This series of patches addresses the RFE in BZ 1728030:

https://bugzilla.redhat.com/show_bug.cgi?id=1728030

This series of patches adds support for vTPM state encryption by passing
the read-end of a pipe's file descriptor to 'swtpm_setup' and 'swtpm',
where they can read a passphrase from it and derive a key from that
passphrase.

The TPM's domain XML to enable state encryption looks like this:

  <tpm model='tpm-tis'>
    <backend type='emulator' version='1.2'>
      <encryption secret='2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd'/>
    </backend>
  </tpm>

The vTPM secret holding the passphrase looks like this:

  <secret ephemeral='no' private='yes'>
    <uuid>2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd</uuid>
    <description>vTPM passphrase example</description>
    <usage type='vtpm'>
      <name>vtpm_example</name>
    </usage>
  </secret>

swtpm v0.2 is needed, which supports the command line option
--print-capabilities returning a JSON object that identifies features
added since v0.1. One such feature is the possibility to pass a
passphrase via a file descriptor.

The patches do some refactoring of existing code on the way.
  Stefan

v1->v2:
  - Added Marc-André's R-bs
  - Addressed comments
  - Added patches to extend virCommand to be able to write contents of
    multiple buffers to file descriptors for a spawned process to read from

v2->v3:
  - Fixed some pointer issues following conversion to use VIR_AUTOFREE

v3->v4:
  - Added test case for virCommandSetSendBuffer() to commantest.c
  - Addressed other issues raised by Marc-André

v4->v5:
  - Simplified encryption node in TPM's domain XML and adapted everything
    that depends on this; dropped some patches and removed some R-bs for
    non-trivial stuff
  - Not limiting write size for fd's with O_NONBLOCK set

v5->v6:
  - Addressed comments on v5

Stefan Berger (19):
  secret: Add support for usage type vTPM, extend schema and test case
  tests: Add already existing test case tpm-emulator-tpm2
  conf: Extend TPM XML parser with encryption support
  tests: Add test for TPM XML encryption parser and formatter
  tests: Add tests for QEMU command line generation with encrypted TPM
  tpm: Move qemuTPMEmulatorInit to virTPMEmulatorInit in virtpm.c
  tpm: Refactor virTPMEmulatorInit to use loop
  tpm: Check whether previously found executables were updated
  tpm: Parse the capabilities supported by swtpm and swtpm_setup
  utils: Implement function to pass a buffer to send via a fd to virCommand
  utils: Convert pollfd array to be allocated
  utils: Mark inpipe as non-blocking
  utils: Extend virCommandProcessIO to include the send buffers
  tests: Extend command test to transfer large data to process on multiple fds
  tpm: Use fd to pass password to swtpm_setup and swtpm
  tpm: Pass migration key passphrase via fd to swtpm
  tpm: Check TPM XML device configuration changes after edit
  docs: Extend Secret XML documentation with vtpm usage type
  docs: Extend TPM docs with new encryption element

 docs/formatdomain.html.in                          |  12 +
 docs/formatsecret.html.in                          |  61 +++-
 docs/schemas/domaincommon.rng                      |  11 +
 docs/schemas/secret.rng                            |  10 +
 include/libvirt/libvirt-secret.h                   |   1 +
 include/libvirt/virterror.h                        |   2 +
 src/conf/domain_conf.c                             |  87 ++++-
 src/conf/domain_conf.h                             |   6 +
 src/conf/secret_conf.c                             |  13 +
 src/libvirt_private.syms                           |  10 +
 src/qemu/qemu_driver.c                             |  28 ++
 src/qemu/qemu_extdevice.c                          |   2 +-
 src/qemu/qemu_extdevice.h                          |   3 +
 src/qemu/qemu_tpm.c                                | 211 ++++++++-----
 src/util/vircommand.c                              | 148 ++++++++-
 src/util/vircommand.h                              |   5 +
 src/util/virerror.c                                |   2 +
 src/util/virsecret.c                               |   2 +-
 src/util/virtpm.c                                  | 298 +++++++++++++++++-
 src/util/virtpm.h                                  |  23 ++
 tests/commandhelper.c                              |  70 +++-
 tests/commandtest.c                                | 113 +++++++
 .../tpm-emulator-tpm2-enc.x86_64-latest.args       |  35 ++
 .../tpm-emulator-tpm2-enc.xml                      |  32 ++
 tests/qemuxml2argvtest.c                           |   1 +
 .../tpm-emulator-tpm2-enc.xml                      |  36 +++
 tests/qemuxml2xmltest.c                            |   2 +
 tests/secretxml2xmlin/usage-vtpm.xml               |   7 +
 tests/secretxml2xmltest.c                          |   1 +
 29 files changed, 1145 insertions(+), 87 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.xml
 create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2-enc.xml
 create mode 100644 tests/secretxml2xmlin/usage-vtpm.xml

-- 
2.20.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
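The mechanism the cover letter describes (a passphrase handed to swtpm_setup/swtpm on the read end of a pipe, with the parent's write end marked O_NONBLOCK and no cap on the write size) is shown below as an added, stand-alone example. It is not libvirt's or swtpm's code: the forked child only stands in for swtpm by reading its fd to EOF and echoing the bytes back, and the function names (write_all, read_to_eof, roundtrip_secret_via_fd, demo_roundtrip) are this example's own. The point it demonstrates is that the secret never appears in argv, that a passphrase larger than the pipe buffer is still delivered via poll()-driven partial writes, and that closing the write end is what tells the child the passphrase is complete.

```c
/* Added example, not libvirt or swtpm code. A passphrase is sent to a child
 * over a pipe fd instead of the command line, so it never shows up in
 * /proc/<pid>/cmdline. The parent side is O_NONBLOCK and driven by poll(),
 * so a buffer larger than the pipe capacity is delivered in partial writes.
 * The child stands in for swtpm: it reads until EOF and echoes the data back
 * on a second pipe so the round trip can be verified. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write all of buf to fd; on a non-blocking fd wait in poll() when the pipe
 * is full and resume after partial writes. Returns 0 on success, -1 on error. */
static int write_all(int fd, const char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, buf + off, len - off);
        if (n > 0) {
            off += (size_t)n;
        } else if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
            struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR)
                return -1;
        } else if (n < 0 && errno != EINTR) {
            return -1;
        }
    }
    return 0;
}

/* Read fd until EOF into a heap buffer (caller frees); NULL on error. */
static char *read_to_eof(int fd, size_t *outlen)
{
    size_t cap = 4096, len = 0;
    char *buf = malloc(cap);
    if (!buf)
        return NULL;
    for (;;) {
        if (len == cap) {
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); return NULL; }
            buf = nb;
            cap *= 2;
        }
        ssize_t n = read(fd, buf + len, cap - len);
        if (n == 0)
            break;
        if (n < 0) {
            if (errno == EINTR) continue;
            free(buf);
            return NULL;
        }
        len += (size_t)n;
    }
    *outlen = len;
    return buf;
}

/* Send `secret` to a forked child through a pipe fd and check the child got
 * exactly those bytes. Returns 1 on success, 0 on any failure. */
int roundtrip_secret_via_fd(const char *secret, size_t len)
{
    int to_child[2], from_child[2];
    signal(SIGPIPE, SIG_IGN);  /* a dying child must not kill the parent */
    if (pipe(to_child) < 0 || pipe(from_child) < 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        /* Child: keep only the read end of to_child and the write end of
         * from_child. A real swtpm would be exec'd here with to_child[0]. */
        close(to_child[1]);
        close(from_child[0]);
        size_t got = 0;
        char *data = read_to_eof(to_child[0], &got);
        int rc = data ? write_all(from_child[1], data, got) : -1;
        if (data) { memset(data, 0, got); free(data); }  /* scrub the secret */
        _exit(rc == 0 ? 0 : 1);
    }
    /* Parent: non-blocking write end, then EOF marks the end of the secret. */
    close(to_child[0]);
    close(from_child[1]);
    int ok = 0, flags = fcntl(to_child[1], F_GETFL);
    if (flags >= 0 && fcntl(to_child[1], F_SETFL, flags | O_NONBLOCK) == 0 &&
        write_all(to_child[1], secret, len) == 0)
        ok = 1;
    close(to_child[1]);
    size_t got = 0;
    char *echo = read_to_eof(from_child[0], &got);
    close(from_child[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    ok = ok && echo && WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
         got == len && memcmp(echo, secret, len) == 0;
    free(echo);
    return ok;
}

/* Constructed input: a deterministic passphrase of `len` bytes. Lengths above
 * the pipe capacity (64 KiB on Linux) exercise the partial-write path. */
int demo_roundtrip(size_t len)
{
    char *buf = malloc(len ? len : 1);
    if (!buf)
        return 0;
    for (size_t i = 0; i < len; i++)
        buf[i] = (char)('A' + (i % 26));
    int ok = roundtrip_secret_via_fd(buf, len);
    free(buf);
    return ok;
}

int main(void)
{
    printf("32 bytes:     %s\n", demo_roundtrip(32) ? "ok" : "FAIL");
    printf("200000 bytes: %s\n", demo_roundtrip(200000) ? "ok" : "FAIL");
    return 0;
}
```

The 200000-byte case is the one the v5 changelog entry is about: with the write end non-blocking and no size limit, the parent fills the pipe, sleeps in poll() until the child drains it, and continues, instead of either blocking indefinitely or truncating the passphrase. In a real launcher the child would exec swtpm with the pipe's read end kept open across exec and every other descriptor closed, so the secret is readable only by that process.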