On Tue, May 22, 2018 at 10:44 PM +0200, Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> wrote:
> This patch extends the TPM's device XML with TPM 2 support. This only works
> for the emulator type backend and looks as follows:
>
> <tpm model='tpm-tis'>
> <backend type='emulator' version='2'/>
> </tpm>
>
> The swtpm process now has --tpm2 as an additional parameter:
>
> system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ? Rs 11:13 13:50 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm2,mode=0640 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/testvm-swtpm.pid
>
> The version of the TPM can be changed and the state of the TPM is preserved.
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
> Reviewed-by: John Ferlan <jferlan@xxxxxxxxxx>
> ---
> docs/formatdomain.html.in | 15 ++++-
> docs/schemas/domaincommon.rng | 12 ++++
> src/conf/domain_conf.c | 27 ++++++++-
> src/conf/domain_conf.h | 6 ++
> src/qemu/qemu_tpm.c | 64 +++++++++++++++++++++-
> .../tpm-emulator-tpm2.x86_64-latest.args | 33 +++++++++++
> tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 ++++++++++
> tests/qemuxml2argvtest.c | 1 +
> tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 ++++++++++++
> 9 files changed, 217 insertions(+), 5 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args
> create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml
> create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
>
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index 08a57bd751..043c8da56f 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -7719,7 +7719,7 @@ qemu-kvm -net nic,model=? /dev/null
> ...
> <devices>
> <tpm model='tpm-tis'>
> - <backend type='emulator'>
> + <backend type='emulator' version='2'>
> </backend>
> </tpm>
> </devices>
> @@ -7769,6 +7769,19 @@ qemu-kvm -net nic,model=? /dev/null
> </dd>
> </dl>
> </dd>
> + <dt><code>version</code></dt>
> + <dd>
> + <p>
> + The <code>version</code> attribute indicates the version
> + of the TPM. By default a TPM 1.2 is created. This attribute
> + only works with the <code>emulator</code> backend. The following
> + versions are supported:
> + </p>
> + <ul>
> + <li>'1.2' : creates a TPM 1.2</li>
> + <li>'2' : creates a TPM 2</li>
> + </ul>
> + </dd>
> </dl>
>
> <h4><a id="elementsNVRAM">NVRAM device</a></h4>
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 3582cb5019..f11833075a 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -4130,6 +4130,18 @@
> </attribute>
> </group>
> </choice>
> + <choice>
> + <group>
> + <optional>
> + <attribute name="version">
> + <choice>
> + <value>1.2</value>
> + <value>2</value>
> + </choice>
> + </attribute>
> + </optional>
> + </group>
> + </choice>
> </element>
> </define>
>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 15dd490d17..79904789ee 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -12657,7 +12657,7 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt,
> * or like this:
> *
> * <tpm model='tpm-tis'>
> - * <backend type='emulator'/>
> + * <backend type='emulator' version='2'/>
> * </tpm>
> */
> static virDomainTPMDefPtr
> @@ -12670,6 +12670,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
> char *path = NULL;
> char *model = NULL;
> char *backend = NULL;
> + char *version = NULL;
> virDomainTPMDefPtr def;
> xmlNodePtr save = ctxt->node;
> xmlNodePtr *backends = NULL;
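Review bot: The new `<choice>` in domaincommon.rng is added after the closing `</choice>` of the backend alternatives, so the schema appears to accept `version` on every backend type, while the documentation added in this same patch says the attribute only works with the `emulator` backend. A definition such as `<backend type='passthrough' version='2'>` would then validate although the version cannot apply to a host device, which leaves the XML claiming a TPM version the guest may not actually get. Moving the `<optional><attribute name="version">` block into the emulator `<group>`, or rejecting the combination during validation, would keep schema and documentation in agreement. The enclosing `<element>` starts outside the hunk, so the placement relative to the emulator group is inferred from the context lines.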
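Review bot: The added `char *version = NULL;` in virDomainTPMDefParseXML becomes an owned string once the following hunk assigns it from `virXMLPropString()`, which returns an allocated copy. It therefore needs a matching `VIR_FREE(version);` next to the existing frees of `path`, `model` and `backend` on both the success and the error path. The cleanup section of the function lies outside the quoted hunks, so whether the patch already does this cannot be confirmed from here.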
> @@ -12716,6 +12717,20 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
> goto error;
> }
>
> + version = virXMLPropString(backends[0], "version");
> + if (!version || STREQ(version, "1.2")) {
> + def->version = VIR_DOMAIN_TPM_VERSION_1_2;
> + /* only TIS available for emulator */
> + if (def->type == VIR_DOMAIN_TPM_TYPE_EMULATOR)
> + def->model = VIR_DOMAIN_TPM_MODEL_TIS;
This will silently overwrite an already defined model - is this intended? Also this seems like some kind of validation logic - not sure if virDomainTPMDefParseXML is the right place for this.
> + } else if (STREQ(version, "2")) {
> + def->version = VIR_DOMAIN_TPM_VERSION_2;
[…snip] Beste Grüße / Kind regards Marc Hartmayer IBM Deutschland Research & Development GmbH Vorsitzende des Aufsichtsrats: Martina Koederitz Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list