On Mon, 2022-12-12 at 13:58 -0500, Stefan Berger wrote:
> On 12/12/22 13:48, James Bottomley wrote:
> > On Mon, 2022-12-12 at 11:59 -0500, Stefan Berger wrote:
> > > On 12/12/22 11:38, James Bottomley wrote:
[...]
> > > > the kernel use of the TPM, but I'm trying to fix that. The
> > > > standard mssim server is too simplistic to do transport layer
> > > > security, but like everything that does this (or rather doesn't
> > > > do this), you can front it with stunnel4.
> > >
> > > And who or what is going to set this up?
> >
> > I'm not sure I understand the question. Stunnel4 is mostly used to
> > convert unencrypted proxies like imap on 143 or smtp on 25 to the
> > secure version. Most people who run servers are fairly familiar
> > with using it. It's what IBM used for encrypted migration
> > initially. You can run stunnel on both ends, or the qemu side
> > could be built in using the qemu tls-creds way of doing things but
> > anything running the standard MS server would have to front it with
> > stunnel still.
>
> So it's up to libvirt to set up stunnel to support a completely
> different setup than what it has for swtpm already?

I don't think so, no. Libvirt doesn't usually help with server setup
(witness the complexity of setting up a server side vtpm proxy) so in
the case tls-creds were built in, it would just work if the object is
specified. The complexity is all on the server side to front it with
stunnel.

James
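What "fronting the MS server with stunnel on both ends" looks like in practice, as an added example that is not part of the thread and not configuration shipped by QEMU, libvirt or the simulator: one stunnel instance on the simulator host terminates TLS and forwards plaintext to the simulator on loopback; a second instance on the QEMU host accepts plaintext on loopback and opens the TLS connection. The simulator's conventional command and platform ports (2321 and 2322) are real; the hostname tpm-host.example, the external ports 12321/12322, and every certificate path are assumptions. Both sides use client certificates and chain verification so that a stray TLS listener on the network is rejected rather than silently used.

```ini
; ---- File 1: /etc/stunnel/tpm-server.conf on the host running mssim ----
; Terminates TLS from QEMU hosts and hands plaintext to the simulator,
; which must only be reachable on 127.0.0.1 (the unencrypted hop).
foreground = yes
sslVersionMin = TLSv1.2

[tpm-command]
accept  = 0.0.0.0:12321            ; assumed external TLS port
connect = 127.0.0.1:2321           ; simulator command port, loopback only
cert    = /etc/stunnel/tpm-server.pem   ; assumed server cert
key     = /etc/stunnel/tpm-server.key   ; assumed server key
CAfile  = /etc/stunnel/client-ca.pem    ; CA that issued client certs
verifyChain = yes                  ; reject clients without a valid cert

[tpm-platform]
accept  = 0.0.0.0:12322            ; assumed external TLS port
connect = 127.0.0.1:2322           ; simulator platform port, loopback only
cert    = /etc/stunnel/tpm-server.pem
key     = /etc/stunnel/tpm-server.key
CAfile  = /etc/stunnel/client-ca.pem
verifyChain = yes

; ---- File 2: /etc/stunnel/tpm-client.conf on the QEMU host ----
; Presents the simulator's ports on loopback so an unmodified mssim
; client (or QEMU pointed at localhost) never speaks plaintext off-host.
foreground = yes
client = yes
sslVersionMin = TLSv1.2

[tpm-command]
accept  = 127.0.0.1:2321           ; what the local TPM client connects to
connect = tpm-host.example:12321   ; assumed remote stunnel listener
cert    = /etc/stunnel/tpm-client.pem   ; assumed client cert (with key)
CAfile  = /etc/stunnel/server-ca.pem    ; CA that issued the server cert
verifyChain = yes                  ; verify the server chains to server-ca
checkHost = tpm-host.example       ; and that its cert names the host

[tpm-platform]
accept  = 127.0.0.1:2322
connect = tpm-host.example:12322
cert    = /etc/stunnel/tpm-client.pem
CAfile  = /etc/stunnel/server-ca.pem
verifyChain = yes
checkHost = tpm-host.example
```

Run each side with `stunnel /etc/stunnel/tpm-server.conf` and `stunnel /etc/stunnel/tpm-client.conf` respectively. The point to check before relying on this is the plaintext hop: the simulator's own listeners on 2321/2322 must not be reachable from anything except the local stunnel, so confirm with `ss -ltn` on the simulator host that they are bound to 127.0.0.1, or firewall them, since TLS on 12321/12322 buys nothing if the raw ports remain open.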