[v2] swtpm: Add support for profiles

[RFC PATCH v2 8/8] qemu: Extend swtpm_setup command line to set a profile by its name

Posted by Stefan Berger 1 year, 4 months ago

Runs swtpm_setup with the --profile-name option if the user provided the
name of a profile. swtpm_setup will try to load the profile from
directories with local profiles and distro profiles and if no profile
by this name with appended '.json' suffix could be found there, it will
fall back to try to use an internal profile with the given name.

Also set the --profile-remove-disabled option if the user provided a value
in the remove_disabled attribute in the profile XML node.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/qemu/qemu_tpm.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index e8e7e8b5c1..48446cd631 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -340,6 +340,40 @@ qemuTPMVirCommandAddEncryption(virCommand *cmd,
 }
 
 
+/*
+ * Add a (optional) profile to the swtpm_setup command line.
+ *
+ * @cmd: virCommand to add options to
+ * @emulator: emulator parameters
+ *
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+qemuTPMVirCommandAddProfile(virCommand *cmd,
+                            const virDomainTPMEmulatorDef *emulator)
+{
+    if (!emulator->profile_name)
+        return 0;
+
+    if (!virTPMSwtpmSetupCapsGet(
+            VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PROFILE)) {
+        virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
+                       _("swtpm_setup has no support for profiles"));
+        return -1;
+    }
+
+    virCommandAddArgList(cmd,
+                         "--profile-name", emulator->profile_name,
+                         NULL);
+
+    if (emulator->profile_remove_disabled)
+        virCommandAddArgList(cmd,
+                             "--profile-remove-disable",
+                             emulator->profile_remove_disabled,
+                             NULL);
+    return 0;
+}
+
 /*
  * qemuTPMEmulatorRunSetup
  *
@@ -416,6 +450,8 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
                              "--lock-nvram",
                              "--not-overwrite",
                              NULL);
+        if (qemuTPMVirCommandAddProfile(cmd, emulator) < 0)
+            return -1;
     } else {
         virCommandAddArgList(cmd,
                              "--tpm-state", storagepath,
-- 
2.46.1

Re: [RFC PATCH v2 8/8] qemu: Extend swtpm_setup command line to set a profile by its name

Posted by Marc-André Lureau 1 year, 4 months ago

On Thu, Sep 26, 2024 at 11:32 PM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> Runs swtpm_setup with the --profile-name option if the user provided the
> name of a profile. swtpm_setup will try to load the profile from
> directories with local profiles and distro profiles and if no profile
> by this name with appended '.json' suffix could be found there, it will
> fall back to try to use an internal profile with the given name.
>
> Also set the --profile-remove-disabled option if the user provided a value
> in the remove_disabled attribute in the profile XML node.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>  src/qemu/qemu_tpm.c | 36 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 36 insertions(+)
>
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index e8e7e8b5c1..48446cd631 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -340,6 +340,40 @@ qemuTPMVirCommandAddEncryption(virCommand *cmd,
>  }
>
>
> +/*
> + * Add a (optional) profile to the swtpm_setup command line.
> + *
> + * @cmd: virCommand to add options to
> + * @emulator: emulator parameters
> + *
> + * Returns 0 on success, -1 on failure.
> + */
> +static int
> +qemuTPMVirCommandAddProfile(virCommand *cmd,
> +                            const virDomainTPMEmulatorDef *emulator)
> +{
> +    if (!emulator->profile_name)
> +        return 0;
> +
> +    if (!virTPMSwtpmSetupCapsGet(
> +            VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PROFILE)) {
> +        virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
> +                       _("swtpm_setup has no support for profiles"));
> +        return -1;
> +    }
> +
> +    virCommandAddArgList(cmd,
> +                         "--profile-name", emulator->profile_name,
> +                         NULL);
> +
> +    if (emulator->profile_remove_disabled)
> +        virCommandAddArgList(cmd,
> +                             "--profile-remove-disable",
> +                             emulator->profile_remove_disabled,
> +                             NULL);
> +    return 0;
> +}
> +
>  /*
>   * qemuTPMEmulatorRunSetup
>   *
> @@ -416,6 +450,8 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
>                               "--lock-nvram",
>                               "--not-overwrite",
>                               NULL);
> +        if (qemuTPMVirCommandAddProfile(cmd, emulator) < 0)
> +            return -1;
>      } else {
>          virCommandAddArgList(cmd,
>                               "--tpm-state", storagepath,
> --
> 2.46.1
>

[RFC PATCH v2 1/8] conf: Move TPM emulator parameters into own struct
[RFC PATCH v2 2/8] qemu: Pass virQEMUDriverConfig rather than some of its fields
[RFC PATCH v2 3/8] util: Add parsing support for swtpm_setup's cmdarg-profile capability
[RFC PATCH v2 4/8] conf: Define enum virDomainTPMProfileRemoveDisabled
[RFC PATCH v2 5/8] schema: Extend schema for TPM emulator profile node
[RFC PATCH v2 6/8] conf: Add support for profile parameter on TPM emulator in domain XML
[RFC PATCH v2 7/8] docs: Add documentation for the TPM backend profile node
[RFC PATCH v2 8/8] qemu: Extend swtpm_setup command line to set a profile by its name