[PATCH v7 14/14] qemu: Handle locking of TPM state directory for incoming migration

Andrea Bolognani <abologna@xxxxxxxxxx> · Wed, 2 Oct 2024 17:41:47 +0200

By not attempting to lock the lock file, which would fail.

Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
 src/qemu/qemu_security.c | 10 ++++++----
 src/qemu/qemu_security.h |  6 ++++--
 src/qemu/qemu_tpm.c      | 21 ++++++++++++++++++---
 3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index 5e815ba2a0..6bb0f9170d 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -551,7 +551,8 @@ qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver,
 int
 qemuSecuritySetTPMLabels(virQEMUDriver *driver,
                          virDomainObj *vm,
-                         bool setTPMStateLabel)
+                         bool setTPMStateLabel,
+                         bool lockMetadataException)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
     g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
@@ -567,7 +568,7 @@ qemuSecuritySetTPMLabels(virQEMUDriver *driver,
 
     if (virSecurityManagerTransactionCommit(driver->securityManager,
                                             -1, priv->rememberOwner,
-                                            false) < 0)
+                                            lockMetadataException) < 0)
         goto cleanup;
 
     ret = 0;
@@ -580,7 +581,8 @@ qemuSecuritySetTPMLabels(virQEMUDriver *driver,
 int
 qemuSecurityRestoreTPMLabels(virQEMUDriver *driver,
                              virDomainObj *vm,
-                             bool restoreTPMStateLabel)
+                             bool restoreTPMStateLabel,
+                             bool lockMetadataException)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
     g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
@@ -596,7 +598,7 @@ qemuSecurityRestoreTPMLabels(virQEMUDriver *driver,
 
     if (virSecurityManagerTransactionCommit(driver->securityManager,
                                             -1, priv->rememberOwner,
-                                            false) < 0)
+                                            lockMetadataException) < 0)
         goto cleanup;
 
     ret = 0;
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index 32f29bc210..36663cffde 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -87,11 +87,13 @@ int qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver,
 
 int qemuSecuritySetTPMLabels(virQEMUDriver *driver,
                              virDomainObj *vm,
-                             bool setTPMStateLabel);
+                             bool setTPMStateLabel,
+                             bool lockMetadataException);
 
 int qemuSecurityRestoreTPMLabels(virQEMUDriver *driver,
                                  virDomainObj *vm,
-                                 bool restoreTPMStateLabel);
+                                 bool restoreTPMStateLabel,
+                                 bool lockMetadataException);
 
 int qemuSecuritySetSavedStateLabel(virQEMUDriver *driver,
                                    virDomainObj *vm,
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 55927b4582..fcfc97dbca 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -934,6 +934,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
     virTimeBackOffVar timebackoff;
     const unsigned long long timeout = 1000; /* ms */
     pid_t pid = -1;
+    bool lockMetadataException = false;
 
     cfg = virQEMUDriverGetConfig(driver);
 
@@ -959,7 +960,21 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
     virCommandSetPidFile(cmd, pidfile);
     virCommandSetErrorFD(cmd, &errfd);
 
-    if (qemuSecuritySetTPMLabels(driver, vm, true) < 0)
+    if (incomingMigration && qemuTPMHasSharedStorage(driver, vm->def)) {
+        /* If the TPM is being migrated over shared storage, we can't
+         * lock all files before labeling them: the source swtpm
+         * process is still holding on to the lock file, and it will
+         * only release it after negotiation with the target swtpm
+         * process, which we can't start until labeling has been
+         * performed.
+         *
+         * So we explicity request for the lock file not to be locked
+         * before labeling in this specific, narrow scenario in order
+         * to make migration possible at all */
+        lockMetadataException = true;
+    }
+
+    if (qemuSecuritySetTPMLabels(driver, vm, true, lockMetadataException) < 0)
         return -1;
 
     if (qemuSecurityCommandRun(driver, vm, cmd, cfg->swtpm_user,
@@ -1008,7 +1023,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
         virProcessKillPainfully(pid, true);
     if (pidfile)
         unlink(pidfile);
-    qemuSecurityRestoreTPMLabels(driver, vm, true);
+    qemuSecurityRestoreTPMLabels(driver, vm, true, lockMetadataException);
     return -1;
 }
 
@@ -1144,7 +1159,7 @@ qemuExtTPMStop(virQEMUDriver *driver,
     if (outgoingMigration && qemuTPMHasSharedStorage(driver, vm->def))
         restoreTPMStateLabel = false;
 
-    if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0)
+    if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel, true) < 0)
         VIR_WARN("Unable to restore labels on TPM state and/or log file");
 }
 
-- 
2.46.2







