src/qemu/qemu_tpm.c | 5 ++++- src/util/virtpm.c | 1 + src/util/virtpm.h | 1 + 3 files changed, 6 insertions(+), 1 deletion(-)
When 'swtpm_setup --print-capabilities' shows the 'tpm12-not-need-root'
flag, then it is possible to create certificates for the TPM 1.2 also
in non-privileged mode since swtpm_setup doesn't need tcsd anymore.
Check for this flag and create the certificates if this flag is found.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/qemu/qemu_tpm.c | 5 ++++-
src/util/virtpm.c | 1 +
src/util/virtpm.h | 1 +
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index e1b08a66c5..91e21ae646 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -463,11 +463,14 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
if (!swtpm_setup)
return -1;
- if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2)
+ if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2 &&
+ !virTPMSwtpmSetupCapsGet(
+ VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) {
return virFileWriteStr(logfile,
_("Did not create EK and certificates since "
"this requires privileged mode for a "
"TPM 1.2\n"), 0600);
+ }
if (!privileged && qemuTPMCreateConfigFiles(swtpm_setup) < 0)
return -1;
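Review bot: The message written by `virFileWriteStr(logfile, ...)` in the widened condition still says EK and certificate creation "requires privileged mode for a TPM 1.2", but the skip now also depends on swtpm_setup not advertising `tpm12-not-need-root`. The branch returns the result of the log write, so as far as this hunk shows that line is the only trace that the TPM 1.2 was left without an EK and certificates. Anyone relying on the vTPM's EK certificate for attestation needs the log to name the real remedy. I would reword it along the lines of `"Did not create EK and certificates since a TPM 1.2 requires privileged mode or a swtpm_setup with the 'tpm12-not-need-root' capability\n"`. I would also add a short comment above the `if`, for example `/* older swtpm_setup needs tcsd, and therefore root, to create TPM 1.2 certificates */`. The body of qemuTPMEmulatorRunSetup starts and continues outside this hunk, so how the caller treats the early return is not visible here.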
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index 0f50de866c..40d9272e66 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -46,6 +46,7 @@ VIR_ENUM_IMPL(virTPMSwtpmSetupFeature,
VIR_TPM_SWTPM_SETUP_FEATURE_LAST,
"cmdarg-pwdfile-fd",
"cmdarg-create-config-files",
+ "tpm12-not-need-root",
);
/**
diff --git a/src/util/virtpm.h b/src/util/virtpm.h
index 3bb03b3b33..b75eb84f31 100644
--- a/src/util/virtpm.h
+++ b/src/util/virtpm.h
@@ -39,6 +39,7 @@ typedef enum {
typedef enum {
VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD,
VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES,
+ VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT,
VIR_TPM_SWTPM_SETUP_FEATURE_LAST
} virTPMSwtpmSetupFeature;
--
2.31.1
On 10/30/21 6:01 AM, Stefan Berger wrote:
> When 'swtpm_setup --print-capabilities' shows the 'tpm12-not-need-root'
> flag, then it is possible to create certificates for the TPM 1.2 also
> in non-privileged mode since swtpm_setup doesn't need tcsd anymore.
> Check for this flag and create the certificates if this flag is found.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> src/qemu/qemu_tpm.c | 5 ++++-
> src/util/virtpm.c | 1 +
> src/util/virtpm.h | 1 +
> 3 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index e1b08a66c5..91e21ae646 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -463,11 +463,14 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> if (!swtpm_setup)
> return -1;
>
> - if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2)
> + if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2 &&
> + !virTPMSwtpmSetupCapsGet(
> + VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) {
It's okay if this is on one line. The 80 character limit is more a suggestion and I find it more readable if it's all on one line. Reviewed-by: Michal Privoznik <mprivozn@redhat.com> and pushed. Michal