On Mon, 2022-12-12 at 13:58 -0500, Stefan Berger wrote:
On 12/12/22 13:48, James Bottomley wrote:
On Mon, 2022-12-12 at 11:59 -0500, Stefan Berger wrote:
On 12/12/22 11:38, James Bottomley wrote:
[...]
the kernel use of the TPM, but I'm trying to fix that. The
standard mssim server is too simplistic to do transport layer
security, but like everything that does this (or rather doesn't
do this), you can front it with stunnel4.
And who or what is going to set this up?
I'm not sure I understand the question. Stunnel4 is mostly used to
convert unencrypted proxies like imap on 143 or smtp on 25 to the
secure version. Most people who run servers are fairly familiar
with using it. It's what IBM used for encrypted migration
initially. You can run stunnel on both ends, or the qemu side
could be built in using the qemu tls-creds way of doing things but
anything running the standard MS server would have to front it with
stunnel still.
So it's up to libvirt to setup stunnel to support a completely
different setup than what it has for swtpm already?
I don't think so, no. Libvirt doesn't usually help with server setup
(witness the complexity of setting up a server side vtpm proxy) so in
the case tls-creds were built in, it would just work if the object is