From nobody Wed May 14 11:41:09 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1522965384862900.5901432331605; Thu, 5 Apr 2018 14:56:24 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4FE9283F43; Thu, 5 Apr 2018 21:56:23 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2BE2B60182; Thu, 5 Apr 2018 21:56:23 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 62FC11800CA0; Thu, 5 Apr 2018 21:56:22 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w35LuLpb021505 for ; Thu, 5 Apr 2018 17:56:21 -0400 Received: by smtp.corp.redhat.com (Postfix) id 95BC67D910; Thu, 5 Apr 2018 21:56:21 +0000 (UTC) Received: from mx1.redhat.com (ext-mx01.extmail.prod.ext.phx2.redhat.com [10.5.110.25]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8C9A87D921 for ; Thu, 5 Apr 2018 21:56:20 +0000 (UTC) Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id F2F2481F0C for ; Thu, 5 Apr 2018 21:56:18 +0000 (UTC) Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w35LsNSF082076 for ; Thu, 5 Apr 2018 17:56:18 -0400 Received: from e37.co.us.ibm.com (e37.co.us.ibm.com [32.97.110.158]) by mx0b-001b2d01.pphosted.com with ESMTP id 2h5u6sj1nv-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Thu, 05 Apr 2018 17:56:18 -0400 Received: from localhost by e37.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 5 Apr 2018 15:56:17 -0600 Received: from b03cxnp08026.gho.boulder.ibm.com (9.17.130.18) by e37.co.us.ibm.com (192.168.1.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 5 Apr 2018 15:56:16 -0600 Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w35LuFvD10944950; Thu, 5 Apr 2018 14:56:15 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C440F136046; Thu, 5 Apr 2018 15:56:15 -0600 (MDT) Received: from sbct-3.watson.ibm.com (unknown [9.47.158.153]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id 79D0913603C; Thu, 5 Apr 2018 15:56:15 -0600 (MDT) From: Stefan Berger To: libvir-list@redhat.com Date: Thu, 5 Apr 2018 17:56:05 -0400 In-Reply-To: <1522965366-836-1-git-send-email-stefanb@linux.vnet.ibm.com> References: <1522965366-836-1-git-send-email-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18040521-0024-0000-0000-0000182F9B66 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00008810; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000256; SDB=6.01013642; UDB=6.00516697; IPR=6.00792902; MB=3.00020438; MTD=3.00000008; XFM=3.00000015; UTC=2018-04-05 21:56:16 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18040521-0025-0000-0000-00004F66FCBD Message-Id: <1522965366-836-6-git-send-email-stefanb@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-04-05_09:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=43 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1804050222 X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 207 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Thu, 05 Apr 2018 21:56:19 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Thu, 05 Apr 2018 21:56:19 +0000 (UTC) for IP:'148.163.158.5' DOMAIN:'mx0b-001b2d01.pphosted.com' HELO:'mx0a-001b2d01.pphosted.com' FROM:'stefanb@linux.vnet.ibm.com' RCPT:'' X-RedHat-Spam-Score: -0.7 (RCVD_IN_DNSWL_LOW) 148.163.158.5 mx0b-001b2d01.pphosted.com 148.163.158.5 mx0b-001b2d01.pphosted.com X-Scanned-By: MIMEDefang 2.83 on 10.5.110.25 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 5/6] tpm: Add support for choosing emulation of a TPM 2 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 05 Apr 2018 21:56:23 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" This patch extends the TPM's device XML with TPM 2 support. This only works for the emulator type backend and looks as follows: Once the version of a TPM has been chosen it cannot be changed anymore unle= ss one removes the TPM device first and then reads it. However, one looses all the secrets stored inside or tied to the emulated TPM by doing this. Signed-off-by: Stefan Berger --- docs/formatdomain.html.in | 17 ++++++- docs/schemas/domaincommon.rng | 13 ++++++ src/conf/domain_conf.c | 36 ++++++++++++++- src/conf/domain_conf.h | 6 +++ src/util/virtpm.c | 64 ++++++++++++++++++++++= +++- tests/qemuxml2argvdata/tpm-emulator-tpm2.args | 24 ++++++++++ tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 ++++++++++++ tests/qemuxml2argvtest.c | 3 ++ tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 ++++++++++++++ 9 files changed, 223 insertions(+), 4 deletions(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index bd6fedc..e5463a0 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -7635,7 +7635,7 @@ qemu-kvm -net nic,model=3D? /dev/null ... <devices> <tpm model=3D'tpm-tis'> - <backend type=3D'emulator'> + <backend type=3D'emulator' tpmversion=3D'2'> </backend> </tpm> </devices> @@ -7684,6 +7684,21 @@ qemu-kvm -net nic,model=3D? /dev/null +
tpmversion
+
+

+ The tpmversion attribute indicates the version + of the TPM. By default a TPM 1.2 is created. This attribute + only works with the emulator backend. The following + versions are supported: +

+
    +
  • '1.2' : creates a TPM 1.2
    • +
  • '2.0' or '2' : creates a TPM 2
    • +
+ Note that once a certain version of a TPM has been created for + a guest, the version must not be changed anymore. +
=20

NVRAM device

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index d628444..77328bd 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -4140,6 +4140,19 @@ + + + + + + 1.2 + 2 + 2.0 + + + + + =20 diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 72e4412..5498e2e 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -12557,7 +12557,7 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr= xmlopt, * or like this: * * - * + * * */ static virDomainTPMDefPtr @@ -12570,6 +12570,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlop= t, char *path =3D NULL; char *model =3D NULL; char *backend =3D NULL; + char *tpmversion =3D NULL; virDomainTPMDefPtr def; xmlNodePtr save =3D ctxt->node; xmlNodePtr *backends =3D NULL; @@ -12616,6 +12617,20 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlo= pt, goto error; } =20 + tpmversion =3D virXMLPropString(backends[0], "tpmversion"); + if (!tpmversion || STREQ(tpmversion, "1.2")) { + def->tpmversion =3D VIR_DOMAIN_TPM_VERSION_1_2; + /* only TIS available for emulator */ + if (def->type =3D=3D VIR_DOMAIN_TPM_TYPE_EMULATOR) + def->model =3D VIR_DOMAIN_TPM_MODEL_TIS; + } else if (STREQ(tpmversion, "2.0") || STREQ(tpmversion, "2")) { + def->tpmversion =3D VIR_DOMAIN_TPM_VERSION_2; + } else { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Unsupported TPM version '%s'"), + tpmversion); + } + switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: path =3D virXPathString("string(./backend/device/@path)", ctxt); @@ -12640,6 +12655,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlop= t, VIR_FREE(model); VIR_FREE(backend); VIR_FREE(backends); + VIR_FREE(tpmversion); ctxt->node =3D save; return def; =20 @@ -24803,6 +24819,8 @@ virDomainTPMDefFormat(virBufferPtr buf, virBufferAdjustIndent(buf, 2); virBufferAsprintf(buf, "type)); + if (def->tpmversion =3D=3D VIR_DOMAIN_TPM_VERSION_2) + virBufferAddLit(buf, " tpmversion=3D'2'"); virBufferAdjustIndent(buf, 2); =20 switch (def->type) { @@ -29430,6 +29448,22 @@ virDomainCheckTPMChanges(virDomainDefPtr def, if (newDef->tpm->type !=3D def->tpm->type) { /* type changed */ virDomainTPMDeleteAny(def); + } else { + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + if (def->tpm->tpmversion !=3D newDef->tpm->tpmversion) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("The version of the TPM cannot " + "be changed; the TPM must be removed " + "from the VM and a new TPM added; " + "Note: all secrets will be lost")); + ret =3D -1; + } + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } } } =20 diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 1f479b0..4aab54b 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1289,12 +1289,18 @@ typedef enum { VIR_DOMAIN_TPM_TYPE_LAST } virDomainTPMBackendType; =20 +typedef enum { + VIR_DOMAIN_TPM_VERSION_1_2, + VIR_DOMAIN_TPM_VERSION_2, +} virDomainTPMVersion; + # define VIR_DOMAIN_TPM_DEFAULT_DEVICE "/dev/tpm0" =20 struct _virDomainTPMDef { virDomainTPMBackendType type; virDomainDeviceInfo info; virDomainTPMModel model; + virDomainTPMVersion tpmversion; union { struct { virDomainChrSourceDef source; diff --git a/src/util/virtpm.c b/src/util/virtpm.c index 354761e..7390895 100644 --- a/src/util/virtpm.c +++ b/src/util/virtpm.c @@ -52,6 +52,8 @@ static char *swtpm_path; static char *swtpm_setup; static char *swtpm_ioctl; =20 +static bool swtpm_supports_tpm2; + /** * virTPMCreateCancelPath: * @devpath: Path to the TPM device @@ -96,6 +98,40 @@ virTPMCreateCancelPath(const char *devpath) } =20 /* + * virTPMCheckForTPM2Support + * + * Check whether swtpm_setup supports TPM 2 + */ +static void +virTPMCheckForTPM2Support(void) +{ + virCommandPtr cmd; + char *help =3D NULL; + + if (!swtpm_setup) + return; + + cmd =3D virCommandNew(swtpm_setup); + if (!cmd) + return; + + virCommandAddArg(cmd, "--help"); + virCommandSetOutputBuffer(cmd, &help); + + if (virCommandRun(cmd, NULL) < 0) + goto cleanup; + + if (strstr(help, "--tpm2")) { + fprintf(stderr, "TPM2 is supported by swtpm_setup\n"); + swtpm_supports_tpm2 =3D true; + } + + cleanup: + virCommandFree(cmd); + VIR_FREE(help); +} + +/* * virTPMEmulatorInit * * Initialize the Emulator functions by searching for necessary @@ -134,6 +170,7 @@ virTPMEmulatorInit(void) VIR_FREE(swtpm_setup); return -1; } + virTPMCheckForTPM2Support(); } =20 if (!swtpm_ioctl) { @@ -311,12 +348,14 @@ virTPMTryConnect(const char *pathname, unsigned long = timeout_ms) * typically this should be 'tss' * @logfile: The file to write the log into; it must be writable * for the user given by userid or 'tss' + * @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2 * * Setup the external swtpm */ static int virTPMSetupEmulator(const char *storagepath, const unsigned char *vmuuid, - uid_t swtpm_user, const char *logfile) + uid_t swtpm_user, const char *logfile, + const virDomainTPMVersion tpmversion) { virCommandPtr cmd =3D NULL; int exitstatus; @@ -335,6 +374,18 @@ virTPMSetupEmulator(const char *storagepath, const uns= igned char *vmuuid, virCommandAddArg(cmd, "--runas"); virCommandAddArgFormat(cmd, "%u", swtpm_user); } + + switch (tpmversion) { + case VIR_DOMAIN_TPM_VERSION_1_2: + break; + case VIR_DOMAIN_TPM_VERSION_2: + virCommandAddArgList(cmd, "--tpm2", NULL); + if (!swtpm_supports_tpm2) { + goto cleanup; + } + break; + } + virCommandAddArgList(cmd, "--tpm-state", storagepath, "--vmid", uuid, @@ -400,7 +451,8 @@ virTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm, cons= t unsigned char *vmuuid, goto error; =20 if (created && - virTPMSetupEmulator(storagepath, vmuuid, swtpm_user, logfile) < 0) + virTPMSetupEmulator(storagepath, vmuuid, swtpm_user, logfile, + tpm->tpmversion) < 0) goto error; =20 if (!(tpm->data.emulator.source.data.nix.path =3D @@ -437,6 +489,14 @@ virTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm, con= st unsigned char *vmuuid, virCommandAllowCap(cmd, CAP_SETUID); } =20 + switch (tpm->tpmversion) { + case VIR_DOMAIN_TPM_VERSION_1_2: + break; + case VIR_DOMAIN_TPM_VERSION_2: + virCommandAddArg(cmd, "--tpm2"); + break; + } + tpm->data.emulator.storagepath =3D storagepath; VIR_FREE(tpm->data.emulator.logfile); tpm->data.emulator.logfile =3D logfile; diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2.args b/tests/qemuxml2= argvdata/tpm-emulator-tpm2.args new file mode 100644 index 0000000..9418c74 --- /dev/null +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2.args @@ -0,0 +1,24 @@ +LC_ALL=3DC \ +PATH=3D/bin \ +HOME=3D/home/test \ +USER=3Dtest \ +LOGNAME=3Dtest \ +QEMU_AUDIO_DRV=3Dnone \ +/usr/bin/qemu-system-x86_64 \ +-name TPM-VM \ +-S \ +-M pc-0.12 \ +-m 2048 \ +-smp 1,sockets=3D1,cores=3D1,threads=3D1 \ +-uuid 11d7cd22-da89-3094-6212-079a48a309a1 \ +-nographic \ +-nodefaults \ +-chardev socket,id=3Dcharmonitor,path=3D/tmp/lib/domain--1-TPM-VM/monitor.= sock,\ +server,nowait \ +-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dreadline \ +-boot c \ +-usb \ +-tpmdev emulator,id=3Dtpm-tpm0,chardev=3Dchrtpm \ +-chardev socket,id=3Dchrtpm,path=3D/dev/test \ +-device tpm-tis,tpmdev=3Dtpm-tpm0,id=3Dtpm0 \ +-device virtio-balloon-pci,id=3Dballoon0,bus=3Dpci.0,addr=3D0x3 diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2.xml b/tests/qemuxml2a= rgvdata/tpm-emulator-tpm2.xml new file mode 100644 index 0000000..070bedb --- /dev/null +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2.xml @@ -0,0 +1,30 @@ + + TPM-VM + 11d7cd22-da89-3094-6212-079a48a309a1 + 2097152 + 512288 + 1 + + hvm + + + + + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + + + + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 92846c3..5d0650b 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -2156,6 +2156,9 @@ mymain(void) DO_TEST("tpm-emulator", QEMU_CAPS_DEVICE_TPM_PASSTHROUGH, QEMU_CAPS_DEVICE_TPM_EMULATO= R, QEMU_CAPS_DEVICE_TPM_TIS); + DO_TEST("tpm-emulator-tpm2", + QEMU_CAPS_DEVICE_TPM_PASSTHROUGH, QEMU_CAPS_DEVICE_TPM_EMULATO= R, + QEMU_CAPS_DEVICE_TPM_TIS); =20 =20 DO_TEST_PARSE_ERROR("pci-domain-invalid", NONE); diff --git a/tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml b/tests/qemuxml= 2xmloutdata/tpm-emulator-tpm2.xml new file mode 100644 index 0000000..4a68bd8 --- /dev/null +++ b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml @@ -0,0 +1,34 @@ + + TPM-VM + 11d7cd22-da89-3094-6212-079a48a309a1 + 2097152 + 512288 + 1 + + hvm + + + + + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + +
+ + + + + + + + +
+ + + --=20 2.5.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list