When share storage for the TPM state files has been setup betwen hosts then
remove the TPM state files and directory only when undefining a VM and only
if the attribute persistent_state is not set. Avoid removing the TPM state
files and directory structure when a VM is migrated and shared storage is
used since this would also remove those files and directory structure on
the destination side.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/qemu/qemu_tpm.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 20c7e92766..d1639318e7 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -728,10 +728,20 @@ qemuTPMEmulatorInitPaths(virDomainTPMDef *tpm,
  */
 static void
 qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm,
-                           qemuDomainUndefineReason undefReason G_GNUC_UNUSED)
+                           qemuDomainUndefineReason undefReason)
 {
-    if (!tpm->data.emulator.persistent_state)
+    if (tpm->data.emulator.shared_storage) {
+        /* When using shared storage remove the domain only if this is due to
+         * a 'virsh undefine' type of command and only if persistent_state ==
+         * false. Avoid removal of the state files/directory during migration.
+         */
+        if (undefReason == QEMU_DOMAIN_UNDEFINE_DOMAIN &&
+           !tpm->data.emulator.persistent_state) {
+            qemuTPMEmulatorDeleteStorage(tpm);
+        }
+    } else if (!tpm->data.emulator.persistent_state) {
         qemuTPMEmulatorDeleteStorage(tpm);
+    }
 }
 
 
-- 
2.37.1

On Mon, Aug 22, 2022 at 08:05:53AM -0400, Stefan Berger wrote:
> When share storage for the TPM state files has been setup betwen hosts then
> remove the TPM state files and directory only when undefining a VM and only
> if the attribute persistent_state is not set. Avoid removing the TPM state
> files and directory structure when a VM is migrated and shared storage is
> used since this would also remove those files and directory structure on
> the destination side.

I think our current undefine behaviour is probably flawed. We go to the
trouble of refusing to remove the firmware NVRAM when undefining because
it contains important VM state, but then happily blow away the TPM state.
Totally inconsistent behaviour :-(  Its too late to change the default
behaviour, but we likely ought to add a flag

    VIR_DOMAIN_UNDEFINE_KEEP_TPM

and plumb that through the varius code paths, which would remove the
need for this specific 'qemuDomainUndefineReason' enum.

> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  src/qemu/qemu_tpm.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index 20c7e92766..d1639318e7 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -728,10 +728,20 @@ qemuTPMEmulatorInitPaths(virDomainTPMDef *tpm,
>   */
>  static void
>  qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm,
> -                           qemuDomainUndefineReason undefReason G_GNUC_UNUSED)
> +                           qemuDomainUndefineReason undefReason)
>  {
> -    if (!tpm->data.emulator.persistent_state)
> +    if (tpm->data.emulator.shared_storage) {
> +        /* When using shared storage remove the domain only if this is due to
> +         * a 'virsh undefine' type of command and only if persistent_state ==
> +         * false. Avoid removal of the state files/directory during migration.
> +         */
> +        if (undefReason == QEMU_DOMAIN_UNDEFINE_DOMAIN &&
> +           !tpm->data.emulator.persistent_state) {
> +            qemuTPMEmulatorDeleteStorage(tpm);
> +        }
> +    } else if (!tpm->data.emulator.persistent_state) {
>          qemuTPMEmulatorDeleteStorage(tpm);
> +    }
>  }
>  
>  
> -- 
> 2.37.1
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

On 8/22/22 12:46, Daniel P. Berrangé wrote:
> On Mon, Aug 22, 2022 at 08:05:53AM -0400, Stefan Berger wrote:
>> When share storage for the TPM state files has been setup betwen hosts then
>> remove the TPM state files and directory only when undefining a VM and only
>> if the attribute persistent_state is not set. Avoid removing the TPM state
>> files and directory structure when a VM is migrated and shared storage is
>> used since this would also remove those files and directory structure on
>> the destination side.
> 
> I think our current undefine behaviour is probably flawed. We go to the
> trouble of refusing to remove the firmware NVRAM when undefining because
> it contains important VM state, but then happily blow away the TPM state.
> Totally inconsistent behaviour :-(  Its too late to change the default
> behaviour, but we likely ought to add a flag
> 
>      VIR_DOMAIN_UNDEFINE_KEEP_TPM
> 
> and plumb that through the varius code paths, which would remove the
> need for this specific 'qemuDomainUndefineReason' enum.

I think the granularity encoded in the reason is necessary for the 
following patch I was going to post later on:

Subject: [PATCH] qemu: tpm: Remove TPM state with non-shared storage

This patch 'fixes' the behavior of the persistent_state TPM domain XML
attribute that intends to preserve the state of the TPM but should not
keep the state around on all the hosts a VM has been migrated to. It
removes the TPM state directory structure from the source host upon
successful migration when non-shared storage is used. Similarly, it
removes it from the destination host upon migration failure when
non-shared storage is used.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
  src/qemu/qemu_domain.h    | 2 ++
  src/qemu/qemu_migration.c | 4 ++--
  src/qemu/qemu_tpm.c       | 3 +++
  3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 8e5dacf624..4cf6a640c2 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -685,6 +685,8 @@ int 
qemuDomainSnapshotDiscardAllMetadata(virQEMUDriver *driver,
  typedef enum {
      QEMU_DOMAIN_UNDEFINE_UNSPEC = 0,
      QEMU_DOMAIN_UNDEFINE_DOMAIN,    /* virsh undefine type of command */
+    QEMU_DOMAIN_UNDEFINE_MIGRATION_SRC, /* undefine due to successful 
migration on src */
+    QEMU_DOMAIN_UNDEFINE_MIGRATION_DST, /* undefine due to failed 
migration on dst */
  } qemuDomainUndefineReason;

  void qemuDomainRemoveInactive(virQEMUDriver *driver,
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index b15c1ccc22..f50a488072 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -4055,7 +4055,7 @@ qemuMigrationSrcConfirm(virQEMUDriver *driver,
              vm->persistent = 0;
          }
          qemuDomainRemoveInactive(driver, vm,
-                                 QEMU_DOMAIN_UNDEFINE_UNSPEC);
+                                 QEMU_DOMAIN_UNDEFINE_MIGRATION_SRC);
      }

   cleanup:
@@ -6668,7 +6668,7 @@ qemuMigrationDstFinishActive(virQEMUDriver *driver,
      }

      if (!virDomainObjIsActive(vm))
-        qemuDomainRemoveInactive(driver, vm, QEMU_DOMAIN_UNDEFINE_UNSPEC);
+        qemuDomainRemoveInactive(driver, vm, 
QEMU_DOMAIN_UNDEFINE_MIGRATION_DST);

      virErrorRestore(&orig_err);
      return NULL;
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index d1639318e7..ad9bc9f1a5 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -739,6 +739,9 @@ qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm,
             !tpm->data.emulator.persistent_state) {
              qemuTPMEmulatorDeleteStorage(tpm);
          }
+    } else if (undefReason == QEMU_DOMAIN_UNDEFINE_MIGRATION_SRC  ||
+               undefReason == QEMU_DOMAIN_UNDEFINE_MIGRATION_DST) {
+        qemuTPMEmulatorDeleteStorage(tpm);
      } else if (!tpm->data.emulator.persistent_state) {
          qemuTPMEmulatorDeleteStorage(tpm);
      }
--
2.37.1


The complete qemuTPMEmulatorCleanupHost handling shared and non-shared 
storage along with the persistent_state attribute now looks like this:

static void
qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm,
                            qemuDomainUndefineReason undefReason)
{
     if (tpm->data.emulator.shared_storage) {
         /* When using shared storage remove the domain only if this is 
due to
          * a 'virsh undefine' type of command and only if 
persistent_state ==
          * false. Avoid removal of the state files/directory during 
migration.
          */
         if (undefReason == QEMU_DOMAIN_UNDEFINE_DOMAIN &&
            !tpm->data.emulator.persistent_state) {
             qemuTPMEmulatorDeleteStorage(tpm);
         }
     } else if (undefReason == QEMU_DOMAIN_UNDEFINE_MIGRATION_SRC  ||
                undefReason == QEMU_DOMAIN_UNDEFINE_MIGRATION_DST) {
         qemuTPMEmulatorDeleteStorage(tpm);
     } else if (!tpm->data.emulator.persistent_state) {
         qemuTPMEmulatorDeleteStorage(tpm);
     }
}


Regards,
    Stefan

On Mon, Aug 22, 2022 at 03:17:34PM -0400, Stefan Berger wrote:
> 
> 
> On 8/22/22 12:46, Daniel P. Berrangé wrote:
> > On Mon, Aug 22, 2022 at 08:05:53AM -0400, Stefan Berger wrote:
> > > When share storage for the TPM state files has been setup betwen hosts then
> > > remove the TPM state files and directory only when undefining a VM and only
> > > if the attribute persistent_state is not set. Avoid removing the TPM state
> > > files and directory structure when a VM is migrated and shared storage is
> > > used since this would also remove those files and directory structure on
> > > the destination side.
> > 
> > I think our current undefine behaviour is probably flawed. We go to the
> > trouble of refusing to remove the firmware NVRAM when undefining because
> > it contains important VM state, but then happily blow away the TPM state.
> > Totally inconsistent behaviour :-(  Its too late to change the default
> > behaviour, but we likely ought to add a flag
> > 
> >      VIR_DOMAIN_UNDEFINE_KEEP_TPM
> > 
> > and plumb that through the varius code paths, which would remove the
> > need for this specific 'qemuDomainUndefineReason' enum.
> 
> I think the granularity encoded in the reason is necessary for the following
> patch I was going to post later on:
> 
> Subject: [PATCH] qemu: tpm: Remove TPM state with non-shared storage
> 
> This patch 'fixes' the behavior of the persistent_state TPM domain XML
> attribute that intends to preserve the state of the TPM but should not
> keep the state around on all the hosts a VM has been migrated to. It
> removes the TPM state directory structure from the source host upon
> successful migration when non-shared storage is used. Similarly, it
> removes it from the destination host upon migration failure when
> non-shared storage is used.

'persistent_state' is something that applies to transient VMs.

What I'm suggesting is that we should have some control over
this for persistent VMs, when calling 'undefine'.

ie   virsh undefine --keep-nvram --keep-tpm  $VMNAME  

if we have this feature in the public API, then its impl should
support both this feature and your future patch for
'persistent_state'. 

> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  src/qemu/qemu_domain.h    | 2 ++
>  src/qemu/qemu_migration.c | 4 ++--
>  src/qemu/qemu_tpm.c       | 3 +++
>  3 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
> index 8e5dacf624..4cf6a640c2 100644
> --- a/src/qemu/qemu_domain.h
> +++ b/src/qemu/qemu_domain.h
> @@ -685,6 +685,8 @@ int qemuDomainSnapshotDiscardAllMetadata(virQEMUDriver
> *driver,
>  typedef enum {
>      QEMU_DOMAIN_UNDEFINE_UNSPEC = 0,
>      QEMU_DOMAIN_UNDEFINE_DOMAIN,    /* virsh undefine type of command */
> +    QEMU_DOMAIN_UNDEFINE_MIGRATION_SRC, /* undefine due to successful
> migration on src */
> +    QEMU_DOMAIN_UNDEFINE_MIGRATION_DST, /* undefine due to failed migration
> on dst */
>  } qemuDomainUndefineReason;
> 
>  void qemuDomainRemoveInactive(virQEMUDriver *driver,
> diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
> index b15c1ccc22..f50a488072 100644
> --- a/src/qemu/qemu_migration.c
> +++ b/src/qemu/qemu_migration.c
> @@ -4055,7 +4055,7 @@ qemuMigrationSrcConfirm(virQEMUDriver *driver,
>              vm->persistent = 0;
>          }
>          qemuDomainRemoveInactive(driver, vm,
> -                                 QEMU_DOMAIN_UNDEFINE_UNSPEC);
> +                                 QEMU_DOMAIN_UNDEFINE_MIGRATION_SRC);
>      }
> 
>   cleanup:
> @@ -6668,7 +6668,7 @@ qemuMigrationDstFinishActive(virQEMUDriver *driver,
>      }
> 
>      if (!virDomainObjIsActive(vm))
> -        qemuDomainRemoveInactive(driver, vm, QEMU_DOMAIN_UNDEFINE_UNSPEC);
> +        qemuDomainRemoveInactive(driver, vm,
> QEMU_DOMAIN_UNDEFINE_MIGRATION_DST);
> 
>      virErrorRestore(&orig_err);
>      return NULL;
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index d1639318e7..ad9bc9f1a5 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -739,6 +739,9 @@ qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm,
>             !tpm->data.emulator.persistent_state) {
>              qemuTPMEmulatorDeleteStorage(tpm);
>          }
> +    } else if (undefReason == QEMU_DOMAIN_UNDEFINE_MIGRATION_SRC  ||
> +               undefReason == QEMU_DOMAIN_UNDEFINE_MIGRATION_DST) {
> +        qemuTPMEmulatorDeleteStorage(tpm);
>      } else if (!tpm->data.emulator.persistent_state) {
>          qemuTPMEmulatorDeleteStorage(tpm);
>      }
> --
> 2.37.1
> 
> 
> The complete qemuTPMEmulatorCleanupHost handling shared and non-shared
> storage along with the persistent_state attribute now looks like this:
> 
> static void
> qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm,
>                            qemuDomainUndefineReason undefReason)
> {
>     if (tpm->data.emulator.shared_storage) {
>         /* When using shared storage remove the domain only if this is due
> to
>          * a 'virsh undefine' type of command and only if persistent_state
> ==
>          * false. Avoid removal of the state files/directory during
> migration.
>          */
>         if (undefReason == QEMU_DOMAIN_UNDEFINE_DOMAIN &&
>            !tpm->data.emulator.persistent_state) {
>             qemuTPMEmulatorDeleteStorage(tpm);
>         }
>     } else if (undefReason == QEMU_DOMAIN_UNDEFINE_MIGRATION_SRC  ||
>                undefReason == QEMU_DOMAIN_UNDEFINE_MIGRATION_DST) {
>         qemuTPMEmulatorDeleteStorage(tpm);
>     } else if (!tpm->data.emulator.persistent_state) {
>         qemuTPMEmulatorDeleteStorage(tpm);
>     }
> }
> 
> 
> Regards,
>    Stefan
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

On 8/23/22 08:52, Daniel P. Berrangé wrote:
> On Mon, Aug 22, 2022 at 03:17:34PM -0400, Stefan Berger wrote:
>>
>>
>> On 8/22/22 12:46, Daniel P. Berrangé wrote:
>>> On Mon, Aug 22, 2022 at 08:05:53AM -0400, Stefan Berger wrote:
>>>> When share storage for the TPM state files has been setup betwen hosts then
>>>> remove the TPM state files and directory only when undefining a VM and only
>>>> if the attribute persistent_state is not set. Avoid removing the TPM state
>>>> files and directory structure when a VM is migrated and shared storage is
>>>> used since this would also remove those files and directory structure on
>>>> the destination side.
>>>
>>> I think our current undefine behaviour is probably flawed. We go to the
>>> trouble of refusing to remove the firmware NVRAM when undefining because
>>> it contains important VM state, but then happily blow away the TPM state.
>>> Totally inconsistent behaviour :-(  Its too late to change the default
>>> behaviour, but we likely ought to add a flag
>>>
>>>       VIR_DOMAIN_UNDEFINE_KEEP_TPM
>>>
>>> and plumb that through the varius code paths, which would remove the
>>> need for this specific 'qemuDomainUndefineReason' enum.
>>
>> I think the granularity encoded in the reason is necessary for the following
>> patch I was going to post later on:
>>
>> Subject: [PATCH] qemu: tpm: Remove TPM state with non-shared storage
>>
>> This patch 'fixes' the behavior of the persistent_state TPM domain XML
>> attribute that intends to preserve the state of the TPM but should not
>> keep the state around on all the hosts a VM has been migrated to. It
>> removes the TPM state directory structure from the source host upon
>> successful migration when non-shared storage is used. Similarly, it
>> removes it from the destination host upon migration failure when
>> non-shared storage is used.
> 
> 'persistent_state' is something that applies to transient VMs.

It's an attribute set in the TPM's domain XML and affects the TPM state 
permanently:

persistent_state

     The persistent_state attribute indicates whether 'swtpm' TPM state 
is kept or not when a transient domain is powered off or undefined. This 
option can be used for preserving TPM state. By default the value is no. 
This attribute only works with the emulator backend. The accepted values 
are yes and no. Since 7.0.0

The documentation may say transient but the code seems to just not 
remove the state at all once a user has set this in the domain XML:

static void
qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm)
{
     if (!tpm->data.emulator.persistent_state)
         qemuTPMEmulatorDeleteStorage(tpm);
}

https://github.com/libvirt/libvirt/blob/master/src/qemu/qemu_tpm.c#L707

We cannot get rid of the persistent_state in the domain XML but with 
--keep-tpm we would have a second method to keep the state. My guess is 
the author of the persistent_state patch did not want to instrument 
callers but achieve the effect with just producing a different XML.

> What I'm suggesting is that we should have some control over
> this for persistent VMs, when calling 'undefine'.
> 
> ie   virsh undefine --keep-nvram --keep-tpm  $VMNAME
> 
> if we have this feature in the public API, then its impl should
> support both this feature and your future patch for
> 'persistent_state'.

And how do we handle removal decisions on shared storage so that the 
directory structure is not removed when a VM is undefined on the source 
machine versus we want to have the directory structure removed on the 
source machine upon successful migration when no shared storage is used? 
This TPM-specific decision for removal seems better on the qemu_tpm.c 
level rather than having to decide whether to keep the TPM state around 
at all the call-sites that patch 1/7 instrumented with the reason 
parameter (albeit unspecific in most cases) and pass down a KEEP_TPM 
parameter instead. Getting the reason for the undefine on the qemu_tpm.c 
level lets us make this TPM-specific decision there rather than at all 
sites further up in the call stack.

Regards,
    Stefan

On Tue, Aug 23, 2022 at 09:15:52AM -0400, Stefan Berger wrote:
> 
> 
> On 8/23/22 08:52, Daniel P. Berrangé wrote:
> > On Mon, Aug 22, 2022 at 03:17:34PM -0400, Stefan Berger wrote:
> > > 
> > > 
> > > On 8/22/22 12:46, Daniel P. Berrangé wrote:
> > > > On Mon, Aug 22, 2022 at 08:05:53AM -0400, Stefan Berger wrote:
> > > > > When share storage for the TPM state files has been setup betwen hosts then
> > > > > remove the TPM state files and directory only when undefining a VM and only
> > > > > if the attribute persistent_state is not set. Avoid removing the TPM state
> > > > > files and directory structure when a VM is migrated and shared storage is
> > > > > used since this would also remove those files and directory structure on
> > > > > the destination side.
> > > > 
> > > > I think our current undefine behaviour is probably flawed. We go to the
> > > > trouble of refusing to remove the firmware NVRAM when undefining because
> > > > it contains important VM state, but then happily blow away the TPM state.
> > > > Totally inconsistent behaviour :-(  Its too late to change the default
> > > > behaviour, but we likely ought to add a flag
> > > > 
> > > >       VIR_DOMAIN_UNDEFINE_KEEP_TPM
> > > > 
> > > > and plumb that through the varius code paths, which would remove the
> > > > need for this specific 'qemuDomainUndefineReason' enum.
> > > 
> > > I think the granularity encoded in the reason is necessary for the following
> > > patch I was going to post later on:
> > > 
> > > Subject: [PATCH] qemu: tpm: Remove TPM state with non-shared storage
> > > 
> > > This patch 'fixes' the behavior of the persistent_state TPM domain XML
> > > attribute that intends to preserve the state of the TPM but should not
> > > keep the state around on all the hosts a VM has been migrated to. It
> > > removes the TPM state directory structure from the source host upon
> > > successful migration when non-shared storage is used. Similarly, it
> > > removes it from the destination host upon migration failure when
> > > non-shared storage is used.
> > 
> > 'persistent_state' is something that applies to transient VMs.
> 
> It's an attribute set in the TPM's domain XML and affects the TPM state
> permanently:
> 
> persistent_state
> 
>     The persistent_state attribute indicates whether 'swtpm' TPM state is
> kept or not when a transient domain is powered off or undefined. This option
> can be used for preserving TPM state. By default the value is no. This
> attribute only works with the emulator backend. The accepted values are yes
> and no. Since 7.0.0
> 
> The documentation may say transient but the code seems to just not remove
> the state at all once a user has set this in the domain XML:
> 
> static void
> qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm)
> {
>     if (!tpm->data.emulator.persistent_state)
>         qemuTPMEmulatorDeleteStorage(tpm);
> }
> 
> https://github.com/libvirt/libvirt/blob/master/src/qemu/qemu_tpm.c#L707
> 
> We cannot get rid of the persistent_state in the domain XML but with
> --keep-tpm we would have a second method to keep the state. My guess is the
> author of the persistent_state patch did not want to instrument callers but
> achieve the effect with just producing a different XML.

Yeah, IMHO, the persistent_state attribute was a mistake, but we can't
get rid of it due to back compatibility.  The need of persistence is
something that is contextually dependant, rather than a property of
the VM you can know upfront. When undefining a VM there are reasons to
both delete and preserve the TPM state that can only be known at the
time the undefine operation is invoked. 

So we can't delete the XML attr, but we can add new flags to the undefine
API and define how they interact wit the persistent_state attribute.

  * persistent_state=absent, flags=0                  => delete
  * persistent_state=absent, flags=UNDEFINE_TPM       => delete
  * persistent_state=absent, flags=UNDEFINE_KEEP_TPM  => keep

  * persistent_state=yes, flags=0,                    => keep
  * persistent_state=yes, flags=UNDEFINE_TPM          => delete
  * persistent_state=yes, flags=UNDEFINE_KEEP_TPM     => keep

  * persistent_state=no, flags=0,                     => delete
  * persistent_state=no, flags=UNDEFINE_TPM           => delete
  * persistent_state=no, flags=UNDEFINE_KEEP_TPM      => keep



> 
> > What I'm suggesting is that we should have some control over
> > this for persistent VMs, when calling 'undefine'.
> > 
> > ie   virsh undefine --keep-nvram --keep-tpm  $VMNAME
> > 
> > if we have this feature in the public API, then its impl should
> > support both this feature and your future patch for
> > 'persistent_state'.
> 
> And how do we handle removal decisions on shared storage so that the
> directory structure is not removed when a VM is undefined on the source
> machine versus we want to have the directory structure removed on the source
> machine upon successful migration when no shared storage is used? This
> TPM-specific decision for removal seems better on the qemu_tpm.c level
> rather than having to decide whether to keep the TPM state around at all the
> call-sites that patch 1/7 instrumented with the reason parameter (albeit
> unspecific in most cases) and pass down a KEEP_TPM parameter instead.

No matter what, we need to plumb in an extra parameter across the call
sites.

> Getting the reason for the undefine on the qemu_tpm.c level lets us make
> this TPM-specific decision there rather than at all sites further up in the
> call stack.

When exposing the above mentioned flags to virDomainUndefine I don't
think the "undefine reason" makes sense as a concept to pass around,
as compared to a 'bool deleteTPMState'


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|