From: Michal Privoznik
To: devel@lists.libvirt.org
Subject: [PATCH 2/4] conf: Introduce @tpm attribute to
Date: Tue, 13 Feb 2024 17:16:06 +0100
Message-ID: <5169aca197a3193014e32dee67dbc3ac997478b2.1707840643.git.mprivozn@redhat.com>

This attribute exists next to the @ephemeral and @private attributes and controls whether the secret value is encrypted using the system's TPM chip before being stored on disk. Obviously, it's mutually exclusive with @ephemeral, which forces us to keep the secret value in memory only. In the long run, we can even encrypt secret values that are kept in memory (so they can't be obtained by dumping virtsecretd's memory). But that's not what is being implemented here.
Signed-off-by: Michal Privoznik --- docs/formatsecret.rst | 8 ++++++-- src/conf/schemas/secret.rng | 5 +++++ src/conf/secret_conf.c | 17 +++++++++++++++++ src/conf/secret_conf.h | 2 ++ tests/secretxml2xmlin/usage-tpm-vtpm.xml | 7 +++++++ tests/secretxml2xmltest.c | 1 + 6 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 tests/secretxml2xmlin/usage-tpm-vtpm.xml diff --git a/docs/formatsecret.rst b/docs/formatsecret.rst index d0c37ff165..c7910aecce 100644 --- a/docs/formatsecret.rst +++ b/docs/formatsecret.rst @@ -10,14 +10,18 @@ Secret XML ---------- =20 Secrets stored by libvirt may have attributes associated with them, using = the -``secret`` element. The ``secret`` element has two optional attributes, ea= ch -with values '``yes``' and '``no``', and defaulting to '``no``': +``secret`` element. The ``secret`` element has the following optional +attributes, each with values '``yes``' and '``no``', and defaulting to +'``no``': =20 ``ephemeral`` This secret must only be kept in memory, never stored persistently. ``private`` The value of the secret must not be revealed to any caller of libvirt, = nor to any other node. +``tpm`` + The value of the secret is stored using a key that's derived from the + system's TPM2 chip. This is mutually exclusive with ``ephemeral``. =20 The top-level ``secret`` element may contain the following elements: =20 diff --git a/src/conf/schemas/secret.rng b/src/conf/schemas/secret.rng index c90e2eb81f..59d825bf91 100644 --- a/src/conf/schemas/secret.rng +++ b/src/conf/schemas/secret.rng @@ -19,6 +19,11 @@ + + + + + diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c index 966536599e..1ab6cf5cd4 100644 --- a/src/conf/secret_conf.c +++ b/src/conf/secret_conf.c 
@@ -130,6 +130,7 @@ virSecretParseXML(xmlXPathContext *ctxt) g_autoptr(virSecretDef) def =3D NULL; g_autofree char *ephemeralstr =3D NULL; g_autofree char *privatestr =3D NULL; + g_autofree char *tpmstr =3D NULL; g_autofree char *uuidstr =3D NULL; =20 def =3D g_new0(virSecretDef, 1); @@ -150,6 +151,17 @@ virSecretParseXML(xmlXPathContext *ctxt) } } =20 + if (virXMLPropTristateBool(ctxt->node, "tpm", + VIR_XML_PROP_NONE, &def->tpm) < 0) { + return NULL; + } + + if (def->tpm =3D=3D VIR_TRISTATE_BOOL_YES && def->isephemeral) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("ephemeral and tpm are mutually exclusive")); + return NULL; + } + uuidstr =3D virXPathString("string(./uuid)", ctxt); if (!uuidstr) { if (virUUIDGenerate(def->uuid) < 0) { @@ -248,6 +260,11 @@ virSecretDefFormat(const virSecretDef *def) def->isephemeral ? "yes" : "no", def->isprivate ? "yes" : "no"); =20 + if (def->tpm !=3D VIR_TRISTATE_BOOL_ABSENT) { + virBufferAsprintf(&attrBuf, " tpm=3D'%s'", + virTristateBoolTypeToString(def->tpm)); + } + virUUIDFormat(def->uuid, uuidstr); virBufferEscapeString(&childBuf, "%s\n", uuidstr); if (def->description !=3D NULL) diff --git a/src/conf/secret_conf.h b/src/conf/secret_conf.h index 8f8f47933a..8a9e382c1e 100644 --- a/src/conf/secret_conf.h +++ b/src/conf/secret_conf.h @@ -21,11 +21,13 @@ #pragma once =20 #include "internal.h" +#include "virenum.h" =20 typedef struct _virSecretDef virSecretDef; struct _virSecretDef { bool isephemeral; bool isprivate; + virTristateBool tpm; unsigned char uuid[VIR_UUID_BUFLEN]; char *description; /* May be NULL */ virSecretUsageType usage_type; diff --git a/tests/secretxml2xmlin/usage-tpm-vtpm.xml b/tests/secretxml2xml= in/usage-tpm-vtpm.xml new file mode 100644 index 0000000000..b70785113c --- /dev/null +++ b/tests/secretxml2xmlin/usage-tpm-vtpm.xml @@ -0,0 +1,7 @@ + + 46b96412-fffc-46a3-bf3d-c371f776cadb + vTPM secret + + vTPMvTPMvTPM + + 
diff --git a/tests/secretxml2xmltest.c b/tests/secretxml2xmltest.c index eb4d3e143c..cdd34546b2 100644 --- a/tests/secretxml2xmltest.c +++ b/tests/secretxml2xmltest.c @@ -69,6 +69,7 @@ mymain(void) DO_TEST("usage-iscsi"); DO_TEST("usage-tls"); DO_TEST("usage-vtpm"); + DO_TEST("usage-tpm-vtpm"); =20 return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; } --=20 2.43.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org
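Review bot: the new ``tpm`` paragraph in docs/formatsecret.rst states that the value is stored under a key derived from the system's TPM2 chip but does not say what happens on a host without a usable TPM2 (does defining the secret fail, or setting its value?), nor that only the on-disk copy is protected while the in-memory copy is not (as the cover text admits). Since this is the user-facing contract, spell out the failure mode and the scope of the protection next to the "mutually exclusive with ``ephemeral``" sentence.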
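Review bot: `g_autofree char *tpmstr = NULL;` added to virSecretParseXML in the first src/conf/secret_conf.c hunk is never used; the attribute is read directly with virXMLPropTristateBool in the following hunk, so drop the declaration (the ephemeralstr/privatestr pattern only applies where the string is parsed by hand).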
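Review bot: in the second src/conf/secret_conf.c hunk the mutual-exclusion check only fires for tpm='yes' together with ephemeral, which is right, but when the attribute is omitted def->tpm stays VIR_TRISTATE_BOOL_ABSENT (from g_new0), so every consumer of def->tpm must treat ABSENT and VIR_TRISTATE_BOOL_NO identically to honour the documented default of 'no'. Either normalise to a bool here, alongside isephemeral/isprivate, or document on the field that ABSENT means 'no'. The check also depends on def->isephemeral already being set by the ephemeral parsing above it; a short comment would stop a later reorder from silently disabling it.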
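Review bot: in the virSecretDefFormat hunk, ephemeral and private are always emitted while tpm is emitted only when not ABSENT, so a secret defined without @tpm formats without it and one defined with tpm='no' keeps the explicit 'no'. That roundtrips, but it is an asymmetry worth either justifying in a comment or removing by always emitting tpm once ABSENT is normalised to 'no'.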
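Review bot: the new `virTristateBool tpm;` field in struct _virSecretDef (src/conf/secret_conf.h hunk) sits between two plain bools with no comment explaining why it is tristate or what ABSENT means for consumers; add a one-line comment, as the neighbouring `char *description; /* May be NULL */` does.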
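Review bot: tests/secretxml2xmlin/usage-tpm-vtpm.xml is the only new test file in the diffstat ("6 files changed ... create mode 100644 tests/secretxml2xmlin/usage-tpm-vtpm.xml"); if secretxml2xmltest compares each input against a counterpart under tests/secretxml2xmlout/, that expected-output file is missing from this patch, so confirm how the new input is checked.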
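Review bot: `DO_TEST("usage-tpm-vtpm");` in tests/secretxml2xmltest.c only covers a successful parse/format roundtrip; the "ephemeral and tpm are mutually exclusive" rejection added in secret_conf.c is not exercised anywhere in this patch, so add a case (or a separate negative-test entry if DO_TEST has no failure mode) with ephemeral='yes' and tpm='yes' that expects virSecretParseXML to fail.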