
On Wed, Oct 02, 2024 at 17:41:46 +0200, Andrea Bolognani wrote:
This is needed when migrating a guest that has persistent TPM state: relabeling (which implies locking) needs to happen before the swtpm process is started on the destination host, but the lock file won't be released by the swtpm process running on the source host before a handshake with the target process has happened, creating a catch-22 scenario.
In order to make migration possible, make it so that locking for lock files can be explicitly skipped. All other state files are handled as usual.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 src/qemu/qemu_security.c        | 56 ++++++++++++++++++++++----------
 src/security/security_dac.c     | 12 +++++--
 src/security/security_driver.h  |  3 +-
 src/security/security_manager.c | 21 +++++++++++--
 src/security/security_manager.h |  6 ++--
 src/security/security_selinux.c | 12 +++++--
 src/security/security_stack.c   |  6 ++--
 7 files changed, 83 insertions(+), 33 deletions(-)
Reviewed-by: Peter Krempa <pkrempa@redhat.com>