[libvirt] [PATCH v4 04/23] conf: Extend TPM XML parser with encryption support

Daniel P. Berrangé berrange at redhat.com
Fri Jul 12 09:30:02 UTC 2019


On Thu, Jul 11, 2019 at 03:41:32PM -0400, Stefan Berger wrote:
> Extend the TPM device XML parser and XML generator with emulator
> state encryption support.
> 
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
> ---
>  src/conf/domain_conf.c | 40 +++++++++++++++++++++++++++++++++++++++-
>  src/conf/domain_conf.h |  1 +
>  2 files changed, 40 insertions(+), 1 deletion(-)
> 
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 3323c9a5b1..df6238c299 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -2950,6 +2950,7 @@ void virDomainTPMDefFree(virDomainTPMDefPtr def)
>          virDomainChrSourceDefClear(&def->data.emulator.source);
>          VIR_FREE(def->data.emulator.storagepath);
>          VIR_FREE(def->data.emulator.logfile);
> +        virStorageEncryptionFree(def->data.emulator.encryption);
>          break;
>      case VIR_DOMAIN_TPM_TYPE_LAST:
>          break;
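Review bot: `virStorageEncryptionFree(def->data.emulator.encryption)` is called unconditionally in the emulator case, so it relies on the callee tolerating NULL for backends configured without an `<encryption>` element; worth confirming, or guarding the call. If the element is later reduced to a bare secret reference as suggested further down this thread, this line would become a VIR_FREE of the stored secret reference rather than a virStorageEncryption teardown.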
> @@ -13048,6 +13049,16 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt,
>   * <tpm model='tpm-tis'>
>   *   <backend type='emulator' version='2'/>
>   * </tpm>
> + *
> + * Emulator state encryption is supported with the following:
> + *
> + * <tpm model='tpm-tis'>
> + *   <backend type='emulator' version='2'>
> + *     <encryption format='vtpm'>
> + *        <secret type='passphrase' uuid='32ee7e76-2178-47a1-ab7b-269e6e348015'/>
> + *     </encryption>
> + *   </backend>
> + * </tpm>
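Review bot: the new doc-comment example presents `format='vtpm'` as one selectable value, but for emulator state there is no other meaningful choice, so the comment should either state that 'vtpm' is the only accepted value here or the attribute should be dropped in favour of referencing the secret directly. Style point: the `<secret type='passphrase' .../>` line is indented one space deeper than the two-space step used by the rest of the example.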

Again this feels rather odd to me - we're just providing a password to
the swtpm process. We don't need to have a choice of encryption formats
in the XML - the way this is implemented allows you to specify luks or
qcow2 for encryption which is rather meaningless here, and likewise
allows vtpm for disk encryption.

We should just be referencing the secret without this extra level of
XML nesting, e.g.

   <encrypt secret=".....uuid..."/>

and avoid use of virStorageEncryption entirely.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
