From nobody Wed May 14 05:51:56 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1525465448600972.7775386490313; Fri, 4 May 2018 13:24:08 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 287C481DE7; Fri, 4 May 2018 20:24:07 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EA33E20155E7; Fri, 4 May 2018 20:24:06 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 9439E180613A; Fri, 4 May 2018 20:24:06 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w44KNCnA013888 for ; Fri, 4 May 2018 16:23:12 -0400 Received: by smtp.corp.redhat.com (Postfix) id 43B3730012C4; Fri, 4 May 2018 20:23:12 +0000 (UTC) Received: from mx1.redhat.com (ext-mx11.extmail.prod.ext.phx2.redhat.com [10.5.110.40]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3874930012C2 for ; Fri, 4 May 2018 20:23:09 +0000 (UTC) Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4F22A3005157 for ; Fri, 4 May 2018 20:23:08 +0000 (UTC) Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w44KJjHp071096 for ; Fri, 4 May 2018 16:23:07 -0400 Received: from e33.co.us.ibm.com (e33.co.us.ibm.com [32.97.110.151]) by mx0b-001b2d01.pphosted.com with ESMTP id 2hrv0qdsuv-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 04 May 2018 16:23:07 -0400 Received: from localhost by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 4 May 2018 14:23:06 -0600 Received: from b03cxnp08025.gho.boulder.ibm.com (9.17.130.17) by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Fri, 4 May 2018 14:23:03 -0600 Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w44KLjeJ21234110; Fri, 4 May 2018 13:21:47 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CCB21136048; Fri, 4 May 2018 14:21:47 -0600 (MDT) Received: from sbct-3.watson.ibm.com (unknown [9.47.158.153]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id 7545C136043; Fri, 4 May 2018 14:21:47 -0600 (MDT) From: Stefan Berger To: libvir-list@redhat.com Date: Fri, 4 May 2018 16:21:21 -0400 In-Reply-To: <1525465285-14102-1-git-send-email-stefanb@linux.vnet.ibm.com> References: <1525465285-14102-1-git-send-email-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18050420-0008-0000-0000-000009B68470 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00008970; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000258; SDB=6.01027522; UDB=6.00524878; IPR=6.00806656; MB=3.00020932; MTD=3.00000008; XFM=3.00000015; UTC=2018-05-04 20:23:04 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18050420-0009-0000-0000-0000471A9C8E Message-Id: <1525465285-14102-11-git-send-email-stefanb@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-05-04_08:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=3 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1805040185 X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 207 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Fri, 04 May 2018 20:23:08 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Fri, 04 May 2018 20:23:08 +0000 (UTC) for IP:'148.163.158.5' DOMAIN:'mx0b-001b2d01.pphosted.com' HELO:'mx0a-001b2d01.pphosted.com' FROM:'stefanb@linux.vnet.ibm.com' RCPT:'' X-RedHat-Spam-Score: -0.7 (RCVD_IN_DNSWL_LOW) 148.163.158.5 mx0b-001b2d01.pphosted.com 148.163.158.5 mx0b-001b2d01.pphosted.com X-Scanned-By: MIMEDefang 2.84 on 10.5.110.40 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.26 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v3 10/14] qemu: Add support for external swtpm TPM emulator X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.25 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Fri, 04 May 2018 20:24:07 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" This patch adds support for an external swtpm TPM emulator. The XML for this type of TPM looks as follows: The XML will currently only start a TPM 1.2. Upon first start, libvirt will run `swtpm_setup`, which will simulate the manufacturing of a TPM and create certificates for it and write them into NVRAM locations of the emulated TPM. After that libvirt starts the swtpm TPM emulator using the `swtpm` executab= le. Once the VM terminates, libvirt uses the swtpm_ioctl executable to graceful= ly shut down the `swtpm` in case it is still running (QEMU did not send shutdo= wn) or clean up the socket file. The above mentioned executables must be found in the PATH. The executables can either be run as root or started as root and switch to the tss user. The requirement for the tss user comes through 'tcsd', which is used for the simulation of the manufacturing. Which user is used can be configured through qemu.conf. By default 'tss' is used. The swtpm writes out state into files. The state is kept in /var/lib/libvir= t/swtpm: [root@localhost libvirt]# ls -lZ | grep swtpm drwx--x--x. 7 root root unconfined_u:object_r:virt_var_lib_t:s0 4096 Apr 5= 16:22 swtpm The directory /var/lib/libvirt/swtpm maintains per-TPM state directories. (Using the uuid of the VM for that since the name can change per VM renamin= g but we need a stable directory name.) [root@localhost swtpm]# ls -lZ total 4 drwx------. 2 tss tss system_u:object_r:virt_var_lib_t:s0 4096 A= pr 5 16:46 485d0004-a48f-436a-8457-8a3b73e28568 [root@localhost 485d0004-a48f-436a-8457-8a3b73e28568]# ls -lZ total 4 drwx------. 2 tss tss system_u:object_r:virt_var_lib_t:s0 4096 Apr 10 21:34= tpm1.2 [root@localhost tpm1.2]# ls -lZ total 8 -rw-r--r--. 1 tss tss system_u:object_r:virt_var_lib_t:s0 3648 Apr 5 16:46= tpm-00.permall The directory /var/run/libvirt/qemu/swtpm/ hosts the swtpm.sock that QEMU uses to communicate with the swtpm: root@localhost domain-1-testvm]# ls -lZ total 0 srw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c597,c632 0 Apr= 6 10:24 1-testvm-swtpm.sock The logfile for the swtpm is in /var/log/swtpm/libvirt/qemu: [root@localhost-3 qemu]# ls -lZ total 4 -rw-------. 1 tss tss unconfined_u:object_r:var_log_t:s0 2199 Apr 6 14:01 = testvm-swtpm.log The processes are labeled as follows: [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm= | grep socket | grep -v grep system_u:system_r:virtd_t:s0-s0:c0.c1023 tss 18697 0.0 0.0 28172 3892 ? = Ss 16:46 0:00 /usr/bin/swtpm socket --daemon --ctrl type=3Dunixio,p= ath=3D/var/run/libvirt/qemu/swtpm/1-testvm-swtpm.sock,mode=3D0600 --tpmstat= e dir=3D/var/lib/libvirt/swtpm/485d0004-a48f-436a-8457-8a3b73e28568/tpm1.2 = --log file=3D/var/log/swtpm/libvirt/qemu/testvm-swtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu = | grep tpm | grep -v grep system_u:system_r:svirt_t:s0:c413,c430 qemu 18702 2.5 0.0 3036052 48676 ? = Sl 16:46 0:08 /bin/qemu-system-x86_64 [...] Signed-off-by: Stefan Berger Reviewed-by: John Ferlan --- src/conf/domain_conf.c | 22 ++++++++++++++++++++++ src/libvirt_private.syms | 1 + src/qemu/qemu_command.c | 39 +++++++++++++++++++++++++++++++++------ src/qemu/qemu_domain.c | 3 +++ src/qemu/qemu_driver.c | 7 +++++++ 5 files changed, 66 insertions(+), 6 deletions(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index d9945dd..a42574a 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -2593,6 +2593,24 @@ void virDomainHostdevDefClear(virDomainHostdevDefPtr= def) } } =20 +void virDomainTPMDelete(virDomainDefPtr def) +{ + virDomainTPMDefPtr tpm =3D def->tpm; + + if (!tpm) + return; + + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + virTPMDeleteEmulatorStorage(tpm); + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + /* nothing to do */ + break; + } +} + void virDomainTPMDefFree(virDomainTPMDefPtr def) { if (!def) @@ -27614,6 +27632,10 @@ virDomainDeleteConfig(const char *configDir, goto cleanup; } =20 + /* in case domain is NOT running, remove any TPM storage */ + if (!dom->persistent) + virDomainTPMDelete(dom->def); + ret =3D 0; =20 cleanup: diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index eebfc72..e533b95 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -559,6 +559,7 @@ virDomainTimerTrackTypeToString; virDomainTPMBackendTypeFromString; virDomainTPMBackendTypeToString; virDomainTPMDefFree; +virDomainTPMDelete; virDomainTPMModelTypeFromString; virDomainTPMModelTypeToString; virDomainUSBDeviceDefForeach; diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index bb330bf..c02b783 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -9425,21 +9425,31 @@ qemuBuildTPMDevStr(const virDomainDef *def, =20 =20 static char * -qemuBuildTPMBackendStr(const virDomainDef *def, +qemuBuildTPMBackendStr(virDomainDef *def, virCommandPtr cmd, virQEMUCapsPtr qemuCaps, int *tpmfd, - int *cancelfd) + int *cancelfd, + char **chardev) { - const virDomainTPMDef *tpm =3D def->tpm; + virDomainTPMDef *tpm =3D def->tpm; virBuffer buf =3D VIR_BUFFER_INITIALIZER; - const char *type =3D virDomainTPMBackendTypeToString(tpm->type); + const char *type =3D NULL; char *cancel_path =3D NULL, *devset =3D NULL; const char *tpmdev; =20 *tpmfd =3D -1; *cancelfd =3D -1; =20 + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + type =3D virDomainTPMBackendTypeToString(tpm->type); + break; + case VIR_DOMAIN_TPM_TYPE_LAST: + goto error; + } + virBufferAsprintf(&buf, "%s,id=3Dtpm-%s", type, tpm->info.alias); =20 switch (tpm->type) { @@ -9491,6 +9501,16 @@ qemuBuildTPMBackendStr(const virDomainDef *def, =20 break; case VIR_DOMAIN_TPM_TYPE_EMULATOR: + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_DEVICE_TPM_EMULATOR)) + goto no_support; + + virBufferAddLit(&buf, ",chardev=3Dchrtpm"); + + if (virAsprintf(chardev, "socket,id=3Dchrtpm,path=3D%s", + tpm->data.emulator.source.data.nix.path) < 0) + goto error; + + break; case VIR_DOMAIN_TPM_TYPE_LAST: goto error; } @@ -9517,10 +9537,11 @@ qemuBuildTPMBackendStr(const virDomainDef *def, =20 static int qemuBuildTPMCommandLine(virCommandPtr cmd, - const virDomainDef *def, + virDomainDef *def, virQEMUCapsPtr qemuCaps) { char *optstr; + char *chardev =3D NULL; int tpmfd =3D -1; int cancelfd =3D -1; char *fdset; @@ -9529,12 +9550,18 @@ qemuBuildTPMCommandLine(virCommandPtr cmd, return 0; =20 if (!(optstr =3D qemuBuildTPMBackendStr(def, cmd, qemuCaps, - &tpmfd, &cancelfd))) + &tpmfd, &cancelfd, + &chardev))) return -1; =20 virCommandAddArgList(cmd, "-tpmdev", optstr, NULL); VIR_FREE(optstr); =20 + if (chardev) { + virCommandAddArgList(cmd, "-chardev", chardev, NULL); + VIR_FREE(chardev); + } + if (tpmfd >=3D 0) { fdset =3D qemuVirCommandGetFDSet(cmd, tpmfd); if (!fdset) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index d3eac43..57a82dc 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -34,6 +34,7 @@ #include "qemu_migration.h" #include "qemu_migration_params.h" #include "qemu_security.h" +#include "qemu_extdevice.h" #include "viralloc.h" #include "virlog.h" #include "virerror.h" @@ -7166,6 +7167,8 @@ qemuDomainRemoveInactive(virQEMUDriverPtr driver, VIR_WARN("unable to remove snapshot directory %s", snapDir); VIR_FREE(snapDir); } + if (!qemuExtDevicesInitPaths(driver, vm->def)) + virDomainTPMDelete(vm->def); =20 virObjectRef(vm); =20 diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 9ce97ea..f496f89 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -60,6 +60,7 @@ #include "qemu_migration_params.h" #include "qemu_blockjob.h" #include "qemu_security.h" +#include "qemu_extdevice.h" =20 #include "virerror.h" #include "virlog.h" @@ -7349,6 +7350,9 @@ qemuDomainCreateWithFlags(virDomainPtr dom, unsigned = int flags) goto endjob; } =20 + if (qemuExtDevicesInitPaths(driver, vm->def) < 0) + goto endjob; + if (qemuDomainObjStart(dom->conn, driver, vm, flags, QEMU_ASYNC_JOB_START) < 0) goto endjob; @@ -7494,6 +7498,9 @@ qemuDomainUndefineFlags(virDomainPtr dom, if (!(vm =3D qemuDomObjFromDomain(dom))) return -1; =20 + if (qemuExtDevicesInitPaths(driver, vm->def) < 0) + return -1; + cfg =3D virQEMUDriverGetConfig(driver); =20 if (virDomainUndefineFlagsEnsureACL(dom->conn, vm->def) < 0) --=20 2.5.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list