On 04/06/2018 07:23 AM, Stefan Berger wrote:
On 04/06/2018 04:26 AM, Daniel P. Berrangé wrote:
> On Thu, Apr 05, 2018 at 05:56:02PM -0400, Stefan Berger wrote:
>> This patch adds support for an external swtpm TPM emulator. The XML for
>> this type of TPM looks as follows:
>>
>> <tpm model='tpm-tis'>
>>   <backend type='emulator'/>
>> </tpm>
>>
>> The XML will currently only start a TPM 1.2.
>>
>> Upon the first start, libvirt will run `swtpm_setup`, which will simulate the
>> manufacturing of a TPM and create certificates for it and write them into the
>> NVRAM location of the emulated TPM.
>>
>> Then, libvirt will automatically start the swtpm TPM emulator using the `swtpm`
>> executable.
>>
>> Once the VM terminates, libvirt uses the swtpm_ioctl executable to gracefully
>> shut down the `swtpm` in case it is still running (QEMU did not send shutdown)
>> or clean up the socket file.
>>
>> The above-mentioned executables must be found in the PATH.
>>
>> The executables can either be run as root or started as root and switch to
>> the tss user. The requirement for the tss user comes through 'tcsd', which
>> is used for the simulation of the manufacturing. Which user is used can be
>> configured through qemu.conf.
>>
>> The swtpm writes out state into files. The state is kept in
>> /var/lib/libvirt/tpm:
>>
>> [root@localhost libvirt]# ls -lZ | grep tpm
>> drwx--x--x. 7 root root unconfined_u:object_r:virt_var_lib_t:s0 4096 Apr  5 16:22 tpm
>>
>> The directory /var/lib/libvirt/tpm maintains per-TPM state directories but
>> also hosts the UnixIO socket of running swtpms, which QEMU uses for communicating
>> with them. At this point only the socket file is labeled properly and made accessible
>> for QEMU, which runs under the qemu user:
> /var/lib is for persistent state while /var/run is for transient
> state, so I think sockets should be under /var/run instead.
/var/run/libvirt/qemu then?

I now moved it into this neighborhood, which seems good due to the
existing permissions:

# ls -lZ domain-1-testvm/
total 4
-rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612 32 Apr  6 09:55 master-key.aes
srwxrwxr-x. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612  0 Apr  6 09:55 monitor.sock
srw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612  0 Apr  6 09:55 swtpm.sock
Stefan
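The exchange above turns on two things: keeping the persistent TPM state (the /var/lib side) apart from the transient control socket (the /var/run side), and making sure that socket ends up as `srw-------` owned by the user QEMU runs as. The following is an added example written for this page, not libvirt's or swtpm's own code. It builds that layout in a temporary directory, creates a UnixIO socket under a restrictive umask the way a launcher would, checks the resulting mode and ownership, shows the check failing once the socket is opened up, and cleans the socket up afterwards. The `swtpm_setup`, `swtpm` and `swtpm_ioctl` command lines are only returned as argv lists for reference, never executed; they follow the upstream swtpm options as I recall them (`--tpm-state`, `--tpmstate dir=`, `--ctrl type=unixio,path=`, `swtpm_ioctl -s --unix`) and are an assumption to verify against the installed version. SELinux labels cannot be reproduced here, so the check covers DAC only.

```python
import os
import socket
import stat
import tempfile
from pathlib import Path


def make_dirs(base):
    """Constructed layout mirroring the thread: persistent state under a
    /var/lib-like tree, the transient socket under a /var/run-like per-domain dir."""
    state_dir = Path(base) / "lib" / "tpm" / "testvm"             # NVRAM, survives reboots
    run_dir = Path(base) / "run" / "qemu" / "domain-1-testvm"      # sockets, per VM run
    state_dir.mkdir(parents=True, mode=0o700)
    run_dir.mkdir(parents=True, mode=0o700)
    return state_dir, run_dir


def swtpm_setup_cmd(state_dir):
    # One-time "manufacturing" step (assumed swtpm_setup flags, not executed here).
    return ["swtpm_setup", "--tpm-state", str(state_dir),
            "--createek", "--create-ek-cert", "--create-platform-cert"]


def swtpm_cmd(state_dir, sock_path):
    # Emulator start: state in the persistent dir, control channel on the UnixIO socket.
    return ["swtpm", "socket", "--tpmstate", f"dir={state_dir}",
            "--ctrl", f"type=unixio,path={sock_path}"]


def swtpm_shutdown_cmd(sock_path):
    # Graceful shutdown over the control socket after the VM is gone (assumed flags).
    return ["swtpm_ioctl", "-s", "--unix", str(sock_path)]


def create_ctrl_socket(sock_path):
    """Bind the control socket with umask 0177 so it is created srw-------:
    only the owner (the qemu user in the thread) can talk to the emulator."""
    old_umask = os.umask(0o177)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(str(sock_path))
        srv.listen(1)
    finally:
        os.umask(old_umask)
    return srv


def socket_is_private(sock_path, uid=None):
    """True only if path is a socket, owned by uid, with no group/other bits."""
    uid = os.getuid() if uid is None else uid
    st = os.lstat(sock_path)
    return (stat.S_ISSOCK(st.st_mode)
            and st.st_uid == uid
            and (st.st_mode & 0o077) == 0)


def cleanup(srv, sock_path):
    """What the launcher does once the emulator is down: remove the stale socket file."""
    srv.close()
    try:
        os.unlink(sock_path)
    except FileNotFoundError:
        pass
    return not os.path.exists(sock_path)


def demo():
    """Returns (private_after_create, private_after_chmod_666, socket_removed)."""
    with tempfile.TemporaryDirectory() as tmp:
        state_dir, run_dir = make_dirs(tmp)
        sock_path = run_dir / "swtpm.sock"
        srv = create_ctrl_socket(sock_path)
        private = socket_is_private(sock_path)
        os.chmod(sock_path, 0o666)                 # simulate a mislabeled/world-open socket
        still_private = socket_is_private(sock_path)
        removed = cleanup(srv, sock_path)
        return private, still_private, removed


if __name__ == "__main__":
    print(demo())
    print(" ".join(swtpm_cmd("/var/lib/libvirt/tpm/testvm",
                             "/var/run/libvirt/qemu/domain-1-testvm/swtpm.sock")))
```

The umask trick is the point: a launcher that binds the socket with its default umask (typically 022) gets `srwxr-xr-x`, and any local user could then send commands down the emulator's control channel. Checking `socket_is_private` after the bind (and again before reusing an existing socket path) is the cheap guard for that.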