[libvirt] [PATCH 2/6] tpm: Add support for external swtpm TPM emulator

Stefan Berger stefanb at linux.vnet.ibm.com
Fri Apr 6 14:02:51 UTC 2018 

On 04/06/2018 07:23 AM, Stefan Berger wrote:
> On 04/06/2018 04:26 AM, Daniel P. Berrangé wrote:
>> On Thu, Apr 05, 2018 at 05:56:02PM -0400, Stefan Berger wrote:
>>> This patch adds support for an external swtpm TPM emulator. The XML for
>>> this type of TPM looks as follows:
>>>
>>>   <tpm model='tpm-tis'>
>>>     <backend type='emulator'/>
>>>   </tpm>
>>>
>>> The XML will currently only start a TPM 1.2.
>>>
>>> Upon the first start, libvirt will run `swtpm_setup`, which will 
>>> simulate the
>>> manufacturing of a TPM and create certificates for it and write them 
>>> into the
>>> NVRAM location of the emulated TPM.
>>>
>>> Then, libvirt will automatically start the swtpm TPM emulator using 
>>> the `swtpm`
>>> executable.
>>>
>>> Once the VM terminates, libvirt uses the swtpm_ioctl executable to 
>>> gracefully
>>> shut down the `swtpm` in case it is still running (QEMU did not send 
>>> shutdown)
>>> or clean up the socket file.
>>>
>>> The above mentioned executables must be found in the PATH.
>>>
>>> The executables can either be run as root or started as root and 
>>> switch to
>>> the tss user. The requirement for the tss user comes through 'tcsd', 
>>> which
>>> is used for the simulation of the manufacturing. Which user is used 
>>> can be
>>> configured through qemu.conf.
>>>
>>> The swtpm writes out state into files. The state is kept in 
>>> /var/lib/libvirt/tpm:
>>>
>>> [root at localhost libvirt]# ls -lZ | grep tpm
>>>
>>> drwx--x--x. 7 root root unconfined_u:object_r:virt_var_lib_t:s0 4096 
>>> Apr  5 16:22 tpm
>>>
>>> The directory /var/lib/libvirt/tpm maintains per-TPM state 
>>> directories but
>>> also hosts the UnixIO socket of running swtpms, which QEMU uses for 
>>> communicating
>>> with them. At this point only the socket file is labeled properly 
>>> and made accessible
>>> for QEMU, which runs under the qemu user:
>> /var/lib is for persistent state while /var/run is for transient
>> state, so I think sockets should be under /var/run instead.
>
> /var/run/libvirt/qemu then ?

I now moved it into this neighborhood, which seems good due to the 
existing permissions:

# ls -lZ domain-1-testvm/
total 4
-rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612 32 
Apr  6 09:55 master-key.aes
srwxrwxr-x. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612 0 
Apr  6 09:55 monitor.sock
srw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612 0 
Apr  6 09:55 swtpm.sock

     Stefan

More information about the libvir-list mailing list