From: Julio Faracco
To: libvir-list@redhat.com
Cc: Julio Faracco
Subject: [PATCH] lxc: Add TPM passthrough option for LXC driver
Date: Sun, 16 Aug 2020 13:16:30 -0300
Message-Id: <20200816161630.25490-1-jcfaracco@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

There is no support for TPM passthrough in the LXC libvirt driver. This commit adds the option to use the host TPM inside containers.

Signed-off-by: Julio Faracco
---
 src/lxc/lxc_cgroup.c     | 27 +++++++++++++++++++
 src/lxc/lxc_controller.c | 56 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)

diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c
index d13f2adde5..955d2b4fc1 100644
--- a/src/lxc/lxc_cgroup.c
+++ b/src/lxc/lxc_cgroup.c
@@ -374,6 +374,33 @@ static int virLXCCgroupSetupDeviceACL(virDomainDefPtr = def, return -1; } =20 + for (i =3D 0; i < def->ntpms; i++) { + virDomainTPMDefPtr tpm =3D def->tpms[i]; + const char *dev =3D NULL; + + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + dev =3D "/dev/tpm0"; + break; + } + + if (!dev) + continue; + + if (!virFileExists(dev)) { + VIR_DEBUG("Ignoring non-existent device %s", dev); + continue; + } + + if (virCgroupAllowDevicePath(cgroup, dev, + VIR_CGROUP_DEVICE_READ, + false) < 0) + return -1; + } + VIR_DEBUG("Device ACL setup complete"); =20 return 0; diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index ae6b737b60..70ca773bbf 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c 
@@ -1644,6 +1644,59 @@ virLXCControllerSetupHostdevSubsysUSB(virDomainDefPt= r vmDef, } =20 =20 +static int +virLXCControllerSetupTPM(virLXCControllerPtr ctrl) +{ + virDomainDefPtr def =3D ctrl->def; + size_t i; + + for (i =3D 0; i < def->ntpms; i++) { + virDomainTPMDefPtr tpm =3D def->tpms[i]; + g_autofree char *path =3D NULL; + const char *tpm_dev =3D NULL; + struct stat sb; + dev_t dev; + + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + case VIR_DOMAIN_TPM_TYPE_LAST: + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("unsupported timer type (name) '%s'"), + virDomainTPMBackendTypeToString(tpm->type)); + return -1; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + tpm_dev =3D "/dev/tpm0"; + path =3D g_strdup_printf("/%s/%s.dev/%s", LXC_STATE_DIR, + def->name, "/rtc"); + break; + } + + if (!tpm_dev) + continue; + + if (stat(tpm_dev, &sb) < 0) { + virReportSystemError(errno, _("Unable to access %s"), + tpm_dev); + return -1; + } + + dev =3D makedev(major(sb.st_rdev), minor(sb.st_rdev)); + if (mknod(path, S_IFCHR, dev) < 0 || + chmod(path, sb.st_mode)) { + virReportSystemError(errno, + _("Failed to make device %s"), + path); + return -1; + } + + if (lxcContainerChown(def, path) < 0) + return -1; + } + + return 0; +} + + static int virLXCControllerSetupHostdevCapsStorage(virDomainDefPtr vmDef, virDomainHostdevDefPtr def, @@ -2358,6 +2411,9 @@ virLXCControllerRun(virLXCControllerPtr ctrl) if (virLXCControllerSetupAllHostdevs(ctrl) < 0) goto cleanup; =20 + if (virLXCControllerSetupTPM(ctrl) < 0) + goto cleanup; + if (virLXCControllerSetupFuse(ctrl) < 0) goto cleanup; =20 --=20 2.25.1
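Review bot: in the lxc_cgroup.c hunk, the device ACL for the passthrough TPM is granted with VIR_CGROUP_DEVICE_READ only, but a TPM is driven by writing command blobs to the character device and reading the responses back, so a container confined by this rule can open the node yet never issue a command; VIR_CGROUP_DEVICE_RW is the permission this device needs. The path is also hard-coded to "/dev/tpm0" instead of being taken from the device path configured under the passthrough backend in the domain XML, so a host whose TPM is not tpm0 cannot be expressed and a node the admin did not configure is exposed; use the configured source path, and treat a missing device as an error rather than a VIR_DEBUG skip, since the lxc_controller.c hunk treats the same condition as fatal and the two should agree.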
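Review bot: in the virLXCControllerSetupTPM hunk, the error string and the node path look copied from the RTC timer setup and were not adjusted: the message for an unsupported backend reads "unsupported timer type (name) '%s'" and should name the TPM backend, and the path is built as "/%s/%s.dev/%s" with "/rtc" as the last component, so the passthrough device is created inside the container's .dev directory as a node called rtc (behind a doubled slash), not tpm0. Suggest `path = g_strdup_printf("/%s/%s.dev/tpm0", LXC_STATE_DIR, def->name);` (or the basename of the configured device) together with a message such as `_("unsupported TPM backend type '%s'")`. Note also that VIR_DOMAIN_TPM_TYPE_EMULATOR fails the whole container start here while the lxc_cgroup.c hunk silently skips it; both places should agree on whether an emulator TPM in an LXC domain is a configuration error.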
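Review bot: with the call placed in virLXCControllerRun, a domain whose TPM uses the emulator backend is rejected only when the container is started, because virLXCControllerSetupTPM returns -1 for VIR_DOMAIN_TPM_TYPE_EMULATOR and nothing in this patch starts an emulator for the container; that restriction belongs in the LXC driver's domain definition validation so that defining the domain fails rather than starting it. The patch also lacks any documentation change recording that the LXC driver now honours a <tpm> device with backend type='passthrough'.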