[libvirt] [PATCH v5 17/20] tpm: Pass migration key passphrase via fd to swtpm

Daniel P. Berrangé berrange at redhat.com
Thu Jul 25 09:58:02 UTC 2019


On Fri, Jul 12, 2019 at 12:23:51PM -0400, Stefan Berger wrote:
> This patch now passes the passphrase as a migration key to swtpm.
> This now encrypts the state of the TPM while a VM is migrated between
> hosts or when suspended into a file. Since the migration key secret
> is the same as the state encryption secret, this now requires that
> the migration destination host has the same secret value.
> 
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> ---
>  src/qemu/qemu_tpm.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)


> @@ -651,6 +655,12 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
>                                 pwdfile_fd);
>          virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
>          pwdfile_fd = -1;
> +
> +        virCommandAddArg(cmd, "--migration-key");
> +        virCommandAddArgFormat(cmd, "pwdfd=%d,mode=aes-256-cbc,kdf=pbkdf2",
> +                               migpwdfile_fd);

Why do we have to specify a kdf for migration, but not for the original
on disk encryption?

> +        virCommandPassFD(cmd, migpwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
> +        migpwdfile_fd = -1;
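Review bot: the migration-key parameters are pinned inline as "mode=aes-256-cbc,kdf=pbkdf2" in the virCommandAddArgFormat() call, while the --key invocation just above passes only pwdfd, so the two swtpm secrets end up configured asymmetrically without any comment explaining why; a one-line comment at the new virCommandAddArg(cmd, "--migration-key") stating why the cipher mode and KDF are fixed here and that, as the commit message says, the migration key reuses the state-encryption secret and therefore must also be present on the destination host, would make that coupling visible in the code rather than only in the commit message. The migpwdfile_fd handling itself (virCommandPassFD with VIR_COMMAND_PASS_FD_CLOSE_PARENT followed by resetting the fd to -1) mirrors the pwdfile_fd pattern above and looks correct.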

Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|