Runs swtpm_setup with the --profile option if the user provided a profile and swtpm_setup supports the option. Also use the --profile-remove-disabled option if the user provided a value in the remove_disabled attribute in the profile XML node.
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
 src/qemu/qemu_tpm.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 2f17918cbb..ec0e456163 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -355,6 +355,8 @@ qemuTPMVirCommandAddEncryption(virCommand *cmd,
  * @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
  * @encryption: pointer to virStorageEncryption holding secret
  * @incomingMigration: whether we have an incoming migration
+ * @profile: optional TPM 2 profile
+ * @profile_remove_disabled: value for remove_disabled option parameter
  *
  * Setup the external swtpm by creating endorsement key and
  * certificates for it.
@@ -369,7 +371,9 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
                         const char *logfile,
                         const virDomainTPMVersion tpmversion,
                         const unsigned char *secretuuid,
-                        bool incomingMigration)
+                        bool incomingMigration,
+                        const char *profile,
+                        const char *profile_remove_disabled)
 {
     g_autoptr(virCommand) cmd = NULL;
     int exitstatus;
@@ -422,6 +426,22 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
                              "--lock-nvram",
                              "--not-overwrite",
                              NULL);
+        if (profile) {
+            if (!virTPMSwtpmSetupCapsGet(
+                    VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PROFILE)) {
+                virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
+                               _("swtpm_setup has no support for profiles"));
+                return -1;
+            }
+            virCommandAddArgList(cmd,
+                                 "--profile", profile,
+                                 NULL);
+            if (profile_remove_disabled)
+                virCommandAddArgList(cmd,
+                                     "--profile-remove-disable",
+                                     profile_remove_disabled,
+                                     NULL);
+        }
     } else {
         virCommandAddArgList(cmd,
                              "--tpm-state", storagepath,
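Review bot: The new `@profile_remove_disabled` doc line says what the value is but not that it is optional and only honoured together with @profile; in the function body the corresponding swtpm_setup argument is appended only inside `if (profile)`, so a caller passing it alone gets nothing and no error. Suggest ` * @profile_remove_disabled: optional value for swtpm_setup's --profile-remove-disabled; ignored unless @profile is set` and, for symmetry, ` * @profile: optional TPM 2 profile handed to swtpm_setup --profile (NULL = none)`. The doc comment this hunk edits begins before the first context line, outside the hunk.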
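Review bot: The option literal `"--profile-remove-disable"` in the second virCommandAddArgList does not match the option named in the commit message, `--profile-remove-disabled`; if swtpm_setup only recognises the longer spelling, every domain start with remove_disabled set will fail with an unknown-option error from swtpm_setup instead of applying the policy. Change the literal to `"--profile-remove-disabled",`. Note also that the feature probe gates only on VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PROFILE; if a swtpm_setup build could accept --profile without --profile-remove-disabled, the second argument would presumably need its own capability check rather than riding on the first. The if/else whose first branch this code is appended to, and qemuTPMEmulatorRunSetup itself, begin and end outside the hunk.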
@@ -584,7 +604,9 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
                                 privileged, swtpm_user, swtpm_group,
                                 tpm->data.emulator.logfile,
                                 tpm->data.emulator.version,
-                                secretuuid, incomingMigration) < 0)
+                                secretuuid, incomingMigration,
+                                tpm->data.emulator.profile,
+                                tpm->data.emulator.profile_remove_disabled) < 0)
         goto error;
 
     if (!incomingMigration &&
-- 
2.46.0
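Review bot: A profile that the installed swtpm_setup cannot honour is only rejected here, inside qemuTPMEmulatorRunSetup as the command is built at domain start, so a domain carrying the new profile element defines successfully and then fails at launch with VIR_ERR_ARGUMENT_UNSUPPORTED. If the qemu driver's TPM device validation already consults swtpm_setup capabilities for other options, the VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PROFILE probe would be better duplicated there so the configuration is refused at define time, keeping this check as the start-time backstop. qemuTPMEmulatorBuildCommand begins and ends outside the hunk, so whether such validation exists cannot be confirmed from this diff.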