[RFE] Expose supported TPM version in domCapabilities (via 'swtpm')
Description of problem
It can be useful to management applications to query for supported TPM (Trusted Platform Module) via libvirt's domCapabilities API.
Some Linux distributions (e.g. RHEL 9) have deprecated/removed support for TPM 1.2 (as it is tied to SHA-1).
It looks like libvirt already probes the swtpm binary for capabilities, and swtpm_setup already exposes the info that can be used by higher-level management tools. (The below is from Fedora 36.)
$> swtpm_setup --print-capabilities | jq
{
  "type": "swtpm_setup",
  "features": [
    "tpm-1.2",
    "tpm-2.0",
    "cmdarg-keyfile-fd",
    "cmdarg-pwdfile-fd",
    "tpm12-not-need-root",
    "cmdarg-write-ek-cert-files",
    "cmdarg-create-config-files",
    "cmdarg-reconfigure-pcr-banks",
    "tpm2-rsa-keysize-2048",
    "tpm2-rsa-keysize-3072"
  ],
  "version": "0.7.3"
}
(Thanks: Andrea Bolognani for a discussion on this.)
Edited by Kashyap Chamarthy
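Added example (not part of the original issue and not libvirt code): how a management tool could derive the supported TPM versions from the `swtpm_setup --print-capabilities` JSON quoted above and refuse a guest TPM version the host cannot emulate. The function names and the second sample (a build without `tpm-1.2`) are assumptions constructed for illustration.

```python
import json
import shutil
import subprocess

# Subset of the Fedora 36 output quoted in the issue.
FEDORA36_CAPS = """{"type": "swtpm_setup", "version": "0.7.3", "features":
  ["tpm-1.2", "tpm-2.0", "tpm12-not-need-root",
   "tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072"]}"""
# Constructed sample: hypothetical build with TPM 1.2 support removed.
NO_TPM12_CAPS = """{"type": "swtpm_setup", "version": "0.0.0", "features":
  ["tpm-2.0", "tpm2-rsa-keysize-2048"]}"""


def parse_tpm_caps(raw):
    """Extract TPM versions and TPM 2.0 RSA key sizes from capabilities JSON."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"capabilities are not valid JSON: {exc}") from exc
    if not isinstance(doc, dict) or doc.get("type") != "swtpm_setup":
        raise ValueError("not swtpm_setup capabilities output")
    feats = doc.get("features")
    if not isinstance(feats, list):
        raise ValueError("capabilities carry no 'features' list")
    feats = [f for f in feats if isinstance(f, str)]
    ks = "tpm2-rsa-keysize-"
    return {
        # "tpm-1.2" / "tpm-2.0" name versions; "tpm12-..." / "tpm2-..." do not.
        "versions": sorted(f[4:] for f in feats if f.startswith("tpm-")),
        "rsa_keysizes": sorted(int(f[len(ks):]) for f in feats
                               if f.startswith(ks) and f[len(ks):].isdigit()),
    }


def check_requested_version(raw, requested):
    """Fail closed when the guest asks for a TPM version the host lacks."""
    versions = parse_tpm_caps(raw)["versions"]
    if requested not in versions:
        raise ValueError(f"TPM {requested} unsupported; host offers {versions}")
    return requested


def probe_host():
    """Query the local swtpm_setup binary; returns None if it is not installed."""
    exe = shutil.which("swtpm_setup")
    if exe is None:
        return None
    out = subprocess.run([exe, "--print-capabilities"], capture_output=True,
                         text=True, check=True, timeout=10)
    return parse_tpm_caps(out.stdout)
```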