The LXC libvirt driver has no support for TPM passthrough.
This commit adds the option to use the host TPM inside containers.
Signed-off-by: Julio Faracco <jcfaracco(a)gmail.com>
---
src/lxc/lxc_cgroup.c | 27 +++++++++++++++++++
src/lxc/lxc_controller.c | 56 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c
index d13f2adde5..955d2b4fc1 100644
--- a/src/lxc/lxc_cgroup.c
+++ b/src/lxc/lxc_cgroup.c
@@ -374,6 +374,33 @@ static int virLXCCgroupSetupDeviceACL(virDomainDefPtr def,
return -1;
}
+ for (i = 0; i < def->ntpms; i++) {
+ virDomainTPMDefPtr tpm = def->tpms[i];
+ const char *dev = NULL;
+
+ switch (tpm->type) {
+ case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ case VIR_DOMAIN_TPM_TYPE_LAST:
+ break;
+ case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+ dev = "/dev/tpm0";
+ break;
+ }
+
+ if (!dev)
+ continue;
+
+ if (!virFileExists(dev)) {
+ VIR_DEBUG("Ignoring non-existent device %s", dev);
+ continue;
+ }
+
+ if (virCgroupAllowDevicePath(cgroup, dev,
+ VIR_CGROUP_DEVICE_READ,
+ false) < 0)
+ return -1;
+ }
+
VIR_DEBUG("Device ACL setup complete");
return 0;
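Review bot: The ACL granted at `virCgroupAllowDevicePath(cgroup, dev, VIR_CGROUP_DEVICE_READ, false)` is read-only, but a TPM is driven by writing command buffers to the character device and reading the response back, so the container's open(O_RDWR)/write will be refused by the device cgroup and the passthrough is unusable; this should be `VIR_CGROUP_DEVICE_RW`. The node is also hard-coded as `dev = "/dev/tpm0";` rather than taken from the TPM definition, so a domain configured with a different source (a second TPM, or the kernel resource manager node `/dev/tpmrm0`) would get the wrong device whitelisted — presumably the passthrough source path on `tpm->data` should be used, assuming the parser fills it for LXC as it does for QEMU; confirm. Worth a comment that `/dev/tpm0` is the raw device, which the kernel only lets one process open at a time, so while the container holds it the host itself cannot use its TPM. The enclosing virLXCCgroupSetupDeviceACL starts outside the hunk.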
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index ae6b737b60..70ca773bbf 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -1644,6 +1644,59 @@ virLXCControllerSetupHostdevSubsysUSB(virDomainDefPtr vmDef,
}
+static int
+virLXCControllerSetupTPM(virLXCControllerPtr ctrl)
+{
+ virDomainDefPtr def = ctrl->def;
+ size_t i;
+
+ for (i = 0; i < def->ntpms; i++) {
+ virDomainTPMDefPtr tpm = def->tpms[i];
+ g_autofree char *path = NULL;
+ const char *tpm_dev = NULL;
+ struct stat sb;
+ dev_t dev;
+
+ switch (tpm->type) {
+ case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ case VIR_DOMAIN_TPM_TYPE_LAST:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("unsupported timer type (name) '%s'"),
+ virDomainTPMBackendTypeToString(tpm->type));
+ return -1;
+ case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+ tpm_dev = "/dev/tpm0";
+ path = g_strdup_printf("/%s/%s.dev/%s", LXC_STATE_DIR,
+ def->name, "/rtc");
+ break;
+ }
+
+ if (!tpm_dev)
+ continue;
+
+ if (stat(tpm_dev, &sb) < 0) {
+ virReportSystemError(errno, _("Unable to access %s"),
+ tpm_dev);
+ return -1;
+ }
+
+ dev = makedev(major(sb.st_rdev), minor(sb.st_rdev));
+ if (mknod(path, S_IFCHR, dev) < 0 ||
+ chmod(path, sb.st_mode)) {
+ virReportSystemError(errno,
+ _("Failed to make device %s"),
+ path);
+ return -1;
+ }
+
+ if (lxcContainerChown(def, path) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
static int
virLXCControllerSetupHostdevCapsStorage(virDomainDefPtr vmDef,
virDomainHostdevDefPtr def,
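Review bot: The node path built at `path = g_strdup_printf("/%s/%s.dev/%s", LXC_STATE_DIR, def->name, "/rtc");` is copied from the RTC setup: the device node created for the TPM is named `rtc` (with a doubled slash), so a guest with both RTC and TPM passthrough has one node clobber the other and nothing inside the container is ever called `tpm0`; it should be `path = g_strdup_printf("/%s/%s.dev/tpm0", LXC_STATE_DIR, def->name);`. The error text `_("unsupported timer type (name) '%s'")` in the EMULATOR/LAST arm is the same copy-paste and should read `_("unsupported TPM type '%s'")`. The stat() result is never checked to be a character device before `mknod(path, S_IFCHR, dev)`, so if `/dev/tpm0` is something unexpected a bogus node with st_rdev of 0 is created; a guard `if (!S_ISCHR(sb.st_mode))` that reports an error and returns -1 would catch that. Since `chmod(path, sb.st_mode)` copies the host mode verbatim and the node is then chowned into the container, a comment should state that this hands the container the host's physical TPM (PCR extends, persistent handles, NV storage) with whatever permissions the host node carries.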
@@ -2358,6 +2411,9 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
if (virLXCControllerSetupAllHostdevs(ctrl) < 0)
goto cleanup;
+ if (virLXCControllerSetupTPM(ctrl) < 0)
+ goto cleanup;
+
if (virLXCControllerSetupFuse(ctrl) < 0)
goto cleanup;
--
2.25.1