[libvirt] [PATCH v7 00/12] Add support for TPM emulator
by Stefan Berger
This series of patches adds support for the TPM emulator backend that
is available in QEMU and based on swtpm + libtpms. It allows attaching a
TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
process, its Unix socket, and log file with the same label that the
QEMU process gets. Besides that, swtpm is added to the emulator cgroup to
restrict its CPU usage.
The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a
TPM 1.2. The device state is not removed during those changes but only
when the domain is undefined.
The swtpm needs persistent storage to store its state. For that I am
using the uuid of the VM as part of the path since the name of the VM
can be changed. Logfiles, PID files, and socket names are based on the
name of the VM, though.
Stefan
v6->v7:
- followed Jan Tomko's suggestion, with the resulting change to patch
10/12.
- re-added missing parts related to swtpm_setup and TPM that got lost
in v4
v5->v6:
- Addressed John Ferlan's comments
- rebased on latest tip
- Added patch 12.
v4->v5:
- Addressed John Ferlan's, Boris Fiuczynski's and Marc Hartmayer's comments
- rebased on latest tip
v3->v4:
- Addressed John Ferlan's comments
- Fixed bugs I found while testing
- rebased on latest tip
Stefan Berger (12):
conf: Add support for external swtpm TPM emulator to domain XML
qemu: Extend QEMU capabilities with 'tpm-emulator'
util: Implement virFileChownFiles()
security: Add DAC and SELinux security for tpm-emulator
qemu: Extend qemu_conf with tpm-emulator support
qemu: Extend QEMU with external TPM support
qemu: Add support for external swtpm TPM emulator
tests: Add test cases for external swtpm TPM emulator
security: Label the external swtpm with SELinux labels
conf: Add support for choosing emulation of a TPM 2
qemu: Add swtpm to emulator cgroup
news: Update news with new TPM emulator feature
docs/formatdomain.html.in | 43 +
docs/news.xml | 9 +
docs/schemas/domaincommon.rng | 17 +
libvirt.spec.in | 2 +
src/conf/domain_audit.c | 2 +
src/conf/domain_conf.c | 64 +-
src/conf/domain_conf.h | 15 +
src/libvirt_private.syms | 3 +
src/qemu/Makefile.inc.am | 10 +
src/qemu/libvirtd_qemu.aug | 5 +
src/qemu/qemu.conf | 8 +
src/qemu/qemu_capabilities.c | 5 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_cgroup.c | 36 +
src/qemu/qemu_cgroup.h | 2 +
src/qemu/qemu_command.c | 34 +-
src/qemu/qemu_conf.c | 43 +
src/qemu/qemu_conf.h | 6 +
src/qemu/qemu_domain.c | 3 +
src/qemu/qemu_extdevice.c | 180 ++++
src/qemu/qemu_extdevice.h | 59 ++
src/qemu/qemu_process.c | 16 +
src/qemu/qemu_security.c | 69 ++
src/qemu/qemu_security.h | 11 +
src/qemu/qemu_tpm.c | 922 +++++++++++++++++++++
src/qemu/qemu_tpm.h | 56 ++
src/qemu/test_libvirtd_qemu.aug.in | 2 +
src/security/security_dac.c | 7 +
src/security/security_driver.h | 7 +
src/security/security_manager.c | 36 +
src/security/security_manager.h | 6 +
src/security/security_selinux.c | 172 ++++
src/security/security_stack.c | 40 +
src/util/virfile.c | 55 ++
src/util/virfile.h | 3 +
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
.../tpm-emulator-tpm2.x86_64-latest.args | 33 +
tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 +
.../tpm-emulator.x86_64-latest.args | 33 +
tests/qemuxml2argvdata/tpm-emulator.xml | 30 +
tests/qemuxml2argvtest.c | 16 +-
tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 +
tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 +
tests/qemuxml2xmltest.c | 1 +
48 files changed, 2154 insertions(+), 11 deletions(-)
create mode 100644 src/qemu/qemu_extdevice.c
create mode 100644 src/qemu/qemu_extdevice.h
create mode 100644 src/qemu/qemu_tpm.c
create mode 100644 src/qemu/qemu_tpm.h
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml
create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml
--
2.14.3
6 years, 6 months
[libvirt] [PATCH] Fix indentation of virshAllocpagesPagesizeCompleter arguments.
by Roland Schulz
---
tools/virsh-completer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/virsh-completer.c b/tools/virsh-completer.c
index cbd5326d0..1df4d55af 100644
--- a/tools/virsh-completer.c
+++ b/tools/virsh-completer.c
@@ -568,8 +568,8 @@ virshSnapshotNameCompleter(vshControl *ctl,
char **
virshAllocpagesPagesizeCompleter(vshControl *ctl,
- const vshCmd *cmd ATTRIBUTE_UNUSED,
- unsigned int flags)
+ const vshCmd *cmd ATTRIBUTE_UNUSED,
+ unsigned int flags)
{
unsigned long long byteval = 0;
xmlXPathContextPtr ctxt = NULL;
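Review bot: the two removed and two added lines in this hunk differ only in leading whitespace, which the archive rendering has collapsed, so the intended alignment cannot be verified from the posted text; the commit message should state what the fix is (continuation arguments aligned with the opening parenthesis of `virshAllocpagesPagesizeCompleter(vshControl *ctl,`, as the other completers in this file do) so a reviewer can check it without applying the patch. A Signed-off-by line is also absent from this posting, unlike the author's companion patches.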
--
2.17.0
6 years, 6 months
[libvirt] [PATCH] Add virshAllocpagesPagesizeCompleter to opts_freepages.
by Roland Schulz
Signed-off-by: Roland Schulz <schullzroll(a)gmail.com>
---
For the time being virshAllocpagesPagesizeCompleter can be used with
other commands that use the --pagesize option.
tools/virsh-host.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/virsh-host.c b/tools/virsh-host.c
index dfe58de30..991c0f50a 100644
--- a/tools/virsh-host.c
+++ b/tools/virsh-host.c
@@ -280,6 +280,7 @@ static const vshCmdOptDef opts_freepages[] = {
},
{.name = "pagesize",
.type = VSH_OT_INT,
+ .completer = virshAllocpagesPagesizeCompleter,
.help = N_("page size (in kibibytes)")
},
{.name = "all",
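Review bot: the hunk adds `.completer = virshAllocpagesPagesizeCompleter,` to opts_freepages in tools/virsh-host.c but touches no include, so confirm that virsh-host.c already includes virsh-completer.h and that the completer is declared there; otherwise this will not compile. Since the function is now shared between the allocpages and freepages commands, as the note after `---` says, a name without the "Allocpages" prefix would describe it better, and that explanation belongs in the commit message proper (above the `---` line), where `git am` will keep it, rather than below it where it is discarded.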
--
2.17.0
6 years, 6 months
[libvirt] [PATCH v3 0/8] virsh completion for event, secret-event, pool-event and nodedev-event
by Lin Ma
v2 -> v3:
Most of the patches in the original v2 patchset were pushed; only 2 patches are left,
so this is a new patchset including those 2 patches and 6 new completion
patches about secret-event, pool-event and nodedev-event.
(Borrowed code & idea from Michal Privoznik for the design of these patches)
Lin Ma (8):
virsh-secret: Rename vshEventCallback to vshSecretEventCallback
virsh: Add event name completion to 'secret-event' command
virsh: Move vshEventCallback structure definition to virsh-domain.h
virsh: Add event name completion to 'event' command
virsh-pool: Rename vshEventCallback to vshPoolEventCallback
virsh: Add event name completion to 'pool-event' command
virsh-nodedev: Rename vshEventCallback to vshNodedevEventCallback
virsh: Add event name completion to 'nodedev-event' command
tools/virsh-completer.c | 119 ++++++++++++++++++++++++++++++++++++++++++++++++
tools/virsh-completer.h | 15 ++++++
tools/virsh-domain.c | 9 +---
tools/virsh-domain.h | 8 ++++
tools/virsh-nodedev.c | 19 +++-----
tools/virsh-nodedev.h | 8 ++++
tools/virsh-pool.c | 19 +++-----
tools/virsh-pool.h | 8 ++++
tools/virsh-secret.c | 18 +++-----
tools/virsh-secret.h | 8 ++++
10 files changed, 189 insertions(+), 42 deletions(-)
--
2.16.2
6 years, 6 months
[libvirt] [PATCH 00/12] Add support for TPM emulator
by Stefan Berger
This series of patches adds support for the TPM emulator backend that
is available in QEMU and based on swtpm + libtpms. It allows attaching a
TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
process, its Unix socket, and log file with the same label that the
QEMU process gets. Besides that, swtpm is added to the emulator cgroup to
restrict its CPU usage.
The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a
TPM 1.2. The device state is not removed during those changes but only
when the domain is undefined.
The swtpm needs persistent storage to store its state. For that I am
using the uuid of the VM as part of the path since the name of the VM
can be changed. Logfiles, PID files, and socket names are based on the
name of the VM, though.
Stefan
v5->v6:
- Addressed John Ferlan's comments
- rebased on latest tip
- Added patch 12.
v4->v5:
- Addressed John Ferlan's, Boris Fiuczynski's and Marc Hartmayer's comments
- rebased on latest tip
v3->v4:
- Addressed John Ferlan's comments
- Fixed bugs I found while testing
- rebased on latest tip
Stefan Berger (12):
conf: Add support for external swtpm TPM emulator to domain XML
qemu: Extend QEMU capabilities with 'tpm-emulator'
util: Implement virFileChownFiles()
security: Add DAC and SELinux security for tpm-emulator
qemu: Extend qemu_conf with tpm-emulator support
qemu: Extend QEMU with external TPM support
qemu: Add support for external swtpm TPM emulator
tests: Add test cases for external swtpm TPM emulator
security: Label the external swtpm with SELinux labels
conf: Add support for choosing emulation of a TPM 2
qemu: Add swtpm to emulator cgroup
news: Update news with new TPM emulator feature
docs/formatdomain.html.in | 43 +
docs/news.xml | 9 +
docs/schemas/domaincommon.rng | 17 +
libvirt.spec.in | 2 +
src/conf/domain_audit.c | 2 +
src/conf/domain_conf.c | 53 +-
src/conf/domain_conf.h | 12 +
src/libvirt_private.syms | 3 +
src/qemu/Makefile.inc.am | 10 +
src/qemu/libvirtd_qemu.aug | 5 +
src/qemu/qemu.conf | 8 +
src/qemu/qemu_capabilities.c | 5 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_cgroup.c | 36 +
src/qemu/qemu_cgroup.h | 2 +
src/qemu/qemu_command.c | 34 +-
src/qemu/qemu_conf.c | 43 +
src/qemu/qemu_conf.h | 6 +
src/qemu/qemu_domain.c | 3 +
src/qemu/qemu_extdevice.c | 180 ++++
src/qemu/qemu_extdevice.h | 59 ++
src/qemu/qemu_process.c | 16 +
src/qemu/qemu_security.c | 69 ++
src/qemu/qemu_security.h | 11 +
src/qemu/qemu_tpm.c | 946 +++++++++++++++++++++
src/qemu/qemu_tpm.h | 56 ++
src/qemu/test_libvirtd_qemu.aug.in | 2 +
src/security/security_dac.c | 7 +
src/security/security_driver.h | 7 +
src/security/security_manager.c | 36 +
src/security/security_manager.h | 6 +
src/security/security_selinux.c | 172 ++++
src/security/security_stack.c | 40 +
src/util/virfile.c | 55 ++
src/util/virfile.h | 3 +
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
.../tpm-emulator-tpm2.x86_64-latest.args | 33 +
tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 +
.../tpm-emulator.x86_64-latest.args | 33 +
tests/qemuxml2argvdata/tpm-emulator.xml | 30 +
tests/qemuxml2argvtest.c | 16 +-
tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 +
tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 +
tests/qemuxml2xmltest.c | 1 +
48 files changed, 2165 insertions(+), 10 deletions(-)
create mode 100644 src/qemu/qemu_extdevice.c
create mode 100644 src/qemu/qemu_extdevice.h
create mode 100644 src/qemu/qemu_tpm.c
create mode 100644 src/qemu/qemu_tpm.h
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml
create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml
--
2.14.3
6 years, 6 months
[libvirt] [REPOSTv3 PATCHv3 0/6] Add support for VM Generation ID (vmgenid)
by John Ferlan
This is the 3rd reposting because of qemu capabilities conflicts;
maybe the 3rd time will be the charm.
Previous, e.g. REPOSTv2 posting:
https://www.redhat.com/archives/libvir-list/2018-May/msg01332.html
Cover from the PATCHv3 posting:
v2: https://www.redhat.com/archives/libvir-list/2018-April/msg02234.html
Changes since v2:
* Essentially handle comments from code review of original series from
comments received for patch 6:
https://www.redhat.com/archives/libvir-list/2018-April/msg02240.html
It's a somewhat simplified approach removing the ABI checks and the
adjustment to the genid value as part of domain def copy.
* (NEW) Patch 5 - add a 'genid' domain capability (similar to how Cole
added support for vmcoreinfo). Since the apps need a way to determine
whether this is enabled, this seems to be the best way.
John Ferlan (6):
conf: Add VM Generation ID parse/format support
qemu: Add VM Generation ID device capability
qemu: Alter VM Generation ID for specific startup/launch transitions
qemu: Add VM Generation ID to qemu command line
domcaps: Add 'genid' to domain capabilities
docs: Add news article for VM Generation ID
docs/formatdomain.html.in | 27 +++++++++++
docs/formatdomaincaps.html.in | 7 ++-
docs/news.xml | 13 ++++++
docs/schemas/domaincaps.rng | 7 +++
docs/schemas/domaincommon.rng | 8 ++++
src/conf/domain_capabilities.c | 3 ++
src/conf/domain_capabilities.h | 1 +
src/conf/domain_conf.c | 54 ++++++++++++++++++++++
src/conf/domain_conf.h | 5 ++
src/qemu/qemu_capabilities.c | 4 ++
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 24 ++++++++++
src/qemu/qemu_driver.c | 17 +++++--
src/qemu/qemu_process.c | 46 +++++++++++++++++-
src/qemu/qemu_process.h | 1 +
tests/domaincapsschemadata/basic.xml | 1 +
tests/domaincapsschemadata/bhyve_basic.x86_64.xml | 1 +
tests/domaincapsschemadata/bhyve_fbuf.x86_64.xml | 1 +
tests/domaincapsschemadata/bhyve_uefi.x86_64.xml | 1 +
tests/domaincapsschemadata/full.xml | 1 +
tests/domaincapsschemadata/libxl-xenfv-usb.xml | 1 +
tests/domaincapsschemadata/libxl-xenfv.xml | 1 +
tests/domaincapsschemadata/libxl-xenpv-usb.xml | 1 +
tests/domaincapsschemadata/libxl-xenpv.xml | 1 +
tests/domaincapsschemadata/qemu_1.7.0.x86_64.xml | 1 +
.../qemu_2.12.0-virt.aarch64.xml | 1 +
tests/domaincapsschemadata/qemu_2.12.0.ppc64.xml | 1 +
tests/domaincapsschemadata/qemu_2.12.0.s390x.xml | 1 +
tests/domaincapsschemadata/qemu_2.12.0.x86_64.xml | 1 +
.../qemu_2.6.0-virt.aarch64.xml | 1 +
tests/domaincapsschemadata/qemu_2.6.0.aarch64.xml | 1 +
tests/domaincapsschemadata/qemu_2.6.0.ppc64.xml | 1 +
tests/domaincapsschemadata/qemu_2.6.0.x86_64.xml | 1 +
tests/domaincapsschemadata/qemu_2.7.0.s390x.xml | 1 +
.../domaincapsschemadata/qemu_2.8.0-tcg.x86_64.xml | 1 +
tests/domaincapsschemadata/qemu_2.8.0.s390x.xml | 1 +
tests/domaincapsschemadata/qemu_2.8.0.x86_64.xml | 1 +
.../domaincapsschemadata/qemu_2.9.0-q35.x86_64.xml | 1 +
.../domaincapsschemadata/qemu_2.9.0-tcg.x86_64.xml | 1 +
tests/domaincapsschemadata/qemu_2.9.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 +
.../qemuxml2argvdata/genid-auto.x86_64-latest.args | 30 ++++++++++++
tests/qemuxml2argvdata/genid-auto.xml | 32 +++++++++++++
tests/qemuxml2argvdata/genid.x86_64-latest.args | 30 ++++++++++++
tests/qemuxml2argvdata/genid.xml | 32 +++++++++++++
tests/qemuxml2argvtest.c | 4 ++
tests/qemuxml2xmloutdata/genid-active.xml | 32 +++++++++++++
tests/qemuxml2xmloutdata/genid-auto-active.xml | 32 +++++++++++++
tests/qemuxml2xmloutdata/genid-auto-inactive.xml | 32 +++++++++++++
tests/qemuxml2xmloutdata/genid-inactive.xml | 32 +++++++++++++
tests/qemuxml2xmltest.c | 5 +-
53 files changed, 500 insertions(+), 7 deletions(-)
create mode 100644 tests/qemuxml2argvdata/genid-auto.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/genid-auto.xml
create mode 100644 tests/qemuxml2argvdata/genid.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/genid.xml
create mode 100644 tests/qemuxml2xmloutdata/genid-active.xml
create mode 100644 tests/qemuxml2xmloutdata/genid-auto-active.xml
create mode 100644 tests/qemuxml2xmloutdata/genid-auto-inactive.xml
create mode 100644 tests/qemuxml2xmloutdata/genid-inactive.xml
--
2.14.3
6 years, 6 months
[libvirt] [PATCH] news: Add TLS non-shared storage migration
by Peter Krempa
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
docs/news.xml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/docs/news.xml b/docs/news.xml
index 8f2c7d5dff..329b1c7129 100644
--- a/docs/news.xml
+++ b/docs/news.xml
@@ -54,6 +54,16 @@
a QEMU virtual machine.
</description>
</change>
+ <change>
+ <summary>
+ Add support for migration of QEMU VMs with non-shared storage over TLS
+ </summary>
+ <description>
+ It's now possible to use the VIR_MIGRATE_TLS flag together with
+ VIR_MIGRATE_NON_SHARED_DISK. The connection is then secured using the
+ TLS environment which is setup for the migration connection.
+ </description>
+ </change>
</section>
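Review bot: in the added `<description>`, the line `TLS environment which is setup for the migration connection.` uses "setup" as a verb; it should read "which is set up for the migration connection". The summary and description otherwise match the pairing of VIR_MIGRATE_TLS with VIR_MIGRATE_NON_SHARED_DISK that the news entry announces.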
<section title="Improvements">
<change>
--
2.16.2
6 years, 6 months
[libvirt] [PATCH v2] Edit test capabilities to contain different cell pagesizes.
by Roland Schulz
Signed-off-by: Roland Schulz <schullzroll(a)gmail.com>
---
src/test/test_driver.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/test/test_driver.c b/src/test/test_driver.c
index 467587b19..3fe0c2831 100644
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
@@ -322,30 +322,34 @@ testBuildCapabilities(virConnectPtr conn)
if (virCapabilitiesAddHostFeature(caps, "nonpae") < 0)
goto error;
- if (VIR_ALLOC_N(caps->host.pagesSize, 2) < 0)
+ if (VIR_ALLOC_N(caps->host.pagesSize, 4) < 0)
goto error;
caps->host.pagesSize[caps->host.nPagesSize++] = 4;
+ caps->host.pagesSize[caps->host.nPagesSize++] = 8;
caps->host.pagesSize[caps->host.nPagesSize++] = 2048;
+ caps->host.pagesSize[caps->host.nPagesSize++] = 1024 * 1024;
for (i = 0; i < privconn->numCells; i++) {
virCapsHostNUMACellCPUPtr cpu_cells;
virCapsHostNUMACellPageInfoPtr pages;
- size_t nPages;
+ size_t nPages = caps->host.nPagesSize - 1;
if (VIR_ALLOC_N(cpu_cells, privconn->cells[i].numCpus) < 0 ||
- VIR_ALLOC_N(pages, caps->host.nPagesSize) < 0) {
+ VIR_ALLOC_N(pages, caps->host.nPagesSize - 1) < 0) {
VIR_FREE(cpu_cells);
goto error;
}
-
- nPages = caps->host.nPagesSize;
+ if (i == 1)
+ pages[0].size = caps->host.pagesSize[0];
+ else
+ pages[0].size = caps->host.pagesSize[1];
memcpy(cpu_cells, privconn->cells[i].cpus,
sizeof(*cpu_cells) * privconn->cells[i].numCpus);
- for (j = 0; j < nPages; j++)
- pages[j].size = caps->host.pagesSize[j];
+ for (j = 1; j < nPages; j++)
+ pages[j].size = caps->host.pagesSize[j+1];
pages[0].avail = privconn->cells[i].mem / pages[0].size;
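Review bot: `VIR_ALLOC_N(pages, caps->host.nPagesSize - 1)` repeats the expression that the hunk has just stored in `nPages`; allocating with `nPages` keeps the two from drifting apart if the page-size table changes again. The `if (i == 1)` branch that gives cell 1 the 4 KiB page (`pages[0].size = caps->host.pagesSize[0]`) while every other cell gets 8 KiB is a magic number with no explanation; a short comment stating that the cells deliberately advertise different small page sizes so that per-cell completion and freepages output can be tested would help readers of the test driver. Also note that the loop `for (j = 1; j < nPages; j++)` now reads `caps->host.pagesSize[j+1]`, so the per-cell table holds three of the four host sizes; a comment mapping which host entry is skipped in each cell would make that relationship explicit.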
--
2.17.0
6 years, 6 months
[libvirt] [PATCH 0/8] qemu: Kill text/HMP monitor code
by Peter Krempa
Most of the code is now dead as we support qemu 1.5 and upwards. Remove
the unused bits.
Peter Krempa (8):
qemu: monitor: Drop fallback to text monitor for 'inject-nmi' command
qemu: monitor: Drop fallback to text monitor for 'send-key' command
qemu: monitor: Remove unused qemuMonitor(Add|Remove)HostNetwork
qemu: monitor: Drop QEMU_CHECK_MONITOR_JSON... macros
qemu: monitor: Drop JSON versions of savevm/delvm/loadv
tests: Drop qemumonitortest
qemu: monitor: Drop calls to text monitor impl where possible
qemu: monitor: Remove dead code from text monitor
src/qemu/qemu_monitor.c | 519 +++-------
src/qemu/qemu_monitor.h | 12 -
src/qemu/qemu_monitor_json.c | 41 +-
src/qemu/qemu_monitor_json.h | 4 -
src/qemu/qemu_monitor_text.c | 2166 ------------------------------------------
src/qemu/qemu_monitor_text.h | 150 ---
tests/Makefile.am | 11 +-
tests/qemumonitortest.c | 203 ----
8 files changed, 144 insertions(+), 2962 deletions(-)
delete mode 100644 tests/qemumonitortest.c
--
2.16.2
6 years, 6 months