From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: libvir-list@redhat.com
Date: Tue, 22 May 2018 16:44:51 -0400
In-Reply-To: <20180522204453.528837-1-stefanb@linux.vnet.ibm.com>
References: <20180522204453.528837-1-stefanb@linux.vnet.ibm.com>
Message-Id: <20180522204453.528837-11-stefanb@linux.vnet.ibm.com>
Subject: [libvirt] [PATCH 10/12] conf: Add support for choosing emulation of a TPM 2

This patch extends the TPM's device XML with TPM 2 support. This only
works for the emulator type backend and looks as follows:

The swtpm process now has --tpm2 as an additional parameter:

system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ? Rs 11:13 13:50 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm2,mode=0640 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/testvm-swtpm.pid

The version of the TPM can be changed and the state of the TPM is preserved.

Signed-off-by: Stefan Berger
Reviewed-by: John Ferlan
---
 docs/formatdomain.html.in                      | 15 ++++-
 docs/schemas/domaincommon.rng                  | 12 ++++
 src/conf/domain_conf.c                         | 27 ++++++++-
 src/conf/domain_conf.h                         |  6 ++
 src/qemu/qemu_tpm.c                            | 64 +++++++++++++++++++++-
 .../tpm-emulator-tpm2.x86_64-latest.args       | 33 +++++++++++
 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml   | 30 ++++++++++
 tests/qemuxml2argvtest.c                       |  1 +
 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 ++++++++++++
 9 files changed, 217 insertions(+), 5 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml
 create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 08a57bd751..043c8da56f 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -7719,7 +7719,7 @@ qemu-kvm -net nic,model=3D? /dev/null ... <devices> <tpm model=3D'tpm-tis'> - <backend type=3D'emulator'> + <backend type=3D'emulator' version=3D'2'> </backend> </tpm> </devices> @@ -7769,6 +7769,19 @@ qemu-kvm -net nic,model=3D? /dev/null +
version
+
+

+ The version attribute indicates the version + of the TPM. By default a TPM 1.2 is created. This attribute + only works with the emulator backend. The following + versions are supported: +

+
    +
  • '1.2' : creates a TPM 1.2
  • +
  • '2' : creates a TPM 2
  • +
+
=20

NVRAM device

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 3582cb5019..f11833075a 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -4130,6 +4130,18 @@ + + + + + + 1.2 + 2 + + + + + =20 diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 15dd490d17..79904789ee 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -12657,7 +12657,7 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr= xmlopt, * or like this: * * - * + * * */ static virDomainTPMDefPtr @@ -12670,6 +12670,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlop= t, char *path =3D NULL; char *model =3D NULL; char *backend =3D NULL; + char *version =3D NULL; virDomainTPMDefPtr def; xmlNodePtr save =3D ctxt->node; xmlNodePtr *backends =3D NULL; @@ -12716,6 +12717,20 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlo= pt, goto error; } =20 + version =3D virXMLPropString(backends[0], "version"); + if (!version || STREQ(version, "1.2")) { + def->version =3D VIR_DOMAIN_TPM_VERSION_1_2; + /* only TIS available for emulator */ + if (def->type =3D=3D VIR_DOMAIN_TPM_TYPE_EMULATOR) + def->model =3D VIR_DOMAIN_TPM_MODEL_TIS; + } else if (STREQ(version, "2")) { + def->version =3D VIR_DOMAIN_TPM_VERSION_2; + } else { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Unsupported TPM version '%s'"), + version); + } + switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: path =3D virXPathString("string(./backend/device/@path)", ctxt); @@ -12740,6 +12755,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlop= t, VIR_FREE(model); VIR_FREE(backend); VIR_FREE(backends); + VIR_FREE(version); ctxt->node =3D save; return def; =20 
@@ -21836,6 +21852,12 @@ virDomainTPMDefCheckABIStability(virDomainTPMDefPt= r src, return false; } =20 + if (src->version !=3D dst->version) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Target TPM version doesn't match source")); + return false; + } + return virDomainDeviceInfoCheckABIStability(&src->info, &dst->info); } =20 @@ -24941,6 +24963,9 @@ virDomainTPMDefFormat(virBufferPtr buf, virBufferAsprintf(buf, "type)); =20 + if (def->version =3D=3D VIR_DOMAIN_TPM_VERSION_2) + virBufferAddLit(buf, " version=3D'2'"); + switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: virBufferAddLit(buf, ">\n"); diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 92466278ab..e2409899bc 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1291,12 +1291,18 @@ typedef enum { VIR_DOMAIN_TPM_TYPE_LAST } virDomainTPMBackendType; =20 +typedef enum { + VIR_DOMAIN_TPM_VERSION_1_2, + VIR_DOMAIN_TPM_VERSION_2, +} virDomainTPMVersion; + # define VIR_DOMAIN_TPM_DEFAULT_DEVICE "/dev/tpm0" =20 struct _virDomainTPMDef { virDomainTPMBackendType type; virDomainDeviceInfo info; virDomainTPMModel model; + virDomainTPMVersion version; union { struct { virDomainChrSourceDef source; diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 11b91aa915..508685c455 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c 
@@ -54,6 +54,41 @@ static char *swtpm_path; static char *swtpm_setup; static char *swtpm_ioctl; =20 +bool swtpm_supports_tpm2; + +/* + * qemuTPMCheckForTPM2Support + * + * Check whether swtpm_setup supports TPM 2 + */ +static void +qemuTPMCheckForTPM2Support(void) +{ + virCommandPtr cmd; + char *help =3D NULL; + + if (!swtpm_setup) + return; + + cmd =3D virCommandNew(swtpm_setup); + if (!cmd) + return; + + virCommandAddArg(cmd, "--help"); + virCommandSetOutputBuffer(cmd, &help); + + if (virCommandRun(cmd, NULL) < 0) + goto cleanup; + + if (strstr(help, "--tpm2")) + swtpm_supports_tpm2 =3D true; + + cleanup: + virCommandFree(cmd); + VIR_FREE(help); +} + + /* * qemuTPMEmulatorInit * @@ -93,6 +128,7 @@ qemuTPMEmulatorInit(void) VIR_FREE(swtpm_setup); return -1; } + qemuTPMCheckForTPM2Support(); } =20 if (!swtpm_ioctl) { @@ -120,16 +156,29 @@ qemuTPMEmulatorInit(void) * * @swtpmStorageDir: directory for swtpm persistent state * @uuid: The UUID of the VM for which to create the storage + * @tpmversion: version of the TPM * * Create the swtpm's storage path */ static char * qemuTPMCreateEmulatorStoragePath(const char *swtpmStorageDir, - const char *uuidstr) + const char *uuidstr, + virDomainTPMVersion tpmversion) { char *path =3D NULL; + const char *dir =3D ""; =20 - ignore_value(virAsprintf(&path, "%s/%s/tpm1.2", swtpmStorageDir, uuids= tr)); + switch (tpmversion) { + case VIR_DOMAIN_TPM_VERSION_1_2: + dir =3D "tpm1.2"; + break; + case VIR_DOMAIN_TPM_VERSION_2: + dir =3D "tpm2"; + break; + } + + ignore_value(virAsprintf(&path, "%s/%s/%s", swtpmStorageDir, uuidstr, + dir)); =20 return path; } @@ -290,7 +339,8 @@ qemuTPMEmulatorInitPaths(virDomainTPMDefPtr tpm, =20 if (!tpm->data.emulator.storagepath && !(tpm->data.emulator.storagepath =3D - qemuTPMCreateEmulatorStoragePath(swtpmStorageDir, uuidstr))) + qemuTPMCreateEmulatorStoragePath(swtpmStorageDir, uuidstr, + tpm->version))) return -1; =20 return 0; 
@@ -514,6 +564,14 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm, virCommandSetUID(cmd, swtpm_user); virCommandSetGID(cmd, swtpm_group); =20 + switch (tpm->version) { + case VIR_DOMAIN_TPM_VERSION_1_2: + break; + case VIR_DOMAIN_TPM_VERSION_2: + virCommandAddArg(cmd, "--tpm2"); + break; + } + return cmd; =20 error: diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args b/= tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args new file mode 100644 index 0000000000..82b676f966 --- /dev/null +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args @@ -0,0 +1,33 @@ +LC_ALL=3DC \ +PATH=3D/bin \ +HOME=3D/home/test \ +USER=3Dtest \ +LOGNAME=3Dtest \ +QEMU_AUDIO_DRV=3Dnone \ +/usr/bin/qemu-system-x86_64 \ +-name guest=3DTPM-VM,debug-threads=3Don \ +-S \ +-object secret,id=3DmasterKey0,format=3Draw,\ +file=3D/tmp/lib/domain--1-TPM-VM/master-key.aes \ +-machine pc-i440fx-2.12,accel=3Dtcg,usb=3Doff,dump-guest-core=3Doff \ +-m 2048 \ +-realtime mlock=3Doff \ +-smp 1,sockets=3D1,cores=3D1,threads=3D1 \ +-uuid 11d7cd22-da89-3094-6212-079a48a309a1 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=3Dcharmonitor,path=3D/tmp/lib/domain--1-TPM-VM/monitor.= sock,\ +server,nowait \ +-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \ +-rtc base=3Dutc \ +-no-shutdown \ +-boot menu=3Don,strict=3Don \ +-device piix3-usb-uhci,id=3Dusb,bus=3Dpci.0,addr=3D0x1.0x2 \ +-tpmdev emulator,id=3Dtpm-tpm0,chardev=3Dchrtpm \ +-chardev socket,id=3Dchrtpm,path=3D/dev/test \ +-device tpm-tis,tpmdev=3Dtpm-tpm0,id=3Dtpm0 \ +-device virtio-balloon-pci,id=3Dballoon0,bus=3Dpci.0,addr=3D0x2 \ +-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,\ +resourcecontrol=3Ddeny \ +-msg timestamp=3Don diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2.xml b/tests/qemuxml2a= rgvdata/tpm-emulator-tpm2.xml new file mode 100644 index 0000000000..7546930d19 --- /dev/null +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2.xml 
@@ -0,0 +1,30 @@ + + TPM-VM + 11d7cd22-da89-3094-6212-079a48a309a1 + 2097152 + 512288 + 1 + + hvm + + + + + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + + + + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 587f15242e..a4801407b6 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -2027,6 +2027,7 @@ mymain(void) DO_TEST_PARSE_ERROR("tpm-no-backend-invalid", QEMU_CAPS_DEVICE_TPM_PASSTHROUGH, QEMU_CAPS_DEVICE= _TPM_TIS); DO_TEST_CAPS_LATEST("tpm-emulator"); + DO_TEST_CAPS_LATEST("tpm-emulator-tpm2"); =20 DO_TEST_PARSE_ERROR("pci-domain-invalid", NONE); DO_TEST_PARSE_ERROR("pci-bus-invalid", NONE); diff --git a/tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml b/tests/qemuxml= 2xmloutdata/tpm-emulator-tpm2.xml new file mode 100644 index 0000000000..eff55fc5df --- /dev/null +++ b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml @@ -0,0 +1,34 @@ + + TPM-VM + 11d7cd22-da89-3094-6212-079a48a309a1 + 2097152 + 512288 + 1 + + hvm + + + + + + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + +
+ + + + + + + + +
+ + +
-- 
2.14.3

-- 
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
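Review bot: In the docs/formatdomain.html.in hunk, the new paragraph says the version attribute "only works with the emulator backend", but the parser change in src/conf/domain_conf.c reads it from backends[0] for every backend type and never refuses it, so version='2' on a passthrough backend is silently accepted and ignored. Either word this as "is ignored for other backends" or reject the attribute in virDomainTPMDefParseXML so the documentation and the code agree.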
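Review bot: The version block added to virDomainTPMDefParseXML reports "Unsupported TPM version '%s'" in its else branch but does not `goto error;`, so parsing continues, the switch on def->type runs, and the function returns a def whose version is the zero value (VIR_DOMAIN_TPM_VERSION_1_2) with an error left pending; add `goto error;` after the virReportError call. In the same block, the `if (!version || STREQ(version, "1.2"))` branch overwrites def->model with VIR_DOMAIN_TPM_MODEL_TIS for the emulator backend without diagnosing a conflicting model the user may have given, and the version check is not tied to def->type at all, so a passthrough backend with version='2' passes although the docs say the attribute is emulator-only.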
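Review bot: The new check in virDomainTPMDefCheckABIStability is the right thing to refuse, since the two versions keep their state in different directories and cannot be swapped under a running guest, but the message "Target TPM version doesn't match source" gives the user nothing to act on; format both values into it so it is clear which side of the migration carries the unexpected version.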
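Review bot: The virDomainTPMVersion enum added to src/conf/domain_conf.h has no _LAST sentinel and no VIR_ENUM_DECL/VIR_ENUM_IMPL string table, unlike the neighbouring virDomainTPMBackendType with its VIR_DOMAIN_TPM_TYPE_LAST, so the "1.2"/"2" strings end up as literals in the parser, in virDomainTPMDefFormat and (as "tpm1.2"/"tpm2") in qemu_tpm.c. Declaring the enum the same way as the other TPM enums keeps the mapping in one place and lets -Wswitch keep flagging the new switch statements when a version is added.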
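Review bot: `bool swtpm_supports_tpm2;` in qemuTPMCheckForTPM2Support's hunk is a file-level global with external linkage, while swtpm_path, swtpm_setup and swtpm_ioctl right above it are `static`, and nothing in this patch reads the flag after it is set; make it static and use it, or drop it. The probe also greps `swtpm_setup --help` for `--tpm2`, whereas the `--tpm2` that is later passed goes to the `swtpm socket` process, so the capability of one binary stands in for the other; probe the binary you will run (or both). A failed virCommandRun is swallowed silently here, which is acceptable for a probe but worth a VIR_DEBUG so a broken swtpm_setup shows up in the logs.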
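Review bot: qemuTPMCreateEmulatorStoragePath now selects tpm1.2 or tpm2 from tpm->version, which is what keeps the two states independent when a domain is switched between versions; the code that removes emulator state on undefine or cleanup (outside this hunk) must then delete both subdirectories, otherwise a domain that was switched from 1.2 to 2 leaves its TPM 1.2 state (keys, NVRAM, owner authorisation) on disk under the UUID directory. Two smaller points: `const char *dir = ""` with no default in the switch would yield "<root>/<uuid>/" for an unhandled value, so returning NULL there is safer than a silent bad path; and the ps output in the commit message shows /var/lib/libvirt/swtpm/testvm/tpm2 (keyed by name) while this code builds the path from uuidstr, so the example output should be refreshed.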
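Review bot: In the qemuTPMEmulatorBuildCommand hunk, `--tpm2` is appended unconditionally for VIR_DOMAIN_TPM_VERSION_2 without consulting the swtpm_supports_tpm2 flag that qemuTPMEmulatorInit just probed; on an older swtpm the process will die on an unknown option and the user sees an opaque start failure instead of a clear VIR_ERR_CONFIG_UNSUPPORTED "swtpm does not support TPM 2" from libvirt. Check the flag here (or in the domain start validation) and report it. Also, whatever invocation of swtpm_setup initialises a fresh state directory needs the same `--tpm2` (that is exactly the option the probe looked for in its --help output), or TPM 1.2 state will be created under the tpm2 directory.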
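Review bot: The TPM part of tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args (`-tpmdev emulator,id=tpm-tpm0,chardev=chrtpm`, `-chardev socket,id=chrtpm,path=/dev/test`, `-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0`) carries no trace of the TPM version, because the version only shows up on the swtpm command line, which this test never builds; so the test pins the XML parser but not the `--tpm2` argument that is the point of the patch. A test that checks the generated swtpm command, or at least the per-version storage path, would cover the qemu_tpm.c changes.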
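Review bot: Next to the new DO_TEST_CAPS_LATEST("tpm-emulator-tpm2") line in tests/qemuxml2argvtest.c, add a DO_TEST_PARSE_ERROR case with an unsupported version value on the emulator backend; as the parser is written, that input reports an error without aborting the parse, and a negative test is what would catch it.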
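The rules the patch introduces (version defaults to 1.2, only '1.2' and '2' are valid, the attribute is meaningful for the emulator backend only, state lives in a per-version subdirectory, and TPM 2 adds --tpm2 to the swtpm command) restated as an added Python example. This is not libvirt code and not part of the patch; the element and attribute names follow the docs hunk, the swtpm arguments and the directory roots are taken from the ps output in the commit message, and the per-VM path component is the UUID as in the qemu_tpm.c hunk (the commit message's ps output still shows the domain name). Unlike the parser as posted, an unknown version and a version on a non-emulator backend are hard errors here.

```python
"""Parse a libvirt <tpm> device element and derive the swtpm invocation.

Added example, not libvirt's own code.  Assumed defaults are marked.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Assumed roots: taken from the swtpm command line quoted in the commit message.
SWTPM_STATE_ROOT = "/var/lib/libvirt/swtpm"
SWTPM_RUN_DIR = "/var/run/libvirt/qemu/swtpm"
SWTPM_LOG_DIR = "/var/log/swtpm/libvirt/qemu"

# version attribute value -> state subdirectory (as in qemuTPMCreateEmulatorStoragePath)
VERSION_DIRS = {"1.2": "tpm1.2", "2": "tpm2"}
DEFAULT_PASSTHROUGH_DEVICE = "/dev/tpm0"   # VIR_DOMAIN_TPM_DEFAULT_DEVICE


class TPMConfigError(ValueError):
    """Raised for XML that libvirt would, or should, refuse."""


@dataclass(frozen=True)
class TPMDef:
    model: str
    backend: str            # "passthrough" or "emulator"
    version: str            # "1.2" or "2"
    device: Optional[str] = None   # passthrough only


def parse_tpm(xml_text: str) -> TPMDef:
    """Parse <tpm model='...'><backend type='...' version='...'/></tpm>."""
    tpm = ET.fromstring(xml_text)
    if tpm.tag != "tpm":
        raise TPMConfigError("expected a <tpm> element")
    backends = tpm.findall("backend")
    if len(backends) != 1:
        raise TPMConfigError("exactly one <backend> element is required")
    backend = backends[0]
    btype = backend.get("type")
    if btype not in ("passthrough", "emulator"):
        raise TPMConfigError(f"unsupported backend type {btype!r}")

    version = backend.get("version", "1.2")   # absent attribute means TPM 1.2
    if version not in VERSION_DIRS:
        # The posted parser reports this and carries on; stop here instead.
        raise TPMConfigError(f"unsupported TPM version {version!r}")
    if btype != "emulator" and "version" in backend.attrib:
        # Documented as emulator-only: refuse rather than silently ignore.
        raise TPMConfigError("version is only valid for the emulator backend")

    device = None
    if btype == "passthrough":
        dev = backend.find("device")
        device = dev.get("path", DEFAULT_PASSTHROUGH_DEVICE) if dev is not None \
            else DEFAULT_PASSTHROUGH_DEVICE

    return TPMDef(model=tpm.get("model", "tpm-tis"), backend=btype,
                  version=version, device=device)


def validation_error(xml_text: str) -> Optional[str]:
    """Return the rejection reason for xml_text, or None if it is acceptable."""
    try:
        parse_tpm(xml_text)
    except (TPMConfigError, ET.ParseError) as exc:
        return str(exc)
    return None


def state_dir(vm_uuid: str, tpm: TPMDef) -> str:
    """Per-version state directory; switching versions keeps both states on disk."""
    return f"{SWTPM_STATE_ROOT}/{vm_uuid}/{VERSION_DIRS[tpm.version]}"


def swtpm_command(vm_name: str, tpm: TPMDef, vm_uuid: Optional[str] = None) -> List[str]:
    """Build the `swtpm socket` command line the way the patch does."""
    if tpm.backend != "emulator":
        raise TPMConfigError("swtpm is only started for the emulator backend")
    sock = f"{SWTPM_RUN_DIR}/{vm_name}-swtpm.sock"
    cmd = [
        "/usr/bin/swtpm", "socket", "--daemon",
        "--ctrl", f"type=unixio,path={sock},mode=0660",
        "--tpmstate", f"dir={state_dir(vm_uuid or vm_name, tpm)},mode=0640",
        "--log", f"file={SWTPM_LOG_DIR}/{vm_name}-swtpm.log",
    ]
    if tpm.version == "2":
        cmd.append("--tpm2")          # the only version-dependent argument
    cmd += ["--pid", f"file={SWTPM_RUN_DIR}/{vm_name}-swtpm.pid"]
    return cmd


if __name__ == "__main__":
    # Constructed sample input following the example in the docs hunk.
    sample = "<tpm model='tpm-tis'><backend type='emulator' version='2'></backend></tpm>"
    print(" ".join(swtpm_command("testvm", parse_tpm(sample))))
```

Running the module prints the swtpm command for a TPM 2 emulator; feeding it `version='3'`, or a passthrough backend with a version attribute, raises TPMConfigError at parse time rather than at swtpm start.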