<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 10/8/21 12:33 PM, Marc-André Lureau
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMxuvaw+yqMy0Q=Qxixu5fYa9QC7KiU39LmVW4vSfA2ufdR=-Q@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">Hi<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Oct 8, 2021 at 6:44
PM Stefan Berger <<a href="mailto:stefanb@linux.ibm.com"
moz-do-not-send="true">stefanb@linux.ibm.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Using swtpm v0.7.0 we can
run swtpm_setup to create default config files<br>
for swtpm_setup and swtpm-localca in session mode. Now a
user can start<br>
a VM with an attached TPM without having to run this program
on the<br>
command line before. This program needs to run once.<br>
<br>
This patch addresses the issue raised in<br>
<a
href="https://bugzilla.redhat.com/show_bug.cgi?id=2010649"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://bugzilla.redhat.com/show_bug.cgi?id=2010649</a><br>
<br>
Signed-off-by: Stefan Berger <<a
href="mailto:stefanb@linux.ibm.com" target="_blank"
moz-do-not-send="true">stefanb@linux.ibm.com</a>><br>
<br>
---<br>
v3:<br>
- Removed logfile parameter<br>
</blockquote>
<div><br>
</div>
<div>I guess it's redirected to the libvirt log then?</div>
</div>
</div>
</blockquote>
<p>So you are saying it should capture the stderr output?<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:CAMxuvaw+yqMy0Q=Qxixu5fYa9QC7KiU39LmVW4vSfA2ufdR=-Q@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<br>
v2:<br>
- fixed return code if swtpm_setup doesn't support the
option<br>
---<br>
src/qemu/qemu_tpm.c | 39
+++++++++++++++++++++++++++++++++++++++<br>
src/util/virtpm.c | 1 +<br>
src/util/virtpm.h | 1 +<br>
3 files changed, 41 insertions(+)<br>
<br>
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c<br>
index 100481503c..434c357c24 100644<br>
--- a/src/qemu/qemu_tpm.c<br>
+++ b/src/qemu/qemu_tpm.c<br>
@@ -385,6 +385,42 @@ qemuTPMSetupEncryption(const unsigned
char *secretuuid,<br>
return virCommandSetSendBuffer(cmd,
g_steal_pointer(&secret), secret_len);<br>
}<br>
<br>
+<br>
+/*<br>
+ * qemuTPMCreateConfigFiles: run swtpm_setup
--create-config-files skip-if-exist<br>
+ */<br>
+static int<br>
+qemuTPMCreateConfigFiles(void)<br>
+{<br>
+ g_autofree char *swtpm_setup = virTPMGetSwtpmSetup();<br>
+ g_autoptr(virCommand) cmd = NULL;<br>
+ int exitstatus;<br>
+<br>
+ if (!swtpm_setup)<br>
+ return -1;<br>
</blockquote>
<div><br>
</div>
</div>
</div>
</blockquote>
<blockquote type="cite"
cite="mid:CAMxuvaw+yqMy0Q=Qxixu5fYa9QC7KiU39LmVW4vSfA2ufdR=-Q@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div>I think what Daniel was saying is that this shouldn't
fail suddenly for users with older swtpm that already have
the configuration setup.</div>
</div>
</div>
</blockquote>
<p><br>
</p>
<p>The above only fails if swtpm_setup is not installed, if that's
what you mean. That's when swtpm_setup is NULL.<br>
</p>
<p>If you run `swtpm_setup --create-config-files skip-if-exist` when
any one of the 3 config files already exists, it will do nothing
and exit with 0.<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:CAMxuvaw+yqMy0Q=Qxixu5fYa9QC7KiU39LmVW4vSfA2ufdR=-Q@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
+<br>
+ if (!virTPMSwtpmSetupCapsGet(<br>
+
VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES))<br>
+ return 0;<br>
</blockquote>
</div>
</div>
</blockquote>
<p><br>
</p>
<p>This is the case when swtpm_setup doesn't support
--create-config-files. That's when the user has to use the old
/usr/share/swtpm/swtpm-create-user-config-files to create the
config files, which will then be located at the same place that
`swtpm_setup --create-config-files skip-if-exist` would create
them or check whether any one of them exists and skip.<br>
</p>
<p>3 config files will be created, and if the user then removes 1 or
2 of them he has created an invalid configuration, and the start of the
next VM will fail due to a bad configuration with missing config
files. The config files would only be created again if all 3 were
missing.<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:CAMxuvaw+yqMy0Q=Qxixu5fYa9QC7KiU39LmVW4vSfA2ufdR=-Q@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
+<br>
+ cmd = virCommandNew(swtpm_setup);<br>
+ if (!cmd)<br>
+ return -1;<br>
+<br>
+ virCommandAddArgList(cmd, "--create-config-files",
"skip-if-exist", NULL);<br>
+ virCommandClearCaps(cmd);<br>
+<br>
+ if (virCommandRun(cmd, &exitstatus) < 0 ||
exitstatus != 0) {<br>
+ virReportError(VIR_ERR_INTERNAL_ERROR,<br>
+ _("Could not run '%s' to create
config files. exitstatus: %d",<br>
+ swtpm_setup, exitstatus);<br>
+ return -1;<br>
</blockquote>
</div>
</div>
</blockquote>
<p>In the error case the stderr output of swtpm_setup should
probably show up here?<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:CAMxuvaw+yqMy0Q=Qxixu5fYa9QC7KiU39LmVW4vSfA2ufdR=-Q@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
+ }<br>
+<br>
+ return 0;<br>
+}<br>
+<br>
+<br>
/*<br>
* qemuTPMEmulatorRunSetup<br>
*<br>
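</blockquote>
</div>
</div>
</blockquote>
<p>Review bot: 'exitstatus' is declared without an initializer, and when virCommandRun() returns &lt; 0 the '|| exitstatus != 0' test is short-circuited, so the virReportError() call can format an indeterminate value into "exitstatus: %d"; initialize it ('int exitstatus = 0;') or report the two failures separately. The child's stderr is also discarded in the error path: setting an error buffer with virCommandSetErrorBuffer() before virCommandRun() and including it in the message would make a failing 'swtpm_setup --create-config-files skip-if-exist' diagnosable from the libvirt log, which is what the question about the removed logfile parameter comes down to.</p>
<blockquote type="cite"
cite="mid:CAMxuvaw+yqMy0Q=Qxixu5fYa9QC7KiU39LmVW4vSfA2ufdR=-Q@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">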
@@ -432,6 +468,9 @@ qemuTPMEmulatorRunSetup(const char
*storagepath,<br>
"this requires privileged
mode for a "<br>
"TPM 1.2\n"), 0600);<br>
<br>
+ if (!privileged && qemuTPMCreateConfigFiles())<br>
+ return -1;<br>
+<br>
cmd = virCommandNew(swtpm_setup);<br>
if (!cmd)<br>
return -1;<br>
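</blockquote>
</div>
</div>
</blockquote>
<p>Review bot: 'if (!privileged &amp;&amp; qemuTPMCreateConfigFiles())' tests the return value for truthiness, while the function returns 0 or -1 and the surrounding code in this file compares '&lt; 0'; write 'qemuTPMCreateConfigFiles() &lt; 0' for consistency. A one-line comment saying why this step is only taken when not privileged (the default config files are for swtpm_setup and swtpm-localca in session mode) would also help, since the context just above is about TPM 1.2 requiring privileged mode.</p>
<blockquote type="cite"
cite="mid:CAMxuvaw+yqMy0Q=Qxixu5fYa9QC7KiU39LmVW4vSfA2ufdR=-Q@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">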
diff --git a/src/util/virtpm.c b/src/util/virtpm.c<br>
index 1a567139b4..0f50de866c 100644<br>
--- a/src/util/virtpm.c<br>
+++ b/src/util/virtpm.c<br>
@@ -45,6 +45,7 @@ VIR_ENUM_IMPL(virTPMSwtpmFeature,<br>
VIR_ENUM_IMPL(virTPMSwtpmSetupFeature,<br>
VIR_TPM_SWTPM_SETUP_FEATURE_LAST,<br>
"cmdarg-pwdfile-fd",<br>
+ "cmdarg-create-config-files",<br>
);<br>
<br>
/**<br>
diff --git a/src/util/virtpm.h b/src/util/virtpm.h<br>
index d021a083b4..3bb03b3b33 100644<br>
--- a/src/util/virtpm.h<br>
+++ b/src/util/virtpm.h<br>
@@ -38,6 +38,7 @@ typedef enum {<br>
<br>
typedef enum {<br>
VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD,<br>
+ VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES,<br>
<br>
VIR_TPM_SWTPM_SETUP_FEATURE_LAST<br>
} virTPMSwtpmSetupFeature;<br>
-- <br>
2.31.1<br>
<br>
</blockquote>
</div>
</div>
</blockquote>
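<p>The thread twice asks whether the stderr of a failing swtpm_setup run should be captured and shown with the exit status. As an added example that is not part of this thread or of libvirt's code, the following plain-C stand-in (run_capture_stderr and demo_run are hypothetical names) shows how to collect a child's stderr and exit status together so the error message can carry both; it assumes a POSIX system with 'sh' available, and the child's message is constructed for the demo.</p>

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[] as a child, capture its stderr into errbuf (NUL-terminated, truncated
 * to buflen-1) and return its exit status, or -1 if it could not be started or did
 * not exit normally. Stand-in for libvirt's virCommandRun() + virCommandSetErrorBuffer(). */
static int run_capture_stderr(char *const argv[], char *errbuf, size_t buflen)
{
    int pipefd[2], status;
    char scratch[256];
    size_t used = 0;
    pid_t pid;

    if (buflen == 0 || pipe(pipefd) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(pipefd[0]); close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {                 /* child: stderr -> pipe, then exec */
        close(pipefd[0]);
        dup2(pipefd[1], STDERR_FILENO);
        close(pipefd[1]);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    close(pipefd[1]);
    for (;;) {                      /* drain before waitpid(): a child filling the pipe would block */
        int room = used < buflen - 1;
        ssize_t n = read(pipefd[0], room ? errbuf + used : scratch,
                         room ? buflen - 1 - used : sizeof(scratch));
        if (n <= 0)
            break;
        if (room)                   /* once errbuf is full, keep reading but discard */
            used += (size_t)n;
    }
    errbuf[used] = '\0';
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed sample child: complains on stderr and exits 3, standing in for a
 * failing swtpm_setup run (the message text is made up). Output lands in demo_errbuf. */
static char demo_errbuf[256];

static int demo_run(void)
{
    char *const argv[] = {"sh", "-c", "echo 'cannot write config files' >&2; exit 3", NULL};
    return run_capture_stderr(argv, demo_errbuf, sizeof(demo_errbuf));
}
```

<p>With both values in hand, an error report can read "exitstatus: 3: cannot write config files" instead of the bare status code.</p>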
</body>
</html>