data > + > +TPM 2.0 support for vTPM manager is incomplete. There is no support for > +persisting an encryption key, so vTPM manager regenerates primary and secondary > +key handles each boot. > + > +Also, the vTPM manger group command implementation hardcodes TPM 1.2 commands. > +This means running manage-vtpmmgr.pl fails when the TPM 2.0 hardware rejects > +the TPM 1.2 commands. vTPM manager with TPM 2.0 cannot create groups and > +therefore cannot persist vTPM contents. > + > =head2 Manager disk image setup: > > The vTPM Manager requires a disk image to store its encrypted data. The image >
diff --git a/docs/man/xen-vtpmmgr.7.pod b/docs/man/xen-vtpmmgr.7.pod index af825a7ffe..875dcce508 100644 --- a/docs/man/xen-vtpmmgr.7.pod +++ b/docs/man/xen-vtpmmgr.7.pod @@ -222,6 +222,17 @@ XSM label, not the kernel. =head1 Appendix B: vtpmmgr on TPM 2.0 +=head2 WARNING: Incomplete - cannot persist data + +TPM 2.0 support for vTPM manager is incomplete. There is no support for +persisting an encryption key, so vTPM manager regenerates primary and secondary +key handles each boot. + +Also, the vTPM manger group command implementation hardcodes TPM 1.2 commands. +This means running manage-vtpmmgr.pl fails when the TPM 2.0 hardware rejects +the TPM 1.2 commands. vTPM manager with TPM 2.0 cannot create groups and +therefore cannot persist vTPM contents. + =head2 Manager disk image setup: The vTPM Manager requires a disk image to store its encrypted data. The image
The vtpmmgr TPM 2.0 support is incomplete. Add a warning about that to the documentation so others don't have to work through discovering it is broken. Signed-off-by: Jason Andryuk <jandryuk@gmail.com> --- docs/man/xen-vtpmmgr.7.pod | 11 +++++++++++ 1 file changed, 11 insertions(+)