From: Stefan Berger
To: libvir-list@redhat.com
Subject: [PATCH 7/7] qemu: config: Extend TPM domain XML with shared storage support
Date: Mon, 22 Aug 2022 08:05:54 -0400
Message-Id: <20220822120554.3529999-8-stefanb@linux.ibm.com>
In-Reply-To: <20220822120554.3529999-1-stefanb@linux.ibm.com>
References: <20220822120554.3529999-1-stefanb@linux.ibm.com>
Extend the domain XML with a 'shared_storage' attribute for the TPM to support migration when the TPM's state directory is set up as shared storage between hosts. Document the shared_storage attribute.

For libvirt to be able to correctly handle migration and the removal and security-labeling of TPM state files, it is necessary that the domain XML indicates whether shared storage has been set up for TPM state files. If shared storage is used the TPM domain XML must indicate this as follows:

Signed-off-by: Stefan Berger
---
 docs/formatdomain.rst             | 16 ++++++++++++++++
 src/conf/domain_conf.c            | 13 +++++++++++++
 src/conf/schemas/domaincommon.rng |  5 +++++
 3 files changed, 34 insertions(+)

diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 212104fe1f..f6eb126617 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -7775,6 +7775,22 @@ Example: usage of the TPM Emulator This attribute only works with the ``emulator`` backend. The accepted v= alues are ``yes`` and ``no``. :since:`Since 7.0.0` =20 +``shared_storage`` + The ``shared_storage`` attribute indicates whether shared storage is + setup for storing 'swtpm' TPM state. It must be set to ``yes`` if shared + storage is used and must be omitted or set to ``no`` otherwise. The + default value is ``no``. This attribute is important for migrating + 'swtpm' state between hosts and managing the TPM state files. + :since:`Since 8.8.0` + + Note: All hosts sharing the storage must be configured to run swtpm + with the same account (see ``swtpm_user`` and ``swtpm_group`` in qemu.c= onf). + Further, any Linux security module used for file labeling, such as SELi= nux, + must be supported by the shared storage technology and be the same on a= ll + hosts or otherwise may need to be turned off. For example, when NFS is = used + for shared storage, SELinux must be turned off or put into permissive m= ode + since sVirt's MLS range labeling is not supported by NFS. + ``active_pcr_banks`` The ``active_pcr_banks`` node is used to define which of the PCR banks of a TPM 2.0 to activate. Valid names are for example sha1, sha256, sha= 384, diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 2fc94b40ef..9de23d6530 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -10418,6 +10418,7 @@ virDomainTPMDefParseXML(virDomainXMLOption *xmlopt, g_autofree char *path =3D NULL; g_autofree char *secretuuid =3D NULL; g_autofree char *persistent_state =3D NULL; + g_autofree char *shared_storage =3D NULL; g_autofree xmlNodePtr *backends =3D NULL; g_autofree xmlNodePtr *nodes =3D NULL; int bank; 
@@ -10492,6 +10493,16 @@ virDomainTPMDefParseXML(virDomainXMLOption *xmlopt, } } =20 + shared_storage =3D virXMLPropString(backends[0], "shared_storage"); + if (shared_storage) { + if (virStringParseYesNo(shared_storage, + &def->data.emulator.shared_storage) < = 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Invalid shared_storage value, either 'ye= s' or 'no'")); + goto error; + } + } + if ((nnodes =3D virXPathNodeSet("./backend/active_pcr_banks/*", ct= xt, &nodes)) < 0) break; if (nnodes > 0) @@ -24301,6 +24312,8 @@ virDomainTPMDefFormat(virBuffer *buf, } if (def->data.emulator.persistent_state) virBufferAddLit(&backendAttrBuf, " persistent_state=3D'yes'"); + if (def->data.emulator.shared_storage) + virBufferAddLit(&backendAttrBuf, " shared_storage=3D'yes'"); if (def->data.emulator.hassecretuuid) { char uuidstr[VIR_UUID_STRING_BUFLEN]; =20 diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincom= mon.rng index 7f6ea1d888..27000670b1 100644 --- a/src/conf/schemas/domaincommon.rng +++ b/src/conf/schemas/domaincommon.rng @@ -5541,6 +5541,11 @@ + + + + + --=20 2.37.1
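Review bot: in the docs/formatdomain.rst hunk, the Note's guidance that "SELinux must be turned off or put into permissive mode" when NFS backs the shared storage is a host-wide isolation downgrade that reaches far beyond the TPM state files; the text should say so explicitly and name what is lost (sVirt's per-domain MLS range labeling of the swtpm state directory) so an administrator can weigh it against a shared storage technology that does support labeling, which the same paragraph already allows for. Two smaller points in the same hunk: "shared storage is setup" should read "set up", and, as the ``persistent_state`` entry directly above does, the new entry should state that ``shared_storage`` only applies to the ``emulator`` backend.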
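Review bot: in the src/conf/domain_conf.c parse hunk (@@ -10492), an invalid ``shared_storage`` value is reported as VIR_ERR_INTERNAL_ERROR although it is a user-supplied XML problem; VIR_ERR_XML_ERROR describes it better, even if this mirrors the existing persistent_state handling, and the message "either 'yes' or 'no'" could name the attribute's element so the user knows where to look. Also worth deciding in this hunk is whether shared_storage='yes' without persistent_state='yes' is a meaningful combination: the attribute exists, per the docs hunk, to migrate swtpm state between hosts, so if the state is not persistent the combination deserves either a validation error or a documented statement of what happens.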
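Review bot: the src/conf/schemas/domaincommon.rng hunk has lost its content in this copy of the mail (the five added lines arrive blank), so the schema change cannot be checked here; for review it needs to show an optional ``shared_storage`` attribute on the emulator backend, constrained to the same yes/no definition used for ``persistent_state``, and the series would benefit from an xml2xml test case exercising shared_storage='yes' through virDomainTPMDefParseXML and back out of virDomainTPMDefFormat, since the format hunk (@@ -24301) only emits the attribute when it is true.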