[PATCH 0/1] qemu_tpm: Start swtpm(8) daemon with --terminate switch

Nick Chevsky posted 1 patch 1 week, 5 days ago
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20210913061618.4019652-1-nchevsky@gmail.com

libvirt expects the swtpm(8) daemon to auto-terminate along with QEMU.
While that's already the case, it's currently happening for the wrong
reason: swtpm's documented way of achieving this behavior is via the
--terminate switch (which causes the daemon to shut down when the
data channel connection drops), but libvirt isn't currently using
this switch--and it should.

The reason this currently works anyway, even without the --terminate
switch, is two-fold:

(1) When QEMU terminates gracefully, it sends command CMD_SHUTDOWN to
    swtpm which triggers a shutdown. Nothing wrong with this one.
(2) When QEMU dies abruptly (e.g. SIGKILL, SIGSEGV) without issuing
    CMD_SHUTDOWN, swtpm should (a) shut down if the --terminate switch
    was given OR (b) stay alive if --terminate wasn't given. At the
    moment this isn't being respected, and swtpm unconditionally shuts
    down (regardless of whether --terminate was given or not) due to a
    bug in swtpm's connection handling logic [1]. libvirt currently
    relies on this incorrect and undocumented upstream behavior,
    trusting swtpm to shut itself down even when --terminate wasn't
    given, which is wrong and bound to break.

The discussion [1] between swtpm's author and me shows that --terminate
(a) is the proper way to achieve--and guarantee--the current behavior,
(b) is innocuous to add since it won't alter existing behavior, (c)
should've been used by libvirt all along, and (d) should be enforced
by swtpm going forward.

Since libvirt presently relies on swtpm's current (incorrect) behavior
and we don't want to break libvirt, we need libvirt to start invoking
swtpm with the --terminate switch ASAP so that the upstream bug can
be fixed as soon as it's safe. Fixing the bug is the first step toward
eventually enabling non-libvirt swtpm users to optionally run swtpm as
a persistent service, allowing a VM to connect to and disconnect from
it without the daemon dying.

Proxmox VE, to which I also contribute, is already using --terminate
in its (WIP) swtpm implementation.

[1] https://github.com/stefanberger/swtpm/pull/509 -- Note that this
    already-merged PR addresses only one half of the bug; the other
    half (which will actually effect the change) remains on hold until
    libvirt implements --terminate.

Nick Chevsky (1):
  qemu_tpm: Start swtpm(8) daemon with --terminate switch

 src/qemu/qemu_tpm.c | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.30.2
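The three lifecycle cases the cover letter lists (graceful CMD_SHUTDOWN, abrupt disconnect with --terminate, abrupt disconnect without it) as an added, constructed Python model; this is not swtpm's or libvirt's code, the socket framing and the CMD_SHUTDOWN byte string are placeholders, and the model shows swtpm's documented behavior, not the upstream bug the letter describes.

```python
import socket
import threading

# Constructed placeholder for the real CMD_SHUTDOWN message (wire encoding
# is not modelled here).
CMD_SHUTDOWN = b"CMD_SHUTDOWN"


def daemon_loop(listener, terminate):
    """Model of the daemon's documented behavior on the data channel.

    Returns "shutdown" after a graceful CMD_SHUTDOWN, "terminate" if the
    channel dropped and --terminate was given, or "alive" if the channel
    dropped without --terminate and nobody reconnected (daemon persists)."""
    listener.settimeout(0.5)  # short wait for a reconnect in the model
    while True:
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            return "alive"  # (2b): no --terminate, daemon keeps serving
        with conn:
            data = conn.recv(64)  # b"" means the peer closed abruptly
        if data == CMD_SHUTDOWN:
            return "shutdown"  # (1): QEMU issued CMD_SHUTDOWN
        if terminate:
            return "terminate"  # (2a): channel dropped with --terminate
        # (2b): channel dropped, no --terminate: loop back and accept again


def simulate(terminate, client_action):
    """Run one daemon and one client; client_action is 'shutdown' or 'crash'."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
    listener.listen(1)
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.update(why=daemon_loop(listener, terminate)))
    worker.start()
    client = socket.create_connection(listener.getsockname())
    if client_action == "shutdown":
        client.sendall(CMD_SHUTDOWN)
    client.close()  # a QEMU crash is just an abrupt close of the channel
    worker.join()
    listener.close()
    return outcome["why"]
```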