Re: [PATCH 2/6] tpm: Add support for external swtpm TPM emulator

[Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>]

On 04/06/2018 07:23 AM, Stefan Berger wrote:
> On 04/06/2018 04:26 AM, Daniel P. Berrangé wrote:
> > On Thu, Apr 05, 2018 at 05:56:02PM -0400, Stefan Berger wrote:
> > > This patch adds support for an external swtpm TPM emulator. The XML for
> > > this type of TPM looks as follows:
> > >
> > >   <tpm model='tpm-tis'>
> > >     <backend type='emulator'/>
> > >   </tpm>
> > >
> > > The XML will currently only start a TPM 1.2.
> > >
> > > Upon the first start, libvirt will run `swtpm_setup`, which will 
> > > simulate the
> > > manufacturing of a TPM and create certificates for it and write them 
> > > into the
> > > NVRAM location of the emulated TPM.
> > >
> > > Then, libvirt will automatically start the swtpm TPM emulator using 
> > > the `swtpm`
> > > executable.
> > >
> > > Once the VM terminates, libvirt uses the swtpm_ioctl executable to 
> > > gracefully
> > > shut down the `swtpm` in case it is still running (QEMU did not send 
> > > shutdown)
> > > or clean up the socket file.
> > >
> > > The above mentioned executables must be found in the PATH.
> > >
> > > The executables can either be run as root or started as root and 
> > > switch to
> > > the tss user. The requirement for the tss user comes through 'tcsd', 
> > > which
> > > is used for the simulation of the manufacturing. Which user is used 
> > > can be
> > > configured through qemu.conf.
> > >
> > > The swtpm writes out state into files. The state is kept in 
> > > /var/lib/libvirt/tpm:
> > >
> > > [root@localhost libvirt]# ls -lZ | grep tpm
> > >
> > > drwx--x--x. 7 root root unconfined_u:object_r:virt_var_lib_t:s0 4096 
> > > Apr  5 16:22 tpm
> > >
> > > The directory /var/lib/libvirt/tpm maintains per-TPM state 
> > > directories but
> > > also hosts the UnixIO socket of running swtpms, which QEMU uses for 
> > > communicating
> > > with them. At this point only the socket file is labeled properly 
> > > and made accessible
> > > for QEMU, which runs under the qemu user:
> > /var/lib is for persistent state while /var/run is for transient
> > state, so I think sockets should be under /var/run instead.
>
> /var/run/libvirt/qemu then ?

I now moved it into this neighborhood, which seems good due to the 
existing permissions:

# ls -lZ domain-1-testvm/
total 4
-rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612 32 
Apr  6 09:55 master-key.aes
srwxrwxr-x. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612 0 
Apr  6 09:55 monitor.sock
srw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612 0 
Apr  6 09:55 swtpm.sock

    Stefan

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list