src/qemu/qemu_extdevice.c | 5 ++-- src/qemu/qemu_extdevice.h | 3 ++- src/qemu/qemu_process.c | 2 +- src/qemu/qemu_tpm.c | 49 +++++++++++++++++++++++++-------------- src/qemu/qemu_tpm.h | 3 ++- 5 files changed, 40 insertions(+), 22 deletions(-)
In case of an incoming migration we do not need to run swtpm_setup
with all the parameters but only want to get the benefit of it
creating a TPM state file for us that we can then label with an
SELinux label. The actual state will be overwritten by the
incoming state. So we have to pass an indicator for incomingMigration
all the way to the command line parameter generation for swtpm_setup.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/qemu/qemu_extdevice.c | 5 ++--
src/qemu/qemu_extdevice.h | 3 ++-
src/qemu/qemu_process.c | 2 +-
src/qemu/qemu_tpm.c | 49 +++++++++++++++++++++++++--------------
src/qemu/qemu_tpm.h | 3 ++-
5 files changed, 40 insertions(+), 22 deletions(-)
diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c
index e576bca165..af52466421 100644
--- a/src/qemu/qemu_extdevice.c
+++ b/src/qemu/qemu_extdevice.c
@@ -128,7 +128,8 @@ qemuExtDevicesCleanupHost(virQEMUDriverPtr driver,
int
qemuExtDevicesStart(virQEMUDriverPtr driver,
virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
{
int ret = 0;
@@ -136,7 +137,7 @@ qemuExtDevicesStart(virQEMUDriverPtr driver,
return -1;
if (vm->def->tpm)
- ret = qemuExtTPMStart(driver, vm, logCtxt);
+ ret = qemuExtTPMStart(driver, vm, logCtxt, incomingMigration);
return ret;
}
diff --git a/src/qemu/qemu_extdevice.h b/src/qemu/qemu_extdevice.h
index bbdb9a1cc2..5a53c79f38 100644
--- a/src/qemu/qemu_extdevice.h
+++ b/src/qemu/qemu_extdevice.h
@@ -40,7 +40,8 @@ void qemuExtDevicesCleanupHost(virQEMUDriverPtr driver,
int qemuExtDevicesStart(virQEMUDriverPtr driver,
virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_RETURN_CHECK;
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 75205bc121..fae18824ba 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6774,7 +6774,7 @@ qemuProcessLaunch(virConnectPtr conn,
if (qemuProcessGenID(vm, flags) < 0)
goto cleanup;
- if (qemuExtDevicesStart(driver, vm, logCtxt) < 0)
+ if (qemuExtDevicesStart(driver, vm, logCtxt, incoming != NULL) < 0)
goto cleanup;
VIR_DEBUG("Building emulator command line");
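Review bot: `incoming != NULL` is handed down as `incomingMigration`, but the parameter name promises something narrower than the condition states: if `incoming` is also non-NULL on any other start path through qemuProcessLaunch (a restore from a saved image, for instance — I cannot confirm that from this hunk), that path would also get the reduced swtpm_setup run with `--overwrite` and no EK or certificates, and nothing later puts them back. If only live migration is meant, derive the flag from a migration-specific indicator; if `incoming` really is migration-only here, say so where the value is computed: `/* a non-NULL incoming means the TPM state arrives with the migration stream */`. qemuProcessLaunch starts and ends outside this hunk.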
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 77ef601f74..4174aa4c62 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -453,6 +453,7 @@ qemuTPMSetupEncryption(const unsigned char *secretuuid,
* for the user given by userid or 'tss'
* @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
* @encryption: pointer to virStorageEncryption holding secret
+ * @incomingMigration: whether we have an incoming migration
*
* Setup the external swtpm by creating endorsement key and
* certificates for it.
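Review bot: The new `@incomingMigration` entry only restates the parameter name, while what a reader of qemuTPMEmulatorRunSetup needs is what the flag changes, since that is the security-relevant part of this patch. I would write `@incomingMigration: true when the TPM state will be replaced by the migrated one; swtpm_setup then only creates the state file (--overwrite) and skips EK and certificate creation`. The existing `@encryption` entry just above does not match the `secretuuid` parameter visible in the following hunk; worth fixing while this comment is being touched. The comment block starts before this hunk.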
@@ -466,7 +467,8 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
gid_t swtpm_group,
const char *logfile,
const virDomainTPMVersion tpmversion,
- const unsigned char *secretuuid)
+ const unsigned char *secretuuid,
+ bool incomingMigration)
{
virCommandPtr cmd = NULL;
int exitstatus;
@@ -525,16 +527,23 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
pwdfile_fd = -1;
}
- virCommandAddArgList(cmd,
- "--tpm-state", storagepath,
- "--vmid", vmid,
- "--logfile", logfile,
- "--createek",
- "--create-ek-cert",
- "--create-platform-cert",
- "--lock-nvram",
- "--not-overwrite",
- NULL);
+ if (!incomingMigration) {
+ virCommandAddArgList(cmd,
+ "--tpm-state", storagepath,
+ "--vmid", vmid,
+ "--logfile", logfile,
+ "--createek",
+ "--create-ek-cert",
+ "--create-platform-cert",
+ "--lock-nvram",
+ "--not-overwrite",
+ NULL);
+ } else {
+ virCommandAddArgList(cmd,
+ "--tpm-state", storagepath,
+ "--overwrite",
+ NULL);
+ }
virCommandClearCaps(cmd);
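Review bot: The incoming-migration branch drops `--logfile`, so a swtpm_setup failure on the destination host leaves nothing in the per-VM TPM log that the non-migration branch writes to, and it also swaps `--not-overwrite` for `--overwrite`, which clobbers whatever is already at `storagepath` unconditionally. If the caller only runs this setup when the storage was freshly created (the `created` flag in qemuTPMEmulatorBuildCommand suggests so, but the condition is outside the hunk) the overwrite is harmless; otherwise a migration aborted after this point has already destroyed the destination's previous TPM state. I would keep the log in both branches, `"--tpm-state", storagepath, "--logfile", logfile, "--overwrite",`, and put the intent above the else: `/* only a labelled placeholder is needed; the migrated state replaces it */`. qemuTPMEmulatorRunSetup starts and ends outside this hunk.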
@@ -568,6 +577,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
* @swtpmStateDir: the directory where swtpm writes the pid file and creates the
* Unix socket
* @shortName: the short name of the VM
+ * @incomingMigration: whether we have an incoming migration
*
* Create the virCommand use for starting the emulator
* Do some initializations on the way, such as creation of storage
@@ -581,7 +591,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
uid_t swtpm_user,
gid_t swtpm_group,
const char *swtpmStateDir,
- const char *shortName)
+ const char *shortName,
+ bool incomingMigration)
{
virCommandPtr cmd = NULL;
bool created = false;
@@ -605,7 +616,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
privileged, swtpm_user, swtpm_group,
tpm->data.emulator.logfile, tpm->version,
- secretuuid) < 0)
+ secretuuid, incomingMigration) < 0)
goto error;
unlink(tpm->data.emulator.source.data.nix.path);
@@ -814,6 +825,7 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
* @driver: QEMU driver
* @vm: the domain object
* @logCtxt: log context
+ * @incomingMigration: whether we have an incoming migration
*
* Start the external TPM Emulator:
* - have the command line built
@@ -822,7 +834,8 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
static int
qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
{
int ret = -1;
virCommandPtr cmd = NULL;
@@ -846,7 +859,8 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
driver->privileged,
cfg->swtpm_user,
cfg->swtpm_group,
- cfg->swtpmStateDir, shortName)))
+ cfg->swtpmStateDir, shortName,
+ incomingMigration)))
goto cleanup;
if (qemuExtDeviceLogCommand(logCtxt, cmd, "TPM Emulator") < 0)
@@ -903,14 +917,15 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
int
qemuExtTPMStart(virQEMUDriverPtr driver,
virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
{
int ret = 0;
virDomainTPMDefPtr tpm = vm->def->tpm;
switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
- ret = qemuExtTPMStartEmulator(driver, vm, logCtxt);
+ ret = qemuExtTPMStartEmulator(driver, vm, logCtxt, incomingMigration);
break;
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
case VIR_DOMAIN_TPM_TYPE_LAST:
diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h
index 74c9924d68..5f454d3580 100644
--- a/src/qemu/qemu_tpm.h
+++ b/src/qemu/qemu_tpm.h
@@ -37,7 +37,8 @@ void qemuExtTPMCleanupHost(virDomainDefPtr def)
int qemuExtTPMStart(virQEMUDriverPtr driver,
virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_RETURN_CHECK;
--
2.21.0
Hi
On Sat, Jul 27, 2019 at 12:41 AM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> In case of an incoming migration we do not need to run swtpm_setup
> with all the parameters but only want to get the benefit of it
> creating a TPM state file for us that we can then label with an
> SELinux label. The actual state will be overwritten by the in-
> coming state. So we have to pass an indicator for incomingMigration
> all the way to the command line parameter generation for swtpm_setup.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
iirc, I needed to pass it down as well in my slirp-helper series.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
> src/qemu/qemu_extdevice.c | 5 ++--
> src/qemu/qemu_extdevice.h | 3 ++-
> src/qemu/qemu_process.c | 2 +-
> src/qemu/qemu_tpm.c | 49 +++++++++++++++++++++++++--------------
> src/qemu/qemu_tpm.h | 3 ++-
> 5 files changed, 40 insertions(+), 22 deletions(-)
>
> diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c
> index e576bca165..af52466421 100644
> --- a/src/qemu/qemu_extdevice.c
> +++ b/src/qemu/qemu_extdevice.c
> @@ -128,7 +128,8 @@ qemuExtDevicesCleanupHost(virQEMUDriverPtr driver,
> int
> qemuExtDevicesStart(virQEMUDriverPtr driver,
> virDomainObjPtr vm,
> - qemuDomainLogContextPtr logCtxt)
> + qemuDomainLogContextPtr logCtxt,
> + bool incomingMigration)
> {
> int ret = 0;
>
> @@ -136,7 +137,7 @@ qemuExtDevicesStart(virQEMUDriverPtr driver,
> return -1;
>
> if (vm->def->tpm)
> - ret = qemuExtTPMStart(driver, vm, logCtxt);
> + ret = qemuExtTPMStart(driver, vm, logCtxt, incomingMigration);
>
> return ret;
> }
> diff --git a/src/qemu/qemu_extdevice.h b/src/qemu/qemu_extdevice.h
> index bbdb9a1cc2..5a53c79f38 100644
> --- a/src/qemu/qemu_extdevice.h
> +++ b/src/qemu/qemu_extdevice.h
> @@ -40,7 +40,8 @@ void qemuExtDevicesCleanupHost(virQEMUDriverPtr driver,
>
> int qemuExtDevicesStart(virQEMUDriverPtr driver,
> virDomainObjPtr vm,
> - qemuDomainLogContextPtr logCtxt)
> + qemuDomainLogContextPtr logCtxt,
> + bool incomingMigration)
> ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
> ATTRIBUTE_RETURN_CHECK;
>
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 75205bc121..fae18824ba 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -6774,7 +6774,7 @@ qemuProcessLaunch(virConnectPtr conn,
> if (qemuProcessGenID(vm, flags) < 0)
> goto cleanup;
>
> - if (qemuExtDevicesStart(driver, vm, logCtxt) < 0)
> + if (qemuExtDevicesStart(driver, vm, logCtxt, incoming != NULL) < 0)
> goto cleanup;
>
> VIR_DEBUG("Building emulator command line");
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index 77ef601f74..4174aa4c62 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -453,6 +453,7 @@ qemuTPMSetupEncryption(const unsigned char *secretuuid,
> * for the user given by userid or 'tss'
> * @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
> * @encryption: pointer to virStorageEncryption holding secret
> + * @incomingMigration: whether we have an incoming migration
> *
> * Setup the external swtpm by creating endorsement key and
> * certificates for it.
> @@ -466,7 +467,8 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> gid_t swtpm_group,
> const char *logfile,
> const virDomainTPMVersion tpmversion,
> - const unsigned char *secretuuid)
> + const unsigned char *secretuuid,
> + bool incomingMigration)
> {
> virCommandPtr cmd = NULL;
> int exitstatus;
> @@ -525,16 +527,23 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> pwdfile_fd = -1;
> }
>
> - virCommandAddArgList(cmd,
> - "--tpm-state", storagepath,
> - "--vmid", vmid,
> - "--logfile", logfile,
> - "--createek",
> - "--create-ek-cert",
> - "--create-platform-cert",
> - "--lock-nvram",
> - "--not-overwrite",
> - NULL);
> + if (!incomingMigration) {
> + virCommandAddArgList(cmd,
> + "--tpm-state", storagepath,
> + "--vmid", vmid,
> + "--logfile", logfile,
> + "--createek",
> + "--create-ek-cert",
> + "--create-platform-cert",
> + "--lock-nvram",
> + "--not-overwrite",
> + NULL);
> + } else {
> + virCommandAddArgList(cmd,
> + "--tpm-state", storagepath,
> + "--overwrite",
> + NULL);
> + }
>
> virCommandClearCaps(cmd);
>
> @@ -568,6 +577,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> * @swtpmStateDir: the directory where swtpm writes the pid file and creates the
> * Unix socket
> * @shortName: the short name of the VM
> + * @incomingMigration: whether we have an incoming migration
> *
> * Create the virCommand use for starting the emulator
> * Do some initializations on the way, such as creation of storage
> @@ -581,7 +591,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
> uid_t swtpm_user,
> gid_t swtpm_group,
> const char *swtpmStateDir,
> - const char *shortName)
> + const char *shortName,
> + bool incomingMigration)
> {
> virCommandPtr cmd = NULL;
> bool created = false;
> @@ -605,7 +616,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
> qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
> privileged, swtpm_user, swtpm_group,
> tpm->data.emulator.logfile, tpm->version,
> - secretuuid) < 0)
> + secretuuid, incomingMigration) < 0)
> goto error;
>
> unlink(tpm->data.emulator.source.data.nix.path);
> @@ -814,6 +825,7 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
> * @driver: QEMU driver
> * @vm: the domain object
> * @logCtxt: log context
> + * @incomingMigration: whether we have an incoming migration
> *
> * Start the external TPM Emulator:
> * - have the command line built
> @@ -822,7 +834,8 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
> static int
> qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
> virDomainObjPtr vm,
> - qemuDomainLogContextPtr logCtxt)
> + qemuDomainLogContextPtr logCtxt,
> + bool incomingMigration)
> {
> int ret = -1;
> virCommandPtr cmd = NULL;
> @@ -846,7 +859,8 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
> driver->privileged,
> cfg->swtpm_user,
> cfg->swtpm_group,
> - cfg->swtpmStateDir, shortName)))
> + cfg->swtpmStateDir, shortName,
> + incomingMigration)))
> goto cleanup;
>
> if (qemuExtDeviceLogCommand(logCtxt, cmd, "TPM Emulator") < 0)
> @@ -903,14 +917,15 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
> int
> qemuExtTPMStart(virQEMUDriverPtr driver,
> virDomainObjPtr vm,
> - qemuDomainLogContextPtr logCtxt)
> + qemuDomainLogContextPtr logCtxt,
> + bool incomingMigration)
> {
> int ret = 0;
> virDomainTPMDefPtr tpm = vm->def->tpm;
>
> switch (tpm->type) {
> case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> - ret = qemuExtTPMStartEmulator(driver, vm, logCtxt);
> + ret = qemuExtTPMStartEmulator(driver, vm, logCtxt, incomingMigration);
> break;
> case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
> case VIR_DOMAIN_TPM_TYPE_LAST:
> diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h
> index 74c9924d68..5f454d3580 100644
> --- a/src/qemu/qemu_tpm.h
> +++ b/src/qemu/qemu_tpm.h
> @@ -37,7 +37,8 @@ void qemuExtTPMCleanupHost(virDomainDefPtr def)
>
> int qemuExtTPMStart(virQEMUDriverPtr driver,
> virDomainObjPtr vm,
> - qemuDomainLogContextPtr logCtxt)
> + qemuDomainLogContextPtr logCtxt,
> + bool incomingMigration)
> ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
> ATTRIBUTE_RETURN_CHECK;
>
> --
> 2.21.0
>