[libvirt] [PATCH v8 00/18] Add support for TPM emulator (for 4.5)
by Stefan Berger
This series of patches adds support for the TPM emulator backend that
is available in QEMU and based on swtpm + libtpms. It allows attaching a
TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
process, its Unix socket, and log file with the same label that the
QEMU process gets. Besides that, swtpm is added to the emulator cgroup to
restrict its CPU usage.
The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a
TPM 1.2. The device state is not removed during those changes but only
when the domain is undefined.
The swtpm needs persistent storage to store its state. For that I am
using the uuid of the VM as part of the path since the name of the VM
can be changed. Logfiles, PID files, and socket names are based on the
name of the VM, though.
Stefan
v7->v8:
- Delaying this series for 4.5; adjusted references to 4.4
- Fixed a test case since version='1.2' is now formatted as well
- Appended patches for AppArmor and auditing
- Appended patches that improve / fix existing code
- patch for validating the TPM configuration rather than overwriting it;
a particular case is the CRB interface does not work with a TPM 1.2
- swtpm_setup can be run for a TPM 2 in unprivileged mode as well
v6->v7:
- followed Ján Tomko's suggestion, with resulting changes to patch
10/12.
- re-added missing parts related to swtpm_setup and TPM that got lost
in v4
v5->v6:
- Addressed John Ferlan's comments
- rebased on latest tip
- Added patch 12.
v4->v5:
- Addressed John Ferlan's, Boris Fiuczynski's and Marc Hartmayer's comments
- rebased on latest tip
v3->v4:
- Addressed John Ferlan's comments
- Fixed bugs I found while testing
- rebased on latest tip
Stefan Berger (18):
conf: Add support for external swtpm TPM emulator to domain XML
qemu: Extend QEMU capabilities with 'tpm-emulator'
util: Implement virFileChownFiles()
security: Add DAC and SELinux security for tpm-emulator
qemu: Extend qemu_conf with tpm-emulator support
qemu: Extend QEMU with external TPM support
qemu: Add support for external swtpm TPM emulator
tests: Add test cases for external swtpm TPM emulator
security: Label the external swtpm with SELinux labels
conf: Add support for choosing emulation of a TPM 2
qemu: Add swtpm to emulator cgroup
news: Update news with new TPM emulator feature
security: Add swtpm paths to the domain's AppArmor profile
qemu: Run swtpm_setup in unprivileged mode for a TPM 2
qemu: Validate chosen TPM model rather than overwriting it
conf: Audit TPM emulator device at domain startup
conf: Use resrc=tpm in case of TPM passthrough following docs
conf: Use virDomainChrSourceDefClear() rather than VIR_FREE()
docs/auditlog.html.in | 2 +-
docs/formatdomain.html.in | 43 +
docs/news.xml | 13 +
docs/schemas/domaincommon.rng | 17 +
examples/apparmor/libvirt-qemu | 3 +
libvirt.spec.in | 2 +
src/conf/domain_audit.c | 20 +-
src/conf/domain_conf.c | 49 +-
src/conf/domain_conf.h | 15 +
src/libvirt_private.syms | 3 +
src/qemu/Makefile.inc.am | 10 +
src/qemu/libvirtd_qemu.aug | 5 +
src/qemu/qemu.conf | 8 +
src/qemu/qemu_capabilities.c | 5 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_cgroup.c | 36 +
src/qemu/qemu_cgroup.h | 2 +
src/qemu/qemu_command.c | 34 +-
src/qemu/qemu_conf.c | 43 +
src/qemu/qemu_conf.h | 6 +
src/qemu/qemu_domain.c | 31 +-
src/qemu/qemu_extdevice.c | 180 ++++
src/qemu/qemu_extdevice.h | 59 ++
src/qemu/qemu_process.c | 16 +
src/qemu/qemu_security.c | 69 ++
src/qemu/qemu_security.h | 11 +
src/qemu/qemu_tpm.c | 922 +++++++++++++++++++++
src/qemu/qemu_tpm.h | 56 ++
src/qemu/test_libvirtd_qemu.aug.in | 2 +
src/security/security_dac.c | 7 +
src/security/security_driver.h | 7 +
src/security/security_manager.c | 36 +
src/security/security_manager.h | 6 +
src/security/security_selinux.c | 172 ++++
src/security/security_stack.c | 40 +
src/security/virt-aa-helper.c | 24 +
src/util/virfile.c | 55 ++
src/util/virfile.h | 3 +
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
.../tpm-emulator-tpm2.x86_64-latest.args | 33 +
tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 +
.../tpm-emulator.x86_64-latest.args | 33 +
tests/qemuxml2argvdata/tpm-emulator.xml | 30 +
tests/qemuxml2argvtest.c | 16 +-
tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 +
tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 +
tests/qemuxml2xmltest.c | 1 +
51 files changed, 2212 insertions(+), 17 deletions(-)
create mode 100644 src/qemu/qemu_extdevice.c
create mode 100644 src/qemu/qemu_extdevice.h
create mode 100644 src/qemu/qemu_tpm.c
create mode 100644 src/qemu/qemu_tpm.h
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml
create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml
--
2.14.3
6 years, 5 months
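As an added illustration, not taken from the series itself, the domain XML for the emulator backend in the form libvirt documents it; the attribute names and the '2.0' spelling follow libvirt's published schema and are assumed to match what this v8 series formats. The second fragment is the combination the cover letter says the new validation patch rejects instead of overwriting:

```xml
<!-- Emulated TPM 2 backed by swtpm; the CRB interface is valid here.
     Per the cover letter, the swtpm process, its socket and its log file
     get the same sVirt label as the QEMU process, and the persistent
     state lives under a path derived from the domain UUID. -->
<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'/>
</tpm>

<!-- Emulated TPM 1.2: only tpm-tis is valid. With the "Validate chosen
     TPM model rather than overwriting it" patch, model='tpm-crb' together
     with version='1.2' is reported as a configuration error. -->
<tpm model='tpm-tis'>
  <backend type='emulator' version='1.2'/>
</tpm>
```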
[libvirt] [PATCH 0/8] vsock hotplug
by Ján Tomko
Followup for:
https://bugzilla.redhat.com/show_bug.cgi?id=1291851
Ján Tomko (8):
qemu: split out qemuBuildVsockDevStr
qemuBuildVsockDevStr: allow passing a fdprefix
export virDomainVsockDefFree
qemu: export vsock-related functions
qemu: implement vsock hotplug
conf: introduce virDomainVsockDefEquals
qemu: implement vsock hotunplug
qemu: implement vsock coldplug/coldunplug
src/conf/domain_conf.c | 18 +++++++
src/conf/domain_conf.h | 3 ++
src/libvirt_private.syms | 2 +
src/qemu/qemu_alias.c | 2 +-
src/qemu/qemu_alias.h | 2 +
src/qemu/qemu_command.c | 39 ++++++++++----
src/qemu/qemu_command.h | 8 +++
src/qemu/qemu_driver.c | 36 +++++++++++--
src/qemu/qemu_hotplug.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++-
src/qemu/qemu_hotplug.h | 7 +++
src/qemu/qemu_process.c | 2 +-
src/qemu/qemu_process.h | 2 +
12 files changed, 241 insertions(+), 18 deletions(-)
--
2.16.1
6 years, 5 months
[libvirt] [PATCH 0/3] Require GnuTLS
by Michal Privoznik
As mentioned in the discussion of my PRNG patches [1], we use GnuTLS
functions widely. Therefore, make GnuTLS required at build time.
This enables us to drop most of the #ifdef WITH_GNUTLS we have. Not all of
them though, because we still want libvirt-setuid-rpc-client.la to build
without GnuTLS.
I should also mention that, surprisingly, this breaks Travis. This time
it's Ubuntu that lacks a new enough GnuTLS and not OSX. But after Peter's
patches Travis is broken anyway (on GnuTLS).
Michal Privoznik (3):
configure: Require GnuTLS
build: Build gnutls related sources unconditionally
src: Drop most of #ifdef WITH_GNUTLS
configure.ac | 2 --
m4/virt-gnutls.m4 | 4 ---
src/Makefile.am | 7 +----
src/locking/lock_daemon.c | 4 ---
src/logging/log_daemon.c | 4 ---
src/lxc/lxc_controller.c | 2 --
src/qemu/qemu_migration_cookie.c | 12 +++-----
src/remote/remote_daemon.c | 23 ---------------
src/remote/remote_daemon_dispatch.c | 2 --
src/rpc/Makefile.inc.am | 14 ++-------
src/rpc/virnetdaemon.h | 4 +--
src/rpc/virnetserver.c | 6 ----
src/rpc/virnetserver.h | 6 +---
src/rpc/virnetserverclient.c | 57 +++----------------------------------
src/rpc/virnetserverclient.h | 8 ------
src/rpc/virnetserverservice.c | 24 ----------------
src/rpc/virnetserverservice.h | 10 -------
src/util/vircrypto.c | 43 ++--------------------------
tests/Makefile.am | 12 ++------
tests/qemuxml2argvtest.c | 15 ----------
tests/vircryptotest.c | 24 +++++-----------
tests/virfilecachetest.c | 18 +++---------
tests/virnetdaemontest.c | 8 ------
tests/virnetserverclienttest.c | 2 --
tests/virrandommock.c | 8 ++----
25 files changed, 32 insertions(+), 287 deletions(-)
--
2.16.4
6 years, 5 months
[libvirt] [jenkins-ci PATCH 0/5] guests: Make Perl and Python paths dynamic
by Andrea Bolognani
Plus other cleanups. See patches 3/5 and 4/5 for the good stuff.
Andrea Bolognani (5):
guests: Add .j2 extension to existing templates
guests: Remove distinction between files and templates
guests: Make PERL5LIB dynamic
guests: Make PYTHONPATH dynamic
guests: Move remaining paths out of the inventory
guests/group_vars/all/main.yml | 13 --------
guests/host_vars/libvirt-centos-6/main.yml | 3 --
guests/host_vars/libvirt-centos-7/main.yml | 3 --
guests/host_vars/libvirt-debian-8/main.yml | 3 --
guests/host_vars/libvirt-debian-9/main.yml | 3 --
guests/host_vars/libvirt-debian-sid/main.yml | 3 --
guests/host_vars/libvirt-fedora-27/main.yml | 3 --
guests/host_vars/libvirt-fedora-28/main.yml | 3 --
.../host_vars/libvirt-fedora-rawhide/main.yml | 3 --
guests/host_vars/libvirt-freebsd-10/main.yml | 3 --
guests/host_vars/libvirt-freebsd-11/main.yml | 3 --
.../libvirt-freebsd-current/main.yml | 3 --
guests/host_vars/libvirt-ubuntu-14/main.yml | 3 --
guests/host_vars/libvirt-ubuntu-16/main.yml | 3 --
guests/host_vars/libvirt-ubuntu-18/main.yml | 3 --
guests/tasks/base.yml | 12 +++----
guests/tasks/users.yml | 6 ++--
.../{bash_profile => bash_profile.j2} | 0
guests/templates/bashrc | 20 ------------
guests/templates/bashrc.j2 | 32 +++++++++++++++++++
.../ccache.conf => templates/ccache.conf.j2} | 0
.../fedora-rawhide-kernel-nodebug.repo.j2} | 0
.../jessie-backports.preferences.j2} | 0
.../jessie-backports.sources.j2} | 0
24 files changed, 41 insertions(+), 84 deletions(-)
rename guests/templates/{bash_profile => bash_profile.j2} (100%)
delete mode 100644 guests/templates/bashrc
create mode 100644 guests/templates/bashrc.j2
rename guests/{files/ccache.conf => templates/ccache.conf.j2} (100%)
rename guests/{files/fedora-rawhide-kernel-nodebug.repo => templates/fedora-rawhide-kernel-nodebug.repo.j2} (100%)
rename guests/{files/jessie-backports.preferences => templates/jessie-backports.preferences.j2} (100%)
rename guests/{files/jessie-backports.sources => templates/jessie-backports.sources.j2} (100%)
--
2.17.0
6 years, 5 months
[libvirt] [RFC PATCH] travis: require libgnutls28-dev
by Ján Tomko
Since commit <eee8c85> we require GnuTLS >= 3.2.0.
Install the aptly-named libgnutls28-dev package
instead of plain libgnutls-dev.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
RFC, since I haven't even started to figure out how to test it.
Exposed by commit 3bf1959 which led to
virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC)
being called from the test suite, in qemuDomainSupportsEncryptedSecret.
The proper fix for non-GnuTLS users is probably disabling the build
of the QEMU driver without GnuTLS, since capabilities caching won't work
properly anyway without the hash functions.
.travis.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index f4dd0427a9..3f7c67398a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -60,7 +60,7 @@ addons:
- libdbus-1-dev
- libdevmapper-dev
- libfuse-dev
- - libgnutls-dev
+ - libgnutls28-dev
- libnetcf-dev
- libnl-3-dev
- libnl-route-3-dev
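Review bot: the `+ - libgnutls28-dev` line carries the GnuTLS >= 3.2.0 requirement only implicitly; add a one-line YAML comment above it pointing at commit eee8c85 so the next person editing the addons list knows why the non-default package name is needed. Note also that this entry lives in the apt addons section, so it only fixes the Ubuntu leg of the matrix, which matches the cover letter's observation that OSX is not the problem this time.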
--
2.13.6
6 years, 5 months
[libvirt] [jenkins-ci PATCH] guests: Fix os_version for development branches
by Andrea Bolognani
We currently know about three development branches: Fedora
Rawhide, Debian sid and FreeBSD -CURRENT.
For all three, we use the name of the development branch in
the guest name; however, the value of os_version is not set
consistently, making it awkward to create package mappings
specific to these development branches.
As an added bonus, this makes the code setting os_name and
os_version more straightforward by simplifying conditionals
and removing regexp-based string replacement.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
guests/tasks/base.yml | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/guests/tasks/base.yml b/guests/tasks/base.yml
index 70d5abc..9f27470 100644
--- a/guests/tasks/base.yml
+++ b/guests/tasks/base.yml
@@ -2,25 +2,33 @@
- name: Set additional facts (OS)
set_fact:
os_name: '{{ ansible_distribution }}'
+
+- name: Set additional facts (OS)
+ set_fact:
os_version: '{{ ansible_distribution_major_version }}'
when:
- - ansible_distribution != 'FreeBSD'
- - ansible_distribution_release != 'Rawhide'
+ - ansible_distribution_major_version is defined
- name: Set additional facts (OS)
set_fact:
- os_name: '{{ ansible_distribution }}'
os_version: Rawhide
when:
- - ansible_distribution != 'FreeBSD'
+ - os_name == 'Fedora'
- ansible_distribution_release == 'Rawhide'
- name: Set additional facts (OS)
set_fact:
- os_name: '{{ ansible_distribution }}'
- os_version: '{{ ansible_distribution_release|regex_replace("^(\d+)\.\d+-.*$", "\1") }}'
+ os_version: Sid
+ when:
+ - os_name == 'Debian'
+ - '{{ ansible_distribution_major_version|match("^.*/sid$") }}'
+
+- name: Set additional facts (OS)
+ set_fact:
+ os_version: Current
when:
- ansible_distribution == 'FreeBSD'
+ - '{{ ansible_distribution_release|match("^.*-CURRENT$") }}'
- name: Set additional facts (package format)
set_fact:
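Review bot: the two new conditions `- '{{ ansible_distribution_major_version|match("^.*/sid$") }}'` and `- '{{ ansible_distribution_release|match("^.*-CURRENT$") }}'` wrap Jinja delimiters inside `when:`, which Ansible already evaluates as a Jinja expression; this produces the "conditional statements should not include jinja2 templating delimiters" warning, and the filter spelling of `match` is deprecated in favour of the test form. Suggest `- ansible_distribution_major_version is match("^.*/sid$")` and `- ansible_distribution_release is match("^.*-CURRENT$")`. Also, the Debian task now depends on `os_name` being set by the first task in this hunk, so the task order is load-bearing and worth a short comment.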
--
2.17.0
6 years, 5 months
[libvirt] [PATCHv2] virFileAccessibleAs: Remove redundant forkRet
by Radostin Stoyanov
The variable forkRet is not used after commit 25f8781
Signed-off-by: Radostin Stoyanov <rstoyanov1(a)gmail.com>
---
src/util/virfile.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/src/util/virfile.c b/src/util/virfile.c
index 523241f64f..a2c4cebb56 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -2117,7 +2117,6 @@ virFileAccessibleAs(const char *path, int mode,
{
pid_t pid = 0;
int status, ret = 0;
- int forkRet = 0;
gid_t *groups;
int ngroups;
@@ -2152,15 +2151,6 @@ virFileAccessibleAs(const char *path, int mode,
return 0;
}
- /* child.
- * Return positive value here. Parent
- * will change it to negative one. */
-
- if (forkRet < 0) {
- ret = errno;
- goto childerror;
- }
-
if (virSetUIDGID(uid, gid, groups, ngroups) < 0) {
ret = errno;
goto childerror;
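Review bot: the removed `if (forkRet < 0)` block was dead code (forkRet was initialised to 0 in the first hunk and never assigned), so dropping it is safe, but the comment `/* child. Return positive value here. Parent will change it to negative one. */` documents the sign convention that the remaining `ret = errno; goto childerror;` lines still follow. Consider keeping that comment, minus the dead check, at the point where the child path begins so the convention stays explained.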
--
2.17.1
6 years, 5 months
[libvirt] [PATCH] virFork: Remove redundant forkRet variable
by Radostin Stoyanov
The variable forkRet is not used after commit 25f8781
https://github.com/libvirt/libvirt/commit/25f8781#diff-d2023c1ac4f688aa20...
Signed-off-by: Radostin Stoyanov <rstoyanov1(a)gmail.com>
---
src/util/virfile.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/src/util/virfile.c b/src/util/virfile.c
index 523241f64f..a2c4cebb56 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -2117,7 +2117,6 @@ virFileAccessibleAs(const char *path, int mode,
{
pid_t pid = 0;
int status, ret = 0;
- int forkRet = 0;
gid_t *groups;
int ngroups;
@@ -2152,15 +2151,6 @@ virFileAccessibleAs(const char *path, int mode,
return 0;
}
- /* child.
- * Return positive value here. Parent
- * will change it to negative one. */
-
- if (forkRet < 0) {
- ret = errno;
- goto childerror;
- }
-
if (virSetUIDGID(uid, gid, groups, ngroups) < 0) {
ret = errno;
goto childerror;
--
2.17.1
6 years, 5 months
[libvirt] [PATCH] virFileAccessibleAs: Remove redundant forkRet
by Radostin Stoyanov
The variable forkRet is not used after commit 25f8781
https://github.com/libvirt/libvirt/commit/25f8781#diff-d2023c1ac4f688aa20...
Signed-off-by: Radostin Stoyanov <rstoyanov1(a)gmail.com>
---
src/util/virfile.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/src/util/virfile.c b/src/util/virfile.c
index 523241f64f..a2c4cebb56 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -2117,7 +2117,6 @@ virFileAccessibleAs(const char *path, int mode,
{
pid_t pid = 0;
int status, ret = 0;
- int forkRet = 0;
gid_t *groups;
int ngroups;
@@ -2152,15 +2151,6 @@ virFileAccessibleAs(const char *path, int mode,
return 0;
}
- /* child.
- * Return positive value here. Parent
- * will change it to negative one. */
-
- if (forkRet < 0) {
- ret = errno;
- goto childerror;
- }
-
if (virSetUIDGID(uid, gid, groups, ngroups) < 0) {
ret = errno;
goto childerror;
--
2.17.1
6 years, 5 months
[libvirt] [PATCH] virFileAccessibleAs: Remove redundant forkRet
by Radostin Stoyanov
The variable forkRet is not used after commit 25f8781
https://github.com/libvirt/libvirt/commit/25f8781#diff-d2023c1ac4f688aa20...
Signed-off-by: Radostin Stoyanov <rstoyanov1(a)gmail.com>
---
src/util/virfile.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/src/util/virfile.c b/src/util/virfile.c
index 523241f64f..a2c4cebb56 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -2117,7 +2117,6 @@ virFileAccessibleAs(const char *path, int mode,
{
pid_t pid = 0;
int status, ret = 0;
- int forkRet = 0;
gid_t *groups;
int ngroups;
@@ -2152,15 +2151,6 @@ virFileAccessibleAs(const char *path, int mode,
return 0;
}
- /* child.
- * Return positive value here. Parent
- * will change it to negative one. */
-
- if (forkRet < 0) {
- ret = errno;
- goto childerror;
- }
-
if (virSetUIDGID(uid, gid, groups, ngroups) < 0) {
ret = errno;
goto childerror;
--
2.17.1
6 years, 5 months