qemu: tpm: Enable creation of certs for TPM 1.2 in non-privileged mode

[PATCH] qemu: tpm: Enable creation of certs for TPM 1.2 in non-privileged mode

Posted by Stefan Berger 2 years, 5 months ago

When 'swtpm_setup --print-capabilities' shows the 'tpm12-not-need-root'
flag, then it is possible to create certificates for the TPM 1.2 also
in non-privileged mode since swtpm_setup doesn't need tcsd anymore.
Check for this flag and create the certificates if this flag is found.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/qemu/qemu_tpm.c | 5 ++++-
 src/util/virtpm.c   | 1 +
 src/util/virtpm.h   | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index e1b08a66c5..91e21ae646 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -463,11 +463,14 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
     if (!swtpm_setup)
         return -1;
 
-    if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2)
+    if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2 &&
+        !virTPMSwtpmSetupCapsGet(
+            VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) {
         return virFileWriteStr(logfile,
                                _("Did not create EK and certificates since "
                                  "this requires privileged mode for a "
                                  "TPM 1.2\n"), 0600);
+    }
 
     if (!privileged && qemuTPMCreateConfigFiles(swtpm_setup) < 0)
         return -1;
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index 0f50de866c..40d9272e66 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -46,6 +46,7 @@ VIR_ENUM_IMPL(virTPMSwtpmSetupFeature,
               VIR_TPM_SWTPM_SETUP_FEATURE_LAST,
               "cmdarg-pwdfile-fd",
               "cmdarg-create-config-files",
+              "tpm12-not-need-root",
 );
 
 /**
diff --git a/src/util/virtpm.h b/src/util/virtpm.h
index 3bb03b3b33..b75eb84f31 100644
--- a/src/util/virtpm.h
+++ b/src/util/virtpm.h
@@ -39,6 +39,7 @@ typedef enum {
 typedef enum {
     VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD,
     VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES,
+    VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT,
 
     VIR_TPM_SWTPM_SETUP_FEATURE_LAST
 } virTPMSwtpmSetupFeature;
-- 
2.31.1

Re: [PATCH] qemu: tpm: Enable creation of certs for TPM 1.2 in non-privileged mode

Posted by Michal Prívozník 2 years, 5 months ago

On 10/30/21 6:01 AM, Stefan Berger wrote:
> When 'swtpm_setup --print-capabilities' shows the 'tpm12-not-need-root'
> flag, then it is possible to create certificates for the TPM 1.2 also
> in non-privileged mode since swtpm_setup doesn't need tcsd anymore.
> Check for this flag and create the certificates if this flag is found.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  src/qemu/qemu_tpm.c | 5 ++++-
>  src/util/virtpm.c   | 1 +
>  src/util/virtpm.h   | 1 +
>  3 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index e1b08a66c5..91e21ae646 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -463,11 +463,14 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
>      if (!swtpm_setup)
>          return -1;
>  
> -    if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2)
> +    if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2 &&
> +        !virTPMSwtpmSetupCapsGet(
> +            VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) {

It's okay if this is on one line. The 80 character limit is more a
suggestion and I find it more readable if it's all on one line.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

and pushed.

Michal