From: Stefan Berger
To: libvir-list@redhat.com
Cc: Stefan Berger
Subject: [PATCH v2 4/9] qemu: tpm: Pass --migration option to swtpm if supported
Date: Wed, 5 Oct 2022 10:02:02 -0400
Message-Id: <20221005140207.3599989-5-stefanb@linux.ibm.com>
In-Reply-To: <20221005140207.3599989-1-stefanb@linux.ibm.com>
References: <20221005140207.3599989-1-stefanb@linux.ibm.com>
List-Id: Development discussions about the libvirt library & tools

Always pass the --migration option to swtpm, if swtpm supports it (starting with v0.8). Always apply the 'release-lock-outgoing' parameter with this option and apply the 'incoming' parameter for incoming migration so that swtpm releases the file lock on the source side when the state is migrated and locks the file on the destination side when the state is received.

If a started swtpm instance is capable of migrating with shared storage then remember this with a flag in the virDomainTPMDef. This flag allows for modifications of the installed swtpm, such as installing a version that does not support migration with shared storage.

Report an error if swtpm does not support the --migration option and an incoming migration across shared storage is requested.

Signed-off-by: Stefan Berger
---
 src/conf/domain_conf.h    |  1 +
 src/qemu/qemu_migration.c |  8 ++++++++
 src/qemu/qemu_tpm.c       | 40 +++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_tpm.h       |  3 +++
 4 files changed, 52 insertions(+)

diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 352b88eae5..4f9b5c6686 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1461,6 +1461,7 @@ struct _virDomainTPMDef { bool hassecretuuid; bool persistent_state; virBitmap *activePcrBanks; + bool canMigrateWithSharedStorage; } emulator; } data; }; diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index efb27a24aa..431b1b0bcb 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -38,6 +38,7 @@ #include "qemu_security.h" #include "qemu_slirp.h" #include "qemu_block.h" +#include "qemu_tpm.h" =20 #include "domain_audit.h" #include "virlog.h" 
@@ -2789,6 +2790,13 @@ qemuMigrationSrcBegin(virConnectPtr conn, goto cleanup; } =20 + if ((flags & VIR_MIGRATE_TPM_SHARED_STORAGE) && + !qemuTPMCanMigrateSharedStorage(vm->def)) { + virReportError(VIR_ERR_NO_SUPPORT, "%s", + _("the running swtpm does not support migration wit= h shared storage")); + goto cleanup; + } + if (flags & VIR_MIGRATE_POSTCOPY_RESUME) { ret =3D qemuMigrationSrcBeginResumePhase(conn, driver, vm, xmlin, cookieout, cookieoutlen, fl= ags); diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 07def3c840..fde15b7587 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -644,6 +644,32 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, virCommandAddArgFormat(cmd, "pwdfd=3D%d,mode=3Daes-256-cbc", migpw= dfile_fd); } =20 + /* If swtpm supports it, start it with --migration release-lock-outgoi= ng + * so it can migrate across shared storage if needed. + */ + tpm->data.emulator.canMigrateWithSharedStorage =3D false; + if (virTPMSwtpmCapsGet(VIR_TPM_SWTPM_FEATURE_CMDARG_MIGRATION)) { + bool incoming =3D false; + + if (incomingMigration && (flags & VIR_MIGRATE_TPM_SHARED_STORAGE)) + incoming =3D true; + virCommandAddArg(cmd, "--migration"); + virCommandAddArgFormat(cmd, "release-lock-outgoing%s", + incoming ? ",incoming": ""); + tpm->data.emulator.canMigrateWithSharedStorage =3D true; + } else { + /* Report an error if there's an incoming migration across shared + * storage and swtpm does not support the --migration option. + */ + if (incomingMigration && (flags & VIR_MIGRATE_TPM_SHARED_STORAGE))= { + virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, + _("%s (on destination side) does not support the --migrati= on option " + "needed for migration with shared storage"), + swtpm); + goto error; + } + } + return g_steal_pointer(&cmd); =20 error: 
@@ -967,6 +993,20 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, } =20 =20 +bool +qemuTPMCanMigrateSharedStorage(virDomainDef *def) +{ + size_t i; + + for (i =3D 0; i < def->ntpms; i++) { + if (def->tpms[i]->type =3D=3D VIR_DOMAIN_TPM_TYPE_EMULATOR && + !def->tpms[i]->data.emulator.canMigrateWithSharedStorage) { + return false; + } + } + return true; +} + /* --------------------- * Module entry points * --------------------- diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h index 410c9ec1c6..630fa7074f 100644 --- a/src/qemu/qemu_tpm.h +++ b/src/qemu/qemu_tpm.h @@ -57,3 +57,6 @@ int qemuExtTPMSetupCgroup(virQEMUDriver *driver, virCgroup *cgroup) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) G_GNUC_WARN_UNUSED_RESULT; + +bool qemuTPMCanMigrateSharedStorage(virDomainDef *def) + ATTRIBUTE_NONNULL(1); --=20 2.37.3
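
Review bot: In the `_virDomainTPMDef` hunk of src/conf/domain_conf.h, `canMigrateWithSharedStorage` is added without a comment, although it records a property of the swtpm process that was started rather than something taken from the domain configuration. Nothing visible in this patch saves or restores the flag, so as far as these hunks show a freshly loaded definition would carry `false`, and the new check in qemuMigrationSrcBegin() would then refuse a migration that the running swtpm can actually perform. Please add a comment marking the field as runtime state, and either persist it with the domain status or name the patch in the series that does.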
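
Review bot: In the qemuMigrationSrcBegin() hunk of src/qemu/qemu_migration.c the refusal is reported as VIR_ERR_NO_SUPPORT, while the corresponding destination-side failure in qemuTPMEmulatorBuildCommand() uses VIR_ERR_ARGUMENT_UNSUPPORTED. Both describe the same condition (swtpm lacks --migration while VIR_MIGRATE_TPM_SHARED_STORAGE is set), so one error code for both sides would let callers handle them uniformly. The check is also placed ahead of the VIR_MIGRATE_POSTCOPY_RESUME branch and therefore applies to a resume as well; a one-line comment stating that this is intended would help.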
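
Review bot: In the qemuTPMEmulatorBuildCommand() hunk of src/qemu/qemu_tpm.c the condition `incomingMigration && (flags & VIR_MIGRATE_TPM_SHARED_STORAGE)` is written out twice, once to compute `incoming` and once in the `else` branch to decide whether to fail. Computing it once at the top of the block and reusing it in both branches keeps the two uses from drifting apart, and the nested `else { if (...) }` can then become a plain `else if`. Separately, `canMigrateWithSharedStorage` is set to true while the command line is still being built, before swtpm has been started; if the flag is meant to describe a running instance, setting it after a successful start (or resetting it on the error path) would match the commit message more closely. Minor style: `",incoming": ""` is missing a space before the colon.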
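
Review bot: The new qemuTPMCanMigrateSharedStorage() in src/qemu/qemu_tpm.c, and its prototype in src/qemu/qemu_tpm.h, have no documentation comment, and the return value for a domain without any emulator TPM is not obvious to a caller: the loop falls through and returns true. Please add a short comment above the function stating that it returns false only when at least one VIR_DOMAIN_TPM_TYPE_EMULATOR device was started without the --migration option, and true otherwise, including when the domain has no emulated TPM. Since the function only reads the definition, `const virDomainDef *def` would also document that it has no side effects.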