[libvirt] [PATCH v7 00/12] Add support for TPM emulator

Stefan Berger stefanb at linux.vnet.ibm.com
Thu May 24 14:00:38 UTC 2018


On 05/24/2018 09:21 AM, John Ferlan wrote:
>
> On 05/24/2018 09:02 AM, Stefan Berger wrote:
>> This series of patches adds support for the TPM emulator backend that
>> is available in QEMU and based on swtpm + libtpms. It allows attaching a
>> TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
>> process, its Unix socket, and log file with the same label that the
>> QEMU process gets. Besides that swtpm is added to the emulator cgroup to
>> restrict its CPU usage.
>>
>> The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a
>> TPM 1.2. The device state is not removed during those changes but only
>> when the domain is undefined.
>>
>> The swtpm needs persistent storage to store its state. For that I am
>> using the uuid of the VM as part of the path since the name of the VM
>> can be changed. Logfiles, PID files, and socket names are based on the
>> name of the VM, though.
>>
>>    Stefan
>>
>> v6->v7:
>>    - followed Jan Tomko's suggestion with resulting changes to patch
>>      10/12.
>>    - re-added missing parts related to swtpm_setup and TPM that got lost
>>      in v4
>>
>> v5->v6:
>>    - Addressed John Ferlan's comments
>>    - rebased on latest tip
>>    - Added patch 12.
>>
>> v4->v5:
>>    - Addressed John Ferlan's, Boris Fiuczynski's and Marc Hartmayer's comments
>>    - rebased on latest tip
>>
>> v3->v4:
>>    - Addressed John Ferlan's comments
>>    - Fixed bugs I found while testing
>>    - rebased on latest tip
>>
>> Stefan Berger (12):
>>    conf: Add support for external swtpm TPM emulator to domain XML
>>    qemu: Extend QEMU capabilities with 'tpm-emulator'
>>    util: Implement virFileChownFiles()
>>    security: Add DAC and SELinux security for tpm-emulator
>>    qemu: Extend qemu_conf with tpm-emulator support
>>    qemu: Extend QEMU with external TPM support
>>    qemu: Add support for external swtpm TPM emulator
>>    tests: Add test cases for external swtpm TPM emulator
>>    security: Label the external swtpm with SELinux labels
>>    conf: Add support for choosing emulation of a TPM 2
>>    qemu: Add swtpm to emulator cgroup
>>    news: Update news with new TPM emulator feature
>>
>>   docs/formatdomain.html.in                          |  43 +
>>   docs/news.xml                                      |   9 +
>>   docs/schemas/domaincommon.rng                      |  17 +
>>   libvirt.spec.in                                    |   2 +
>>   src/conf/domain_audit.c                            |   2 +
>>   src/conf/domain_conf.c                             |  64 +-
>>   src/conf/domain_conf.h                             |  15 +
>>   src/libvirt_private.syms                           |   3 +
>>   src/qemu/Makefile.inc.am                           |  10 +
>>   src/qemu/libvirtd_qemu.aug                         |   5 +
>>   src/qemu/qemu.conf                                 |   8 +
>>   src/qemu/qemu_capabilities.c                       |   5 +
>>   src/qemu/qemu_capabilities.h                       |   1 +
>>   src/qemu/qemu_cgroup.c                             |  36 +
>>   src/qemu/qemu_cgroup.h                             |   2 +
>>   src/qemu/qemu_command.c                            |  34 +-
>>   src/qemu/qemu_conf.c                               |  43 +
>>   src/qemu/qemu_conf.h                               |   6 +
>>   src/qemu/qemu_domain.c                             |   3 +
>>   src/qemu/qemu_extdevice.c                          | 180 ++++
>>   src/qemu/qemu_extdevice.h                          |  59 ++
>>   src/qemu/qemu_process.c                            |  16 +
>>   src/qemu/qemu_security.c                           |  69 ++
>>   src/qemu/qemu_security.h                           |  11 +
>>   src/qemu/qemu_tpm.c                                | 922 +++++++++++++++++++++
>>   src/qemu/qemu_tpm.h                                |  56 ++
>>   src/qemu/test_libvirtd_qemu.aug.in                 |   2 +
>>   src/security/security_dac.c                        |   7 +
>>   src/security/security_driver.h                     |   7 +
>>   src/security/security_manager.c                    |  36 +
>>   src/security/security_manager.h                    |   6 +
>>   src/security/security_selinux.c                    | 172 ++++
>>   src/security/security_stack.c                      |  40 +
>>   src/util/virfile.c                                 |  55 ++
>>   src/util/virfile.h                                 |   3 +
>>   tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |   1 +
>>   tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |   1 +
>>   tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |   1 +
>>   tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |   1 +
>>   tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |   1 +
>>   .../tpm-emulator-tpm2.x86_64-latest.args           |  33 +
>>   tests/qemuxml2argvdata/tpm-emulator-tpm2.xml       |  30 +
>>   .../tpm-emulator.x86_64-latest.args                |  33 +
>>   tests/qemuxml2argvdata/tpm-emulator.xml            |  30 +
>>   tests/qemuxml2argvtest.c                           |  16 +-
>>   tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml     |  34 +
>>   tests/qemuxml2xmloutdata/tpm-emulator.xml          |  34 +
>>   tests/qemuxml2xmltest.c                            |   1 +
>>   48 files changed, 2154 insertions(+), 11 deletions(-)
>>   create mode 100644 src/qemu/qemu_extdevice.c
>>   create mode 100644 src/qemu/qemu_extdevice.h
>>   create mode 100644 src/qemu/qemu_tpm.c
>>   create mode 100644 src/qemu/qemu_tpm.h
>>   create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args
>>   create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml
>>   create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args
>>   create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml
>>   create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
>>   create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml
>>
> I'm still fine with the applied R-By's (you can add to patch12 if you
> desire as well).

I think I'll post a v8 again with some more patches appended. The target 
is 4.5... it's getting late in the month and I am afraid that AppArmor 
support may be a bigger thing that probably shouldn't be split across 
4.4 and 4.5.

     Stefan


>
> John
>
> FWIW: I knew there was another way we got the tail of the storage path,
> but could not remember or find mdir_name. Glad someone else recalled it!
>   It's not like the name of the method appears to have anything to do
> with the functionality.
>
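For readers who want to see what the feature described in the cover letter looks like from the domain side, here is an added domain XML fragment (not part of the series or this thread) for the emulator backend, with the TPM 1.2 default beside the TPM 2 selection. The `<backend type='emulator'/>` element and its `version` attribute are assumed to match the schema the series adds in docs/schemas/domaincommon.rng; check docs/formatdomain.html.in from the series for the authoritative syntax.

```xml
<!-- Added example, not from the patch series. Assumes the element names
     introduced by the series' domaincommon.rng changes. -->
<domain type='kvm'>
  <name>example-vm</name>
  <!-- swtpm state is keyed on this uuid (cover letter), so renaming the
       domain keeps its TPM state; log, PID and socket names follow <name>. -->
  <uuid>00000000-0000-0000-0000-000000000000</uuid>
  <devices>
    <!-- TPM 1.2: libvirt spawns swtpm with the domain's sVirt label on the
         process, its Unix socket and log file, and places it in the
         emulator cgroup (patches 4, 9 and 11). -->
    <tpm model='tpm-tis'>
      <backend type='emulator'/>
    </tpm>
  </devices>
</domain>

<!-- Same device requesting TPM 2 emulation (patch 10). Switching between
     1.2 and 2 keeps the on-disk state until the domain is undefined. -->
<tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'/>
</tpm>
```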
