[libvirt] [PATCH 2/6] tpm: Add support for external swtpm TPM emulator

Stefan Berger stefanb at linux.vnet.ibm.com
Mon Apr 9 18:52:33 UTC 2018


On 04/06/2018 10:54 AM, Daniel P. Berrangé wrote:
> On Fri, Apr 06, 2018 at 10:49:23AM -0400, Stefan Berger wrote:
>
>>>>> I would feel better if we just directly killed the process - with
>>>>> this approach if something goes wrong with swtpm it may never
>>>>> respond to this request and stay running.
>>>> swtpm can write a pidfile. I am only adding this later in this series.
>>>> Problem is with --daemon libvirt doesn't know the pid of the swtpm anymore.
>>> The other option is to not use --daemon, and let libvirt write the pid
>>> file, but that introduces the race with socket path creation again
>>> which is not good.
>> Sounds like we should leave this as it is? Unless swtpm was broken, there
>> shouldn't be a reason why we wouldn't be able to shut down swtpm by
>> sending a command to it. The socket and its directory must not have
>> disappeared of course.
> Agreed.

I reworked this patch series quite a bit. Primarily in regards to the
directories for where the data, socket, logfile, and pidfiles are
stored. At the moment I need the following two additional SELinux rules
for svirt on Fedora 23 (old).

allow svirt_t virtd_t:fifo_file write;
allow svirt_t virtd_t:process sigchld;

Not sure where I can find the sources for the policy, but maybe there's
a more recent version that already has it?

Should this first patch be split? Take out the XML parser and generator?

Regards,
    Stefan

>
> Regards,
> Daniel