[PATCH v2 0/3] util/xml: make xml parser error reporting less terrible
by Daniel P. Berrangé
libxml2 has terrible error reporting when failing to open files, which
has led to significant wasted time on wild goose chases. This improves
it by taking libxml2 out of the business of opening & reading files.
Daniel P. Berrangé (3):
util/xml: fix extraction of XML context
util/xml: don't assume libxml2 has the filename of the document
util/xml: open XML files before calling libxml2
src/util/virxml.c | 29 +++++++++++++------
.../broken-xml-invalid.x86_64-latest.err | 4 +--
.../nonexistent-file.x86_64-latest.err | 2 +-
3 files changed, 23 insertions(+), 12 deletions(-)
--
2.46.0
1 month
[PATCH] docs: permit a user's chosen identity with SoB
by Daniel P. Berrangé
The docs for submitting a patch describe using your "Legal Name" with
the Signed-off-by line.
In recent times, there's been a general push back[1] against the notion
that use of Signed-off-by in a project automatically requires / implies
the use of legal ("real") names and greater awareness of the downsides.
Full discussion of the problems of such policies is beyond the scope of
this commit message, but at a high level they are liable to marginalize,
disadvantage, and potentially result in harm, to contributors.
TL;DR: there are compelling reasons for a person to choose distinct
identities in different contexts & a decision to override that choice
should not be taken lightly.
A number of key projects have responded to the issues raised by making
it clear that a contributor is free to determine the identity used in
SoB lines:
* Linux has clarified[2] that they merely expect use of the
contributor's "known identity", removing the previous explicit
rejection of pseudonyms.
* CNCF has clarified[3] that the real name is simply the identity
the contributor chooses to use in the context of the community
and does not have to be a legal name, nor birth name, nor appear
on any government ID.
Since we have no intention of ever routinely checking any form of ID
documents for contributors[4], realistically we have no way of knowing
anything about the name they are using, except through chance, or
through the contributor volunteering the information. IOW, we almost
certainly already have people using pseudonyms for contributions.
This proposes to accept that reality and eliminate unnecessary friction,
by following Linux & the CNCF in merely asking that a contributors'
commonly known identity, of their choosing, be used with the SoB line.
[1] Raised in many contexts at many times, but a decent overall summary
can be read at https://drewdevault.com/2023/10/31/On-real-names.html
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit...
[3] https://github.com/cncf/foundation/blob/659fd32c86dc/dco-guidelines.md
[4] Excluding the rare GPG key signing parties for regular maintainers
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
docs/governance.rst | 6 +++---
docs/hacking.rst | 9 ++++++---
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/docs/governance.rst b/docs/governance.rst
index 44dd54d4a0..04bb739237 100644
--- a/docs/governance.rst
+++ b/docs/governance.rst
@@ -112,9 +112,9 @@ There are no special requirements to becoming a contributor other than having
the interest and ability to provide a contribution. The libvirt project **does
not require** any *"Contributor License Agreement"* to be signed prior to
engagement with the community. However for contributing patches, providing a
-'Signed-off-by' line with the author's legal name and e-mail address to
-demonstrate agreement and compliance with the `Developer Certificate of
-Origin <https://developercertificate.org/>`__ is required.
+'Signed-off-by' line with the author's chosen name and e-mail address to
+demonstrate agreement and compliance with the `Developer Certificate
+of Origin <hacking.html#developer-certificate-of-origin>`__ is required.
In making a non-patch contribution to the project, the community member is
implicitly stating that they accept the terms of the license under which the
diff --git a/docs/hacking.rst b/docs/hacking.rst
index c2e79e4501..825b8b83d2 100644
--- a/docs/hacking.rst
+++ b/docs/hacking.rst
@@ -83,9 +83,12 @@ Contributors to libvirt projects **must** assert that they are
in compliance with the `Developer Certificate of Origin
1.1 <https://developercertificate.org/>`__. This is achieved by
adding a "Signed-off-by" line containing the contributor's name
-and e-mail to every commit message. The presence of this line
-attests that the contributor has read the above lined DCO and
-agrees with its statements.
+and e-mail to every commit message. The name should be the identity
+the contributor has chosen to be known as in the context of the
+community. It does not need to be a legal name, nor match any
+formal ID documents, but should not be anonymous, nor misrepresent
+who you are. The presence of this line attests that the contributor
+has read the above linked DCO and agrees with its statements.
Further reading
===============
--
2.46.0
1 month
[PATCH v3 00/10] swtpm: Add support for profiles
by Stefan Berger
Upcoming libtpms v0.10 and swtpm v0.10 will have TPM profile support that
allows to restrict a TPM's provided set of crypto algorithms and commands
and through which backwards compatibility and migration from newer versions
of libtpms to older ones (up to libtpms v0.9) is supported. For the latter
to work it is necessary that the user chooses the right ('null') profile.
This series adds support for passing a profile choice to swtpm_setup by
setting it in the domain XML using the <profile/> XML node. An optional
attribute 'remove_disabled' can be set in this node and accepts two values:
"check": test a few crypto algorithms (tdes, camellia, unpadded encryption,
and others) for whether they are currently disabled due to FIPS
mode on the host and remove these algorithms in the 'custom'
profile if they are disabled;
"fips-host": do not test but remove all the possibly disabled crypto
algorithms (from list above)
Also extend the documentation but point the user to swtpm and libtpms
documentation for further details.
Follow Deniel's suggestions there's now a PR for swtpm_setup to support
searching for profiles though a configurable local directory, distro
directory and if no profile could be found there (with appended
".json" suffix) it will fall back to try to use a built-in profile by
the provided name: https://github.com/stefanberger/swtpm/pull/918
Stefan
v3:
- 2/10: Adjustments to due rebase
- Applied Marc-André's R-b tags
- 10/10: Read back profile name from swtpm and adjust it in emulator defs
Stefan Berger (10):
conf: Move TPM emulator parameters into own struct
qemu: Pass virQEMUDriverConfig rather than some of its fields
util: Add parsing support for swtpm_setup's cmdarg-profile capability
conf: Define enum virDomainTPMProfileRemoveDisabled
schema: Extend schema for TPM emulator profile node
conf: Add support for profile parameter on TPM emulator in domain XML
docs: Add documentation for the TPM backend profile node
qemu: Extend swtpm_setup command line to set a profile by its name
qemu: Move adding of keys to swtpm command line into own function
qemu: Read the profile name after creation of TPM instance
docs/formatdomain.rst | 30 +++
src/conf/domain_conf.c | 43 +++++
src/conf/domain_conf.h | 35 ++--
src/conf/domain_validate.c | 7 +
src/conf/schemas/domaincommon.rng | 25 +++
src/conf/virconftypes.h | 2 +
src/qemu/qemu_extdevice.c | 5 +-
src/qemu/qemu_tpm.c | 310 ++++++++++++++++++++----------
src/qemu/qemu_tpm.h | 3 +-
src/util/virtpm.c | 2 +
src/util/virtpm.h | 2 +
tests/testutilsqemu.c | 1 +
12 files changed, 355 insertions(+), 110 deletions(-)
--
2.47.0
1 month
Help with setting up libvirt for development.
by validsudoku@gmail.com
Hi, pardon my ignorance. I'm trying to add some changes to the libvirt codebase (https://gitlab.com/libvirt/libvirt).
I've successfully built it with `meson setup /build` and a `compile_commands.json` was generated in the build folder. But vscode keeps showing that there are errors from trying to find certain files and identifiers. I have also copied the `compile_commands.json` to the root of the project with no success. I'm new to working on a large C codebase, as i'm mainly into Go. I have also installed the `meson.build` extension as prescribed in https://mesonbuild.com/IDE-integration.html, is there anything i'm missing?
1 month
[PATCH] spec: Drop nwfilter dependency in libvirt-daemon-xen
by Jim Fehlig
The libvirt xen driver does not support nwfilters. In fact, since
commit d721b6840f, the driver rejects VM configuration referencing
nwfilters. Drop the needless nwfilter dependency from
libvirt-daemon-xen.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
libvirt.spec.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index f26de04553..d54d2a1e3e 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -993,7 +993,6 @@ Requires: libvirt-daemon-driver-libxl = %{version}-%{release}
Requires: libvirt-daemon-driver-interface = %{version}-%{release}
Requires: libvirt-daemon-driver-network = %{version}-%{release}
Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
-Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
Requires: libvirt-daemon-driver-secret = %{version}-%{release}
Requires: libvirt-daemon-driver-storage = %{version}-%{release}
Requires: xen
--
2.43.0
1 month
Re: [PATCH v4 3/6] schema: add TPM emulator <source type='file'
path='..'>
by Stefan Berger
>
> Learn to parse a file path for the TPM state.
>
> Signed-off-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
> ---
> docs/formatdomain.rst | 19 ++++++++++++++
> src/conf/domain_conf.c | 28 +++++++++++++++++++++
> src/conf/domain_conf.h | 9 +++++++
> src/conf/schemas/domaincommon.rng | 14 +++++++++++
> tests/qemuxmlconfdata/tpm-emulator-tpm2.xml | 1 +
> 5 files changed, 71 insertions(+)
>
> diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> index e6f09a728f..d4feb4421c 100644
> --- a/docs/formatdomain.rst
> +++ b/docs/formatdomain.rst
> @@ -8174,6 +8174,25 @@ Example: usage of the TPM Emulator
> The default version used depends on the combination of hypervisor,
> guest
> architecture, TPM model and backend.
>
> +``source``
> + The ``source`` element specifies the location of the TPM state
> storage . This
> + element only works with the ``emulator`` backend.
> +
> + If not specified, the storage configuration is left to libvirt
> discretion.
IMO it would be good to mention that it is up to the user to prevent
files being used by multiple VMs, especially if locking cannot be used.
> +
> + This element requires that swtpm v0.7 or later is installed.
> +
> + The following attributes are supported:
> +
> + ``type``
> + The type of storage. It's possible to provide "file" to utilize a
> single
> + file or block device where the TPM state will be stored.
> +
> + ``path``
> + The path to the TPM state storage.
> +
> + :since:`Since v10.8.0`
> +
> ``persistent_state``
> The ``persistent_state`` attribute indicates whether 'swtpm' TPM
> state is
> kept or not when a transient domain is powered off or undefined. This
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 284a3815b3..9dd8b6b55d 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -1322,6 +1322,12 @@ VIR_ENUM_IMPL(virDomainTPMVersion,
> "2.0",
> );
>
> +VIR_ENUM_IMPL(virDomainTPMSourceType,
> + VIR_DOMAIN_TPM_SOURCE_TYPE_LAST,
> + "default",
> + "file",
> +);
> +
> VIR_ENUM_IMPL(virDomainTPMPcrBank,
> VIR_DOMAIN_TPM_PCR_BANK_LAST,
> "sha1",
> @@ -10784,6 +10790,7 @@ virDomainTPMDefParseXML(virDomainXMLOption *xmlopt,
> int nbackends;
> int nnodes;
> size_t i;
> + xmlNodePtr source_node = NULL;
> g_autofree char *path = NULL;
> g_autofree char *secretuuid = NULL;
> g_autofree char *persistent_state = NULL;
> @@ -10857,6 +10864,22 @@ virDomainTPMDefParseXML(virDomainXMLOption *xmlopt,
> def->data.emulator.hassecretuuid = true;
> }
>
> + source_node = virXPathNode("./backend/source", ctxt);
> + if (source_node) {
> + if (virXMLPropEnum(source_node, "type",
> + virDomainTPMSourceTypeTypeFromString,
> + VIR_XML_PROP_NONZERO,
> + &def->data.emulator.source_type) < 0)
> + goto error;
> + path = virXMLPropString(source_node, "path");
> + if (!path) {
> + virReportError(VIR_ERR_XML_ERROR, "%s",
> + _("missing TPM source path"));
> + goto error;
> + }
> + def->data.emulator.source_path = g_steal_pointer(&path);
> + }
> +
> persistent_state = virXMLPropString(backends[0],
> "persistent_state");
> if (persistent_state) {
> if (virStringParseYesNo(persistent_state,
> @@ -25070,6 +25093,11 @@ virDomainTPMDefFormat(virBuffer *buf,
>
> virXMLFormatElement(&backendChildBuf, "active_pcr_banks",
> NULL, &activePcrBanksBuf);
> }
> + if (def->data.emulator.source_type !=
> VIR_DOMAIN_TPM_SOURCE_TYPE_DEFAULT) {
> + virBufferAsprintf(&backendChildBuf, "<source type='%s'",
> +
> virDomainTPMSourceTypeTypeToString(def->data.emulator.source_type));
> + virBufferEscapeString(&backendChildBuf, " path='%s'/>\n",
> def->data.emulator.source_path);
> + }
> break;
> case VIR_DOMAIN_TPM_TYPE_EXTERNAL:
> if (def->data.external.source->type == VIR_DOMAIN_CHR_TYPE_UNIX) {
> diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
> index 6b27322e3e..7a70f68177 100644
> --- a/src/conf/domain_conf.h
> +++ b/src/conf/domain_conf.h
> @@ -1463,6 +1463,13 @@ typedef enum {
> VIR_DOMAIN_TPM_PCR_BANK_LAST
> } virDomainPcrBank;
>
> +typedef enum {
> + VIR_DOMAIN_TPM_SOURCE_TYPE_DEFAULT = 0,
> + VIR_DOMAIN_TPM_SOURCE_TYPE_FILE,
> +
> + VIR_DOMAIN_TPM_SOURCE_TYPE_LAST
> +} virDomainTPMSourceType;
> +
> #define VIR_DOMAIN_TPM_DEFAULT_DEVICE "/dev/tpm0"
>
> struct _virDomainTPMDef {
> @@ -1478,6 +1485,7 @@ struct _virDomainTPMDef {
> struct {
> virDomainTPMVersion version;
> virDomainChrSourceDef *source;
> + virDomainTPMSourceType source_type;
> char *source_path;
> char *logfile;
> unsigned int debug;
> @@ -4277,6 +4285,7 @@ VIR_ENUM_DECL(virDomainRNGBackend);
> VIR_ENUM_DECL(virDomainTPMModel);
> VIR_ENUM_DECL(virDomainTPMBackend);
> VIR_ENUM_DECL(virDomainTPMVersion);
> +VIR_ENUM_DECL(virDomainTPMSourceType);
> VIR_ENUM_DECL(virDomainTPMPcrBank);
> VIR_ENUM_DECL(virDomainMemoryModel);
> VIR_ENUM_DECL(virDomainMemoryBackingModel);
> diff --git a/src/conf/schemas/domaincommon.rng
> b/src/conf/schemas/domaincommon.rng
> index efb5f00d77..72c8b6c694 100644
> --- a/src/conf/schemas/domaincommon.rng
> +++ b/src/conf/schemas/domaincommon.rng
> @@ -5923,6 +5923,7 @@
> <interleave>
> <ref name="tpm-backend-emulator-encryption"/>
> <ref name="tpm-backend-emulator-active-pcr-banks"/>
> + <ref name="tpm-backend-emulator-source"/>
> </interleave>
> <optional>
> <attribute name="persistent_state">
> @@ -5981,6 +5982,19 @@
> </optional>
> </define>
>
> + <define name="tpm-backend-emulator-source">
> + <optional>
> + <element name="source">
> + <attribute name="type">
> + <value>file</value>
> + </attribute>
> + <attribute name="path">
> + <ref name="filePath"/>
Should probably be absFilePath?
With this nit:
Reviewed-by: Stefan Berger <stefanb(a)linux.ibm.com>
> + </attribute>
> + </element>
> + </optional>
> + </define>
> +
> <define name="tpm-backend-emulator-encryption">
> <optional>
> <element name="encryption">
> diff --git a/tests/qemuxmlconfdata/tpm-emulator-tpm2.xml
> b/tests/qemuxmlconfdata/tpm-emulator-tpm2.xml
> index 8a613db456..3d6300f544 100644
> --- a/tests/qemuxmlconfdata/tpm-emulator-tpm2.xml
> +++ b/tests/qemuxmlconfdata/tpm-emulator-tpm2.xml
> @@ -34,6 +34,7 @@
> <sha256/>
> <sha512/>
> </active_pcr_banks>
> + <source type='file' path='/path/to/state'/>
> </backend>
> </tpm>
> <audio id='1' type='none'/>
> --
> 2.47.0
1 month
[PATCH v4 0/6] Add TPM emulator <source type='file/dir' path='..'/>
by marcandre.lureau@redhat.com
From: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Hi,
When swtpm capabilities reports "nvram-backend-dir", it can accepts a single
file or block device where TPM state will be stored.
--tpmstate must be backend-uri=file://.
v4:
- add "qemu: explicit swtpm state locking"
- add r-b from Stefan, first patch only atm
v3:
- changed to <source type='file/dir' path='..'/>
v2:
- add <source dir='..'/> support as well (Daniel)
Related: https://issues.redhat.com/browse/CNV-35250
Marc-André Lureau (6):
util: check swtpm nvram-backend-{dir,file} capabilities
tpm: rename 'storagepath' to 'source_path'
schema: add TPM emulator <source type='file' path='..'>
schema: add TPM emulator <source type='dir' path='..'>
qemu_tpm: handle file/block storage source
qemu: explicit swtpm state locking
docs/formatdomain.rst | 20 +++
src/conf/domain_conf.c | 31 ++++-
src/conf/domain_conf.h | 12 +-
src/conf/schemas/domaincommon.rng | 26 ++++
src/qemu/qemu_tpm.c | 115 +++++++++++++-----
src/security/security_selinux.c | 6 +-
src/util/virtpm.c | 3 +
src/util/virtpm.h | 3 +
.../qemuxmlconfdata/tpm-emulator-tpm2-enc.xml | 1 +
tests/qemuxmlconfdata/tpm-emulator-tpm2.xml | 1 +
tests/testutilsqemu.c | 1 +
11 files changed, 186 insertions(+), 33 deletions(-)
--
2.47.0
1 month
[PATCH rfcv4 00/13] LIBVIRT: X86: TDX support
by Zhenzhong Duan
Hi,
This series brings libvirt the x86 TDX support.
* What's TDX?
TDX stands for Trust Domain Extensions which isolates VMs from
the virtual-machine manager (VMM)/hypervisor and any other software on
the platform.
To support TDX, multiple software components, not only KVM but also QEMU,
guest Linux and virtual bios, need to be updated. For more details, please
check link[1].
This patchset is another software component to extend libvirt to support TDX,
with which one can start a TDX guest from high level rather than running qemu
directly.
* Misc
As QEMU use a software emulated way to reset guest which isn't supported by TDX
guest for security reason. We simulate reboot for TDX guest by kill and create a
new one in FakeReboot framework.
Complete code can be found at [2], matching qemu code can be found at [3].
There is a 'debug' property for tdx-guest object which isn't in matching qemu[3]
yet. I keep them intentionally as they will be implemented in qemu as extention
series of [3].
* Test
start/stop/reboot with virsh
stop/reboot trigger in guest
stop with on_poweroff=destroy/restart
reboot with on_reboot=destroy/restart
* Patch organization
- patch 1-4: Support query of TDX capabilities.
- patch 5-8: Add TDX type to launchsecurity framework.
- patch 9-11: Add reboot support to TDX guest
- patch 12-13: Add test and docs
TODO:
- update QEMU capabilities data in tests, depending on qemu TDX merged beforehand
- add reconnect logic in virsh command
[1] https://lore.kernel.org/kvm/cover.1708933498.git.isaku.yamahata@intel.com
[2] https://github.com/intel/libvirt-tdx/commits/tdx_for_upstream_rfcv4
[3] https://github.com/intel/qemu-tdx/tree/tdx-qemu-upstream-v5
Thanks
Zhenzhong
Changelog:
rfcv4:
- add a check to tools/virt-host-validate-qemu.c (Daniel)
- remove check of q35 (Daniel)
- model 'SocktetAddress' QAPI in xml schema (Daniel)
- s/Quote-Generation-Service/quoteGenerationService/ (Daniel)
- define bits in tdx->policy and add validating logic (Daniel)
- presume QEMU choose split kernel irqchip for TDX guest by default (Daniel)
- utilize existing FakeReboot framework to do reboot for TDX guest (Daniel)
- drop patch11 'conf: Add support to keep same domid for hard reboot' (Daniel)
- add test in tests/ to validate parsing and formatting logic (Daniel)
- add doc in docs/formatdomain.rst (Daniel)
- add R-B
rfcv3:
- Change to generate qemu cmdline with -bios
- drop firmware auto match as -bios is used
- add a hard reboot method to reboot TDX guest
rfcv3: https://www.mail-archive.com/devel@lists.libvirt.org/msg00385.html
rfcv2:
- give up using qmp cmd and check TDX directly on host for TDX capabilities.
- use launchsecurity framework to support TDX
- use <os>.<loader> for general loader
- add auto firmware match feature for TDX
A example TDVF fimware description file 70-edk2-x86_64-tdx.json:
{
"description": "UEFI firmware for x86_64, supporting Intel TDX",
"interface-types": [
"uefi"
],
"mapping": {
"device": "generic",
"filename": "/usr/share/OVMF/OVMF_CODE-tdx.fd"
},
"targets": [
{
"architecture": "x86_64",
"machines": [
"pc-q35-*"
]
}
],
"features": [
"intel-tdx",
"verbose-dynamic"
],
"tags": [
]
}
rfcv2: https://www.mail-archive.com/libvir-list@redhat.com/msg219378.html
Zhenzhong Duan (13):
tools: Secure guest check for Intel in virt-host-validate
qemu: Check if INTEL Trust Domain Extention support is enabled
qemu: Add TDX capability
conf: expose TDX feature in domain capabilities
conf: add tdx as launch security type
qemu: Add command line and validation for TDX type
qemu: force special parameters enabled for TDX guest
Add Intel TDX Quote Generation Service(QGS) support
qemu: add FakeReboot support for TDX guest
qemu: Support reboot command in guest
qemu: Avoid duplicate FakeReboot for secure guest
Add test cases for Intel TDX
docs: domain: Add documentation for Intel TDX guest
docs/formatdomain.rst | 68 ++++
docs/formatdomaincaps.rst | 1 +
src/conf/domain_capabilities.c | 1 +
src/conf/domain_capabilities.h | 1 +
src/conf/domain_conf.c | 312 ++++++++++++++++++
src/conf/domain_conf.h | 75 +++++
src/conf/schemas/domaincaps.rng | 9 +
src/conf/schemas/domaincommon.rng | 135 ++++++++
src/conf/virconftypes.h | 2 +
src/qemu/qemu_capabilities.c | 36 +-
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 139 ++++++++
src/qemu/qemu_firmware.c | 1 +
src/qemu/qemu_monitor.c | 28 +-
src/qemu/qemu_monitor.h | 2 +-
src/qemu/qemu_monitor_json.c | 6 +-
src/qemu/qemu_namespace.c | 1 +
src/qemu/qemu_process.c | 75 +++++
src/qemu/qemu_validate.c | 44 +++
...unch-security-tdx-qgs-fd.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-fd.xml | 30 ++
...ch-security-tdx-qgs-inet.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-inet.xml | 30 ++
...ch-security-tdx-qgs-unix.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-unix.xml | 30 ++
...h-security-tdx-qgs-vsock.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-vsock.xml | 30 ++
tests/qemuxmlconftest.c | 24 ++
tools/virt-host-validate-common.c | 22 +-
tools/virt-host-validate-common.h | 1 +
30 files changed, 1407 insertions(+), 5 deletions(-)
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-fd.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-fd.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-inet.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-inet.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-unix.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-unix.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-vsock.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-vsock.xml
--
2.34.1
1 month
[PATCH v3 0/5] Add TPM emulator <source type='file/dir' path='..'/>
by marcandre.lureau@redhat.com
From: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Hi,
When swtpm capabilities reports "nvram-backend-dir", it can accepts a single
file or block device where TPM state will be stored.
--tpmstate must be backend-uri=file://.
v3:
- changed to <source type='file/dir' path='..'/>
v2:
- add <source dir='..'/> support as well (Daniel)
Related: https://issues.redhat.com/browse/CNV-35250
Marc-André Lureau (5):
util: check swtpm nvram-backend-{dir,file} capabilities
tpm: rename 'storagepath' to 'source_path'
schema: add TPM emulator <source type='file' path='..'>
schema: add TPM emulator <source type='dir' path='..'>
qemu_tpm: handle file/block storage source
docs/formatdomain.rst | 20 ++++
src/conf/domain_conf.c | 31 ++++-
src/conf/domain_conf.h | 12 +-
src/conf/schemas/domaincommon.rng | 26 +++++
src/qemu/qemu_tpm.c | 110 +++++++++++++-----
src/security/security_selinux.c | 4 +-
src/util/virtpm.c | 2 +
src/util/virtpm.h | 2 +
.../qemuxmlconfdata/tpm-emulator-tpm2-enc.xml | 1 +
tests/qemuxmlconfdata/tpm-emulator-tpm2.xml | 1 +
10 files changed, 176 insertions(+), 33 deletions(-)
--
2.45.2.827.g557ae147e6
1 month
