On Wed, Oct 02, 2024 at 17:41:46 +0200, Andrea Bolognani wrote:

This is needed when migrating a guest that has persistent TPM
state: relabeling (which implies locking) needs to happen
before the swtpm process is started on the destination host,
but the lock file won't be released by the swtpm process
running on the source host before a handshake with the target
process has happened, creating a catch-22 scenario.

In order to make migration possible, make it so that locking
for lock files can be explicitly skipped. All other state
files are handled as usual.

Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
src/qemu/qemu_security.c | 56 ++++++++++++++++++++++-----------
src/security/security_dac.c | 12 +++++--
src/security/security_driver.h | 3 +-
src/security/security_manager.c | 21 +++++++++++--
src/security/security_manager.h | 6 ++--
src/security/security_selinux.c | 12 +++++--
src/security/security_stack.c | 6 ++--
7 files changed, 83 insertions(+), 33 deletions(-)

Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>