On Mon, Jul 18, 2022 at 11:30:43 +0200, Michal Privoznik wrote:
> When "default" model of a TPM was provided, our parses accepts it
> happily even though the value is forbidden by our RNG and not
> documented as accepted value. This is because of < 0 vs <= 0
> comparison of virDomainTPMModelTypeFromString() retval.
>
> Make the parser error out explicitly in this case. Users can
> always chose to not specify the attribute in which case we pick a
> sane default (in qemuDomainTPMDefPostParse()).
>
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
> src/conf/domain_conf.c | 2 +-
> src/conf/domain_conf.h | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 4c7a5a044c..b7147945da 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -10360,7 +10360,7 @@ virDomainTPMDefParseXML(virDomainXMLOption *xmlopt,
>
> model = virXMLPropString(node, "model");
> if (model != NULL &&
> - (def->model = virDomainTPMModelTypeFromString(model)) < 0) {
> + (def->model = virDomainTPMModelTypeFromString(model)) <= 0) {
> virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
> _("Unknown TPM frontend model '%s'"), model);
> goto error;
'virDomainTPMDefFormat' happily formats 'default' as supported type:
virBufferAsprintf(&attrBuf, " model='%s'",
virDomainTPMModelTypeToString(def->model));
Is there any other code path which would forbid 'default'? If no, then
we might run into a situation where libvirt's parser would reject
parsing a XML formatted by libvirt itself, which is not acceptable.
In such case we'd need to leave the parser as-is and add just validation
where 'defau't will be forbidden, which is acceptable.
