From nobody Fri Dec 19 17:37:26 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1661169986; cv=none; d=zohomail.com; s=zohoarc; b=MBTTqTc4W03wBirrp8JJhNqDjQ420mddqnQfEWOf5U8doU4pOIJqDR9NteDCdC55z8NPDB24+31mOMxmaPIOqGJsGEZu8Tx9KaFNwvDr2qT3UG2B7W/GaIYk6p01D+9GImoXWGHpHQtXy/5L0bggBlV5YLMI2axiHFs7XZu5VGg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1661169986; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=qlPdw/AZts/T2Pwrv2k5R7Nw7FYkKGshnRqe7cE6iQA=; b=XySNvQv5+kWMAz7pofnb2by28IcTaJgA/swJ+rb8Qeiwa7ipt50VwUoFYtigfAMUEIk8xNr/sAmD4EFMuZXXgdfHrWYhmP+sjHMFHzOZPEmX76aJqj1SqpIxYpq7X8B+cFf2rrsEwbheVp1KEa0TtNAqmOIPAZWsaNoDww7atP8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 166116998670234.87009405134211; Mon, 22 Aug 2022 05:06:26 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-582-hW2H3BzRNh69K7tulPhm0A-1; Mon, 22 Aug 2022 08:06:21 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E239580A0BC; Mon, 22 Aug 2022 12:06:15 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id C807A111F3B6; Mon, 22 Aug 2022 12:06:15 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 50C081946A62; Mon, 22 Aug 2022 12:06:14 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 34CD51946A48 for ; Mon, 22 Aug 2022 12:06:12 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 15C889458A; Mon, 22 Aug 2022 12:06:12 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 11EC0945D0 for ; Mon, 22 Aug 2022 12:06:12 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com [207.211.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E677B801585 for ; Mon, 22 Aug 2022 12:06:11 +0000 (UTC) Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-625-wCXYREH1O_K50G_YZgbFyg-1; Mon, 22 Aug 2022 08:06:09 -0400 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 27MBwtII020703 for ; Mon, 22 Aug 2022 12:06:09 GMT Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3j49df08rj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 22 Aug 2022 12:06:09 +0000 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 27MBoOTs016732 for ; Mon, 22 Aug 2022 12:06:08 GMT Received: from b01cxnp23034.gho.pok.ibm.com (b01cxnp23034.gho.pok.ibm.com [9.57.198.29]) by ppma01dal.us.ibm.com with ESMTP id 3j2q89qn3d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 22 Aug 2022 12:06:08 +0000 Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 27MC67TX65012220 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 22 Aug 2022 12:06:07 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 02CD0AC067; Mon, 22 Aug 2022 12:06:07 +0000 (GMT) Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id F4073AC05B; Mon, 22 Aug 2022 12:06:06 +0000 (GMT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP; Mon, 22 Aug 2022 12:06:06 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1661169985; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=qlPdw/AZts/T2Pwrv2k5R7Nw7FYkKGshnRqe7cE6iQA=; b=JWwSicdXwBjmTsDa/wPPhwoISX0X2iFBqKRIHi/XB9Bsvd59kZHXAoymdE0E145NZ2bn3A HMp/2GkHTyLmECCXqvbkMgE/fg5M5L4HDWWklMQbRqeEnrb9DihJj+3QFX54L6Eac2FhuL Pc3yPOIfV7VeJTJrwTeKSY0AUR61J+8= X-MC-Unique: hW2H3BzRNh69K7tulPhm0A-1 X-Original-To: libvir-list@listman.corp.redhat.com X-MC-Unique: wCXYREH1O_K50G_YZgbFyg-1 From: Stefan Berger To: libvir-list@redhat.com Subject: [PATCH 5/7] qemu: tpm: Avoid security labels on incoming migration with shared storage Date: Mon, 22 Aug 2022 08:05:52 -0400 Message-Id: <20220822120554.3529999-6-stefanb@linux.ibm.com> In-Reply-To: <20220822120554.3529999-1-stefanb@linux.ibm.com> References: <20220822120554.3529999-1-stefanb@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: HE25Ky83oqcZaEgIH4JSBVdaXBF7fkqY X-Proofpoint-ORIG-GUID: HE25Ky83oqcZaEgIH4JSBVdaXBF7fkqY X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-22_06,2022-08-22_02,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 bulkscore=0 suspectscore=0 priorityscore=1501 lowpriorityscore=0 malwarescore=0 spamscore=0 mlxlogscore=999 impostorscore=0 clxscore=1015 mlxscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2208220051 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefan Berger Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1661169988508100005 Content-Type: text/plain; charset="utf-8"; x-default="true" When using shared storage there is no need to apply security labels on the storage since the files have to have been labeled already on the source side and we must assume that the source and destination side have been setup to use the same uid and gid for running swtpm as well as share the same security labels. whether the security labels can be used at all depends on the shared storage and whether and how it supports them. Signed-off-by: Stefan Berger --- src/qemu/qemu_tpm.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 8b3ef4e34e..20c7e92766 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -924,10 +924,19 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virCommandSetPidFile(cmd, pidfile); virCommandSetErrorFD(cmd, &errfd); =20 - if (qemuSecurityStartTPMEmulator(driver, vm, cmd, - cfg->swtpm_user, cfg->swtpm_group, - NULL, &cmdret) < 0) - return -1; + if (incomingMigration && + tpm->data.emulator.shared_storage) { + /* security labels must have been set up on source already */ + if (qemuSecurityCommandRun(driver, vm, cmd, + cfg->swtpm_user, cfg->swtpm_group, + NULL, &cmdret) < 0) { + goto error; + } + } else if (qemuSecurityStartTPMEmulator(driver, vm, cmd, + cfg->swtpm_user, cfg->swtpm_gr= oup, + NULL, &cmdret) < 0) { + goto error; + } =20 if (cmdret < 0) { /* virCommandRun() hidden in qemuSecurityStartTPMEmulator() --=20 2.37.1