Daniel Berrangé
> > IIUC, in a common public cloud environment the CA cert used for signing the vTPM certs is going to be common across every VM the cloud creates. IOW, different...
> 3\. Point 2) really shouldn't be an issue since things are tied together via signatures, certificates, and certificate contents: the certificates of the TPM are tied to the CA...
The /var/lib/libvirt/images directory is the default path that libvirt defines for storage. Any distro that has a policy denying use of that directory is seriously broken and needs to be...
Thanks for highlighting the -fw_cfg parameter usage here. I should point out that although this is exposed to the end user via -fw_cfg, and looks like a convenient way to...
@cpaelzer nothing to do from security pov since the data is passed inline, no references to external files on disk, so there is nothing to grant access to.
@dgonyeo thanks for testing that, you've uncovered a horrible bug in QEMU. While SMBIOS has no limit on string length, QEMU's command line option parser is arbitrarily truncating options at...
> I was very excited to learn that [Libvirt](https://gitlab.com/libvirt/libvirt) team uses Cirrus CI (via GitLab via cirrus-run) to execute their FreeBSD and macOS builds [for a couple of months already](https://www.mail-archive.com/[email protected]/msg201902.html)!...
FYI, GitLab has now dramatically reduced the number of CI minutes available to GitLab CI pipelines, by several orders of magnitude. As an unfortunate result, the cirrus-run approach to triggering...
> 1. Use verity, encode the root hash in the kernel cmdline embedded to a unified kernel image. This is of course incompatible with systems which deploy RPM for OS...
> The point is that if you are trying to stop local modifications, simply changing systemd is not going to be enough. Anything with root can mount anything wherever they...