[PATCH] lxc: Add TPM passthrough option for LXC driver

Julio Faracco jcfaracco at gmail.com
Sun Aug 16 16:16:30 UTC 2020


There is no support for TPM passthrough in the libvirt LXC driver;
this commit adds the option to use the host TPM inside containers.

Signed-off-by: Julio Faracco <jcfaracco at gmail.com>
---
 src/lxc/lxc_cgroup.c     | 27 +++++++++++++++++++
 src/lxc/lxc_controller.c | 56 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)

diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c
index d13f2adde5..955d2b4fc1 100644
--- a/src/lxc/lxc_cgroup.c
+++ b/src/lxc/lxc_cgroup.c
@@ -374,6 +374,33 @@ static int virLXCCgroupSetupDeviceACL(virDomainDefPtr def,
             return -1;
     }
 
+    for (i = 0; i < def->ntpms; i++) {
+        virDomainTPMDefPtr tpm = def->tpms[i];
+        const char *dev = NULL;
+
+        switch (tpm->type) {
+        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+        case VIR_DOMAIN_TPM_TYPE_LAST:
+            break;
+        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+            dev = "/dev/tpm0";
+            break;
+        }
+
+        if (!dev)
+            continue;
+
+        if (!virFileExists(dev)) {
+            VIR_DEBUG("Ignoring non-existent device %s", dev);
+            continue;
+        }
+
+        if (virCgroupAllowDevicePath(cgroup, dev,
+                                     VIR_CGROUP_DEVICE_READ,
+                                     false) < 0)
+            return -1;
+    }
+
     VIR_DEBUG("Device ACL setup complete");
 
     return 0;
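Review bot: The ACL added for the passthrough device grants only `VIR_CGROUP_DEVICE_READ`, but a TPM is driven by writing commands to the character device and reading the responses back, so with this entry the container can at best open /dev/tpm0 read-only and every TPM operation will fail; the allow call should use `VIR_CGROUP_DEVICE_RW` (keeping the `false` third argument as written). The device path is also hard-coded to "/dev/tpm0" instead of being taken from the passthrough source path carried in the TPM definition, so a configured backend path is silently ignored here, and the matching hunk in lxc_controller.c hard-codes the same string. The enclosing function virLXCCgroupSetupDeviceACL starts before this hunk, so the declaration of `i` is not visible.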
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index ae6b737b60..70ca773bbf 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -1644,6 +1644,59 @@ virLXCControllerSetupHostdevSubsysUSB(virDomainDefPtr vmDef,
 }
 
 
+static int
+virLXCControllerSetupTPM(virLXCControllerPtr ctrl)
+{
+    virDomainDefPtr def = ctrl->def;
+    size_t i;
+
+    for (i = 0; i < def->ntpms; i++) {
+        virDomainTPMDefPtr tpm = def->tpms[i];
+        g_autofree char *path = NULL;
+        const char *tpm_dev = NULL;
+        struct stat sb;
+        dev_t dev;
+
+        switch (tpm->type) {
+        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+        case VIR_DOMAIN_TPM_TYPE_LAST:
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("unsupported timer type (name) '%s'"),
+                           virDomainTPMBackendTypeToString(tpm->type));
+            return -1;
+        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+            tpm_dev = "/dev/tpm0";
+            path = g_strdup_printf("/%s/%s.dev/%s", LXC_STATE_DIR,
+                                   def->name, "/rtc");
+            break;
+        }
+
+        if (!tpm_dev)
+            continue;
+
+        if (stat(tpm_dev, &sb) < 0) {
+            virReportSystemError(errno, _("Unable to access %s"),
+                                 tpm_dev);
+            return -1;
+        }
+
+        dev = makedev(major(sb.st_rdev), minor(sb.st_rdev));
+        if (mknod(path, S_IFCHR, dev) < 0 ||
+            chmod(path, sb.st_mode)) {
+            virReportSystemError(errno,
+                                 _("Failed to make device %s"),
+                                 path);
+            return -1;
+        }
+
+        if (lxcContainerChown(def, path) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 virLXCControllerSetupHostdevCapsStorage(virDomainDefPtr vmDef,
                                         virDomainHostdevDefPtr def,
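Review bot: The node path for the passthrough case is built as `"/%s/%s.dev/%s"` with `"/rtc"` as the last argument, which creates a device named `rtc` (with a doubled slash) under the container's .dev directory rather than a TPM node, and would clash with the RTC node created by the timer setup if both are configured; it should read `path = g_strdup_printf("/%s/%s.dev/tpm0", LXC_STATE_DIR, def->name);`. The error reported for the emulator case says `"unsupported timer type (name) '%s'"`, which looks copied from the timer code and should say `_("unsupported TPM type '%s'")`; note that because the emulator case returns -1 here while the cgroup hunk simply skips it, any domain with an emulator TPM now fails to start. As with the cgroup hunk, "/dev/tpm0" is hard-coded instead of using the configured passthrough source path, and I would add an `S_ISCHR(sb.st_mode)` check after the stat() before calling mknod() so a misconfigured path is rejected with a clear error.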
@@ -2358,6 +2411,9 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
     if (virLXCControllerSetupAllHostdevs(ctrl) < 0)
         goto cleanup;
 
+    if (virLXCControllerSetupTPM(ctrl) < 0)
+        goto cleanup;
+
     if (virLXCControllerSetupFuse(ctrl) < 0)
         goto cleanup;
 
-- 
2.25.1



