On Mon, Jul 18, 2022 at 11:30:43 +0200, Michal Privoznik wrote:
When "default" model of a TPM was provided, our parses accepts it happily even though the value is forbidden by our RNG and not documented as accepted value. This is because of < 0 vs <= 0 comparison of virDomainTPMModelTypeFromString() retval.
Make the parser error out explicitly in this case. Users can always chose to not specify the attribute in which case we pick a sane default (in qemuDomainTPMDefPostParse()).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/conf/domain_conf.c | 2 +- src/conf/domain_conf.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 4c7a5a044c..b7147945da 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -10360,7 +10360,7 @@ virDomainTPMDefParseXML(virDomainXMLOption *xmlopt,
model = virXMLPropString(node, "model"); if (model != NULL && - (def->model = virDomainTPMModelTypeFromString(model)) < 0) { + (def->model = virDomainTPMModelTypeFromString(model)) <= 0) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, _("Unknown TPM frontend model '%s'"), model); goto error;
'virDomainTPMDefFormat' happily formats 'default' as supported type: virBufferAsprintf(&attrBuf, " model='%s'", virDomainTPMModelTypeToString(def->model)); Is there any other code path which would forbid 'default'? If no, then we might run into a situation where libvirt's parser would reject parsing a XML formatted by libvirt itself, which is not acceptable. In such case we'd need to leave the parser as-is and add just validation where 'defau't will be forbidden, which is acceptable.