docs: Add documentation for the TPM backend profile node

Add documentation for the TPM backend profile node and point the reader to further documentation about TPM profiles available in the swtpm man page. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2024-12-22 05:35:25 +00:00 · 2024-11-13 12:39:47 -05:00 · 2024-11-13 12:39:47 -05:00 · 526f08da62
commit 526f08da62
parent 90c40d3b9c
1 changed files with 30 additions and 0 deletions
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@ -8135,6 +8135,7 @@ Example: usage of the TPM Emulator
           <active_pcr_banks>
               <sha256/>
           </active_pcr_banks>
+           <profile source='local:restricted' removeDisabled='check'/>
         </backend>
       </tpm>
     </devices>
@ -8229,6 +8230,35 @@ Example: usage of the TPM Emulator
   and may not have any effect otherwise. The selection of PCR banks only works
   with the ``emulator`` backend. :since:`Since 7.10.0`

+``profile``
+   The ``profile`` node is used to set a profile for a TPM 2.0 given in the
+   source attribute. This profile will be set when the TPM is initially
+   created and after that cannot be changed anymore. If no profile is provided,
+   then swtpm will use the latest built-in 'default' profile or the default
+   profile set in swtpm_setup.conf. Otherwise swtpm_setup will search for a
+   profile with the given name with appended .json suffix in a configurable
+   local and then in a distro directory. If none could be found in either, it
+   will fall back trying to use a built-in one.
+
+   The built-in 'null' profile provides backwards compatibility with
+   libtpms v0.9 but also restricts the user to use only TPM features that were
+   available at the time of libtpms v0.9. The built-in 'custom' profile is the
+   only profile that a user can modify and where the ``removeDisabled``
+   attribute has any effect. This attribute is particularly useful when a host
+   is running in FIPS mode and therefore some crypto algorithms (camellia,
+   tdes, unpadded RSA encryption, 1024-bit RSA keys, and others) are
+   disabled. When it is set to ``check`` (recommended) then only those
+   algorithms that are currently disabled will automatically be removed from
+   the 'custom' profile, while when it is set to ``fips-host`` then all
+   potentially disabled algorithms will be removed. :since:`Since 10.??.0`
+
+   TPM profiles provided by a distro can be referenced with the 'distro:'
+   prefix. Locally created TPM profiles can be referenced with the
+   'local:' prefix.
+
+   For further information about TPM profiles see the man pages for ``swtpm``
+   (swtpm v0.10).
+
 ``encryption``
   The ``encryption`` element allows the state of a TPM emulator to be
   encrypted. The ``secret`` must reference a secret object that holds the