[libvirt] [PATCH v7 00/12] Add support for TPM emulator

Stefan Berger posted 12 patches 5 years, 10 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20180524130245.1569144-1-stefanb@linux.vnet.ibm.com
Test syntax-check passed
There is a newer version of this series
[libvirt] [PATCH v7 00/12] Add support for TPM emulator
Posted by Stefan Berger 5 years, 10 months ago
This series of patches adds support for the TPM emulator backend that
is available in QEMU and based on swtpm + libtpms. It allows attaching a
TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
process, its Unix socket, and log file with the same label that the
QEMU process gets. Besides that swtpm is added to the emulator cgroup to
restrict its CPU usage.

The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a
TPM 1.2. The device state is not removed during those changes but only
when the domain is undefined.

The swtpm needs persistent storage to store its state. For that I am
using the uuid of the VM as part of the path since the name of the VM
can be changed. Logfiles, PID files, and socket names are based on the
name of the VM, though.

  Stefan

v6->v7:
  - followed Jan Tomko's suggestion with resulting changes to patch
    10/12.
  - re-added missing parts related to swtpm_setup and TPM that got lost
    in v4

v5->v6:
  - Addressed John Ferlan's comments
  - rebased on latest tip
  - Added patch 12.

v4->v5:
  - Addressed John Ferlan's, Boris Fiuczynski's and Marc Hartmayer's comments
  - rebased on latest tip

v3->v4:
  - Addressed John Ferlan's comments
  - Fixed bugs I found while testing
  - rebased on latest tip

Stefan Berger (12):
  conf: Add support for external swtpm TPM emulator to domain XML
  qemu: Extend QEMU capabilities with 'tpm-emulator'
  util: Implement virFileChownFiles()
  security: Add DAC and SELinux security for tpm-emulator
  qemu: Extend qemu_conf with tpm-emulator support
  qemu: Extend QEMU with external TPM support
  qemu: Add support for external swtpm TPM emulator
  tests: Add test cases for external swtpm TPM emulator
  security: Label the external swtpm with SELinux labels
  conf: Add support for choosing emulation of a TPM 2
  qemu: Add swtpm to emulator cgroup
  news: Update news with new TPM emulator feature

 docs/formatdomain.html.in                          |  43 +
 docs/news.xml                                      |   9 +
 docs/schemas/domaincommon.rng                      |  17 +
 libvirt.spec.in                                    |   2 +
 src/conf/domain_audit.c                            |   2 +
 src/conf/domain_conf.c                             |  64 +-
 src/conf/domain_conf.h                             |  15 +
 src/libvirt_private.syms                           |   3 +
 src/qemu/Makefile.inc.am                           |  10 +
 src/qemu/libvirtd_qemu.aug                         |   5 +
 src/qemu/qemu.conf                                 |   8 +
 src/qemu/qemu_capabilities.c                       |   5 +
 src/qemu/qemu_capabilities.h                       |   1 +
 src/qemu/qemu_cgroup.c                             |  36 +
 src/qemu/qemu_cgroup.h                             |   2 +
 src/qemu/qemu_command.c                            |  34 +-
 src/qemu/qemu_conf.c                               |  43 +
 src/qemu/qemu_conf.h                               |   6 +
 src/qemu/qemu_domain.c                             |   3 +
 src/qemu/qemu_extdevice.c                          | 180 ++++
 src/qemu/qemu_extdevice.h                          |  59 ++
 src/qemu/qemu_process.c                            |  16 +
 src/qemu/qemu_security.c                           |  69 ++
 src/qemu/qemu_security.h                           |  11 +
 src/qemu/qemu_tpm.c                                | 922 +++++++++++++++++++++
 src/qemu/qemu_tpm.h                                |  56 ++
 src/qemu/test_libvirtd_qemu.aug.in                 |   2 +
 src/security/security_dac.c                        |   7 +
 src/security/security_driver.h                     |   7 +
 src/security/security_manager.c                    |  36 +
 src/security/security_manager.h                    |   6 +
 src/security/security_selinux.c                    | 172 ++++
 src/security/security_stack.c                      |  40 +
 src/util/virfile.c                                 |  55 ++
 src/util/virfile.h                                 |   3 +
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |   1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |   1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |   1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |   1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |   1 +
 .../tpm-emulator-tpm2.x86_64-latest.args           |  33 +
 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml       |  30 +
 .../tpm-emulator.x86_64-latest.args                |  33 +
 tests/qemuxml2argvdata/tpm-emulator.xml            |  30 +
 tests/qemuxml2argvtest.c                           |  16 +-
 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml     |  34 +
 tests/qemuxml2xmloutdata/tpm-emulator.xml          |  34 +
 tests/qemuxml2xmltest.c                            |   1 +
 48 files changed, 2154 insertions(+), 11 deletions(-)
 create mode 100644 src/qemu/qemu_extdevice.c
 create mode 100644 src/qemu/qemu_extdevice.h
 create mode 100644 src/qemu/qemu_tpm.c
 create mode 100644 src/qemu/qemu_tpm.h
 create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml
 create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml
 create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
 create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml

-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v7 00/12] Add support for TPM emulator
Posted by John Ferlan 5 years, 10 months ago

On 05/24/2018 09:02 AM, Stefan Berger wrote:
> This series of patches adds support for the TPM emulator backend that
> is available in QEMU and based on swtpm + libtpms. It allows attaching a
> TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
> process, its Unix socket, and log file with the same label that the
> QEMU process gets. Besides that swtpm is added to the emulator cgroup to
> restrict its CPU usage.
> 
> The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a
> TPM 1.2. The device state is not removed during those changes but only
> when the domain is undefined.
> 
> The swtpm needs persistent storage to store its state. For that I am
> using the uuid of the VM as part of the path since the name of the VM
> can be changed. Logfiles, PID files, and socket names are based on the
> name of the VM, though.
> 
>   Stefan
> 
> v6->v7:
>   - followed Jan Tomko's suggestion with resulting changes to patch
>     10/12.
>   - re-added missing parts related to swtpm_setup and TPM that got lost
>     in v4
> 
> v5->v6:
>   - Addressed John Ferlan's comments
>   - rebased on latest tip
>   - Added patch 12.
> 
> v4->v5:
>   - Addressed John Ferlan's, Boris Fiuczynski's and Marc Hartmayer's comments
>   - rebased on latest tip
> 
> v3->v4:
>   - Addressed John Ferlan's comments
>   - Fixed bugs I found while testing
>   - rebased on latest tip
> 
> Stefan Berger (12):
>   conf: Add support for external swtpm TPM emulator to domain XML
>   qemu: Extend QEMU capabilities with 'tpm-emulator'
>   util: Implement virFileChownFiles()
>   security: Add DAC and SELinux security for tpm-emulator
>   qemu: Extend qemu_conf with tpm-emulator support
>   qemu: Extend QEMU with external TPM support
>   qemu: Add support for external swtpm TPM emulator
>   tests: Add test cases for external swtpm TPM emulator
>   security: Label the external swtpm with SELinux labels
>   conf: Add support for choosing emulation of a TPM 2
>   qemu: Add swtpm to emulator cgroup
>   news: Update news with new TPM emulator feature
> 
> 

I'm still fine with the applied R-By's (you can add to patch12 if you
desire as well).

John

FWIW: I knew there was another way we got the tail of the storage path,
but could not remember or find mdir_name. Glad someone else recalled it!
It's not like the name of the method appears to have anything to do
with the functionality.

Re: [libvirt] [PATCH v7 00/12] Add support for TPM emulator
Posted by Stefan Berger 5 years, 10 months ago
On 05/24/2018 09:21 AM, John Ferlan wrote:
>
> On 05/24/2018 09:02 AM, Stefan Berger wrote:
>> This series of patches adds support for the TPM emulator backend that
>> is available in QEMU and based on swtpm + libtpms. It allows attaching a
>> TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
>> process, its Unix socket, and log file with the same label that the
>> QEMU process gets. Besides that swtpm is added to the emulator cgroup to
>> restrict its CPU usage.
>>
>> The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a
>> TPM 1.2. The device state is not removed during those changes but only
>> when the domain is undefined.
>>
>> The swtpm needs persistent storage to store its state. For that I am
>> using the uuid of the VM as part of the path since the name of the VM
>> can be changed. Logfiles, PID files, and socket names are based on the
>> name of the VM, though.
>>
>>    Stefan
>>
>> v6->v7:
>>    - followed Jan Tomko's suggestion with resulting changes to patch
>>      10/12.
>>    - re-added missing parts related to swtpm_setup and TPM that got lost
>>      in v4
>>
>> v5->v6:
>>    - Addressed John Ferlan's comments
>>    - rebased on latest tip
>>    - Added patch 12.
>>
>> v4->v5:
>>    - Addressed John Ferlan's, Boris Fiuczynski's and Marc Hartmayer's comments
>>    - rebased on latest tip
>>
>> v3->v4:
>>    - Addressed John Ferlan's comments
>>    - Fixed bugs I found while testing
>>    - rebased on latest tip
>>
>> Stefan Berger (12):
>>    conf: Add support for external swtpm TPM emulator to domain XML
>>    qemu: Extend QEMU capabilities with 'tpm-emulator'
>>    util: Implement virFileChownFiles()
>>    security: Add DAC and SELinux security for tpm-emulator
>>    qemu: Extend qemu_conf with tpm-emulator support
>>    qemu: Extend QEMU with external TPM support
>>    qemu: Add support for external swtpm TPM emulator
>>    tests: Add test cases for external swtpm TPM emulator
>>    security: Label the external swtpm with SELinux labels
>>    conf: Add support for choosing emulation of a TPM 2
>>    qemu: Add swtpm to emulator cgroup
>>    news: Update news with new TPM emulator feature
>>
>>
> I'm still fine with the applied R-By's (you can add to patch12 if you
> desire as well).

I think I'll post a v8 again with some more patches appended. The target 
is 4.5... it's getting late in the month and I am afraid that AppArmor 
support may be a bigger thing that probably shouldn't be split across 
4.4 and 4.5.

     Stefan


>
> John
>
> FWIW: I knew there was another way we got the tail of the storage path,
> but could not remember or find mdir_name. Glad someone else recalled it!
>   It's not like the name of the method appears to have anything to do
> with the functionality.
>
