When 'swtpm_setup --print-capabilities' shows the 'tpm12-not-need-root' flag, then it is possible to create certificates for the TPM 1.2 also in non-privileged mode since swtpm_setup doesn't need tcsd anymore. Check for this flag and create the certificates if this flag is found. Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com&gt; --- src/qemu/qemu_tpm.c | 5 ++++- src/util/virtpm.c | 1 + src/util/virtpm.h | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index e1b08a66c5..91e21ae646 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -463,11 +463,14 @@ qemuTPMEmulatorRunSetup(const char *storagepath, if (!swtpm_setup) return -1; - if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2) + if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2 && + !virTPMSwtpmSetupCapsGet( + VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) { return virFileWriteStr(logfile, _("Did not create EK and certificates since " "this requires privileged mode for a " "TPM 1.2\n"), 0600); + } if (!privileged && qemuTPMCreateConfigFiles(swtpm_setup) < 0) return -1; diff --git a/src/util/virtpm.c b/src/util/virtpm.c index 0f50de866c..40d9272e66 100644 --- a/src/util/virtpm.c +++ b/src/util/virtpm.c @@ -46,6 +46,7 @@ VIR_ENUM_IMPL(virTPMSwtpmSetupFeature, VIR_TPM_SWTPM_SETUP_FEATURE_LAST, "cmdarg-pwdfile-fd", "cmdarg-create-config-files", + "tpm12-not-need-root", ); /** diff --git a/src/util/virtpm.h b/src/util/virtpm.h index 3bb03b3b33..b75eb84f31 100644 --- a/src/util/virtpm.h +++ b/src/util/virtpm.h @@ -39,6 +39,7 @@ typedef enum { typedef enum { VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD, VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES, + VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT, VIR_TPM_SWTPM_SETUP_FEATURE_LAST } virTPMSwtpmSetupFeature; -- 2.31.1