libvirt expects the swtpm(8) daemon to auto-terminate along with QEMU.
While that's already the case, it's currently happening for the wrong
reason: swtpm's documented way of achieving this behavior is via the
--terminate switch (which causes the daemon to shut down when the
data channel connection drops), but libvirt isn't currently using
this switch--and it should.
The reason this currently works anyway, even without the --terminate
switch, is two-fold:
(1) When QEMU terminates gracefully, it sends command CMD_SHUTDOWN to
swtpm which triggers a shutdown. Nothing wrong with this one.
(2) When QEMU dies abruptly (e.g. SIGKILL, SIGSEGV) without issuing
CMD_SHUTDOWN, swtpm should (a) shut down if the --terminate switch
was given OR (b) stay alive if --terminate wasn't given. At the
moment this isn't being respected, and swtpm unconditionally shuts
down (regardless of whether --terminate was given or not) due to a
bug in swtpm's connection handling logic [1]. libvirt currently
relies on this incorrect and undocumented upstream behavior,
trusting swtpm to shut itself down even when --terminate wasn't
given, which is wrong and bound to break.
The discussion [1] between swtpm's author and I shows that --terminate
(a) is the proper way to achieve--and guarantee--the current behavior,
(b) is innocuous to add since it won't alter existing behavior, (c)
should've been used by libvirt all along, and (d) should be enforced
by swtpm going forward.
Since libvirt presently relies on swtpm's current (incorrect) behavior
and we don't want to break libvirt, we need libvirt to start invoking
swtpm with the --terminate switch ASAP so that the upstream bug can
be fixed as soon as it's safe. Fixing the bug is the first step toward
eventually enabling non-libvirt swtpm users to optionally run swtpm as
a persistent service, allowing a VM to connect to and disconnect from
it without the daemon dying.
Proxmox VE, to which I also contribute, is already using --terminate
in its (WIP) swtpm implementation.
[1] https://github.com/stefanberger/swtpm/pull/509 -- Note that this
already-merged PR addresses only one half of the bug; the other
half (which will actually effect the change) remains on hold until
libvirt implements --terminate.
Nick Chevsky (1):
qemu_tpm: Start swtpm(8) daemon with --terminate switch
src/qemu/qemu_tpm.c | 2 ++
1 file changed, 2 insertions(+)
--
2.30.2
