When 'swtpm_setup --print-capabilities' shows the 'tpm12-not-need-root' flag, then it is possible to create certificates for the TPM 1.2 also in non-privileged mode since swtpm_setup doesn't need tcsd anymore. Check for this flag and create the certificates if this flag is found.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
 src/qemu/qemu_tpm.c | 5 ++++-
 src/util/virtpm.c   | 1 +
 src/util/virtpm.h   | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index e1b08a66c5..91e21ae646 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -463,11 +463,14 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
     if (!swtpm_setup)
         return -1;
 
-    if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2)
+    if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2 &&
+        !virTPMSwtpmSetupCapsGet(
+            VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) {
         return virFileWriteStr(logfile,
                                _("Did not create EK and certificates since "
                                  "this requires privileged mode for a "
                                  "TPM 1.2\n"), 0600);
+    }
 
     if (!privileged && qemuTPMCreateConfigFiles(swtpm_setup) < 0)
         return -1;
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index 0f50de866c..40d9272e66 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -46,6 +46,7 @@ VIR_ENUM_IMPL(virTPMSwtpmSetupFeature,
               VIR_TPM_SWTPM_SETUP_FEATURE_LAST,
               "cmdarg-pwdfile-fd",
               "cmdarg-create-config-files",
+              "tpm12-not-need-root",
 );
 
 /**
diff --git a/src/util/virtpm.h b/src/util/virtpm.h
index 3bb03b3b33..b75eb84f31 100644
--- a/src/util/virtpm.h
+++ b/src/util/virtpm.h
@@ -39,6 +39,7 @@ typedef enum {
 typedef enum {
     VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD,
     VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES,
+    VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT,
     VIR_TPM_SWTPM_SETUP_FEATURE_LAST
 } virTPMSwtpmSetupFeature;
 
-- 
2.31.1
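Review bot: The extended condition in qemuTPMEmulatorRunSetup carries no comment saying why the capability matters, so a reader must go back to the commit message to learn that a swtpm_setup without `tpm12-not-need-root` still depends on tcsd and therefore on privileged mode; a one-line comment above the `if`, e.g. `/* older swtpm_setup needs tcsd for TPM 1.2 EK/cert creation, which only works privileged */`, keeps that rationale next to the check. The unchanged log text still states that a TPM 1.2 always requires privileged mode, which after this change is only true for an swtpm_setup lacking the flag; rewording it to say that this swtpm_setup requires privileged mode would avoid misleading the operator reading the log. If `virTPMSwtpmSetupCapsGet` also returns false when the capability probe itself failed (not visible in the hunk), that probe failure is silently folded into the old "did not create certificates" path; worth confirming that this is the intended fallback. qemuTPMEmulatorRunSetup begins and ends outside the hunk.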
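Review bot: The new enumerator in virtpm.h has no comment describing the capability it stands for, while the commit message is the only place that explains it; a trailing comment such as `VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT, /* TPM 1.2 EK/cert creation works without root (no tcsd) */` would make the header self-explanatory. The string table in src/util/virtpm.c is extended at the matching position before the `_LAST` entry, so the enum-to-string index mapping stays consistent.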