On 11/2/21 05:38, Michal Prívozník wrote:
> On 11/1/21 6:23 PM, Stefan Berger wrote:
>
> So this runs reconfigure on every cold boot of a guest. I wonder whether there's a way to run it just once, when activePcrBanks have changed. For instance, in qemuDomainDefineXMLFlags() the @oldDef is set to the old domain definition and maybe we can use that to compare activePcrBanks and run reconfigure at that time? That won't cover transient domains though, nor would it cover domains which are persistent but are started with a different XML (yes, as horrible as it sounds, you can 'virsh define dom1.xml && virsh create dom2.xml' where dom1.xml and dom2.xml have nothing in common except domain <name/> and <uuid/>).
I think enforcing what is shown in the XML is the simplest solution. Whatever the user may have done inside the VM, such as using the firmware menu to reconfigure the active PCR banks, doesn't matter, since what will be enforced the next time the VM is cold-started is what is shown in the XML. Otherwise it's documented how it behaves.
Stefan