From: Stefan Berger
To: libvir-list@redhat.com
Cc: mprivozn@redhat.com, Stefan Berger
Subject: [PATCH v3 4/6] qemu: tpm: Pass --migration option to swtpm if supported and needed
Date: Tue, 18 Oct 2022 13:04:50 -0400
Message-Id: <20221018170452.241864-5-stefanb@linux.ibm.com>
In-Reply-To: <20221018170452.241864-1-stefanb@linux.ibm.com>
References: <20221018170452.241864-1-stefanb@linux.ibm.com>
List-Id: Development discussions about the libvirt library & tools
Pass the --migration option to swtpm if swtpm supports it (starting with v0.8) and if the TPM's state is written on shared storage. If this is the case, apply the 'release-lock-outgoing' parameter with this option and apply the 'incoming' parameter for incoming migration so that swtpm releases the file lock on the source side when the state is migrated and locks the file on the destination side when the state is received.

If a started swtpm instance is running with the necessary options for migrating with shared storage then remember this with a flag in the virDomainTPMPrivateDef.

Report an error if swtpm does not support the --migration option and an incoming migration across shared storage is requested.

Signed-off-by: Stefan Berger
---
 src/qemu/qemu_migration.c | 8 +++++
 src/qemu/qemu_tpm.c       | 66 ++++++++++++++++++++++++++++++++++++++-
 src/qemu/qemu_tpm.h       | 6 ++++
 3 files changed, 79 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 33105cf07b..5b4f4615ee 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -38,6 +38,7 @@ #include "qemu_security.h" #include "qemu_slirp.h" #include "qemu_block.h" +#include "qemu_tpm.h" =20 #include "domain_audit.h" #include "virlog.h" @@ -2789,6 +2790,13 @@ qemuMigrationSrcBegin(virConnectPtr conn, goto cleanup; } =20 + if (qemuTPMHasSharedStorage(vm->def) && + !qemuTPMCanMigrateSharedStorage(vm->def)) { + virReportError(VIR_ERR_NO_SUPPORT, "%s", + _("the running swtpm does not support migration wit= h shared storage")); + goto cleanup; + } + if (flags & VIR_MIGRATE_POSTCOPY_RESUME) { ret =3D qemuMigrationSrcBeginResumePhase(conn, driver, vm, xmlin, cookieout, cookieoutlen, fl= ags); diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index a45ad599aa..7b0afe94ec 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c 
@@ -557,6 +557,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, int migpwdfile_fd =3D -1; const unsigned char *secretuuid =3D NULL; bool create_storage =3D true; + bool on_shared_storage; =20 if (!swtpm) return NULL; @@ -564,7 +565,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, /* Do not create storage and run swtpm_setup on incoming migration over * shared storage */ - if (incomingMigration && virFileIsSharedFS(tpm->data.emulator.storagep= ath)) + on_shared_storage =3D virFileIsSharedFS(tpm->data.emulator.storagepath= ); + if (incomingMigration && on_shared_storage) create_storage =3D false; =20 if (create_storage && @@ -642,6 +644,31 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, virCommandAddArgFormat(cmd, "pwdfd=3D%d,mode=3Daes-256-cbc", migpw= dfile_fd); } =20 + /* If swtpm supports it and the TPM state is stored on shared storage, + * start swtpm with --migration release-lock-outgoing so it can migrate + * across shared storage if needed. + */ + QEMU_DOMAIN_TPM_PRIVATE(tpm)->swtpm.can_migrate_shared_storage =3D fal= se; + if (on_shared_storage && + virTPMSwtpmCapsGet(VIR_TPM_SWTPM_FEATURE_CMDARG_MIGRATION)) { + + virCommandAddArg(cmd, "--migration"); + virCommandAddArgFormat(cmd, "release-lock-outgoing%s", + incomingMigration ? ",incoming": ""); + QEMU_DOMAIN_TPM_PRIVATE(tpm)->swtpm.can_migrate_shared_storage =3D= true; + } else { + /* Report an error if there's an incoming migration across shared + * storage and swtpm does not support the --migration option. + */ + if (incomingMigration && on_shared_storage) { + virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, + _("%s (on destination side) does not support the --migrati= on option " + "needed for migration with shared storage"), + swtpm); + goto error; + } + } + return g_steal_pointer(&cmd); =20 error: 
@@ -962,6 +989,43 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, } =20 =20 +bool +qemuTPMHasSharedStorage(virDomainDef *def) +{ + size_t i; + + for (i =3D 0; i < def->ntpms; i++) { + virDomainTPMDef *tpm =3D def->tpms[i]; + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + return virFileIsSharedFS(tpm->data.emulator.storagepath); + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + } + } + + return false; +} + + +bool +qemuTPMCanMigrateSharedStorage(virDomainDef *def) +{ + size_t i; + + for (i =3D 0; i < def->ntpms; i++) { + virDomainTPMDef *tpm =3D def->tpms[i]; + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + return QEMU_DOMAIN_TPM_PRIVATE(tpm)->swtpm.can_migrate_shared_= storage; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + } + } + return true; +} + + /* --------------------- * Module entry points * --------------------- diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h index f068f3ca5a..9daa3e14df 100644 --- a/src/qemu/qemu_tpm.h +++ b/src/qemu/qemu_tpm.h @@ -56,3 +56,9 @@ int qemuExtTPMSetupCgroup(virQEMUDriver *driver, virCgroup *cgroup) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) G_GNUC_WARN_UNUSED_RESULT; + +bool qemuTPMHasSharedStorage(virDomainDef *def) + ATTRIBUTE_NONNULL(1); + +bool qemuTPMCanMigrateSharedStorage(virDomainDef *def) + ATTRIBUTE_NONNULL(1); --=20 2.37.3
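Review bot: In the qemuMigrationSrcBegin hunk of qemu_migration.c, the refusal hinges on can_migrate_shared_storage, which this patch only ever sets in qemuTPMEmulatorBuildCommand, i.e. in libvirtd's memory at the moment swtpm is started; nothing in these hunks saves it to or restores it from the domain status XML, so after a libvirtd restart the flag reads false for a swtpm that was correctly started with --migration and a valid migration is rejected. Either persist the flag in this patch or state in the commit message which patch of the series does. The source side also reports VIR_ERR_NO_SUPPORT while the destination side in qemu_tpm.c uses VIR_ERR_ARGUMENT_UNSUPPORTED for the same condition; pick one.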
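Review bot: In the @@ -642 hunk of qemuTPMEmulatorBuildCommand, the `} else { if (incomingMigration && on_shared_storage) {` nesting can be flattened to `} else if (incomingMigration && on_shared_storage) {`, which also makes it visible that the remaining case (shared storage, no --migration support, not incoming) silently starts swtpm without lock hand-over. Since release-lock-outgoing is now passed on every start on shared storage, not only when a migration is about to happen, the comment above it should say what swtpm does with the lock when an outgoing migration is aborted and the source resumes; the commit message only describes the success path.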
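Review bot: In the @@ -962 hunk, both qemuTPMHasSharedStorage and qemuTPMCanMigrateSharedStorage end their switch with `case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_LAST: }`, a label followed directly by the closing brace, which is not valid C before C23 (a label must be followed by a statement; clang rejects it); add `break;` after the last label. The two helpers also have opposite defaults when no emulator TPM exists (false vs. true), which is only correct because qemuMigrationSrcBegin calls them together; a short comment on qemuTPMCanMigrateSharedStorage saying it is meaningful only after qemuTPMHasSharedStorage returned true would prevent it being reused on its own.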
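As an added example (not code from this patch or from libvirt), a pre-flight check an operator can run offline for the two conditions the commit message describes: that the host's swtpm advertises the --migration option, and that a running swtpm was started with `--migration release-lock-outgoing[,incoming]`. It assumes the capability JSON from `swtpm socket --print-capabilities` carries a "features" array containing "cmdarg-migration" (the feature string is inferred from the VIR_TPM_SWTPM_FEATURE_CMDARG_MIGRATION constant in the patch, not stated on the page), and it takes the "state directory is on a shared filesystem" fact as a boolean argument; all inputs below are constructed.

```python
import json
from typing import Optional

# Assumed feature string: libvirt's VIR_TPM_SWTPM_FEATURE_CMDARG_MIGRATION is
# looked up in the "features" array of `swtpm socket --print-capabilities`.
MIGRATION_FEATURE = "cmdarg-migration"

# Constructed sample inputs (not captured from a real host).
SAMPLE_CAPS = '{"type": "swtpm", "features": ["cmdarg-pwd-fd", "cmdarg-migration"]}'
SAMPLE_CMDLINE = (b"swtpm\0socket\0--tpm2\0--tpmstate\0dir=/shared/tpm/vm1\0"
                  b"--migration\0release-lock-outgoing,incoming\0")

def swtpm_supports_migration(caps_json: str) -> bool:
    """True if the capabilities JSON advertises the --migration option."""
    try:
        caps = json.loads(caps_json)
    except json.JSONDecodeError:
        return False
    return isinstance(caps, dict) and MIGRATION_FEATURE in caps.get("features", [])

def migration_params(cmdline: bytes) -> Optional[set]:
    """Parse a /proc/<pid>/cmdline blob (NUL-separated argv) of a running swtpm
    and return the comma-separated parameters given to --migration, or None if
    swtpm was started without the option."""
    argv = cmdline.split(b"\0")
    for i, arg in enumerate(argv):
        if arg == b"--migration" and i + 1 < len(argv):
            return {p.decode() for p in argv[i + 1].split(b",") if p}
    return None

def check_source(caps_json: str, cmdline: bytes, on_shared_fs: bool) -> Optional[str]:
    """Source-side check: reason the migration would be refused, or None."""
    if not on_shared_fs:
        return None  # no file lock needs handing over to the destination
    if not swtpm_supports_migration(caps_json):
        return "host swtpm lacks the --migration option"
    params = migration_params(cmdline)
    if params is None or "release-lock-outgoing" not in params:
        return "running swtpm was not started with --migration release-lock-outgoing"
    return None

def check_destination(caps_json: str, on_shared_fs: bool) -> Optional[str]:
    """Destination-side check: the incoming swtpm must accept --migration."""
    if on_shared_fs and not swtpm_supports_migration(caps_json):
        return "destination swtpm does not support the --migration option"
    return None
```

On a real host, feed `swtpm socket --print-capabilities` output and the contents of the swtpm process's /proc/<pid>/cmdline into these functions; the shared-filesystem decision corresponds to libvirt's virFileIsSharedFS check on the storage path.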