[PATCH v3] qemu: tpm: Run swtpm_setup --create-config-files in session mode

Stefan Berger stefanb at linux.ibm.com
Fri Oct 8 18:30:45 UTC 2021 

On 10/8/21 12:33 PM, Marc-André Lureau wrote:
> Hi On Fri, Oct 8, 2021 at 6:44 PM Stefan Berger 
> <stefanb at linux.ibm.com> wrote: Using swtpm v0.7.0 we can run 
> swtpm_setup to create default config files for swtpm_setup and 
> swtpm-localca in session mode. Now a user can start a VM with 
> ZjQcmQRYFpfptBannerStart
> This Message Is From an External Sender
> This message came from outside your organization.
> ZjQcmQRYFpfptBannerEnd
> Hi
>
> On Fri, Oct 8, 2021 at 6:44 PM Stefan Berger <stefanb at linux.ibm.com 
> <mailto:stefanb at linux.ibm.com>> wrote:
>
>     Using swtpm v0.7.0 we can run swtpm_setup to create default config
>     files
>     for swtpm_setup and swtpm-localca in session mode. Now a user can
>     start
>     a VM with an attached TPM without having to run this program on the
>     command line before. This program needs to run once.
>
>     This patch addresses the issue raised in
>     https://bugzilla.redhat.com/show_bug.cgi?id=2010649
>     <https://bugzilla.redhat.com/show_bug.cgi?id=2010649>
>
>     Signed-off-by: Stefan Berger <stefanb at linux.ibm.com
>     <mailto:stefanb at linux.ibm.com>>
>
>     ---
>     v3:
>       - Removed logfile parameter
>
>
> I guess it's redirected to libvirt log then?

So you are saying it should capture the stderr output ?


>
>
>     v2:
>       - fixed return code if swtpm_setup doesn't support the option
>     ---
>      src/qemu/qemu_tpm.c | 39 +++++++++++++++++++++++++++++++++++++++
>      src/util/virtpm.c   |  1 +
>      src/util/virtpm.h   |  1 +
>      3 files changed, 41 insertions(+)
>
>     diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
>     index 100481503c..434c357c24 100644
>     --- a/src/qemu/qemu_tpm.c
>     +++ b/src/qemu/qemu_tpm.c
>     @@ -385,6 +385,42 @@ qemuTPMSetupEncryption(const unsigned char
>     *secretuuid,
>          return virCommandSetSendBuffer(cmd, g_steal_pointer(&secret),
>     secret_len);
>      }
>
>     +
>     +/*
>     + * qemuTPMCreateConfigFiles: run swtpm_setup
>     --create-config-files skip-if-exist
>     + */
>     +static int
>     +qemuTPMCreateConfigFiles(void)
>     +{
>     +    g_autofree char *swtpm_setup = virTPMGetSwtpmSetup();
>     +    g_autoptr(virCommand) cmd = NULL;
>     +    int exitstatus;
>     +
>     +    if (!swtpm_setup)
>     +        return -1;
>
>
> I think what Daniel was saying is that this shouldn't fail suddenly 
> for users with older swtpm that already have the configuration setup.


The above only fails if swtm_setup is not installed, if that's what you 
mean. That's when swtpm_setup is NULL.

If you run `swptm_setup --create-config-files skip-if-exist` when any 
one of the 3 config files already exist, it will do nothing and exit with 0.


>
>     +
>     +    if (!virTPMSwtpmSetupCapsGet(
>     + VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES))
>     +        return 0;
>

This is the case when swtpm_setup doesn't support --create-config-files. 
That's when the user has to use the old 
/usr/share/swtpm/swptm-create-user-config-files to create the config 
files, which will then be located at the same place that `swptm_setup 
--create-config-files skip-if-exist` would create them or check whether 
any one of them exist and skip.

3 config files will be created and if the user then removes 1 or 2 of 
them he created an invalid configuration and the start of the next VM 
will fail due to a bad configuration with missing config files. The 
config files would only be created again if all 3 were missing.


>     +
>     +    cmd = virCommandNew(swtpm_setup);
>     +    if (!cmd)
>     +        return -1;
>     +
>     +    virCommandAddArgList(cmd, "--create-config-files",
>     "skip-if-exist", NULL);
>     +    virCommandClearCaps(cmd);
>     +
>     +    if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) {
>     +        virReportError(VIR_ERR_INTERNAL_ERROR,
>     +                       _("Could not run '%s' to create config
>     files. exitstatus: %d",
>     +                          swtpm_setup, exitstatus);
>     +        return -1;
>
In the error case the stderr output of swtpm_setup should probably show 
up here?


>     +    }
>     +
>     +    return 0;
>     +}
>     +
>     +
>      /*
>       * qemuTPMEmulatorRunSetup
>       *
>     @@ -432,6 +468,9 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
>                                       "this requires privileged mode
>     for a "
>                                       "TPM 1.2\n"), 0600);
>
>     +    if (!privileged && qemuTPMCreateConfigFiles())
>     +        return -1;
>     +
>          cmd = virCommandNew(swtpm_setup);
>          if (!cmd)
>              return -1;
>     diff --git a/src/util/virtpm.c b/src/util/virtpm.c
>     index 1a567139b4..0f50de866c 100644
>     --- a/src/util/virtpm.c
>     +++ b/src/util/virtpm.c
>     @@ -45,6 +45,7 @@ VIR_ENUM_IMPL(virTPMSwtpmFeature,
>      VIR_ENUM_IMPL(virTPMSwtpmSetupFeature,
>                    VIR_TPM_SWTPM_SETUP_FEATURE_LAST,
>                    "cmdarg-pwdfile-fd",
>     +              "cmdarg-create-config-files",
>      );
>
>      /**
>     diff --git a/src/util/virtpm.h b/src/util/virtpm.h
>     index d021a083b4..3bb03b3b33 100644
>     --- a/src/util/virtpm.h
>     +++ b/src/util/virtpm.h
>     @@ -38,6 +38,7 @@ typedef enum {
>
>      typedef enum {
>          VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD,
>     +    VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES,
>
>          VIR_TPM_SWTPM_SETUP_FEATURE_LAST
>      } virTPMSwtpmSetupFeature;
>     -- 
>     2.31.1
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20211008/01a180ab/attachment-0001.htm>

More information about the libvir-list mailing list