In case of an incoming migration we do not need to run swtpm_setup with all the parameters but only want to get the benefit of it creating a TPM state file for us that we can then label with an SELinux label. The actual state will be overwritten by the in- coming state. So we have to pass an indicator for incomingMigration all the way to the command line parameter generation for swtpm_setup.
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
 src/qemu/qemu_extdevice.c | 5 ++--
 src/qemu/qemu_extdevice.h | 3 ++-
 src/qemu/qemu_process.c | 2 +-
 src/qemu/qemu_tpm.c | 49 +++++++++++++++++++++++++--------------
 src/qemu/qemu_tpm.h | 3 ++-
 5 files changed, 40 insertions(+), 22 deletions(-)
diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c
index e576bca165..af52466421 100644
--- a/src/qemu/qemu_extdevice.c
+++ b/src/qemu/qemu_extdevice.c
@@ -128,7 +128,8 @@ qemuExtDevicesCleanupHost(virQEMUDriverPtr driver,
 int
 qemuExtDevicesStart(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
 {
 int ret = 0;
@@ -136,7 +137,7 @@ qemuExtDevicesStart(virQEMUDriverPtr driver,
 return -1;
 if (vm->def->tpm)
- ret = qemuExtTPMStart(driver, vm, logCtxt);
+ ret = qemuExtTPMStart(driver, vm, logCtxt, incomingMigration);
 return ret;
 }
diff --git a/src/qemu/qemu_extdevice.h b/src/qemu/qemu_extdevice.h
index bbdb9a1cc2..5a53c79f38 100644
--- a/src/qemu/qemu_extdevice.h
+++ b/src/qemu/qemu_extdevice.h
@@ -40,7 +40,8 @@ void qemuExtDevicesCleanupHost(virQEMUDriverPtr driver,
 int qemuExtDevicesStart(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
 ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
 ATTRIBUTE_RETURN_CHECK;
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 75205bc121..fae18824ba 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6774,7 +6774,7 @@ qemuProcessLaunch(virConnectPtr conn,
 if (qemuProcessGenID(vm, flags) < 0)
 goto cleanup;
- if (qemuExtDevicesStart(driver, vm, logCtxt) < 0)
+ if (qemuExtDevicesStart(driver, vm, logCtxt, incoming != NULL) < 0)
 goto cleanup;
 VIR_DEBUG("Building emulator command line");
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 77ef601f74..4174aa4c62 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -453,6 +453,7 @@ qemuTPMSetupEncryption(const unsigned char *secretuuid,
 * for the user given by userid or 'tss'
 * @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
 * @encryption: pointer to virStorageEncryption holding secret
+ * @incomingMigration: whether we have an incoming migration
 *
 * Setup the external swtpm by creating endorsement key and
 * certificates for it.
@@ -466,7 +467,8 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
 gid_t swtpm_group,
 const char *logfile,
 const virDomainTPMVersion tpmversion,
- const unsigned char *secretuuid)
+ const unsigned char *secretuuid,
+ bool incomingMigration)
 {
 virCommandPtr cmd = NULL;
 int exitstatus;
@@ -525,16 +527,23 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
 pwdfile_fd = -1;
 }
- virCommandAddArgList(cmd,
- "--tpm-state", storagepath,
- "--vmid", vmid,
- "--logfile", logfile,
- "--createek",
- "--create-ek-cert",
- "--create-platform-cert",
- "--lock-nvram",
- "--not-overwrite",
- NULL);
+ if (!incomingMigration) {
+ virCommandAddArgList(cmd,
+ "--tpm-state", storagepath,
+ "--vmid", vmid,
+ "--logfile", logfile,
+ "--createek",
+ "--create-ek-cert",
+ "--create-platform-cert",
+ "--lock-nvram",
+ "--not-overwrite",
+ NULL);
+ } else {
+ virCommandAddArgList(cmd,
+ "--tpm-state", storagepath,
+ "--overwrite",
+ NULL);
+ }
 virCommandClearCaps(cmd);
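Review bot: The added `@incomingMigration: whether we have an incoming migration` line in the qemuTPMEmulatorRunSetup comment only restates the parameter name and says nothing about what the flag changes, which in this function is significant: the hunk further down drops `--createek`, `--create-ek-cert`, `--create-platform-cert`, `--lock-nvram` and `--not-overwrite` and passes `--overwrite` instead. Suggest `* @incomingMigration: true when the TPM state will arrive via migration; swtpm_setup then only creates a state file for labelling (--overwrite) and generates no EK or certificates`. The same one-line description would also fit the identical parameter lines added to the qemuTPMEmulatorBuildCommand and qemuExtTPMStartEmulator comments. The body of qemuTPMEmulatorRunSetup continues outside this hunk.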
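Review bot: The new else branch runs swtpm_setup with `--overwrite` but without `--logfile`, so a failure of that run during an incoming migration is not recorded in the per-domain swtpm log the other branch writes, and the `logfile` argument this function still receives goes unused on that path. The two calls could share a prefix instead of duplicating `--tpm-state`: add `"--tpm-state", storagepath, "--logfile", logfile,` in one virCommandAddArgList before the `if`, leaving the else branch as `virCommandAddArgList(cmd, "--overwrite", NULL);` (and `--vmid` could move there too if swtpm_setup accepts it without the create options). Note also that `--overwrite` discards whatever already exists at storagepath; that is only safe if the caller runs setup solely for freshly created storage (the `created` flag declared in qemuTPMEmulatorBuildCommand suggests it does, but the guard is outside these hunks), otherwise an aborted migration would leave the destination with clobbered TPM state and no way to fall back.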
@@ -568,6 +577,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
 * @swtpmStateDir: the directory where swtpm writes the pid file and creates the
 * Unix socket
 * @shortName: the short name of the VM
+ * @incomingMigration: whether we have an incoming migration
 *
 * Create the virCommand use for starting the emulator
 * Do some initializations on the way, such as creation of storage
@@ -581,7 +591,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
 uid_t swtpm_user,
 gid_t swtpm_group,
 const char *swtpmStateDir,
- const char *shortName)
+ const char *shortName,
+ bool incomingMigration)
 {
 virCommandPtr cmd = NULL;
 bool created = false;
@@ -605,7 +616,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
 qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
 privileged, swtpm_user, swtpm_group,
 tpm->data.emulator.logfile, tpm->version,
- secretuuid) < 0)
+ secretuuid, incomingMigration) < 0)
 goto error;
 unlink(tpm->data.emulator.source.data.nix.path);
@@ -814,6 +825,7 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
 * @driver: QEMU driver
 * @vm: the domain object
 * @logCtxt: log context
+ * @incomingMigration: whether we have an incoming migration
 *
 * Start the external TPM Emulator:
 * - have the command line built
@@ -822,7 +834,8 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
 static int
 qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
 {
 int ret = -1;
 virCommandPtr cmd = NULL;
@@ -846,7 +859,8 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
 driver->privileged,
 cfg->swtpm_user,
 cfg->swtpm_group,
- cfg->swtpmStateDir, shortName)))
+ cfg->swtpmStateDir, shortName,
+ incomingMigration)))
 goto cleanup;
 if (qemuExtDeviceLogCommand(logCtxt, cmd, "TPM Emulator") < 0)
@@ -903,14 +917,15 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
 int
 qemuExtTPMStart(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
 {
 int ret = 0;
 virDomainTPMDefPtr tpm = vm->def->tpm;
 switch (tpm->type) {
 case VIR_DOMAIN_TPM_TYPE_EMULATOR:
- ret = qemuExtTPMStartEmulator(driver, vm, logCtxt);
+ ret = qemuExtTPMStartEmulator(driver, vm, logCtxt, incomingMigration);
 break;
 case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
 case VIR_DOMAIN_TPM_TYPE_LAST:
diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h
index 74c9924d68..5f454d3580 100644
--- a/src/qemu/qemu_tpm.h
+++ b/src/qemu/qemu_tpm.h
@@ -37,7 +37,8 @@ void qemuExtTPMCleanupHost(virDomainDefPtr def)
 int qemuExtTPMStart(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- qemuDomainLogContextPtr logCtxt)
+ qemuDomainLogContextPtr logCtxt,
+ bool incomingMigration)
 ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
 ATTRIBUTE_RETURN_CHECK;
--
2.21.0
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list