Add vTPM specification #1293
Add vTPM specification #1293
Conversation
Add the vTPM specification to the documentation, config.go, and
schema description. The following is an example of a vTPM description
that is found under the path /linux/resources/vtpms:
"vtpms": [
{
"statePath": "/var/lib/runc/myvtpm1",
"vtpmVersion": "2",
"createCerts": false,
"runAs": "tss",
"pcrBanks": "sha1,sha512"
}
]
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
everzakov
requested review from
AkihiroSuda,
crosbymichael,
cyphar,
dqminh,
giuseppe,
hqhq,
kolyshkin,
mrunalp,
thaJeztah,
tianon and
utam0k
as code owners
… the container Signed-off-by: Efim Verzakov <efimverzakov@gmail.com>
|
If I understand correctly, the idea is that a runtime is expected to start an instance of This is perhaps mirroring some of the concerns expressed in #920, but what's the benefit of doing that over running To maybe help explain why this makes me nervous, what do we do if the container dies? The runtime is typically long gone at that point, so what makes sure Another aspect is how non-container runtimes (VMs, etc) are expected to implement this. If they can't support this, they should probably simply error, right? The same if So in short, why is the runtime layer the appropriate place for this and not, say, the orchestrators like containerd, Docker, kubernetes, etc? |
Add the vTPM (virtual Trusted Platform Module) specification to the documentation, config.go and schema description. Runtime uses this specification to create vTPMs and pass them to the container. This virtual module can be used to create quotes, signatures and perform Direct Anonymous Attestation.
Also, users can specify that vTPM should be manufactured with precreated certs / activated PCR banks and populated Endorsement Key Pair.
The following is an example of a vTPM description that is found under the path /linux/resources/vtpms:
This PR is based on #920