On 10/5/22 16:01, Stefan Berger wrote: > This series of patches adds support for migrating vTPMs across hosts whose > storage has been set up to share the directory structure holding the state > of the TPM (swtpm). A new migration flag VIR_MIGRATE_TPM_SHARED_STORAGE is > added to enable this. This flag influences the management of the directory > structure holding the TPM state, which for example is only removed when a > domain is undefined and not when a VM is removed on the migration source > host. Further, when shared storage is used then security labeling on the > destination side is skipped assuming that the labeling was already done on > the source side. > > I have tested this with an NFS setup where I had to turn SELinux off on > the hosts since the SELinux MLS range labeling is not supported by NFS. > > Shared storage migration requires (upcoming) swtpm v0.8. > > Stefan > > Stefan Berger (9): > util: Add parsing support for swtpm's cmdarg-migration capability > qemu: Introduced VIR_MIGRATE_TPM_SHARED_STORAGE for TPM migration > qemu: tpm: Conditionally create storage on incoming migration > qemu: tpm: Pass --migration option to swtpm if supported > qemu: tpm: Avoid security labels on incoming migration with shared > storage > qemu: tpm: Require UNDEFINE_TPM to be set to remove TPM state > qemu: tpm: Determine whether to remove TPM state during migration > qemu: tpm: Enable migration with VIR_MIGRATE_TPM_SHARED_STORAGE > virsh: Add support for --tpm-shared-storage flag for migration > > docs/manpages/virsh.rst | 6 +++ > include/libvirt/libvirt-domain.h | 8 +++ > src/conf/domain_conf.h | 1 + > src/qemu/qemu_driver.c | 4 +- > src/qemu/qemu_extdevice.c | 5 +- > src/qemu/qemu_extdevice.h | 3 +- > src/qemu/qemu_migration.c | 23 +++++++-- > src/qemu/qemu_migration.h | 1 + > src/qemu/qemu_process.c | 10 ++-- > src/qemu/qemu_process.h | 6 ++- > src/qemu/qemu_saveimage.c | 2 +- > src/qemu/qemu_snapshot.c | 4 +- > src/qemu/qemu_tpm.c | 87 ++++++++++++++++++++++++++++---- > src/qemu/qemu_tpm.h | 24 ++++++++- > src/util/virtpm.c | 1 + > src/util/virtpm.h | 1 + > tools/virsh-domain.c | 7 +++ > 17 files changed, 164 insertions(+), 29 deletions(-) > Overall, I like this. I've raised couple of points in my review. I've made suggested changes as 'fixup' commits and pushed everything on my gitlab: https://gitlab.com/MichalPrivoznik/libvirt/-/commits/tpm_migration_v2 (except for private data for TPM which I'm suggesting somewhere in review). Feel free to take them an squash them in. Or just parts of it. I mean, I wasn't sure where exactly I should stop passing 'flags' and set 'sharedStorage' bool argument. Maybe I was too aggressive and flags can be passed all the way down. Michal
