[libvirt] [PATCH 00/12] Add support for TPM emulator
This series of patches adds support for the TPM emulator backend that is available in QEMU and based on swtpm + libtpms. It allows to attach a TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm process, its Unix socket, and log file with the same label that the QEMU process gets. Besides that swtpm is added to the emulator cgroup to restrict its CPU usage. The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a TPM 1.2. The device state is not removed during those changes but only when the domain is undefined. The swtpm needs persistent storage to store its state. For that I am using the uuid of the VM as part of the path since the name of the VM can be changed. Logfiles, PID files, and socket names are based on the name of the VM, though. Stefan v5->v6: - Addressed John Ferlan's comments - rebased on latest tip - Added patch 12. v4->v5: - Addressed John Ferlan's, Boris Fiuczysnki's and Marc Hartmayer's comments - rebased on latest tip v3->v4: - Addressed John Ferlan's comments - Fixed bugs I found while testing - rebased on latest tip Stefan Berger (12): conf: Add support for external swtpm TPM emulator to domain XML qemu: Extend QEMU capabilities with 'tpm-emulator' util: Implement virFileChownFiles() security: Add DAC and SELinux security for tpm-emulator qemu: Extend qemu_conf with tpm-emulator support qemu: Extend QEMU with external TPM support qemu: Add support for external swtpm TPM emulator tests: Add test cases for external swtpm TPM emulator security: Label the external swtpm with SELinux labels conf: Add support for choosing emulation of a TPM 2 qemu: Add swtpm to emulator cgroup news: Update news with new TPM emulator feature docs/formatdomain.html.in | 43 + docs/news.xml | 9 + docs/schemas/domaincommon.rng | 17 + libvirt.spec.in | 2 + src/conf/domain_audit.c | 2 + src/conf/domain_conf.c | 53 +- src/conf/domain_conf.h | 12 + src/libvirt_private.syms | 3 + src/qemu/Makefile.inc.am | 10 + src/qemu/libvirtd_qemu.aug | 5 + src/qemu/qemu.conf | 8 + src/qemu/qemu_capabilities.c | 5 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_cgroup.c | 36 + src/qemu/qemu_cgroup.h | 2 + src/qemu/qemu_command.c | 34 +- src/qemu/qemu_conf.c | 43 + src/qemu/qemu_conf.h | 6 + src/qemu/qemu_domain.c | 3 + src/qemu/qemu_extdevice.c | 180 ++++ src/qemu/qemu_extdevice.h | 59 ++ src/qemu/qemu_process.c | 16 + src/qemu/qemu_security.c | 69 ++ src/qemu/qemu_security.h | 11 + src/qemu/qemu_tpm.c | 946 +++++++++++++++++++++ src/qemu/qemu_tpm.h | 56 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 + src/security/security_dac.c | 7 + src/security/security_driver.h | 7 + src/security/security_manager.c | 36 + src/security/security_manager.h | 6 + src/security/security_selinux.c | 172 ++++ src/security/security_stack.c | 40 + src/util/virfile.c | 55 ++ src/util/virfile.h | 3 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + .../tpm-emulator-tpm2.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 + .../tpm-emulator.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator.xml | 30 + tests/qemuxml2argvtest.c | 16 +- tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 + tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 + tests/qemuxml2xmltest.c | 1 + 48 files changed, 2165 insertions(+), 10 deletions(-) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml -- 2.14.3
This patch adds support for an external swtpm TPM emulator. The XML for this type of TPM looks as follows: <tpm model='tpm-tis'> <backend type='emulator'/> </tpm> The XML will currently only define a TPM 1.2. Extend the documentation. Add a test case testing the XML parser and formatter. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- docs/formatdomain.html.in | 30 +++++++++++++++++++++++++++ docs/schemas/domaincommon.rng | 5 +++++ src/conf/domain_audit.c | 2 ++ src/conf/domain_conf.c | 28 +++++++++++++++++++------ src/conf/domain_conf.h | 6 ++++++ src/qemu/qemu_cgroup.c | 1 + src/qemu/qemu_command.c | 1 + src/qemu/qemu_domain.c | 1 + src/security/security_dac.c | 2 ++ src/security/security_selinux.c | 2 ++ tests/qemuxml2argvdata/tpm-emulator.xml | 30 +++++++++++++++++++++++++++ tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 +++++++++++++++++++++++++++++++ tests/qemuxml2xmltest.c | 1 + 13 files changed, 137 insertions(+), 6 deletions(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 0d0fd3b9f3..08a57bd751 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -7704,6 +7704,26 @@ qemu-kvm -net nic,model=? /dev/null </tpm> </devices> ... +</pre> + + <p> + The emulator device type gives access to a TPM emulator providing + TPM functionlity for each VM. QEMU talks to it over a Unix socket. With + the emulator device type each guest gets its own private TPM. + <span class="since">'emulator' since 4.4.0</span> + </p> + <p> + Example: usage of the TPM Emulator + </p> +<pre> + ... + <devices> + <tpm model='tpm-tis'> + <backend type='emulator'> + </backend> + </tpm> + </devices> + ... </pre> <dl> <dt><code>model</code></dt> @@ -7738,6 +7758,16 @@ qemu-kvm -net nic,model=? /dev/null </p> </dd> </dl> + <dl> + <dt><code>emulator</code></dt> + <dd> + <p> + For this backend type the 'swtpm' TPM Emulator must be installed on the + host. Libvirt will automatically start an independent TPM emulator + for each QEMU guest requesting access to it. + </p> + </dd> + </dl> </dd> </dl> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 71ac3d079c..3582cb5019 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -4124,6 +4124,11 @@ </attribute> <ref name="tpm-passthrough-device"/> </group> + <group> + <attribute name="type"> + <value>emulator</value> + </attribute> + </group> </choice> </element> </define> diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c index 82868bca76..25cccddb56 100644 --- a/src/conf/domain_audit.c +++ b/src/conf/domain_audit.c @@ -586,6 +586,8 @@ virDomainAuditTPM(virDomainObjPtr vm, virDomainTPMDefPtr tpm, "virt=%s resrc=dev reason=%s %s uuid=%s %s", virt, reason, vmname, uuidstr, device); break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + break; case VIR_DOMAIN_TPM_TYPE_LAST: default: break; diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 3689ac0a82..15dd490d17 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -864,7 +864,8 @@ VIR_ENUM_IMPL(virDomainTPMModel, VIR_DOMAIN_TPM_MODEL_LAST, "tpm-crb") VIR_ENUM_IMPL(virDomainTPMBackend, VIR_DOMAIN_TPM_TYPE_LAST, - "passthrough") + "passthrough", + "emulator") VIR_ENUM_IMPL(virDomainIOMMUModel, VIR_DOMAIN_IOMMU_MODEL_LAST, "intel") @@ -2601,6 +2602,11 @@ void virDomainTPMDefFree(virDomainTPMDefPtr def) case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: VIR_FREE(def->data.passthrough.source.data.file.path); break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + virDomainChrSourceDefClear(&def->data.emulator.source); + VIR_FREE(def->data.emulator.storagepath); + VIR_FREE(def->data.emulator.logfile); + break; case VIR_DOMAIN_TPM_TYPE_LAST: break; } @@ -12648,6 +12654,11 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt, * </backend> * </tpm> * + * or like this: + * + * <tpm model='tpm-tis'> + * <backend type='emulator'/> + * </tpm> */ static virDomainTPMDefPtr virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, @@ -12714,6 +12725,8 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, def->data.passthrough.source.type = VIR_DOMAIN_CHR_TYPE_DEV; path = NULL; break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + break; case VIR_DOMAIN_TPM_TYPE_LAST: goto error; } @@ -24925,22 +24938,25 @@ virDomainTPMDefFormat(virBufferPtr buf, virBufferAsprintf(buf, "<tpm model='%s'>\n", virDomainTPMModelTypeToString(def->model)); virBufferAdjustIndent(buf, 2); - virBufferAsprintf(buf, "<backend type='%s'>\n", + virBufferAsprintf(buf, "<backend type='%s'", virDomainTPMBackendTypeToString(def->type)); - virBufferAdjustIndent(buf, 2); switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + virBufferAddLit(buf, ">\n"); + virBufferAdjustIndent(buf, 2); virBufferEscapeString(buf, "<device path='%s'/>\n", def->data.passthrough.source.data.file.path); + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "</backend>\n"); + break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + virBufferAddLit(buf, "/>\n"); break; case VIR_DOMAIN_TPM_TYPE_LAST: break; } - virBufferAdjustIndent(buf, -2); - virBufferAddLit(buf, "</backend>\n"); - virDomainDeviceInfoFormat(buf, &def->info, flags); virBufferAdjustIndent(buf, -2); diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index a78fdee40c..92466278ab 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1286,6 +1286,7 @@ typedef enum { typedef enum { VIR_DOMAIN_TPM_TYPE_PASSTHROUGH, + VIR_DOMAIN_TPM_TYPE_EMULATOR, VIR_DOMAIN_TPM_TYPE_LAST } virDomainTPMBackendType; @@ -1300,6 +1301,11 @@ struct _virDomainTPMDef { struct { virDomainChrSourceDef source; } passthrough; + struct { + virDomainChrSourceDef source; + char *storagepath; + char *logfile; + } emulator; } data; }; diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 546a4c8e63..54b00a5da5 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -305,6 +305,7 @@ qemuSetupTPMCgroup(virDomainObjPtr vm) case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: ret = qemuSetupChrSourceCgroup(vm, &dev->data.passthrough.source); break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_LAST: break; } diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 9da2d609e8..fe6d0912cb 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -9482,6 +9482,7 @@ qemuBuildTPMBackendStr(const virDomainDef *def, VIR_FREE(cancel_path); break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_LAST: goto error; } diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index d3beee5d87..ca5b2c3485 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -10418,6 +10418,7 @@ qemuDomainSetupTPM(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED, return -1; break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_LAST: /* nada */ break; diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 8938e2dd89..3ab229992a 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1372,6 +1372,7 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr, &tpm->data.passthrough.source, false); break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_LAST: break; } @@ -1393,6 +1394,7 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr, &tpm->data.passthrough.source, false); break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_LAST: break; } diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 5f74ef739b..5d20fdae70 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1472,6 +1472,7 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr, return -1; } break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_LAST: break; } @@ -1505,6 +1506,7 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityManagerPtr mgr, VIR_FREE(cancel_path); } break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_LAST: break; } diff --git a/tests/qemuxml2argvdata/tpm-emulator.xml b/tests/qemuxml2argvdata/tpm-emulator.xml new file mode 100644 index 0000000000..7f1e5756cb --- /dev/null +++ b/tests/qemuxml2argvdata/tpm-emulator.xml @@ -0,0 +1,30 @@ +<domain type='qemu'> + <name>TPM-VM</name> + <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid> + <memory unit='KiB'>2097152</memory> + <currentMemory unit='KiB'>512288</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type> + <boot dev='hd'/> + <bootmenu enable='yes'/> + </os> + <features> + <acpi/> + </features> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <controller type='usb' index='0'/> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <tpm model='tpm-tis'> + <backend type='emulator'/> + </tpm> + <memballoon model='virtio'/> + </devices> +</domain> diff --git a/tests/qemuxml2xmloutdata/tpm-emulator.xml b/tests/qemuxml2xmloutdata/tpm-emulator.xml new file mode 100644 index 0000000000..1b66e8b08a --- /dev/null +++ b/tests/qemuxml2xmloutdata/tpm-emulator.xml @@ -0,0 +1,34 @@ +<domain type='qemu'> + <name>TPM-VM</name> + <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid> + <memory unit='KiB'>2097152</memory> + <currentMemory unit='KiB'>512288</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type> + <boot dev='hd'/> + <bootmenu enable='yes'/> + </os> + <features> + <acpi/> + </features> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <controller type='usb' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <tpm model='tpm-tis'> + <backend type='emulator'/> + </tpm> + <memballoon model='virtio'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </memballoon> + </devices> +</domain> diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c index 7cedc2b999..3068e92ee6 100644 --- a/tests/qemuxml2xmltest.c +++ b/tests/qemuxml2xmltest.c @@ -675,6 +675,7 @@ mymain(void) DO_TEST("disk-copy_on_read", NONE); DO_TEST("tpm-passthrough", NONE); DO_TEST("tpm-passthrough-crb", NONE); + DO_TEST("tpm-emulator", NONE); DO_TEST("metadata", NONE); DO_TEST("metadata-duplicate", NONE); -- 2.14.3
Extend the QEMU capabilities with tpm-emulator support. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_capabilities.c | 5 +++++ src/qemu/qemu_capabilities.h | 1 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + 7 files changed, 11 insertions(+) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index bface72de2..e1ea95535c 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -487,6 +487,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST, /* 300 */ "sdl-gl", "screendump_device", + "tpm-emulator", ); @@ -2379,6 +2380,10 @@ static const struct tpmTypeToCaps virQEMUCapsTPMTypesToCaps[] = { .type = VIR_DOMAIN_TPM_TYPE_PASSTHROUGH, .caps = QEMU_CAPS_DEVICE_TPM_PASSTHROUGH, }, + { + .type = VIR_DOMAIN_TPM_TYPE_EMULATOR, + .caps = QEMU_CAPS_DEVICE_TPM_EMULATOR, + }, }; const struct tpmTypeToCaps virQEMUCapsTPMModelsToCaps[] = { diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index 6f9953478a..6ad8bf6a23 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -471,6 +471,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check */ /* 300 */ QEMU_CAPS_SDL_GL, /* -sdl gl */ QEMU_CAPS_SCREENDUMP_DEVICE, /* screendump command accepts device & head */ + QEMU_CAPS_DEVICE_TPM_EMULATOR, /* -tpmdev emulator */ QEMU_CAPS_LAST /* this must always be the last item */ } virQEMUCapsFlags; diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml index 9adca9d46b..a0946e319b 100644 --- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml @@ -122,6 +122,7 @@ <flag name='pr-manager-helper'/> <flag name='virtual-css-bridge'/> <flag name='sdl-gl'/> + <flag name='tpm-emulator'/> <version>2011000</version> <kvmVersion>0</kvmVersion> <microcodeVersion>342166</microcodeVersion> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml index de41d96cd0..54c8a92541 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml @@ -163,6 +163,7 @@ <flag name='memory-backend-file.discard-data'/> <flag name='sdl-gl'/> <flag name='screendump_device'/> + <flag name='tpm-emulator'/> <version>2011090</version> <kvmVersion>0</kvmVersion> <microcodeVersion>343099</microcodeVersion> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml index fc26f934ee..98485e81b0 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml @@ -160,6 +160,7 @@ <flag name='memory-backend-file.discard-data'/> <flag name='sdl-gl'/> <flag name='screendump_device'/> + <flag name='tpm-emulator'/> <version>2011090</version> <kvmVersion>0</kvmVersion> <microcodeVersion>419968</microcodeVersion> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml index bdfb81c998..832a04456b 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml @@ -128,6 +128,7 @@ <flag name='vfio-ccw'/> <flag name='sdl-gl'/> <flag name='screendump_device'/> + <flag name='tpm-emulator'/> <version>2012000</version> <kvmVersion>0</kvmVersion> <microcodeVersion>371055</microcodeVersion> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml index 820b3ef759..6ff0485af8 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml @@ -201,6 +201,7 @@ <flag name='memory-backend-file.discard-data'/> <flag name='sdl-gl'/> <flag name='screendump_device'/> + <flag name='tpm-emulator'/> <version>2011090</version> <kvmVersion>0</kvmVersion> <microcodeVersion>390813</microcodeVersion> -- 2.14.3
Implement virFileChownFiles() which changes file ownership of all files in a given directory. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- src/libvirt_private.syms | 1 + src/util/virfile.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++ src/util/virfile.h | 3 +++ 3 files changed, 59 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 3dece252df..e378c73057 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1764,6 +1764,7 @@ virFileActivateDirOverride; virFileBindMountDevice; virFileBuildPath; virFileCanonicalizePath; +virFileChownFiles; virFileClose; virFileComparePaths; virFileCopyACLs; diff --git a/src/util/virfile.c b/src/util/virfile.c index 523241f64f..629aa67f16 100644 --- a/src/util/virfile.c +++ b/src/util/virfile.c @@ -2990,6 +2990,61 @@ void virDirClose(DIR **dirp) *dirp = NULL; } + +/* + * virFileChownFiles: + * @name: name of the directory + * @uid: uid + * @gid: gid + * + * Change ownership of all regular files in a directory. + * + * Returns -1 on error, with error already reported, 0 on success. + */ +int virFileChownFiles(const char *name, + uid_t uid, + gid_t gid) +{ + struct dirent *ent; + int ret = -1; + int direrr; + DIR *dir; + char *path = NULL; + + if (virDirOpen(&dir, name) < 0) + return -1; + + while ((direrr = virDirRead(dir, &ent, name)) > 0) { + if (ent->d_type != DT_REG) + continue; + + if (virAsprintf(&path, "%s/%s", name, ent->d_name) < 0) + goto cleanup; + + if (chown(path, uid, gid) < 0) { + virReportSystemError(errno, + _("cannot chown '%s' to (%u, %u)"), + ent->d_name, (unsigned int) uid, + (unsigned int) gid); + goto cleanup; + } + VIR_FREE(path); + } + + if (direrr < 0) + goto cleanup; + + ret = 0; + + cleanup: + VIR_FREE(path); + + virDirClose(&dir); + + return ret; +} + + static int virFileMakePathHelper(char *path, mode_t mode) { diff --git a/src/util/virfile.h b/src/util/virfile.h index 6b0cbad4d1..c7a32c30a8 100644 --- a/src/util/virfile.h +++ b/src/util/virfile.h @@ -238,6 +238,9 @@ int virFileOpenAs(const char *path, int openflags, mode_t mode, ATTRIBUTE_NONNULL(1) ATTRIBUTE_RETURN_CHECK; int virFileRemove(const char *path, uid_t uid, gid_t gid); +int virFileChownFiles(const char *name, uid_t uid, gid_t gid) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_RETURN_CHECK; + enum { VIR_DIR_CREATE_NONE = 0, VIR_DIR_CREATE_AS_UID = (1 << 0), -- 2.14.3
Extend the DAC and SELinux modules with support for the tpm-emulator. We label the Unix socket that QEMU connects to after starting swtmp with DAC and SELinux labels. We do not have to restore the labels in this case since the tpm-emulator will remove the Unix socket when it terminates. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- src/security/security_dac.c | 5 +++++ src/security/security_selinux.c | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 3ab229992a..4b623dcf39 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1373,6 +1373,10 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr, false); break; case VIR_DOMAIN_TPM_TYPE_EMULATOR: + ret = virSecurityDACSetChardevLabel(mgr, def, + &tpm->data.emulator.source, + false); + break; case VIR_DOMAIN_TPM_TYPE_LAST: break; } @@ -1395,6 +1399,7 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr, false); break; case VIR_DOMAIN_TPM_TYPE_EMULATOR: + /* swtpm will have removed the Unix socket upon termination */ case VIR_DOMAIN_TPM_TYPE_LAST: break; } diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 5d20fdae70..92e84155d1 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1473,6 +1473,11 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr, } break; case VIR_DOMAIN_TPM_TYPE_EMULATOR: + tpmdev = tpm->data.emulator.source.data.nix.path; + rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel); + if (rc < 0) + return -1; + break; case VIR_DOMAIN_TPM_TYPE_LAST: break; } @@ -1507,6 +1512,7 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityManagerPtr mgr, } break; case VIR_DOMAIN_TPM_TYPE_EMULATOR: + /* swtpm will have removed the Unix socket upon termination */ case VIR_DOMAIN_TPM_TYPE_LAST: break; } -- 2.14.3
Extend qemu_conf with user and group for running the tpm-emulator and add directories to the configuration for the locations of the log, state, and socket of the tpm-emulator. Also add these new directories to the QEMU Makefile.inc.am and the RPM spec file libvirt.spec.in. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- libvirt.spec.in | 2 ++ src/qemu/Makefile.inc.am | 6 ++++++ src/qemu/libvirtd_qemu.aug | 5 +++++ src/qemu/qemu.conf | 8 +++++++ src/qemu/qemu_conf.c | 43 ++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_conf.h | 6 ++++++ src/qemu/test_libvirtd_qemu.aug.in | 2 ++ 7 files changed, 72 insertions(+) diff --git a/libvirt.spec.in b/libvirt.spec.in index 0e4a84c98c..6ec3dcdce4 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1903,6 +1903,8 @@ exit 0 %{_datadir}/augeas/lenses/libvirtd_qemu.aug %{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug %{_libdir}/%{name}/connection-driver/libvirt_driver_qemu.so +%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/swtpm/ +%dir %attr(0711, root, root) %{_localstatedir}/log/swtpm/libvirt/qemu/ %endif %if %{with_lxc} diff --git a/src/qemu/Makefile.inc.am b/src/qemu/Makefile.inc.am index 63e7c878d1..7f50501f18 100644 --- a/src/qemu/Makefile.inc.am +++ b/src/qemu/Makefile.inc.am @@ -129,12 +129,18 @@ install-data-qemu: $(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/qemu" $(MKDIR_P) "$(DESTDIR)$(localstatedir)/cache/libvirt/qemu" $(MKDIR_P) "$(DESTDIR)$(localstatedir)/log/libvirt/qemu" + $(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/swtpm" + $(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/qemu/swtpm" + $(MKDIR_P) "$(DESTDIR)$(localstatedir)/log/swtpm/libvirt/qemu" uninstall-data-qemu: rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/qemu" ||: rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/qemu" ||: rmdir "$(DESTDIR)$(localstatedir)/cache/libvirt/qemu" ||: rmdir "$(DESTDIR)$(localstatedir)/log/libvirt/qemu" ||: + rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/swtpm" + rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/qemu/swtpm" ||: + rmdir "$(DESTDIR)$(localstatedir)/log/swtpm/libvirt/qemu" ||: endif WITH_QEMU diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 2dc16e91fd..98bf617049 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -119,6 +119,9 @@ module Libvirtd_qemu = let vxhs_entry = bool_entry "vxhs_tls" | str_entry "vxhs_tls_x509_cert_dir" + let swtpm_user_entry = str_entry "swtpm_user" + let swtpm_group_entry = str_entry "swtpm_group" + (* Each entry in the config is one of the following ... *) let entry = default_tls_entry | vnc_entry @@ -138,6 +141,8 @@ module Libvirtd_qemu = | gluster_debug_level_entry | memory_entry | vxhs_entry + | swtpm_user_entry + | swtpm_group_entry let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ] let empty = [ label "#empty" . eol ] diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 31738ff19c..54a8ffb2bf 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -783,3 +783,11 @@ # Path to the SCSI persistent reservations helper. This helper is # used whenever <reservations/> are enabled for SCSI LUN devices. #pr_helper = "/usr/bin/qemu-pr-helper" + +# User for the swtpm TPM Emulator +# +# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs +# and uses; alternative is 'root' +# +#swtpm_user = "tss" +#swtpm_group = "tss" diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 277ab833a8..674b6e847b 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -159,6 +159,10 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) "%s/log/libvirt/qemu", LOCALSTATEDIR) < 0) goto error; + if (virAsprintf(&cfg->swtpmLogDir, + "%s/log/swtpm/libvirt/qemu", LOCALSTATEDIR) < 0) + goto error; + if (VIR_STRDUP(cfg->configBaseDir, SYSCONFDIR "/libvirt") < 0) goto error; @@ -166,6 +170,10 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) "%s/run/libvirt/qemu", LOCALSTATEDIR) < 0) goto error; + if (virAsprintf(&cfg->swtpmStateDir, + "%s/run/libvirt/qemu/swtpm", LOCALSTATEDIR) < 0) + goto error; + if (virAsprintf(&cfg->cacheDir, "%s/cache/libvirt/qemu", LOCALSTATEDIR) < 0) goto error; @@ -186,6 +194,13 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) goto error; if (virAsprintf(&cfg->memoryBackingDir, "%s/ram", cfg->libDir) < 0) goto error; + if (virAsprintf(&cfg->swtpmStorageDir, "%s/lib/libvirt/swtpm", + LOCALSTATEDIR) < 0) + goto error; + if (virGetUserID("tss", &cfg->swtpm_user) < 0) + cfg->swtpm_user = 0; /* fall back to root */ + if (virGetGroupID("tss", &cfg->swtpm_group) < 0) + cfg->swtpm_group = 0; /* fall back to root */ } else { char *rundir; char *cachedir; @@ -199,6 +214,11 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) VIR_FREE(cachedir); goto error; } + if (virAsprintf(&cfg->swtpmLogDir, + "%s/qemu/log", cachedir) < 0) { + VIR_FREE(cachedir); + goto error; + } if (virAsprintf(&cfg->cacheDir, "%s/qemu/cache", cachedir) < 0) { VIR_FREE(cachedir); goto error; @@ -214,6 +234,9 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) } VIR_FREE(rundir); + if (virAsprintf(&cfg->swtpmStateDir, "%s/swtpm", cfg->stateDir) < 0) + goto error; + if (!(cfg->configBaseDir = virGetUserConfigDirectory())) goto error; @@ -233,6 +256,10 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) goto error; if (virAsprintf(&cfg->memoryBackingDir, "%s/qemu/ram", cfg->configBaseDir) < 0) goto error; + if (virAsprintf(&cfg->swtpmStorageDir, "%s/qemu/swtpm", cfg->configBaseDir) < 0) + goto error; + cfg->swtpm_user = (uid_t)-1; + cfg->swtpm_group = (gid_t)-1; } if (virAsprintf(&cfg->configDir, "%s/qemu", cfg->configBaseDir) < 0) @@ -352,7 +379,9 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->configDir); VIR_FREE(cfg->autostartDir); VIR_FREE(cfg->logDir); + VIR_FREE(cfg->swtpmLogDir); VIR_FREE(cfg->stateDir); + VIR_FREE(cfg->swtpmStateDir); VIR_FREE(cfg->libDir); VIR_FREE(cfg->cacheDir); @@ -402,6 +431,7 @@ static void virQEMUDriverConfigDispose(void *obj) virFirmwareFreeList(cfg->firmwares, cfg->nfirmwares); VIR_FREE(cfg->memoryBackingDir); + VIR_FREE(cfg->swtpmStorageDir); } @@ -473,6 +503,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, size_t i, j; char *stdioHandler = NULL; char *user = NULL, *group = NULL; + char *swtpm_user = NULL, *swtpm_group = NULL; char **controllers = NULL; char **hugetlbfs = NULL; char **nvram = NULL; @@ -912,6 +943,16 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, if (virConfGetValueString(conf, "memory_backing_dir", &cfg->memoryBackingDir) < 0) goto cleanup; + if (virConfGetValueString(conf, "swtpm_user", &swtpm_user) < 0) + goto cleanup; + if (swtpm_user && virGetUserID(swtpm_user, &cfg->swtpm_user) < 0) + goto cleanup; + + if (virConfGetValueString(conf, "swtpm_group", &swtpm_group) < 0) + goto cleanup; + if (swtpm_group && virGetGroupID(swtpm_group, &cfg->swtpm_group) < 0) + goto cleanup; + ret = 0; cleanup: @@ -922,6 +963,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, VIR_FREE(corestr); VIR_FREE(user); VIR_FREE(group); + VIR_FREE(swtpm_user); + VIR_FREE(swtpm_group); virConfFree(conf); return ret; } diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 7a63780c48..70fcc08f37 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -102,7 +102,9 @@ struct _virQEMUDriverConfig { char *configDir; char *autostartDir; char *logDir; + char *swtpmLogDir; char *stateDir; + char *swtpmStateDir; /* These two directories are ones QEMU processes use (so must match * the QEMU user/group */ char *libDir; @@ -111,6 +113,7 @@ struct _virQEMUDriverConfig { char *snapshotDir; char *channelTargetDir; char *nvramDir; + char *swtpmStorageDir; char *defaultTLSx509certdir; bool checkdefaultTLSx509certdir; @@ -207,6 +210,9 @@ struct _virQEMUDriverConfig { bool vxhsTLS; char *vxhsTLSx509certdir; + + uid_t swtpm_user; + gid_t swtpm_group; }; /* Main driver state */ diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in index 95885e9f06..a875fc2819 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -101,3 +101,5 @@ module Test_libvirtd_qemu = } { "memory_backing_dir" = "/var/lib/libvirt/qemu/ram" } { "pr_helper" = "/usr/bin/qemu-pr-helper" } +{ "swtpm_user" = "tss" } +{ "swtpm_group" = "tss" } -- 2.14.3
Implement functions for managing the storage of the external swtpm as well as starting and stopping it. Also implement functions to use swtpm_setup, which simulates the manufacturing of a TPM, which includes creation of certificates for the device. Further, the external TPM needs storage on the host that we need to set up before it can be run. We can clean up the host once the domain is undefined. This patch also implements a small layer for external device support that calls into the TPM device layer if a domain has an attached TPM. This is the layer we will wire up later on. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- src/qemu/Makefile.inc.am | 4 + src/qemu/qemu_domain.c | 2 + src/qemu/qemu_extdevice.c | 154 ++++++++++ src/qemu/qemu_extdevice.h | 53 ++++ src/qemu/qemu_process.c | 12 + src/qemu/qemu_tpm.c | 751 ++++++++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_tpm.h | 50 +++ 7 files changed, 1026 insertions(+) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h diff --git a/src/qemu/Makefile.inc.am b/src/qemu/Makefile.inc.am index 7f50501f18..46797af4be 100644 --- a/src/qemu/Makefile.inc.am +++ b/src/qemu/Makefile.inc.am @@ -19,6 +19,8 @@ QEMU_DRIVER_SOURCES = \ qemu/qemu_domain_address.h \ qemu/qemu_cgroup.c \ qemu/qemu_cgroup.h \ + qemu/qemu_extdevice.c \ + qemu/qemu_extdevice.h \ qemu/qemu_hostdev.c \ qemu/qemu_hostdev.h \ qemu/qemu_hotplug.c \ @@ -51,6 +53,8 @@ QEMU_DRIVER_SOURCES = \ qemu/qemu_security.h \ qemu/qemu_qapi.c \ qemu/qemu_qapi.h \ + qemu/qemu_tpm.c \ + qemu/qemu_tpm.h \ $(NULL) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index ca5b2c3485..bbf52baa0e 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -34,6 +34,7 @@ #include "qemu_migration.h" #include "qemu_migration_params.h" #include "qemu_security.h" +#include "qemu_extdevice.h" #include "viralloc.h" #include "virlog.h" #include "virerror.h" @@ -7217,6 +7218,7 @@ qemuDomainRemoveInactive(virQEMUDriverPtr driver, VIR_WARN("unable to remove snapshot directory %s", snapDir); VIR_FREE(snapDir); } + qemuExtDevicesCleanupHost(driver, vm->def); virDomainObjListRemove(driver->domains, vm); diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c new file mode 100644 index 0000000000..790b19be9e --- /dev/null +++ b/src/qemu/qemu_extdevice.c @@ -0,0 +1,154 @@ +/* + * qemu_extdevice.c: QEMU external devices support + * + * Copyright (C) 2014, 2018 IBM Corporation + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + * + * Author: Stefan Berger <stefanb@linux.vnet.ibm.com> + */ + +#include <config.h> + +#include "qemu_extdevice.h" +#include "qemu_domain.h" +#include "qemu_tpm.h" + +#include "viralloc.h" +#include "virlog.h" +#include "virstring.h" +#include "virtime.h" + +#define VIR_FROM_THIS VIR_FROM_QEMU + +VIR_LOG_INIT("qemu.qemu_extdevice") + +int +qemuExtDeviceLogCommand(qemuDomainLogContextPtr logCtxt, + virCommandPtr cmd, + const char *info) +{ + int ret = -1; + char *timestamp = NULL; + char *logline = NULL; + int logFD; + + logFD = qemuDomainLogContextGetWriteFD(logCtxt); + + if ((timestamp = virTimeStringNow()) == NULL) + goto cleanup; + + if (virAsprintf(&logline, "%s: Starting external device: %s\n", + timestamp, info) < 0) + goto cleanup; + + if (safewrite(logFD, logline, strlen(logline)) < 0) + goto cleanup; + + virCommandWriteArgLog(cmd, logFD); + + ret = 0; + + cleanup: + VIR_FREE(timestamp); + VIR_FREE(logline); + + return ret; +} + + +/* + * qemuExtDevicesInitPaths: + * + * @driver: QEMU driver + * @def: domain definition + * + * Initialize paths of external devices so that it is known where state is + * stored and we can remove directories and files in case of domain XML + * changes. + */ +static int +qemuExtDevicesInitPaths(virQEMUDriverPtr driver, + virDomainDefPtr def) +{ + int ret = 0; + + if (def->tpm) + ret = qemuExtTPMInitPaths(driver, def); + + return ret; +} + + +/* + * qemuExtDevicesPrepareHost: + * + * @driver: QEMU driver + * @def: domain definition + * + * Prepare host storage paths for external devices. + */ +int +qemuExtDevicesPrepareHost(virQEMUDriverPtr driver, + virDomainDefPtr def) +{ + int ret = 0; + + if (def->tpm) + ret = qemuExtTPMPrepareHost(driver, def); + + return ret; +} + + +void +qemuExtDevicesCleanupHost(virQEMUDriverPtr driver, + virDomainDefPtr def) +{ + if (qemuExtDevicesInitPaths(driver, def) < 0) + return; + + if (def->tpm) + qemuExtTPMCleanupHost(def); +} + + +int +qemuExtDevicesStart(virQEMUDriverPtr driver, + virDomainDefPtr def, + qemuDomainLogContextPtr logCtxt) +{ + int ret = 0; + + if (qemuExtDevicesInitPaths(driver, def) < 0) + return -1; + + if (def->tpm) + ret = qemuExtTPMStart(driver, def, logCtxt); + + return ret; +} + + +void +qemuExtDevicesStop(virQEMUDriverPtr driver, + virDomainDefPtr def) +{ + if (qemuExtDevicesInitPaths(driver, def) < 0) + return; + + if (def->tpm) + qemuExtTPMStop(driver, def); +} diff --git a/src/qemu/qemu_extdevice.h b/src/qemu/qemu_extdevice.h new file mode 100644 index 0000000000..6de858b2a3 --- /dev/null +++ b/src/qemu/qemu_extdevice.h @@ -0,0 +1,53 @@ +/* + * qemu_extdevice.h: QEMU external devices support + * + * Copyright (C) 2018 IBM Corporation + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + * + * Author: Stefan Berger <stefanb@linux.vnet.ibm.com> + */ +#ifndef __QEMU_EXTDEVICE_H__ +# define __QEMU_EXTDEVICE_H__ + +# include "qemu_conf.h" +# include "qemu_domain.h" + +int qemuExtDeviceLogCommand(qemuDomainLogContextPtr logCtxt, + virCommandPtr cmd, + const char *info) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) + ATTRIBUTE_RETURN_CHECK; + +int qemuExtDevicesPrepareHost(virQEMUDriverPtr driver, + virDomainDefPtr def) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) + ATTRIBUTE_RETURN_CHECK; + +void qemuExtDevicesCleanupHost(virQEMUDriverPtr driver, + virDomainDefPtr def) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); + +int qemuExtDevicesStart(virQEMUDriverPtr driver, + virDomainDefPtr def, + qemuDomainLogContextPtr logCtxt) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) + ATTRIBUTE_RETURN_CHECK; + +void qemuExtDevicesStop(virQEMUDriverPtr driver, + virDomainDefPtr def) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); + +#endif /* __QEMU_EXTDEVICE_H__ */ diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 174d932ae7..45a4750178 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -50,6 +50,7 @@ #include "qemu_migration_params.h" #include "qemu_interface.h" #include "qemu_security.h" +#include "qemu_extdevice.h" #include "cpu/cpu.h" #include "datatypes.h" @@ -6071,6 +6072,10 @@ qemuProcessPrepareHost(virQEMUDriverPtr driver, if (qemuProcessPrepareHostStorage(driver, vm, flags) < 0) goto cleanup; + VIR_DEBUG("Preparing external devices"); + if (qemuExtDevicesPrepareHost(driver, vm->def) < 0) + goto cleanup; + ret = 0; cleanup: virObjectUnref(cfg); @@ -6154,6 +6159,9 @@ qemuProcessLaunch(virConnectPtr conn, goto cleanup; logfile = qemuDomainLogContextGetWriteFD(logCtxt); + if (qemuExtDevicesStart(driver, vm->def, logCtxt) < 0) + goto cleanup; + VIR_DEBUG("Building emulator command line"); if (!(cmd = qemuBuildCommandLine(driver, qemuDomainLogContextGetManager(logCtxt), @@ -6398,6 +6406,8 @@ qemuProcessLaunch(virConnectPtr conn, ret = 0; cleanup: + if (ret < 0) + qemuExtDevicesStop(driver, vm->def); qemuDomainSecretDestroy(vm); virCommandFree(cmd); virObjectUnref(logCtxt); @@ -6821,6 +6831,8 @@ void qemuProcessStop(virQEMUDriverPtr driver, qemuDomainCleanupRun(driver, vm); + qemuExtDevicesStop(driver, vm->def); + /* Stop autodestroy in case guest is restarted */ qemuProcessAutoDestroyRemove(driver, vm); diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c new file mode 100644 index 0000000000..18e69c129e --- /dev/null +++ b/src/qemu/qemu_tpm.c @@ -0,0 +1,751 @@ +/* + * qemu_tpm.c: QEMU TPM support + * + * Copyright (C) 2018 IBM Corporation + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + * + * Author: Stefan Berger <stefanb@linux.vnet.ibm.com> + */ + +#include <config.h> + +#include <sys/types.h> +#include <unistd.h> +#include <fcntl.h> +#include <cap-ng.h> + +#include "qemu_extdevice.h" +#include "qemu_domain.h" + +#include "conf/domain_conf.h" +#include "vircommand.h" +#include "viralloc.h" +#include "virkmod.h" +#include "virlog.h" +#include "virutil.h" +#include "viruuid.h" +#include "virfile.h" +#include "virstring.h" +#include "configmake.h" +#include "qemu_tpm.h" + +#define VIR_FROM_THIS VIR_FROM_NONE + +VIR_LOG_INIT("qemu.tpm") + +/* + * executables for the swtpm; to be found on the host + */ +static char *swtpm_path; +static char *swtpm_setup; +static char *swtpm_ioctl; + +/* + * qemuTPMEmulatorInit + * + * Initialize the Emulator functions by searching for necessary + * executables that we will use to start and setup the swtpm + */ +static int +qemuTPMEmulatorInit(void) +{ + if (!swtpm_path) { + swtpm_path = virFindFileInPath("swtpm"); + if (!swtpm_path) { + virReportSystemError(ENOENT, "%s", + _("Unable to find 'swtpm' binary in $PATH")); + return -1; + } + if (!virFileIsExecutable(swtpm_path)) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("TPM emulator %s is not an executable"), + swtpm_path); + VIR_FREE(swtpm_path); + return -1; + } + } + + if (!swtpm_setup) { + swtpm_setup = virFindFileInPath("swtpm_setup"); + if (!swtpm_setup) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Could not find 'swtpm_setup' in PATH")); + return -1; + } + if (!virFileIsExecutable(swtpm_setup)) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("'%s' is not an executable"), + swtpm_setup); + VIR_FREE(swtpm_setup); + return -1; + } + } + + if (!swtpm_ioctl) { + swtpm_ioctl = virFindFileInPath("swtpm_ioctl"); + if (!swtpm_ioctl) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Could not find swtpm_ioctl in PATH")); + return -1; + } + if (!virFileIsExecutable(swtpm_ioctl)) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("swtpm_ioctl program %s is not an executable"), + swtpm_ioctl); + VIR_FREE(swtpm_ioctl); + return -1; + } + } + + return 0; +} + + +/* + * qemuTPMCreateEmulatorStoragePath + * + * @swtpmStorageDir: directory for swtpm persistent state + * @uuid: The UUID of the VM for which to create the storage + * + * Create the swtpm's storage path + */ +static char * +qemuTPMCreateEmulatorStoragePath(const char *swtpmStorageDir, + const char *uuidstr) +{ + char *path = NULL; + + ignore_value(virAsprintf(&path, "%s/%s/tpm1.2", swtpmStorageDir, uuidstr)); + + return path; +} + + +/* + * virtTPMGetTPMStorageDir: + * + * @storagepath: directory for swtpm's persistent state + * + * Derive the 'TPMStorageDir' from the storagepath by searching + * for the last '/'. + */ +static char * +qemuTPMGetTPMStorageDir(const char *storagepath) +{ + const char *tail = strrchr(storagepath, '/'); + char *path = NULL; + + if (!tail) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not get tail of storagedir %s"), + storagepath); + return NULL; + } + ignore_value(VIR_STRNDUP(path, storagepath, tail - storagepath)); + + return path; +} + + +/* + * qemuTPMEmulatorInitStorage + * + * Initialize the TPM Emulator storage by creating its root directory, + * which is typically found in /var/lib/libvirt/tpm. + * + */ +static int +qemuTPMEmulatorInitStorage(const char *swtpmStorageDir) +{ + int rc = 0; + + /* allow others to cd into this dir */ + if (virFileMakePathWithMode(swtpmStorageDir, 0711) < 0) { + virReportSystemError(errno, + _("Could not create TPM directory %s"), + swtpmStorageDir); + rc = -1; + } + + return rc; +} + + +/* + * qemuTPMCreateEmulatorStorage + * + * @storagepath: directory for swtpm's persistent state + * @created: a pointer to a bool that will be set to true if the + * storage was created because it did not exist yet + * @swtpm_user: The uid that needs to be able to access the directory + * @swtpm_group: The gid that needs to be able to access the directory + * + * Unless the storage path for the swtpm for the given VM + * already exists, create it and make it accessible for the given userid. + * Adapt ownership of the directory and all swtpm's state files there. + */ +static int +qemuTPMCreateEmulatorStorage(const char *storagepath, + bool *created, + uid_t swtpm_user, + gid_t swtpm_group) +{ + int ret = -1; + char *swtpmStorageDir = qemuTPMGetTPMStorageDir(storagepath); + + if (!swtpmStorageDir) + return -1; + + if (qemuTPMEmulatorInitStorage(swtpmStorageDir) < 0) + goto cleanup; + + *created = false; + + if (!virFileExists(storagepath)) + *created = true; + + if (virDirCreate(storagepath, 0700, swtpm_user, swtpm_group, + VIR_DIR_CREATE_ALLOW_EXIST) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not create directory %s as %u:%d"), + storagepath, swtpm_user, swtpm_group); + goto cleanup; + } + + if (virFileChownFiles(storagepath, swtpm_user, swtpm_group) < 0) + goto cleanup; + + ret = 0; + + cleanup: + VIR_FREE(swtpmStorageDir); + + return ret; +} + + +static void +qemuTPMDeleteEmulatorStorage(virDomainTPMDefPtr tpm) +{ + char *path = qemuTPMGetTPMStorageDir(tpm->data.emulator.storagepath); + + if (path) { + ignore_value(virFileDeleteTree(path)); + VIR_FREE(path); + } +} + + +/* + * qemuTPMCreateEmulatorSocket: + * + * @swtpmStateDir: the directory where to create the socket in + * @shortName: short and unique name of the domain + * + * Create the Unix socket path from the given parameters + */ +static char * +qemuTPMCreateEmulatorSocket(const char *swtpmStateDir, + const char *shortName) +{ + char *path = NULL; + + ignore_value(virAsprintf(&path, "%s/%s-swtpm.sock", swtpmStateDir, + shortName)); + + return path; +} + + +/* + * qemuTPMEmulatorInitPaths: + * + * @tpm: TPM definition for an emulator type + * @swtpmStorageDir: the general swtpm storage dir which is used as a base + * directory for creating VM specific directories + * @uuid: the UUID of the VM + */ +static int +qemuTPMEmulatorInitPaths(virDomainTPMDefPtr tpm, + const char *swtpmStorageDir, + const unsigned char *uuid) +{ + char uuidstr[VIR_UUID_STRING_BUFLEN]; + + virUUIDFormat(uuid, uuidstr); + + if (!tpm->data.emulator.storagepath && + !(tpm->data.emulator.storagepath = + qemuTPMCreateEmulatorStoragePath(swtpmStorageDir, uuidstr))) + return -1; + + return 0; +} + + +/* + * qemuTPMEmulatorPrepareHost: + * + * @tpm: tpm definition + * @logDir: directory where swtpm writes its logs into + * @vmname: name of the VM + * @swtpm_user: uid to run the swtpm with + * @swtpm_group: gid to run the swtpm with + * @swtpmStateDir: directory for swtpm's persistent state + * @qemu_user: uid that qemu will run with; we share the socket file with it + * @shortName: short and unique name of the domain + * + * Prepare the log directory for the swtpm and adjust ownership of it and the + * log file we will be using. Prepare the state directory where we will share + * the socket between tss and qemu users. + */ +static int +qemuTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm, + const char *logDir, + const char *vmname, + uid_t swtpm_user, + gid_t swtpm_group, + const char *swtpmStateDir, + uid_t qemu_user, + const char *shortName) +{ + int ret = -1; + + if (qemuTPMEmulatorInit() < 0) + return -1; + + /* create log dir ... allow 'tss' user to cd into it */ + if (virFileMakePathWithMode(logDir, 0711) < 0) + return -1; + + /* ... and adjust ownership */ + if (virDirCreate(logDir, 0730, swtpm_user, swtpm_group, + VIR_DIR_CREATE_ALLOW_EXIST) < 0) + goto cleanup; + + /* create logfile name ... */ + if (!tpm->data.emulator.logfile && + virAsprintf(&tpm->data.emulator.logfile, "%s/%s-swtpm.log", + logDir, vmname) < 0) + goto cleanup; + + /* ... and make sure it can be accessed by swtpm_user */ + if (virFileExists(tpm->data.emulator.logfile) && + chown(tpm->data.emulator.logfile, swtpm_user, swtpm_group) < 0) { + virReportSystemError(errno, + _("Could not chown on swtpm logfile %s"), + tpm->data.emulator.logfile); + goto cleanup; + } + + /* + create our swtpm state dir ... + - QEMU user needs to be able to access the socket there + - swtpm group needs to be able to create files there + - in privileged mode 0570 would be enough, for non-privileged mode + we need 0770 + */ + if (virDirCreate(swtpmStateDir, 0770, qemu_user, swtpm_group, + VIR_DIR_CREATE_ALLOW_EXIST) < 0) + goto cleanup; + + /* create the socket filename */ + if (!tpm->data.emulator.source.data.nix.path && + !(tpm->data.emulator.source.data.nix.path = + qemuTPMCreateEmulatorSocket(swtpmStateDir, shortName))) + goto cleanup; + tpm->data.emulator.source.type = VIR_DOMAIN_CHR_TYPE_UNIX; + + ret = 0; + + cleanup: + + return ret; +} + + +/* + * qemuTPMEmulatorRunSetup + * + * @storagepath: path to the directory for TPM state + * @vmname: the name of the VM + * @vmuuid: the UUID of the VM + * @privileged: whether we are running in privileged mode + * @swtpm_user: The userid to switch to when setting up the TPM; + * typically this should be the uid of 'tss' or 'root' + * @swtpm_group: The group id to switch to + * @logfile: The file to write the log into; it must be writable + * for the user given by userid or 'tss' + * + * Setup the external swtpm by creating endorsement key and + * certificates for it. + */ +static int +qemuTPMEmulatorRunSetup(const char *storagepath, + const char *vmname, + const unsigned char *vmuuid, + bool privileged, + uid_t swtpm_user, + gid_t swtpm_group, + const char *logfile) +{ + virCommandPtr cmd = NULL; + int exitstatus; + int ret = -1; + char uuid[VIR_UUID_STRING_BUFLEN]; + char *vmid = NULL; + + if (!privileged) + return virFileWriteStr(logfile, + _("Did not create EK and certificates since " + "this requires privileged mode\n"), + 0600); + + cmd = virCommandNew(swtpm_setup); + if (!cmd) + goto cleanup; + + virUUIDFormat(vmuuid, uuid); + if (virAsprintf(&vmid, "%s:%s", vmname, uuid) < 0) + goto cleanup; + + virCommandSetUID(cmd, swtpm_user); + virCommandSetGID(cmd, swtpm_group); + + virCommandAddArgList(cmd, + "--tpm-state", storagepath, + "--vmid", vmid, + "--logfile", logfile, + "--createek", + "--create-ek-cert", + "--create-platform-cert", + "--lock-nvram", + "--not-overwrite", + NULL); + + virCommandClearCaps(cmd); + + if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not run '%s'. exitstatus: %d; " + "Check error log '%s' for details."), + swtpm_setup, exitstatus, logfile); + goto cleanup; + } + + ret = 0; + + cleanup: + VIR_FREE(vmid); + virCommandFree(cmd); + + return ret; +} + + +/* + * qemuTPMEmulatorBuildCommand: + * + * @tpm: TPM definition + * @vmname: The name of the VM + * @vmuuid: The UUID of the VM + * @privileged: whether we are running in privileged mode + * @swtpm_user: The uid for the swtpm to run as (drop privileges to from root) + * @swtpm_group: The gid for the swtpm to run as + * + * Create the virCommand use for starting the emulator + * Do some initializations on the way, such as creation of storage + * and emulator setup. + */ +static virCommandPtr +qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm, + const char *vmname, + const unsigned char *vmuuid, + bool privileged, + uid_t swtpm_user, + gid_t swtpm_group) +{ + virCommandPtr cmd = NULL; + bool created = false; + + if (qemuTPMCreateEmulatorStorage(tpm->data.emulator.storagepath, + &created, swtpm_user, swtpm_group) < 0) + return NULL; + + if (created && + qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid, + privileged, swtpm_user, swtpm_group, + tpm->data.emulator.logfile) < 0) + goto error; + + unlink(tpm->data.emulator.source.data.nix.path); + + cmd = virCommandNew(swtpm_path); + if (!cmd) + goto error; + + virCommandClearCaps(cmd); + + virCommandAddArgList(cmd, "socket", "--daemon", "--ctrl", NULL); + virCommandAddArgFormat(cmd, "type=unixio,path=%s,mode=0600", + tpm->data.emulator.source.data.nix.path); + + virCommandAddArg(cmd, "--tpmstate"); + virCommandAddArgFormat(cmd, "dir=%s,mode=0600", + tpm->data.emulator.storagepath); + + virCommandAddArg(cmd, "--log"); + virCommandAddArgFormat(cmd, "file=%s", tpm->data.emulator.logfile); + + virCommandSetUID(cmd, swtpm_user); + virCommandSetGID(cmd, swtpm_group); + + return cmd; + + error: + if (created) + qemuTPMDeleteEmulatorStorage(tpm); + + virCommandFree(cmd); + + return NULL; +} + + +/* + * qemuTPMEmulatorStop + * @swtpmStateDir: A directory where the socket is located + * @shortName: short and unique name of the domain + * + * Gracefully stop the swptm + */ +static void +qemuTPMEmulatorStop(const char *swtpmStateDir, + const char *shortName) +{ + virCommandPtr cmd; + char *pathname; + char *errbuf = NULL; + + if (qemuTPMEmulatorInit() < 0) + return; + + if (!(pathname = qemuTPMCreateEmulatorSocket(swtpmStateDir, shortName))) + return; + + if (!virFileExists(pathname)) + goto cleanup; + + cmd = virCommandNew(swtpm_ioctl); + if (!cmd) + goto cleanup; + + virCommandAddArgList(cmd, "--unix", pathname, "-s", NULL); + + virCommandSetErrorBuffer(cmd, &errbuf); + + ignore_value(virCommandRun(cmd, NULL)); + + virCommandFree(cmd); + + /* clean up the socket */ + unlink(pathname); + + cleanup: + VIR_FREE(pathname); + VIR_FREE(errbuf); +} + + +int +qemuExtTPMInitPaths(virQEMUDriverPtr driver, + virDomainDefPtr def) +{ + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); + int ret = 0; + + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + ret = qemuTPMEmulatorInitPaths(def->tpm, cfg->swtpmStorageDir, + def->uuid); + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + virObjectUnref(cfg); + + return ret; +} + + +int +qemuExtTPMPrepareHost(virQEMUDriverPtr driver, + virDomainDefPtr def) +{ + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); + int ret = 0; + char *shortName = NULL; + + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + shortName = virDomainDefGetShortName(def); + if (!shortName) + goto cleanup; + + ret = qemuTPMEmulatorPrepareHost(def->tpm, cfg->swtpmLogDir, + def->name, cfg->swtpm_user, + cfg->swtpm_group, + cfg->swtpmStateDir, cfg->user, + shortName); + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + cleanup: + VIR_FREE(shortName); + virObjectUnref(cfg); + + return ret; +} + + +void +qemuExtTPMCleanupHost(virDomainDefPtr def) +{ + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + qemuTPMDeleteEmulatorStorage(def->tpm); + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + /* nothing to do */ + break; + } +} + + +/* + * qemuExtTPMStartEmulator: + * + * @driver: QEMU driver + * @def: domain definition + * @logCtxt: log context + * + * Start the external TPM Emulator: + * - have the command line built + * - start the external TPM Emulator and sync with it before QEMU start + */ +static int +qemuExtTPMStartEmulator(virQEMUDriverPtr driver, + virDomainDefPtr def, + qemuDomainLogContextPtr logCtxt) +{ + int ret = -1; + virCommandPtr cmd = NULL; + int exitstatus; + char *errbuf = NULL; + virQEMUDriverConfigPtr cfg; + virDomainTPMDefPtr tpm = def->tpm; + char *shortName = virDomainDefGetShortName(def); + + if (!shortName) + return -1; + + cfg = virQEMUDriverGetConfig(driver); + + /* stop any left-over TPM emulator for this VM */ + qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName); + + if (!(cmd = qemuTPMEmulatorBuildCommand(tpm, def->name, def->uuid, + driver->privileged, + cfg->swtpm_user, + cfg->swtpm_group))) + goto cleanup; + + if (qemuExtDeviceLogCommand(logCtxt, cmd, "TPM Emulator") < 0) + goto cleanup; + + virCommandSetErrorBuffer(cmd, &errbuf); + + if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not start 'swtpm'. exitstatus: %d, " + "error: %s"), exitstatus, errbuf); + goto cleanup; + } + + ret = 0; + + cleanup: + VIR_FREE(shortName); + VIR_FREE(errbuf); + virCommandFree(cmd); + + virObjectUnref(cfg); + + return ret; +} + + +int +qemuExtTPMStart(virQEMUDriverPtr driver, + virDomainDefPtr def, + qemuDomainLogContextPtr logCtxt) +{ + int ret = 0; + virDomainTPMDefPtr tpm = def->tpm; + + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + ret = qemuExtTPMStartEmulator(driver, def, logCtxt); + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + return ret; +} + + +void +qemuExtTPMStop(virQEMUDriverPtr driver, + virDomainDefPtr def) +{ + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); + char *shortName = NULL; + + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + shortName = virDomainDefGetShortName(def); + if (!shortName) + goto cleanup; + + qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName); + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + cleanup: + VIR_FREE(shortName); + virObjectUnref(cfg); +} diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h new file mode 100644 index 0000000000..20f3a9ccc4 --- /dev/null +++ b/src/qemu/qemu_tpm.h @@ -0,0 +1,50 @@ +/* + * qemu_tpm.h: QEMU TPM support + * + * Copyright (C) 2018 IBM Corporation + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + * + * Author: Stefan Berger <stefanb@linux.vnet.ibm.com> + */ +#ifndef __QEMU_TPM_H__ +# define __QEMU_TPM_H__ + +# include "vircommand.h" + +int qemuExtTPMInitPaths(virQEMUDriverPtr driver, + virDomainDefPtr def) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) + ATTRIBUTE_RETURN_CHECK; + +int qemuExtTPMPrepareHost(virQEMUDriverPtr driver, + virDomainDefPtr def) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) + ATTRIBUTE_RETURN_CHECK; + +void qemuExtTPMCleanupHost(virDomainDefPtr def) + ATTRIBUTE_NONNULL(1); + +int qemuExtTPMStart(virQEMUDriverPtr driver, + virDomainDefPtr def, + qemuDomainLogContextPtr logCtxt) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) + ATTRIBUTE_RETURN_CHECK; + +void qemuExtTPMStop(virQEMUDriverPtr driver, + virDomainDefPtr def) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); + +#endif /* __QEMU_TPM_H__ */ -- 2.14.3
On Tue, May 22, 2018 at 04:44:47PM -0400, Stefan Berger wrote:
Implement functions for managing the storage of the external swtpm as well as starting and stopping it. Also implement functions to use swtpm_setup, which simulates the manufacturing of a TPM, which includes creation of certificates for the device.
Further, the external TPM needs storage on the host that we need to set up before it can be run. We can clean up the host once the domain is undefined.
This patch also implements a small layer for external device support that calls into the TPM device layer if a domain has an attached TPM. This is the layer we will wire up later on.
Later on meaning in other patch series? Adding it for just one device seems excessive, but that might be my personal opinion.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- src/qemu/Makefile.inc.am | 4 + src/qemu/qemu_domain.c | 2 + src/qemu/qemu_extdevice.c | 154 ++++++++++ src/qemu/qemu_extdevice.h | 53 ++++ src/qemu/qemu_process.c | 12 + src/qemu/qemu_tpm.c | 751 ++++++++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_tpm.h | 50 +++ 7 files changed, 1026 insertions(+) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h
+/* + * virtTPMGetTPMStorageDir: + * + * @storagepath: directory for swtpm's persistent state + * + * Derive the 'TPMStorageDir' from the storagepath by searching + * for the last '/'. + */ +static char * +qemuTPMGetTPMStorageDir(const char *storagepath) +{ + const char *tail = strrchr(storagepath, '/'); + char *path = NULL; + + if (!tail) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not get tail of storagedir %s"), + storagepath); + return NULL; + } + ignore_value(VIR_STRNDUP(path, storagepath, tail - storagepath)); + + return path; +}
In other places we already use mdir_name from gnulib for this functionality.
+/* + * qemuTPMCreateEmulatorStorage + * + * @storagepath: directory for swtpm's persistent state + * @created: a pointer to a bool that will be set to true if the + * storage was created because it did not exist yet
Can't the caller call virFileExists and act accordingly?
+ * @swtpm_user: The uid that needs to be able to access the directory + * @swtpm_group: The gid that needs to be able to access the directory + * + * Unless the storage path for the swtpm for the given VM + * already exists, create it and make it accessible for the given userid. + * Adapt ownership of the directory and all swtpm's state files there. + */
[...]
+static int +qemuTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm, + const char *logDir, + const char *vmname, + uid_t swtpm_user, + gid_t swtpm_group, + const char *swtpmStateDir, + uid_t qemu_user, + const char *shortName) +{ + int ret = -1; + + if (qemuTPMEmulatorInit() < 0) + return -1; + + /* create log dir ... allow 'tss' user to cd into it */ + if (virFileMakePathWithMode(logDir, 0711) < 0) + return -1; + + /* ... and adjust ownership */ + if (virDirCreate(logDir, 0730, swtpm_user, swtpm_group, + VIR_DIR_CREATE_ALLOW_EXIST) < 0) + goto cleanup; + + /* create logfile name ... */ + if (!tpm->data.emulator.logfile && + virAsprintf(&tpm->data.emulator.logfile, "%s/%s-swtpm.log", + logDir, vmname) < 0)
This should also use shortName.
+ goto cleanup; + + /* ... and make sure it can be accessed by swtpm_user */ + if (virFileExists(tpm->data.emulator.logfile) && + chown(tpm->data.emulator.logfile, swtpm_user, swtpm_group) < 0) { + virReportSystemError(errno, + _("Could not chown on swtpm logfile %s"), + tpm->data.emulator.logfile); + goto cleanup; + } + + /* + create our swtpm state dir ... + - QEMU user needs to be able to access the socket there + - swtpm group needs to be able to create files there + - in privileged mode 0570 would be enough, for non-privileged mode + we need 0770 + */ + if (virDirCreate(swtpmStateDir, 0770, qemu_user, swtpm_group, + VIR_DIR_CREATE_ALLOW_EXIST) < 0) + goto cleanup; + + /* create the socket filename */ + if (!tpm->data.emulator.source.data.nix.path && + !(tpm->data.emulator.source.data.nix.path = + qemuTPMCreateEmulatorSocket(swtpmStateDir, shortName))) + goto cleanup; + tpm->data.emulator.source.type = VIR_DOMAIN_CHR_TYPE_UNIX; + + ret = 0; + + cleanup: + + return ret; +} +
[...]
+static int +qemuExtTPMStartEmulator(virQEMUDriverPtr driver, + virDomainDefPtr def, + qemuDomainLogContextPtr logCtxt) +{ + int ret = -1; + virCommandPtr cmd = NULL; + int exitstatus; + char *errbuf = NULL; + virQEMUDriverConfigPtr cfg; + virDomainTPMDefPtr tpm = def->tpm; + char *shortName = virDomainDefGetShortName(def); + + if (!shortName) + return -1; + + cfg = virQEMUDriverGetConfig(driver); + + /* stop any left-over TPM emulator for this VM */ + qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName); + + if (!(cmd = qemuTPMEmulatorBuildCommand(tpm, def->name, def->uuid, + driver->privileged, + cfg->swtpm_user, + cfg->swtpm_group))) + goto cleanup; + + if (qemuExtDeviceLogCommand(logCtxt, cmd, "TPM Emulator") < 0) + goto cleanup; + + virCommandSetErrorBuffer(cmd, &errbuf); + + if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not start 'swtpm'. exitstatus: %d, " + "error: %s"), exitstatus, errbuf);
Indentation is off here ^
+ goto cleanup; + } + + ret = 0; +
Jano
On 05/23/2018 11:41 AM, Ján Tomko wrote:
On Tue, May 22, 2018 at 04:44:47PM -0400, Stefan Berger wrote:
Implement functions for managing the storage of the external swtpm as well as starting and stopping it. Also implement functions to use swtpm_setup, which simulates the manufacturing of a TPM, which includes creation of certificates for the device.
Further, the external TPM needs storage on the host that we need to set up before it can be run. We can clean up the host once the domain is undefined.
This patch also implements a small layer for external device support that calls into the TPM device layer if a domain has an attached TPM. This is the layer we will wire up later on.
Later on meaning in other patch series? Adding it for just one device seems excessive, but that might be my personal opinion.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- src/qemu/Makefile.inc.am | 4 + src/qemu/qemu_domain.c | 2 + src/qemu/qemu_extdevice.c | 154 ++++++++++ src/qemu/qemu_extdevice.h | 53 ++++ src/qemu/qemu_process.c | 12 + src/qemu/qemu_tpm.c | 751 ++++++++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_tpm.h | 50 +++ 7 files changed, 1026 insertions(+) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h
+/* + * virtTPMGetTPMStorageDir: + * + * @storagepath: directory for swtpm's persistent state + * + * Derive the 'TPMStorageDir' from the storagepath by searching + * for the last '/'. + */ +static char * +qemuTPMGetTPMStorageDir(const char *storagepath) +{ + const char *tail = strrchr(storagepath, '/'); + char *path = NULL; + + if (!tail) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not get tail of storagedir %s"), + storagepath); + return NULL; + } + ignore_value(VIR_STRNDUP(path, storagepath, tail - storagepath)); + + return path; +}
In other places we already use mdir_name from gnulib for this functionality.
I didn't know about this API. I will change it to that.
+/* + * qemuTPMCreateEmulatorStorage + * + * @storagepath: directory for swtpm's persistent state + * @created: a pointer to a bool that will be set to true if the + * storage was created because it did not exist yet
Can't the caller call virFileExists and act accordingly?
We could, except that we have to call this function since it is adjusting access rights to files for the swtpm_user and swtpm_group.
+ * @swtpm_user: The uid that needs to be able to access the directory + * @swtpm_group: The gid that needs to be able to access the directory + * + * Unless the storage path for the swtpm for the given VM + * already exists, create it and make it accessible for the given userid. + * Adapt ownership of the directory and all swtpm's state files there. + */
[...]
+static int +qemuTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm, + const char *logDir, + const char *vmname, + uid_t swtpm_user, + gid_t swtpm_group, + const char *swtpmStateDir, + uid_t qemu_user, + const char *shortName) +{ + int ret = -1; + + if (qemuTPMEmulatorInit() < 0) + return -1; + + /* create log dir ... allow 'tss' user to cd into it */ + if (virFileMakePathWithMode(logDir, 0711) < 0) + return -1; + + /* ... and adjust ownership */ + if (virDirCreate(logDir, 0730, swtpm_user, swtpm_group, + VIR_DIR_CREATE_ALLOW_EXIST) < 0) + goto cleanup; + + /* create logfile name ... */ + if (!tpm->data.emulator.logfile && + virAsprintf(&tpm->data.emulator.logfile, "%s/%s-swtpm.log", + logDir, vmname) < 0)
This should also use shortName.
The shortName has the ID of the domain in the name. So for short-lived logs I would say yes. Though this should be a log like the one for the VM that gets appended to every time the VM restarts. I'd rather not change this.
+ goto cleanup; + + /* ... and make sure it can be accessed by swtpm_user */ + if (virFileExists(tpm->data.emulator.logfile) && + chown(tpm->data.emulator.logfile, swtpm_user, swtpm_group) < 0) { + virReportSystemError(errno, + _("Could not chown on swtpm logfile %s"), + tpm->data.emulator.logfile); + goto cleanup; + } + + /* + create our swtpm state dir ... + - QEMU user needs to be able to access the socket there + - swtpm group needs to be able to create files there + - in privileged mode 0570 would be enough, for non-privileged mode + we need 0770 + */ + if (virDirCreate(swtpmStateDir, 0770, qemu_user, swtpm_group, + VIR_DIR_CREATE_ALLOW_EXIST) < 0) + goto cleanup; + + /* create the socket filename */ + if (!tpm->data.emulator.source.data.nix.path && + !(tpm->data.emulator.source.data.nix.path = + qemuTPMCreateEmulatorSocket(swtpmStateDir, shortName))) + goto cleanup; + tpm->data.emulator.source.type = VIR_DOMAIN_CHR_TYPE_UNIX; + + ret = 0; + + cleanup: + + return ret; +} +
[...]
+static int +qemuExtTPMStartEmulator(virQEMUDriverPtr driver, + virDomainDefPtr def, + qemuDomainLogContextPtr logCtxt) +{ + int ret = -1; + virCommandPtr cmd = NULL; + int exitstatus; + char *errbuf = NULL; + virQEMUDriverConfigPtr cfg; + virDomainTPMDefPtr tpm = def->tpm; + char *shortName = virDomainDefGetShortName(def); + + if (!shortName) + return -1; + + cfg = virQEMUDriverGetConfig(driver); + + /* stop any left-over TPM emulator for this VM */ + qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName); + + if (!(cmd = qemuTPMEmulatorBuildCommand(tpm, def->name, def->uuid, + driver->privileged, + cfg->swtpm_user, + cfg->swtpm_group))) + goto cleanup; + + if (qemuExtDeviceLogCommand(logCtxt, cmd, "TPM Emulator") < 0) + goto cleanup; + + virCommandSetErrorBuffer(cmd, &errbuf); + + if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not start 'swtpm'. exitstatus: %d, " + "error: %s"), exitstatus, errbuf);
Indentation is off here ^
Fixed.
+ goto cleanup; + } + + ret = 0; +
Jano
Thanks.. Stefan
On Wed, May 23, 2018 at 01:59:33PM -0400, Stefan Berger wrote:
On 05/23/2018 11:41 AM, Ján Tomko wrote:
On Tue, May 22, 2018 at 04:44:47PM -0400, Stefan Berger wrote:
+ * @swtpm_user: The uid that needs to be able to access the directory + * @swtpm_group: The gid that needs to be able to access the directory + * + * Unless the storage path for the swtpm for the given VM + * already exists, create it and make it accessible for the given userid. + * Adapt ownership of the directory and all swtpm's state files there. + */
[...]
+static int +qemuTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm, + const char *logDir, + const char *vmname, + uid_t swtpm_user, + gid_t swtpm_group, + const char *swtpmStateDir, + uid_t qemu_user, + const char *shortName) +{ + int ret = -1; + + if (qemuTPMEmulatorInit() < 0) + return -1; + + /* create log dir ... allow 'tss' user to cd into it */ + if (virFileMakePathWithMode(logDir, 0711) < 0) + return -1; + + /* ... and adjust ownership */ + if (virDirCreate(logDir, 0730, swtpm_user, swtpm_group, + VIR_DIR_CREATE_ALLOW_EXIST) < 0) + goto cleanup; + + /* create logfile name ... */ + if (!tpm->data.emulator.logfile && + virAsprintf(&tpm->data.emulator.logfile, "%s/%s-swtpm.log", + logDir, vmname) < 0)
This should also use shortName.
The shortName has the ID of the domain in the name. So for short-lived logs I would say yes. Though this should be a log like the one for the VM that gets appended to every time the VM restarts. I'd rather not change this.
My concern was the file name length, but even for qemu.logs we use vm->def->name directly. So this should probably be okay. Jano
This patch adds support for an external swtpm TPM emulator. The XML for this type of TPM looks as follows: <tpm model='tpm-tis'> <backend type='emulator'/> </tpm> The XML will currently only start a TPM 1.2. Upon first start, libvirt will run `swtpm_setup`, which will simulate the manufacturing of a TPM and create certificates for it and write them into NVRAM locations of the emulated TPM. After that libvirt starts the swtpm TPM emulator using the `swtpm` executable. Once the VM terminates, libvirt uses the swtpm_ioctl executable to gracefully shut down the `swtpm` in case it is still running (QEMU did not send shutdown) or clean up the socket file. The above mentioned executables must be found in the PATH. The executables can either be run as root or started as root and switch to the tss user. The requirement for the tss user comes through 'tcsd', which is used for the simulation of the manufacturing. Which user is used can be configured through qemu.conf. By default 'tss' is used. The swtpm writes out state into files. The state is kept in /var/lib/libvirt/swtpm: [root@localhost libvirt]# ls -lZ | grep swtpm drwx--x--x. 7 root root unconfined_u:object_r:virt_var_lib_t:s0 4096 Apr 5 16:22 swtpm The directory /var/lib/libvirt/swtpm maintains per-TPM state directories. (Using the uuid of the VM for that since the name can change per VM renaming but we need a stable directory name.) [root@localhost swtpm]# ls -lZ total 4 drwx------. 2 tss tss system_u:object_r:virt_var_lib_t:s0 4096 Apr 5 16:46 485d0004-a48f-436a-8457-8a3b73e28568 [root@localhost 485d0004-a48f-436a-8457-8a3b73e28568]# ls -lZ total 4 drwx------. 2 tss tss system_u:object_r:virt_var_lib_t:s0 4096 Apr 10 21:34 tpm1.2 [root@localhost tpm1.2]# ls -lZ total 8 -rw-r--r--. 1 tss tss system_u:object_r:virt_var_lib_t:s0 3648 Apr 5 16:46 tpm-00.permall The directory /var/run/libvirt/qemu/swtpm/ hosts the swtpm.sock that QEMU uses to communicate with the swtpm: root@localhost domain-1-testvm]# ls -lZ total 0 srw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c597,c632 0 Apr 6 10:24 1-testvm-swtpm.sock The logfile for the swtpm is in /var/log/swtpm/libvirt/qemu: [root@localhost-3 qemu]# ls -lZ total 4 -rw-------. 1 tss tss unconfined_u:object_r:var_log_t:s0 2199 Apr 6 14:01 testvm-swtpm.log The processes are labeled as follows: [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep socket | grep -v grep system_u:system_r:virtd_t:s0-s0:c0.c1023 tss 18697 0.0 0.0 28172 3892 ? Ss 16:46 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/1-testvm-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/485d0004-a48f-436a-8457-8a3b73e28568/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep system_u:system_r:svirt_t:s0:c413,c430 qemu 18702 2.5 0.0 3036052 48676 ? Sl 16:46 0:08 /bin/qemu-system-x86_64 [...] Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_command.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index fe6d0912cb..3060b68545 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -9421,17 +9421,27 @@ qemuBuildTPMBackendStr(const virDomainDef *def, virCommandPtr cmd, virQEMUCapsPtr qemuCaps, int *tpmfd, - int *cancelfd) + int *cancelfd, + char **chardev) { const virDomainTPMDef *tpm = def->tpm; virBuffer buf = VIR_BUFFER_INITIALIZER; - const char *type = virDomainTPMBackendTypeToString(tpm->type); + const char *type = NULL; char *cancel_path = NULL, *devset = NULL; const char *tpmdev; *tpmfd = -1; *cancelfd = -1; + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + type = virDomainTPMBackendTypeToString(tpm->type); + break; + case VIR_DOMAIN_TPM_TYPE_LAST: + goto error; + } + virBufferAsprintf(&buf, "%s,id=tpm-%s", type, tpm->info.alias); switch (tpm->type) { @@ -9483,6 +9493,16 @@ qemuBuildTPMBackendStr(const virDomainDef *def, break; case VIR_DOMAIN_TPM_TYPE_EMULATOR: + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_DEVICE_TPM_EMULATOR)) + goto no_support; + + virBufferAddLit(&buf, ",chardev=chrtpm"); + + if (virAsprintf(chardev, "socket,id=chrtpm,path=%s", + tpm->data.emulator.source.data.nix.path) < 0) + goto error; + + break; case VIR_DOMAIN_TPM_TYPE_LAST: goto error; } @@ -9513,6 +9533,7 @@ qemuBuildTPMCommandLine(virCommandPtr cmd, virQEMUCapsPtr qemuCaps) { char *optstr; + char *chardev = NULL; int tpmfd = -1; int cancelfd = -1; char *fdset; @@ -9521,12 +9542,18 @@ qemuBuildTPMCommandLine(virCommandPtr cmd, return 0; if (!(optstr = qemuBuildTPMBackendStr(def, cmd, qemuCaps, - &tpmfd, &cancelfd))) + &tpmfd, &cancelfd, + &chardev))) return -1; virCommandAddArgList(cmd, "-tpmdev", optstr, NULL); VIR_FREE(optstr); + if (chardev) { + virCommandAddArgList(cmd, "-chardev", chardev, NULL); + VIR_FREE(chardev); + } + if (tpmfd >= 0) { fdset = qemuVirCommandGetFDSet(cmd, tpmfd); if (!fdset) -- 2.14.3
This patch adds extensions to existing test cases and specific test cases for the tpm-emulator. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- .../tpm-emulator.x86_64-latest.args | 33 ++++++++++++++++++++++ tests/qemuxml2argvtest.c | 15 +++++++++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args diff --git a/tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args b/tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args new file mode 100644 index 0000000000..82b676f966 --- /dev/null +++ b/tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args @@ -0,0 +1,33 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/home/test \ +USER=test \ +LOGNAME=test \ +QEMU_AUDIO_DRV=none \ +/usr/bin/qemu-system-x86_64 \ +-name guest=TPM-VM,debug-threads=on \ +-S \ +-object secret,id=masterKey0,format=raw,\ +file=/tmp/lib/domain--1-TPM-VM/master-key.aes \ +-machine pc-i440fx-2.12,accel=tcg,usb=off,dump-guest-core=off \ +-m 2048 \ +-realtime mlock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 11d7cd22-da89-3094-6212-079a48a309a1 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-TPM-VM/monitor.sock,\ +server,nowait \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-boot menu=on,strict=on \ +-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \ +-tpmdev emulator,id=tpm-tpm0,chardev=chrtpm \ +-chardev socket,id=chrtpm,path=/dev/test \ +-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 \ +-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\ +resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 78454acb1a..587f15242e 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -532,6 +532,19 @@ testCompareXMLToArgv(const void *data) } } + if (vm->def->tpm) { + switch (vm->def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + if (VIR_STRDUP(vm->def->tpm->data.emulator.source.data.file.path, + "/dev/test") < 0) + goto cleanup; + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + } + if (!(cmd = qemuProcessCreatePretendCmd(&driver, vm, migrateURI, (flags & FLAG_FIPS), false, VIR_QEMU_PROCESS_START_COLD))) { @@ -2013,7 +2026,7 @@ mymain(void) QEMU_CAPS_DEVICE_TPM_PASSTHROUGH, QEMU_CAPS_DEVICE_TPM_CRB); DO_TEST_PARSE_ERROR("tpm-no-backend-invalid", QEMU_CAPS_DEVICE_TPM_PASSTHROUGH, QEMU_CAPS_DEVICE_TPM_TIS); - + DO_TEST_CAPS_LATEST("tpm-emulator"); DO_TEST_PARSE_ERROR("pci-domain-invalid", NONE); DO_TEST_PARSE_ERROR("pci-bus-invalid", NONE); -- 2.14.3
On Tue, May 22, 2018 at 04:44:49PM -0400, Stefan Berger wrote:
This patch adds extensions to existing test cases and specific test cases for the tpm-emulator.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- .../tpm-emulator.x86_64-latest.args | 33 ++++++++++++++++++++++ tests/qemuxml2argvtest.c | 15 +++++++++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 78454acb1a..587f15242e 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -532,6 +532,19 @@ testCompareXMLToArgv(const void *data) } }
+ if (vm->def->tpm) { + switch (vm->def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + if (VIR_STRDUP(vm->def->tpm->data.emulator.source.data.file.path, + "/dev/test") < 0) + goto cleanup; + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + }
This is indented by three spaces instead of four. Jano
On 05/23/2018 11:43 AM, Ján Tomko wrote:
On Tue, May 22, 2018 at 04:44:49PM -0400, Stefan Berger wrote:
This patch adds extensions to existing test cases and specific test cases for the tpm-emulator.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- .../tpm-emulator.x86_64-latest.args | 33 ++++++++++++++++++++++ tests/qemuxml2argvtest.c | 15 +++++++++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 78454acb1a..587f15242e 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -532,6 +532,19 @@ testCompareXMLToArgv(const void *data) } }
+ if (vm->def->tpm) { + switch (vm->def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + if (VIR_STRDUP(vm->def->tpm->data.emulator.source.data.file.path, + "/dev/test") < 0) + goto cleanup; + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + }
This is indented by three spaces instead of four.
Fixed.
Jano
In this patch we label the swtpm process with SELinux labels. We give it the same label as the QEMU process has. We label its state directory and files as well. We restore the old security labels once the swtpm has terminated. The file and process labels now look as follows: Directory: /var/lib/libvirt/swtpm [root@localhost swtpm]# ls -lZ total 4 rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm [root@localhost testvm]# ls -lZ total 8 -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall The log in /var/log/swtpm/libvirt/qemu is labeled as follows: -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..] Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- src/libvirt_private.syms | 2 + src/qemu/qemu_security.c | 69 +++++++++++++++++ src/qemu/qemu_security.h | 11 +++ src/qemu/qemu_tpm.c | 12 ++- src/security/security_driver.h | 7 ++ src/security/security_manager.c | 36 +++++++++ src/security/security_manager.h | 6 ++ src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++ src/security/security_stack.c | 40 ++++++++++ 9 files changed, 345 insertions(+), 2 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index e378c73057..6afbea7160 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1321,6 +1321,7 @@ virSecurityManagerRestoreImageLabel; virSecurityManagerRestoreInputLabel; virSecurityManagerRestoreMemoryLabel; virSecurityManagerRestoreSavedStateLabel; +virSecurityManagerRestoreTPMLabels; virSecurityManagerSetAllLabel; virSecurityManagerSetChardevLabel; virSecurityManagerSetChildProcessLabel; @@ -1335,6 +1336,7 @@ virSecurityManagerSetProcessLabel; virSecurityManagerSetSavedStateLabel; virSecurityManagerSetSocketLabel; virSecurityManagerSetTapFDLabel; +virSecurityManagerSetTPMLabels; virSecurityManagerStackAddNested; virSecurityManagerTransactionAbort; virSecurityManagerTransactionCommit; diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 2aced22d2d..af3be42854 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -424,3 +424,72 @@ qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver, virSecurityManagerTransactionAbort(driver->securityManager); return ret; } + + +/* + * qemuSecurityStartTPMEmulator: + * + * @driver: the QEMU driver + * @def: the domain definition + * @cmd: the command to run + * @uid: the uid to run the emulator + * @gid: the gid to run the emulator + * @existstatus: pointer to int returning exit status of process + * @cmdret: pointer to int returning result of virCommandRun + * + * Start the TPM emulator with approriate labels. Apply security + * labels to files first. + * This function returns -1 on security setup error, 0 if all the + * setup was done properly. In case the virCommand failed to run + * 0 is returned but cmdret is set appropriately with the process + * exitstatus also set. + */ +int +qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver, + virDomainDefPtr def, + virCommandPtr cmd, + uid_t uid, + gid_t gid, + int *exitstatus, + int *cmdret) +{ + int ret = -1; + + if (virSecurityManagerSetTPMLabels(driver->securityManager, + def) < 0) + goto cleanup; + + if (virSecurityManagerSetChildProcessLabel(driver->securityManager, + def, cmd) < 0) + goto cleanup; + + if (virSecurityManagerPreFork(driver->securityManager) < 0) + goto cleanup; + + ret = 0; + /* make sure we run this with the appropriate user */ + virCommandSetUID(cmd, uid); + virCommandSetGID(cmd, gid); + + *cmdret = virCommandRun(cmd, exitstatus); + + virSecurityManagerPostFork(driver->securityManager); + + if (*cmdret < 0) + goto cleanup; + + return 0; + + cleanup: + virSecurityManagerRestoreTPMLabels(driver->securityManager, def); + + return ret; +} + + +void +qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver, + virDomainDefPtr def) +{ + virSecurityManagerRestoreTPMLabels(driver->securityManager, def); +} diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index d54ce6fead..a189b63828 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h @@ -84,6 +84,17 @@ int qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainChrDefPtr chr); +int qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver, + virDomainDefPtr def, + virCommandPtr cmd, + uid_t uid, + gid_t gid, + int *exitstatus, + int *cmdret); + +void qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver, + virDomainDefPtr def); + /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add * new APIs here. If an API can touch a /dev file add a proper wrapper instead. */ diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 18e69c129e..11b91aa915 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -29,6 +29,7 @@ #include "qemu_extdevice.h" #include "qemu_domain.h" +#include "qemu_security.h" #include "conf/domain_conf.h" #include "vircommand.h" @@ -659,11 +660,12 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver, { int ret = -1; virCommandPtr cmd = NULL; - int exitstatus; + int exitstatus = 0; char *errbuf = NULL; virQEMUDriverConfigPtr cfg; virDomainTPMDefPtr tpm = def->tpm; char *shortName = virDomainDefGetShortName(def); + int cmdret = 0; if (!shortName) return -1; @@ -684,7 +686,12 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver, virCommandSetErrorBuffer(cmd, &errbuf); - if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) { + if (qemuSecurityStartTPMEmulator(driver, def, cmd, + cfg->swtpm_user, cfg->swtpm_group, + &exitstatus, &cmdret) < 0) + goto cleanup; + + if (cmdret < 0 || exitstatus != 0) { virReportError(VIR_ERR_INTERNAL_ERROR, _("Could not start 'swtpm'. exitstatus: %d, " "error: %s"), exitstatus, errbuf); @@ -739,6 +746,7 @@ qemuExtTPMStop(virQEMUDriverPtr driver, goto cleanup; qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName); + qemuSecurityCleanupTPMEmulator(driver, def); break; case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_LAST: diff --git a/src/security/security_driver.h b/src/security/security_driver.h index 95e7c4de07..cbf0ecff6e 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -149,6 +149,10 @@ typedef int (*virSecurityDomainRestoreChardevLabel) (virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainChrSourceDefPtr dev_source, bool chardevStdioLogd); +typedef int (*virSecurityDomainSetTPMLabels) (virSecurityManagerPtr mgr, + virDomainDefPtr def); +typedef int (*virSecurityDomainRestoreTPMLabels) (virSecurityManagerPtr mgr, + virDomainDefPtr def); struct _virSecurityDriver { @@ -213,6 +217,9 @@ struct _virSecurityDriver { virSecurityDomainSetChardevLabel domainSetSecurityChardevLabel; virSecurityDomainRestoreChardevLabel domainRestoreSecurityChardevLabel; + + virSecurityDomainSetTPMLabels domainSetSecurityTPMLabels; + virSecurityDomainRestoreTPMLabels domainRestoreSecurityTPMLabels; }; virSecurityDriverPtr virSecurityDriverLookup(const char *name, diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 71f7f59b9c..8683ad7d36 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -1204,3 +1204,39 @@ virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr, virReportUnsupportedError(); return -1; } + + +int +virSecurityManagerSetTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm) +{ + int ret; + + if (mgr->drv->domainSetSecurityTPMLabels) { + virObjectLock(mgr); + ret = mgr->drv->domainSetSecurityTPMLabels(mgr, vm); + virObjectUnlock(mgr); + + return ret; + } + + return 0; +} + + +int +virSecurityManagerRestoreTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm) +{ + int ret; + + if (mgr->drv->domainRestoreSecurityTPMLabels) { + virObjectLock(mgr); + ret = mgr->drv->domainRestoreSecurityTPMLabels(mgr, vm); + virObjectUnlock(mgr); + + return ret; + } + + return 0; +} diff --git a/src/security/security_manager.h b/src/security/security_manager.h index c36a8b488f..e772b6165e 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -194,4 +194,10 @@ int virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr, virDomainChrSourceDefPtr dev_source, bool chardevStdioLogd); +int virSecurityManagerSetTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm); + +int virSecurityManagerRestoreTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm); + #endif /* VIR_SECURITY_MANAGER_H__ */ diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 92e84155d1..6377fb7947 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -3048,6 +3048,167 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManagerPtr mgr, return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel); } + +/* + * _virSecuritySELinuxSetFileLabels: + * + * @mgr: the virSecurityManager + * @path: path to a directory or a file + * @seclabel: the security label + * + * Set the file labels on the given path; if the path is a directory + * we label all files found there, including the directory itself, + * otherwise we just label the file. + */ +static int +_virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr, + const char *path, + virSecurityLabelDefPtr seclabel) +{ + int ret = 0; + struct dirent *ent; + char *filename = NULL; + DIR *dir; + + if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel))) + return ret; + + if (!virFileIsDir(path)) + return 0; + + if (virDirOpen(&dir, path) < 0) + return -1; + + while ((ret = virDirRead(dir, &ent, path)) > 0) { + if (ent->d_type != DT_REG) + continue; + + if (virAsprintf(&filename, "%s/%s", path, ent->d_name) < 0) { + ret = -1; + break; + } + ret = virSecuritySELinuxSetFilecon(mgr, filename, + seclabel->imagelabel); + VIR_FREE(filename); + if (ret < 0) + break; + } + if (ret < 0) + virReportSystemError(errno, _("Unable to label files under %s"), + path); + + virDirClose(&dir); + + return ret; +} + + +/* + * _virSecuritySELinuxRestoreFileLabels: + * + * @mgr: the virSecurityManager + * @path: path to a directory or a file + * + * Restore the file labels on the given path; if the path is a directory + * we restore all file labels found there, including the label of the + * directory itself, otherwise we just restore the label on the file. + */ +static int +_virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr, + const char *path) +{ + int ret = 0; + struct dirent *ent; + char *filename = NULL; + DIR *dir; + + if ((ret = virSecuritySELinuxRestoreFileLabel(mgr, path))) + return ret; + + if (!virFileIsDir(path)) + return 0; + + if (virDirOpen(&dir, path) < 0) + return -1; + + while ((ret = virDirRead(dir, &ent, path)) > 0) { + if (ent->d_type != DT_REG) + continue; + + if (virAsprintf(&filename, "%s/%s", path, ent->d_name) < 0) { + ret = -1; + break; + } + ret = virSecuritySELinuxRestoreFileLabel(mgr, filename); + VIR_FREE(filename); + if (ret < 0) + break; + } + if (ret < 0) + virReportSystemError(errno, _("Unable to restore file labels under %s"), + path); + + virDirClose(&dir); + + return ret; +} + + +static int +virSecuritySELinuxSetTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr def) +{ + int ret = 0; + virSecurityLabelDefPtr seclabel; + + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); + if (seclabel == NULL) + return 0; + + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + ret = _virSecuritySELinuxSetFileLabels( + mgr, def->tpm->data.emulator.storagepath, + seclabel); + if (ret == 0 && def->tpm->data.emulator.logfile) + ret = _virSecuritySELinuxSetFileLabels( + mgr, def->tpm->data.emulator.logfile, + seclabel); + break; + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + return ret; +} + + +static int +virSecuritySELinuxRestoreTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr def) +{ + int ret = 0; + + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + break; + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + ret = _virSecuritySELinuxRestoreFileLabels( + mgr, def->tpm->data.emulator.storagepath); + if (ret == 0 && def->tpm->data.emulator.logfile) + ret = _virSecuritySELinuxRestoreFileLabels( + mgr, def->tpm->data.emulator.logfile); + break; + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + return ret; +} + + virSecurityDriver virSecurityDriverSELinux = { .privateDataLen = sizeof(virSecuritySELinuxData), .name = SECURITY_SELINUX_NAME, @@ -3107,4 +3268,7 @@ virSecurityDriver virSecurityDriverSELinux = { .domainSetSecurityChardevLabel = virSecuritySELinuxSetChardevLabel, .domainRestoreSecurityChardevLabel = virSecuritySELinuxRestoreChardevLabel, + + .domainSetSecurityTPMLabels = virSecuritySELinuxSetTPMLabels, + .domainRestoreSecurityTPMLabels = virSecuritySELinuxRestoreTPMLabels, }; diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 9615f9f972..e37a681293 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -760,6 +760,43 @@ virSecurityStackDomainRestoreChardevLabel(virSecurityManagerPtr mgr, return rc; } + +static int +virSecurityStackSetTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm) +{ + virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityStackItemPtr item = priv->itemsHead; + int rc = 0; + + for (; item; item = item->next) { + if (virSecurityManagerSetTPMLabels(item->securityManager, + vm) < 0) + rc = -1; + } + + return rc; +} + + +static int +virSecurityStackRestoreTPMLabels(virSecurityManagerPtr mgr, + virDomainDefPtr vm) +{ + virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityStackItemPtr item = priv->itemsHead; + int rc = 0; + + for (; item; item = item->next) { + if (virSecurityManagerRestoreTPMLabels(item->securityManager, + vm) < 0) + rc = -1; + } + + return rc; +} + + virSecurityDriver virSecurityDriverStack = { .privateDataLen = sizeof(virSecurityStackData), .name = "stack", @@ -822,4 +859,7 @@ virSecurityDriver virSecurityDriverStack = { .domainSetSecurityChardevLabel = virSecurityStackDomainSetChardevLabel, .domainRestoreSecurityChardevLabel = virSecurityStackDomainRestoreChardevLabel, + + .domainSetSecurityTPMLabels = virSecurityStackSetTPMLabels, + .domainRestoreSecurityTPMLabels = virSecurityStackRestoreTPMLabels, }; -- 2.14.3
This patch extends the TPM's device XML with TPM 2 support. This only works for the emulator type backend and looks as follows: <tpm model='tpm-tis'> <backend type='emulator' version='2'/> </tpm> The swtpm process now has --tpm2 as an additional parameter: system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ? Rs 11:13 13:50 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm2,mode=0640 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/testvm-swtpm.pid The version of the TPM can be changed and the state of the TPM is preserved. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- docs/formatdomain.html.in | 15 ++++- docs/schemas/domaincommon.rng | 12 ++++ src/conf/domain_conf.c | 27 ++++++++- src/conf/domain_conf.h | 6 ++ src/qemu/qemu_tpm.c | 64 +++++++++++++++++++++- .../tpm-emulator-tpm2.x86_64-latest.args | 33 +++++++++++ tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 ++++++++++ tests/qemuxml2argvtest.c | 1 + tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 ++++++++++++ 9 files changed, 217 insertions(+), 5 deletions(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 08a57bd751..043c8da56f 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -7719,7 +7719,7 @@ qemu-kvm -net nic,model=? /dev/null ... <devices> <tpm model='tpm-tis'> - <backend type='emulator'> + <backend type='emulator' version='2'> </backend> </tpm> </devices> @@ -7769,6 +7769,19 @@ qemu-kvm -net nic,model=? /dev/null </dd> </dl> </dd> + <dt><code>version</code></dt> + <dd> + <p> + The <code>version</code> attribute indicates the version + of the TPM. By default a TPM 1.2 is created. This attribute + only works with the <code>emulator</code> backend. The following + versions are supported: + </p> + <ul> + <li>'1.2' : creates a TPM 1.2</li> + <li>'2' : creates a TPM 2</li> + </ul> + </dd> </dl> <h4><a id="elementsNVRAM">NVRAM device</a></h4> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 3582cb5019..f11833075a 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -4130,6 +4130,18 @@ </attribute> </group> </choice> + <choice> + <group> + <optional> + <attribute name="version"> + <choice> + <value>1.2</value> + <value>2</value> + </choice> + </attribute> + </optional> + </group> + </choice> </element> </define> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 15dd490d17..79904789ee 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -12657,7 +12657,7 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt, * or like this: * * <tpm model='tpm-tis'> - * <backend type='emulator'/> + * <backend type='emulator' version='2'/> * </tpm> */ static virDomainTPMDefPtr @@ -12670,6 +12670,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, char *path = NULL; char *model = NULL; char *backend = NULL; + char *version = NULL; virDomainTPMDefPtr def; xmlNodePtr save = ctxt->node; xmlNodePtr *backends = NULL; @@ -12716,6 +12717,20 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, goto error; } + version = virXMLPropString(backends[0], "version"); + if (!version || STREQ(version, "1.2")) { + def->version = VIR_DOMAIN_TPM_VERSION_1_2; + /* only TIS available for emulator */ + if (def->type == VIR_DOMAIN_TPM_TYPE_EMULATOR) + def->model = VIR_DOMAIN_TPM_MODEL_TIS; + } else if (STREQ(version, "2")) { + def->version = VIR_DOMAIN_TPM_VERSION_2; + } else { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Unsupported TPM version '%s'"), + version); + } + switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: path = virXPathString("string(./backend/device/@path)", ctxt); @@ -12740,6 +12755,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, VIR_FREE(model); VIR_FREE(backend); VIR_FREE(backends); + VIR_FREE(version); ctxt->node = save; return def; @@ -21836,6 +21852,12 @@ virDomainTPMDefCheckABIStability(virDomainTPMDefPtr src, return false; } + if (src->version != dst->version) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Target TPM version doesn't match source")); + return false; + } + return virDomainDeviceInfoCheckABIStability(&src->info, &dst->info); } @@ -24941,6 +24963,9 @@ virDomainTPMDefFormat(virBufferPtr buf, virBufferAsprintf(buf, "<backend type='%s'", virDomainTPMBackendTypeToString(def->type)); + if (def->version == VIR_DOMAIN_TPM_VERSION_2) + virBufferAddLit(buf, " version='2'"); + switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: virBufferAddLit(buf, ">\n"); diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 92466278ab..e2409899bc 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1291,12 +1291,18 @@ typedef enum { VIR_DOMAIN_TPM_TYPE_LAST } virDomainTPMBackendType; +typedef enum { + VIR_DOMAIN_TPM_VERSION_1_2, + VIR_DOMAIN_TPM_VERSION_2, +} virDomainTPMVersion; + # define VIR_DOMAIN_TPM_DEFAULT_DEVICE "/dev/tpm0" struct _virDomainTPMDef { virDomainTPMBackendType type; virDomainDeviceInfo info; virDomainTPMModel model; + virDomainTPMVersion version; union { struct { virDomainChrSourceDef source; diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 11b91aa915..508685c455 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -54,6 +54,41 @@ static char *swtpm_path; static char *swtpm_setup; static char *swtpm_ioctl; +bool swtpm_supports_tpm2; + +/* + * qemuTPMCheckForTPM2Support + * + * Check whether swtpm_setup supports TPM 2 + */ +static void +qemuTPMCheckForTPM2Support(void) +{ + virCommandPtr cmd; + char *help = NULL; + + if (!swtpm_setup) + return; + + cmd = virCommandNew(swtpm_setup); + if (!cmd) + return; + + virCommandAddArg(cmd, "--help"); + virCommandSetOutputBuffer(cmd, &help); + + if (virCommandRun(cmd, NULL) < 0) + goto cleanup; + + if (strstr(help, "--tpm2")) + swtpm_supports_tpm2 = true; + + cleanup: + virCommandFree(cmd); + VIR_FREE(help); +} + + /* * qemuTPMEmulatorInit * @@ -93,6 +128,7 @@ qemuTPMEmulatorInit(void) VIR_FREE(swtpm_setup); return -1; } + qemuTPMCheckForTPM2Support(); } if (!swtpm_ioctl) { @@ -120,16 +156,29 @@ qemuTPMEmulatorInit(void) * * @swtpmStorageDir: directory for swtpm persistent state * @uuid: The UUID of the VM for which to create the storage + * @tpmversion: version of the TPM * * Create the swtpm's storage path */ static char * qemuTPMCreateEmulatorStoragePath(const char *swtpmStorageDir, - const char *uuidstr) + const char *uuidstr, + virDomainTPMVersion tpmversion) { char *path = NULL; + const char *dir = ""; - ignore_value(virAsprintf(&path, "%s/%s/tpm1.2", swtpmStorageDir, uuidstr)); + switch (tpmversion) { + case VIR_DOMAIN_TPM_VERSION_1_2: + dir = "tpm1.2"; + break; + case VIR_DOMAIN_TPM_VERSION_2: + dir = "tpm2"; + break; + } + + ignore_value(virAsprintf(&path, "%s/%s/%s", swtpmStorageDir, uuidstr, + dir)); return path; } @@ -290,7 +339,8 @@ qemuTPMEmulatorInitPaths(virDomainTPMDefPtr tpm, if (!tpm->data.emulator.storagepath && !(tpm->data.emulator.storagepath = - qemuTPMCreateEmulatorStoragePath(swtpmStorageDir, uuidstr))) + qemuTPMCreateEmulatorStoragePath(swtpmStorageDir, uuidstr, + tpm->version))) return -1; return 0; @@ -514,6 +564,14 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm, virCommandSetUID(cmd, swtpm_user); virCommandSetGID(cmd, swtpm_group); + switch (tpm->version) { + case VIR_DOMAIN_TPM_VERSION_1_2: + break; + case VIR_DOMAIN_TPM_VERSION_2: + virCommandAddArg(cmd, "--tpm2"); + break; + } + return cmd; error: diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args b/tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args new file mode 100644 index 0000000000..82b676f966 --- /dev/null +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args @@ -0,0 +1,33 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/home/test \ +USER=test \ +LOGNAME=test \ +QEMU_AUDIO_DRV=none \ +/usr/bin/qemu-system-x86_64 \ +-name guest=TPM-VM,debug-threads=on \ +-S \ +-object secret,id=masterKey0,format=raw,\ +file=/tmp/lib/domain--1-TPM-VM/master-key.aes \ +-machine pc-i440fx-2.12,accel=tcg,usb=off,dump-guest-core=off \ +-m 2048 \ +-realtime mlock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 11d7cd22-da89-3094-6212-079a48a309a1 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-TPM-VM/monitor.sock,\ +server,nowait \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-boot menu=on,strict=on \ +-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \ +-tpmdev emulator,id=tpm-tpm0,chardev=chrtpm \ +-chardev socket,id=chrtpm,path=/dev/test \ +-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 \ +-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\ +resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2.xml b/tests/qemuxml2argvdata/tpm-emulator-tpm2.xml new file mode 100644 index 0000000000..7546930d19 --- /dev/null +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2.xml @@ -0,0 +1,30 @@ +<domain type='qemu'> + <name>TPM-VM</name> + <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid> + <memory unit='KiB'>2097152</memory> + <currentMemory unit='KiB'>512288</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type> + <boot dev='hd'/> + <bootmenu enable='yes'/> + </os> + <features> + <acpi/> + </features> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <controller type='usb' index='0'/> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <tpm model='tpm-tis'> + <backend type='emulator' version='2'/> + </tpm> + <memballoon model='virtio'/> + </devices> +</domain> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 587f15242e..a4801407b6 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -2027,6 +2027,7 @@ mymain(void) DO_TEST_PARSE_ERROR("tpm-no-backend-invalid", QEMU_CAPS_DEVICE_TPM_PASSTHROUGH, QEMU_CAPS_DEVICE_TPM_TIS); DO_TEST_CAPS_LATEST("tpm-emulator"); + DO_TEST_CAPS_LATEST("tpm-emulator-tpm2"); DO_TEST_PARSE_ERROR("pci-domain-invalid", NONE); DO_TEST_PARSE_ERROR("pci-bus-invalid", NONE); diff --git a/tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml new file mode 100644 index 0000000000..eff55fc5df --- /dev/null +++ b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml @@ -0,0 +1,34 @@ +<domain type='qemu'> + <name>TPM-VM</name> + <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid> + <memory unit='KiB'>2097152</memory> + <currentMemory unit='KiB'>512288</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type> + <boot dev='hd'/> + <bootmenu enable='yes'/> + </os> + <features> + <acpi/> + </features> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <controller type='usb' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <tpm model='tpm-tis'> + <backend type='emulator' version='2'/> + </tpm> + <memballoon model='virtio'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </memballoon> + </devices> +</domain> -- 2.14.3
On Tue, May 22, 2018 at 04:44:51PM -0400, Stefan Berger wrote:
This patch extends the TPM's device XML with TPM 2 support. This only works for the emulator type backend and looks as follows:
<tpm model='tpm-tis'> <backend type='emulator' version='2'/> </tpm>
The swtpm process now has --tpm2 as an additional parameter:
system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ? Rs 11:13 13:50 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm2,mode=0640 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/testvm-swtpm.pid
The version of the TPM can be changed and the state of the TPM is preserved.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- docs/formatdomain.html.in | 15 ++++- docs/schemas/domaincommon.rng | 12 ++++ src/conf/domain_conf.c | 27 ++++++++- src/conf/domain_conf.h | 6 ++ src/qemu/qemu_tpm.c | 64 +++++++++++++++++++++- .../tpm-emulator-tpm2.x86_64-latest.args | 33 +++++++++++ tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 ++++++++++ tests/qemuxml2argvtest.c | 1 + tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 ++++++++++++ 9 files changed, 217 insertions(+), 5 deletions(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
@@ -24941,6 +24963,9 @@ virDomainTPMDefFormat(virBufferPtr buf, virBufferAsprintf(buf, "<backend type='%s'", virDomainTPMBackendTypeToString(def->type));
+ if (def->version == VIR_DOMAIN_TPM_VERSION_2) + virBufferAddLit(buf, " version='2'"); +
Any reason for not formatting version 1.2? We should format implicit defaults in the XML if possible.
switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: virBufferAddLit(buf, ">\n"); diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 92466278ab..e2409899bc 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1291,12 +1291,18 @@ typedef enum { VIR_DOMAIN_TPM_TYPE_LAST } virDomainTPMBackendType;
+typedef enum { + VIR_DOMAIN_TPM_VERSION_1_2, + VIR_DOMAIN_TPM_VERSION_2, +} virDomainTPMVersion;
With a corresponding VIR_ENUM_IMPL and VIR_ENUM_DECL, you can use the *{To,From}String functions for parsing/formatting the version.
+ # define VIR_DOMAIN_TPM_DEFAULT_DEVICE "/dev/tpm0"
struct _virDomainTPMDef { virDomainTPMBackendType type; virDomainDeviceInfo info; virDomainTPMModel model; + virDomainTPMVersion version; union { struct { virDomainChrSourceDef source; diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 11b91aa915..508685c455 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -54,6 +54,41 @@ static char *swtpm_path; static char *swtpm_setup; static char *swtpm_ioctl;
+bool swtpm_supports_tpm2; + +/* + * qemuTPMCheckForTPM2Support + * + * Check whether swtpm_setup supports TPM 2 + */ +static void +qemuTPMCheckForTPM2Support(void) +{ + virCommandPtr cmd; + char *help = NULL; + + if (!swtpm_setup) + return; + + cmd = virCommandNew(swtpm_setup); + if (!cmd) + return; + + virCommandAddArg(cmd, "--help"); + virCommandSetOutputBuffer(cmd, &help); + + if (virCommandRun(cmd, NULL) < 0) + goto cleanup; + + if (strstr(help, "--tpm2")) + swtpm_supports_tpm2 = true;
This bool is never read. Given that version 2 has to be requested in the XML and we don't try to use it automatically, I'd suggest just dropping this function. We don't need to parse another tool's --help output to make up for the removal of parsing --help of qemu and qemu-img. Jano
On 05/23/2018 11:55 AM, Ján Tomko wrote:
On Tue, May 22, 2018 at 04:44:51PM -0400, Stefan Berger wrote:
This patch extends the TPM's device XML with TPM 2 support. This only works for the emulator type backend and looks as follows:
<tpm model='tpm-tis'> <backend type='emulator' version='2'/> </tpm>
The swtpm process now has --tpm2 as an additional parameter:
system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ? Rs 11:13 13:50 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm2,mode=0640 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/testvm-swtpm.pid
The version of the TPM can be changed and the state of the TPM is preserved.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- docs/formatdomain.html.in | 15 ++++- docs/schemas/domaincommon.rng | 12 ++++ src/conf/domain_conf.c | 27 ++++++++- src/conf/domain_conf.h | 6 ++ src/qemu/qemu_tpm.c | 64 +++++++++++++++++++++- .../tpm-emulator-tpm2.x86_64-latest.args | 33 +++++++++++ tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 ++++++++++ tests/qemuxml2argvtest.c | 1 + tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 ++++++++++++ 9 files changed, 217 insertions(+), 5 deletions(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
@@ -24941,6 +24963,9 @@ virDomainTPMDefFormat(virBufferPtr buf, virBufferAsprintf(buf, "<backend type='%s'", virDomainTPMBackendTypeToString(def->type));
+ if (def->version == VIR_DOMAIN_TPM_VERSION_2) + virBufferAddLit(buf, " version='2'"); +
Any reason for not formatting version 1.2? We should format implicit defaults in the XML if possible.
Basically I did it because the previous default 1.2 didn't have it. So I though I'd keep it as is for 1.2 and only write out 2.
switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: virBufferAddLit(buf, ">\n"); diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 92466278ab..e2409899bc 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1291,12 +1291,18 @@ typedef enum { VIR_DOMAIN_TPM_TYPE_LAST } virDomainTPMBackendType;
+typedef enum { + VIR_DOMAIN_TPM_VERSION_1_2, + VIR_DOMAIN_TPM_VERSION_2, +} virDomainTPMVersion;
With a corresponding VIR_ENUM_IMPL and VIR_ENUM_DECL, you can use the *{To,From}String functions for parsing/formatting the version.
+ # define VIR_DOMAIN_TPM_DEFAULT_DEVICE "/dev/tpm0"
struct _virDomainTPMDef { virDomainTPMBackendType type; virDomainDeviceInfo info; virDomainTPMModel model; + virDomainTPMVersion version; union { struct { virDomainChrSourceDef source; diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 11b91aa915..508685c455 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -54,6 +54,41 @@ static char *swtpm_path; static char *swtpm_setup; static char *swtpm_ioctl;
+bool swtpm_supports_tpm2; + +/* + * qemuTPMCheckForTPM2Support + * + * Check whether swtpm_setup supports TPM 2 + */ +static void +qemuTPMCheckForTPM2Support(void) +{ + virCommandPtr cmd; + char *help = NULL; + + if (!swtpm_setup) + return; + + cmd = virCommandNew(swtpm_setup); + if (!cmd) + return; + + virCommandAddArg(cmd, "--help"); + virCommandSetOutputBuffer(cmd, &help); + + if (virCommandRun(cmd, NULL) < 0) + goto cleanup; + + if (strstr(help, "--tpm2")) + swtpm_supports_tpm2 = true;
This bool is never read.
Maybe while doing some of the recent changes the reading of the variable got lost.
Given that version 2 has to be requested in the XML and we don't try to use it automatically, I'd suggest just dropping this function. We don't need to parse another tool's --help output to make up for the removal of parsing --help of qemu and qemu-img.
swtpm doesn't have all the bells and whistles of QEMU that we would have a JSON interface to query the features from. So if a bad command line parameter is passed to swtpm, it will dump the help screen. Here's the output I get from trying to run a VM with an attached TPM 2 but there's no TPM 2 support compiled into swtpm (basically because it was created from the master branch not from the preview branch): # virsh start testvm-tpm2 Error: Failed to start domain testvm-tpm2 error: internal error: Could not start 'swtpm'. exitstatus: 1, error: socket: unrecognized option '--tpm2' Usage: /usr/bin/swtpm socket [options] The following options are supported: -p|--port <port> : use the given port -f|--fd <fd> : use the given socket file descriptor [...] I think a more controlled error message would be better basically stating 'Local swtpm installation does not support TPM 2'. Stefan
Jano
On Wed, May 23, 2018 at 02:33:08PM -0400, Stefan Berger wrote:
On 05/23/2018 11:55 AM, Ján Tomko wrote:
On Tue, May 22, 2018 at 04:44:51PM -0400, Stefan Berger wrote:
@@ -24941,6 +24963,9 @@ virDomainTPMDefFormat(virBufferPtr buf, virBufferAsprintf(buf, "<backend type='%s'", virDomainTPMBackendTypeToString(def->type));
+ if (def->version == VIR_DOMAIN_TPM_VERSION_2) + virBufferAddLit(buf, " version='2'"); +
Any reason for not formatting version 1.2? We should format implicit defaults in the XML if possible.
Basically I did it because the previous default 1.2 didn't have it. So I though I'd keep it as is for 1.2 and only write out 2.
What previous default? <backend type='emulator'/> is introduced by this series. We should format the configurable attributes even when they are at their default values.
switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: virBufferAddLit(buf, ">\n");
Given that version 2 has to be requested in the XML and we don't try to use it automatically, I'd suggest just dropping this function. We don't need to parse another tool's --help output to make up for the removal of parsing --help of qemu and qemu-img.
swtpm doesn't have all the bells and whistles of QEMU that we would have a JSON interface to query the features from.
With QEMU, we actually need to know some capabilities upfront, because different versions have had different ways of requesting the same functionality. Giving nicer errors for unsupported features is just a bonus. With qemu-img, we only care about one way of representing the functionality and let it print an error if something's compiled out.
So if a bad command line parameter is passed to swtpm, it will dump the help screen. Here's the output I get from trying to run a VM with an attached TPM 2 but there's no TPM 2 support compiled into swtpm (basically because it was created from the master branch not from the preview branch):
# virsh start testvm-tpm2 Error: Failed to start domain testvm-tpm2 error: internal error: Could not start 'swtpm'. exitstatus: 1, error: socket: unrecognized option '--tpm2' Usage: /usr/bin/swtpm socket [options]
The following options are supported:
-p|--port <port> : use the given port -f|--fd <fd> : use the given socket file descriptor [...]
I think a more controlled error message would be better basically stating 'Local swtpm installation does not support TPM 2'.
Yes, but not worth introducing all the code and extra exec() for all the successful starts. Jano
Stefan
Jano
On 05/24/2018 03:08 AM, Ján Tomko wrote:
On Wed, May 23, 2018 at 02:33:08PM -0400, Stefan Berger wrote:
On 05/23/2018 11:55 AM, Ján Tomko wrote:
On Tue, May 22, 2018 at 04:44:51PM -0400, Stefan Berger wrote:
@@ -24941,6 +24963,9 @@ virDomainTPMDefFormat(virBufferPtr buf, virBufferAsprintf(buf, "<backend type='%s'", virDomainTPMBackendTypeToString(def->type));
+ if (def->version == VIR_DOMAIN_TPM_VERSION_2) + virBufferAddLit(buf, " version='2'"); +
Any reason for not formatting version 1.2? We should format implicit defaults in the XML if possible.
Basically I did it because the previous default 1.2 didn't have it. So I though I'd keep it as is for 1.2 and only write out 2.
What previous default? <backend type='emulator'/> is introduced by this series.
We should format the configurable attributes even when they are at their default values.
I'll post a v7 with this and other changes.
switch (def->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: virBufferAddLit(buf, ">\n");
Given that version 2 has to be requested in the XML and we don't try to use it automatically, I'd suggest just dropping this function. We don't need to parse another tool's --help output to make up for the removal of parsing --help of qemu and qemu-img.
swtpm doesn't have all the bells and whistles of QEMU that we would have a JSON interface to query the features from.
With QEMU, we actually need to know some capabilities upfront, because different versions have had different ways of requesting the same functionality. Giving nicer errors for unsupported features is just a bonus.
With qemu-img, we only care about one way of representing the functionality and let it print an error if something's compiled out.
Ok, then let me remove it. v7 will have that change. Not sure what to do about the existing Reviewed-by's. Intend to keep them. Stefan
So if a bad command line parameter is passed to swtpm, it will dump the help screen. Here's the output I get from trying to run a VM with an attached TPM 2 but there's no TPM 2 support compiled into swtpm (basically because it was created from the master branch not from the preview branch):
# virsh start testvm-tpm2 Error: Failed to start domain testvm-tpm2 error: internal error: Could not start 'swtpm'. exitstatus: 1, error: socket: unrecognized option '--tpm2' Usage: /usr/bin/swtpm socket [options]
The following options are supported:
-p|--port <port> : use the given port -f|--fd <fd> : use the given socket file descriptor [...]
I think a more controlled error message would be better basically stating 'Local swtpm installation does not support TPM 2'.
Yes, but not worth introducing all the code and extra exec() for all the successful starts.
Jano
Stefan
Jano
On Thu, May 24, 2018 at 07:22:30AM -0400, Stefan Berger wrote:
On 05/24/2018 03:08 AM, Ján Tomko wrote:
On Wed, May 23, 2018 at 02:33:08PM -0400, Stefan Berger wrote:
swtpm doesn't have all the bells and whistles of QEMU that we would have a JSON interface to query the features from.
With QEMU, we actually need to know some capabilities upfront, because different versions have had different ways of requesting the same functionality. Giving nicer errors for unsupported features is just a bonus.
With qemu-img, we only care about one way of representing the functionality and let it print an error if something's compiled out.
Ok, then let me remove it. v7 will have that change. Not sure what to do about the existing Reviewed-by's. Intend to keep them.
The usual thing to do is keep them unless you make a significant change to the commit. Its presence in the commit message should tell the reviewer that he does not need to look at it again. Jano
On Tue, May 22, 2018 at 10:44 PM +0200, Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
This patch extends the TPM's device XML with TPM 2 support. This only works for the emulator type backend and looks as follows:
<tpm model='tpm-tis'> <backend type='emulator' version='2'/> </tpm>
The swtpm process now has --tpm2 as an additional parameter:
system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ? Rs 11:13 13:50 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm2,mode=0640 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/testvm-swtpm.pid
The version of the TPM can be changed and the state of the TPM is preserved.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- docs/formatdomain.html.in | 15 ++++- docs/schemas/domaincommon.rng | 12 ++++ src/conf/domain_conf.c | 27 ++++++++- src/conf/domain_conf.h | 6 ++ src/qemu/qemu_tpm.c | 64 +++++++++++++++++++++- .../tpm-emulator-tpm2.x86_64-latest.args | 33 +++++++++++ tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 ++++++++++ tests/qemuxml2argvtest.c | 1 + tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 ++++++++++++ 9 files changed, 217 insertions(+), 5 deletions(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 08a57bd751..043c8da56f 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -7719,7 +7719,7 @@ qemu-kvm -net nic,model=? /dev/null ... <devices> <tpm model='tpm-tis'> - <backend type='emulator'> + <backend type='emulator' version='2'> </backend> </tpm> </devices> @@ -7769,6 +7769,19 @@ qemu-kvm -net nic,model=? /dev/null </dd> </dl> </dd> + <dt><code>version</code></dt> + <dd> + <p> + The <code>version</code> attribute indicates the version + of the TPM. By default a TPM 1.2 is created. This attribute + only works with the <code>emulator</code> backend. The following + versions are supported: + </p> + <ul> + <li>'1.2' : creates a TPM 1.2</li> + <li>'2' : creates a TPM 2</li> + </ul> + </dd> </dl>
<h4><a id="elementsNVRAM">NVRAM device</a></h4> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 3582cb5019..f11833075a 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -4130,6 +4130,18 @@ </attribute> </group> </choice> + <choice> + <group> + <optional> + <attribute name="version"> + <choice> + <value>1.2</value> + <value>2</value> + </choice> + </attribute> + </optional> + </group> + </choice> </element> </define>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 15dd490d17..79904789ee 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -12657,7 +12657,7 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt, * or like this: * * <tpm model='tpm-tis'> - * <backend type='emulator'/> + * <backend type='emulator' version='2'/> * </tpm> */ static virDomainTPMDefPtr @@ -12670,6 +12670,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, char *path = NULL; char *model = NULL; char *backend = NULL; + char *version = NULL; virDomainTPMDefPtr def; xmlNodePtr save = ctxt->node; xmlNodePtr *backends = NULL; @@ -12716,6 +12717,20 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, goto error; }
+ version = virXMLPropString(backends[0], "version"); + if (!version || STREQ(version, "1.2")) { + def->version = VIR_DOMAIN_TPM_VERSION_1_2; + /* only TIS available for emulator */ + if (def->type == VIR_DOMAIN_TPM_TYPE_EMULATOR) + def->model = VIR_DOMAIN_TPM_MODEL_TIS;
This will silently overwrite an already defined model - is this intended? Also this seems like some kind of validation logic - not sure if virDomainTPMDefParseXML is the right place for this.
+ } else if (STREQ(version, "2")) { + def->version = VIR_DOMAIN_TPM_VERSION_2;
[…snip] Beste Grüße / Kind regards Marc Hartmayer IBM Deutschland Research & Development GmbH Vorsitzende des Aufsichtsrats: Martina Koederitz Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
On 05/24/2018 08:17 AM, Marc Hartmayer wrote:
On Tue, May 22, 2018 at 10:44 PM +0200, Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
This patch extends the TPM's device XML with TPM 2 support. This only works for the emulator type backend and looks as follows:
<tpm model='tpm-tis'> <backend type='emulator' version='2'/> </tpm>
The swtpm process now has --tpm2 as an additional parameter:
system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ? Rs 11:13 13:50 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm2,mode=0640 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/testvm-swtpm.pid
The version of the TPM can be changed and the state of the TPM is preserved.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- docs/formatdomain.html.in | 15 ++++- docs/schemas/domaincommon.rng | 12 ++++ src/conf/domain_conf.c | 27 ++++++++- src/conf/domain_conf.h | 6 ++ src/qemu/qemu_tpm.c | 64 +++++++++++++++++++++- .../tpm-emulator-tpm2.x86_64-latest.args | 33 +++++++++++ tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 ++++++++++ tests/qemuxml2argvtest.c | 1 + tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 ++++++++++++ 9 files changed, 217 insertions(+), 5 deletions(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 08a57bd751..043c8da56f 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -7719,7 +7719,7 @@ qemu-kvm -net nic,model=? /dev/null ... <devices> <tpm model='tpm-tis'> - <backend type='emulator'> + <backend type='emulator' version='2'> </backend> </tpm> </devices> @@ -7769,6 +7769,19 @@ qemu-kvm -net nic,model=? /dev/null </dd> </dl> </dd> + <dt><code>version</code></dt> + <dd> + <p> + The <code>version</code> attribute indicates the version + of the TPM. By default a TPM 1.2 is created. This attribute + only works with the <code>emulator</code> backend. The following + versions are supported: + </p> + <ul> + <li>'1.2' : creates a TPM 1.2</li> + <li>'2' : creates a TPM 2</li> + </ul> + </dd> </dl>
<h4><a id="elementsNVRAM">NVRAM device</a></h4> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 3582cb5019..f11833075a 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -4130,6 +4130,18 @@ </attribute> </group> </choice> + <choice> + <group> + <optional> + <attribute name="version"> + <choice> + <value>1.2</value> + <value>2</value> + </choice> + </attribute> + </optional> + </group> + </choice> </element> </define>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 15dd490d17..79904789ee 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -12657,7 +12657,7 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt, * or like this: * * <tpm model='tpm-tis'> - * <backend type='emulator'/> + * <backend type='emulator' version='2'/> * </tpm> */ static virDomainTPMDefPtr @@ -12670,6 +12670,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, char *path = NULL; char *model = NULL; char *backend = NULL; + char *version = NULL; virDomainTPMDefPtr def; xmlNodePtr save = ctxt->node; xmlNodePtr *backends = NULL; @@ -12716,6 +12717,20 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, goto error; }
+ version = virXMLPropString(backends[0], "version"); + if (!version || STREQ(version, "1.2")) { + def->version = VIR_DOMAIN_TPM_VERSION_1_2; + /* only TIS available for emulator */ + if (def->type == VIR_DOMAIN_TPM_TYPE_EMULATOR) + def->model = VIR_DOMAIN_TPM_MODEL_TIS; This will silently overwrite an already defined model - is this intended? Also this seems like some kind of validation logic - not sure if virDomainTPMDefParseXML is the right place for this.
TPM 1.2 can typically only be used with the TIS. The CRB interface works only with TPM 2. So, yes, it's intentional. Stefan
+ } else if (STREQ(version, "2")) { + def->version = VIR_DOMAIN_TPM_VERSION_2; […snip]
Beste Grüße / Kind regards Marc Hartmayer
IBM Deutschland Research & Development GmbH Vorsitzende des Aufsichtsrats: Martina Koederitz Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
On Thu, May 24, 2018 at 02:17:13PM +0200, Marc Hartmayer wrote:
On Tue, May 22, 2018 at 10:44 PM +0200, Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
This patch extends the TPM's device XML with TPM 2 support. This only works for the emulator type backend and looks as follows:
<tpm model='tpm-tis'> <backend type='emulator' version='2'/> </tpm>
The swtpm process now has --tpm2 as an additional parameter:
system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ? Rs 11:13 13:50 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm2,mode=0640 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/testvm-swtpm.pid
The version of the TPM can be changed and the state of the TPM is preserved.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- docs/formatdomain.html.in | 15 ++++- docs/schemas/domaincommon.rng | 12 ++++ src/conf/domain_conf.c | 27 ++++++++- src/conf/domain_conf.h | 6 ++ src/qemu/qemu_tpm.c | 64 +++++++++++++++++++++- .../tpm-emulator-tpm2.x86_64-latest.args | 33 +++++++++++ tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 ++++++++++ tests/qemuxml2argvtest.c | 1 + tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 ++++++++++++ 9 files changed, 217 insertions(+), 5 deletions(-) create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 08a57bd751..043c8da56f 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -7719,7 +7719,7 @@ qemu-kvm -net nic,model=? /dev/null ... <devices> <tpm model='tpm-tis'> - <backend type='emulator'> + <backend type='emulator' version='2'> </backend> </tpm> </devices> @@ -7769,6 +7769,19 @@ qemu-kvm -net nic,model=? /dev/null </dd> </dl> </dd> + <dt><code>version</code></dt> + <dd> + <p> + The <code>version</code> attribute indicates the version + of the TPM. By default a TPM 1.2 is created. This attribute + only works with the <code>emulator</code> backend. The following + versions are supported: + </p> + <ul> + <li>'1.2' : creates a TPM 1.2</li> + <li>'2' : creates a TPM 2</li> + </ul> + </dd> </dl>
<h4><a id="elementsNVRAM">NVRAM device</a></h4> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 3582cb5019..f11833075a 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -4130,6 +4130,18 @@ </attribute> </group> </choice> + <choice> + <group> + <optional> + <attribute name="version"> + <choice> + <value>1.2</value> + <value>2</value> + </choice> + </attribute> + </optional> + </group> + </choice> </element> </define>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 15dd490d17..79904789ee 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -12657,7 +12657,7 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt, * or like this: * * <tpm model='tpm-tis'> - * <backend type='emulator'/> + * <backend type='emulator' version='2'/> * </tpm> */ static virDomainTPMDefPtr @@ -12670,6 +12670,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, char *path = NULL; char *model = NULL; char *backend = NULL; + char *version = NULL; virDomainTPMDefPtr def; xmlNodePtr save = ctxt->node; xmlNodePtr *backends = NULL; @@ -12716,6 +12717,20 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, goto error; }
+ version = virXMLPropString(backends[0], "version"); + if (!version || STREQ(version, "1.2")) { + def->version = VIR_DOMAIN_TPM_VERSION_1_2; + /* only TIS available for emulator */ + if (def->type == VIR_DOMAIN_TPM_TYPE_EMULATOR) + def->model = VIR_DOMAIN_TPM_MODEL_TIS;
This will silently overwrite an already defined model - is this intended? Also this seems like some kind of validation logic - not sure if virDomainTPMDefParseXML is the right place for this.
Yes, DefParse would ideally just convert what was provided in the XML to our internal data types. Setting defaults belongs in PostParse (either in src/conf or in src/qemu) and for validation we have qemu.*DefValidate. Jano
Add the external swtpm to the emulator cgroup so that upper limits of CPU usage can be enforced on the emulated TPM. To enable this we need to have the swtpm write its process id (pid) into a file. We then read it from the file to configure the emulator cgroup. The PID file is created in /var/run/libvirt/qemu/swtpm: [root@localhost swtpm]# ls -lZ /var/run/libvirt/qemu/swtpm/ total 4 -rw-r--r--. 1 tss tss system_u:object_r:qemu_var_run_t:s0 5 Apr 10 12:26 1-testvm-swtpm.pid srw-rw----. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c597,c632 0 Apr 10 12:26 1-testvm-swtpm.sock The swtpm command line now looks as follows: root@localhost testvm]# ps auxZ | grep swtpm | grep socket | grep -v grep system_u:system_r:virtd_t:s0:c597,c632 tss 18697 0.0 0.0 28172 3892 ? Ss 16:46 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/1-testvm-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/485d0004-a48f-436a-8457-8a3b73e28568/tpm1.2/ --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --pid file=/var/run/libvirt/qemu/swtpm/1-testvm-swtpm.pid Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_cgroup.c | 35 ++++++++++++ src/qemu/qemu_cgroup.h | 2 + src/qemu/qemu_extdevice.c | 26 +++++++++ src/qemu/qemu_extdevice.h | 6 +++ src/qemu/qemu_process.c | 4 ++ src/qemu/qemu_tpm.c | 135 ++++++++++++++++++++++++++++++++++++++++++++-- src/qemu/qemu_tpm.h | 6 +++ 7 files changed, 211 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 54b00a5da5..12b3f3bf40 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -26,6 +26,7 @@ #include "qemu_cgroup.h" #include "qemu_domain.h" #include "qemu_process.h" +#include "qemu_extdevice.h" #include "vircgroup.h" #include "virlog.h" #include "viralloc.h" @@ -1172,6 +1173,40 @@ qemuSetupCgroupCpusetCpus(virCgroupPtr cgroup, } +int +qemuSetupCgroupForExtDevices(virDomainObjPtr vm, + virQEMUDriverPtr driver) +{ + qemuDomainObjPrivatePtr priv = vm->privateData; + virCgroupPtr cgroup_temp = NULL; + int ret = -1; + + if (!qemuExtDevicesHasDevice(vm->def) || + priv->cgroup == NULL) + return 0; /* Not supported, so claim success */ + + /* + * If CPU cgroup controller is not initialized here, then we need + * neither period nor quota settings. And if CPUSET controller is + * not initialized either, then there's nothing to do anyway. + */ + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPU) && + !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET)) + return 0; + + if (virCgroupNewThread(priv->cgroup, VIR_CGROUP_THREAD_EMULATOR, 0, + false, &cgroup_temp) < 0) + goto cleanup; + + ret = qemuExtDevicesSetupCgroup(driver, vm->def, cgroup_temp); + + cleanup: + virCgroupFree(&cgroup_temp); + + return ret; +} + + int qemuSetupGlobalCpuCgroup(virDomainObjPtr vm) { diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h index 3b8ff6055d..c2fca7fc1d 100644 --- a/src/qemu/qemu_cgroup.h +++ b/src/qemu/qemu_cgroup.h @@ -69,6 +69,8 @@ int qemuSetupCgroupVcpuBW(virCgroupPtr cgroup, long long quota); int qemuSetupCgroupCpusetCpus(virCgroupPtr cgroup, virBitmapPtr cpumask); int qemuSetupGlobalCpuCgroup(virDomainObjPtr vm); +int qemuSetupCgroupForExtDevices(virDomainObjPtr vm, + virQEMUDriverPtr driver); int qemuRemoveCgroup(virDomainObjPtr vm); typedef struct _qemuCgroupEmulatorAllNodesData qemuCgroupEmulatorAllNodesData; diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c index 790b19be9e..d982922470 100644 --- a/src/qemu/qemu_extdevice.c +++ b/src/qemu/qemu_extdevice.c @@ -30,6 +30,8 @@ #include "virlog.h" #include "virstring.h" #include "virtime.h" +#include "virtpm.h" +#include "virpidfile.h" #define VIR_FROM_THIS VIR_FROM_QEMU @@ -152,3 +154,27 @@ qemuExtDevicesStop(virQEMUDriverPtr driver, if (def->tpm) qemuExtTPMStop(driver, def); } + + +bool +qemuExtDevicesHasDevice(virDomainDefPtr def) +{ + if (def->tpm && def->tpm->type == VIR_DOMAIN_TPM_TYPE_EMULATOR) + return true; + + return false; +} + + +int +qemuExtDevicesSetupCgroup(virQEMUDriverPtr driver, + virDomainDefPtr def, + virCgroupPtr cgroup) +{ + int ret = 0; + + if (def->tpm) + ret = qemuExtTPMSetupCgroup(driver, def, cgroup); + + return ret; +} diff --git a/src/qemu/qemu_extdevice.h b/src/qemu/qemu_extdevice.h index 6de858b2a3..c557778ddb 100644 --- a/src/qemu/qemu_extdevice.h +++ b/src/qemu/qemu_extdevice.h @@ -50,4 +50,10 @@ void qemuExtDevicesStop(virQEMUDriverPtr driver, virDomainDefPtr def) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); +bool qemuExtDevicesHasDevice(virDomainDefPtr def); + +int qemuExtDevicesSetupCgroup(virQEMUDriverPtr driver, + virDomainDefPtr def, + virCgroupPtr cgroup); + #endif /* __QEMU_EXTDEVICE_H__ */ diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 45a4750178..6c5538db11 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -6274,6 +6274,10 @@ qemuProcessLaunch(virConnectPtr conn, if (qemuProcessSetupEmulator(vm) < 0) goto cleanup; + VIR_DEBUG("Setting cgroup for external devices (if required)"); + if (qemuSetupCgroupForExtDevices(vm, driver) < 0) + goto cleanup; + VIR_DEBUG("Setting up resctrl"); if (qemuProcessResctrlCreate(driver, vm) < 0) goto cleanup; diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 508685c455..e032d587b6 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -40,6 +40,7 @@ #include "viruuid.h" #include "virfile.h" #include "virstring.h" +#include "virpidfile.h" #include "configmake.h" #include "qemu_tpm.h" @@ -347,6 +348,57 @@ qemuTPMEmulatorInitPaths(virDomainTPMDefPtr tpm, } +/* + * qemuTPMCreatePidFilename + */ +static char * +qemuTPMEmulatorCreatePidFilename(const char *swtpmStateDir, + const char *shortName) +{ + char *pidfile = NULL; + char *devicename = NULL; + + if (virAsprintf(&devicename, "%s-swtpm", shortName) < 0) + return NULL; + + pidfile = virPidFileBuildPath(swtpmStateDir, devicename); + + VIR_FREE(devicename); + + return pidfile; +} + + +/* + * qemuTPMEmulatorGetPid + * + * @swtpmStateDir: the directory where swtpm writes the pidfile into + * @shortName: short name of the domain + * @pid: pointer to pid + * + * Return -errno upon error, or zero on successful reading of the pidfile. + * If the PID was not still alive, zero will be returned, and @pid will be + * set to -1; + */ +static int +qemuTPMEmulatorGetPid(const char *swtpmStateDir, + const char *shortName, + pid_t *pid) +{ + int ret; + char *pidfile = qemuTPMEmulatorCreatePidFilename(swtpmStateDir, + shortName); + if (!pidfile) + return -ENOMEM; + + ret = virPidFileReadPathIfAlive(pidfile, pid, swtpm_path); + + VIR_FREE(pidfile); + + return ret; +} + + /* * qemuTPMEmulatorPrepareHost: * @@ -516,6 +568,9 @@ qemuTPMEmulatorRunSetup(const char *storagepath, * @privileged: whether we are running in privileged mode * @swtpm_user: The uid for the swtpm to run as (drop privileges to from root) * @swtpm_group: The gid for the swtpm to run as + * @swtpmStateDir: the directory where swtpm writes the pid file and creates the + * Unix socket + * @shortName: the short name of the VM * * Create the virCommand use for starting the emulator * Do some initializations on the way, such as creation of storage @@ -527,10 +582,13 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm, const unsigned char *vmuuid, bool privileged, uid_t swtpm_user, - gid_t swtpm_group) + gid_t swtpm_group, + const char *swtpmStateDir, + const char *shortName) { virCommandPtr cmd = NULL; bool created = false; + char *pidfile; if (qemuTPMCreateEmulatorStorage(tpm->data.emulator.storagepath, &created, swtpm_user, swtpm_group) < 0) @@ -572,6 +630,13 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm, break; } + if (!(pidfile = qemuTPMEmulatorCreatePidFilename(swtpmStateDir, shortName))) + goto error; + + virCommandAddArg(cmd, "--pid"); + virCommandAddArgFormat(cmd, "file=%s", pidfile); + VIR_FREE(pidfile); + return cmd; error: @@ -723,7 +788,8 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver, virQEMUDriverConfigPtr cfg; virDomainTPMDefPtr tpm = def->tpm; char *shortName = virDomainDefGetShortName(def); - int cmdret = 0; + int cmdret = 0, timeout, rc; + pid_t pid; if (!shortName) return -1; @@ -736,7 +802,8 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver, if (!(cmd = qemuTPMEmulatorBuildCommand(tpm, def->name, def->uuid, driver->privileged, cfg->swtpm_user, - cfg->swtpm_group))) + cfg->swtpm_group, + cfg->swtpmStateDir, shortName))) goto cleanup; if (qemuExtDeviceLogCommand(logCtxt, cmd, "TPM Emulator") < 0) @@ -756,6 +823,22 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver, goto cleanup; } + /* check that the swtpm has written its pid into the file */ + timeout = 1000; /* ms */ + while (timeout > 0) { + rc = qemuTPMEmulatorGetPid(cfg->swtpmStateDir, shortName, &pid); + if (rc < 0) { + timeout -= 50; + usleep(50 * 1000); + continue; + } + if (rc == 0 && pid == (pid_t)-1) + goto error; + break; + } + if (timeout <= 0) + goto error; + ret = 0; cleanup: @@ -766,6 +849,11 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver, virObjectUnref(cfg); return ret; + + error: + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("swtpm failed to start")); + goto cleanup; } @@ -815,3 +903,44 @@ qemuExtTPMStop(virQEMUDriverPtr driver, VIR_FREE(shortName); virObjectUnref(cfg); } + + +int +qemuExtTPMSetupCgroup(virQEMUDriverPtr driver, + virDomainDefPtr def, + virCgroupPtr cgroup) +{ + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); + char *pidfile = NULL; + char *shortName = NULL; + int ret = -1, rc; + pid_t pid; + + switch (def->tpm->type) { + case VIR_DOMAIN_TPM_TYPE_EMULATOR: + shortName = virDomainDefGetShortName(def); + if (!shortName) + goto cleanup; + rc = qemuTPMEmulatorGetPid(cfg->swtpmStateDir, shortName, &pid); + if (rc < 0 || (rc == 0 && pid == (pid_t)-1)) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Could not get process id of swtpm")); + goto cleanup; + } + if (virCgroupAddTask(cgroup, pid) < 0) + goto cleanup; + break; + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + ret = 0; + + cleanup: + VIR_FREE(pidfile); + VIR_FREE(shortName); + virObjectUnref(cfg); + + return ret; +} diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h index 20f3a9ccc4..6eb1294da0 100644 --- a/src/qemu/qemu_tpm.h +++ b/src/qemu/qemu_tpm.h @@ -47,4 +47,10 @@ void qemuExtTPMStop(virQEMUDriverPtr driver, virDomainDefPtr def) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); +int qemuExtTPMSetupCgroup(virQEMUDriverPtr driver, + virDomainDefPtr def, + virCgroupPtr cgroup) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) + ATTRIBUTE_RETURN_CHECK; + #endif /* __QEMU_TPM_H__ */ -- 2.14.3
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> --- docs/news.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/news.xml b/docs/news.xml index 7d40e85b9a..43a7ca48b6 100644 --- a/docs/news.xml +++ b/docs/news.xml @@ -54,6 +54,15 @@ a QEMU virtual machine. </description> </change> + <change> + <summary> + qemu: Provide TPM emulator support + </summary> + <description> + Support QEMU's TPM emulator based on swtpm. Each QEMU guest gets + its own virtual TPM. + </description> + </change> </section> <section title="Improvements"> <change> -- 2.14.3
On 05/22/2018 04:44 PM, Stefan Berger wrote:
This series of patches adds support for the TPM emulator backend that is available in QEMU and based on swtpm + libtpms. It allows to attach a TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm process, its Unix socket, and log file with the same label that the QEMU process gets. Besides that swtpm is added to the emulator cgroup to restrict its CPU usage.
The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a TPM 1.2. The device state is not removed during those changes but only when the domain is undefined.
The swtpm needs persistent storage to store its state. For that I am using the uuid of the VM as part of the path since the name of the VM can be changed. Logfiles, PID files, and socket names are based on the name of the VM, though.
Stefan
v5->v6: - Addressed John Ferlan's comments - rebased on latest tip - Added patch 12.
v4->v5: - Addressed John Ferlan's, Boris Fiuczysnki's and Marc Hartmayer's comments - rebased on latest tip
v3->v4: - Addressed John Ferlan's comments - Fixed bugs I found while testing - rebased on latest tip
Stefan Berger (12): conf: Add support for external swtpm TPM emulator to domain XML qemu: Extend QEMU capabilities with 'tpm-emulator' util: Implement virFileChownFiles() security: Add DAC and SELinux security for tpm-emulator qemu: Extend qemu_conf with tpm-emulator support qemu: Extend QEMU with external TPM support qemu: Add support for external swtpm TPM emulator tests: Add test cases for external swtpm TPM emulator security: Label the external swtpm with SELinux labels conf: Add support for choosing emulation of a TPM 2 qemu: Add swtpm to emulator cgroup news: Update news with new TPM emulator feature
docs/formatdomain.html.in | 43 + docs/news.xml | 9 + docs/schemas/domaincommon.rng | 17 + libvirt.spec.in | 2 + src/conf/domain_audit.c | 2 + src/conf/domain_conf.c | 53 +- src/conf/domain_conf.h | 12 + src/libvirt_private.syms | 3 + src/qemu/Makefile.inc.am | 10 + src/qemu/libvirtd_qemu.aug | 5 + src/qemu/qemu.conf | 8 + src/qemu/qemu_capabilities.c | 5 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_cgroup.c | 36 + src/qemu/qemu_cgroup.h | 2 + src/qemu/qemu_command.c | 34 +- src/qemu/qemu_conf.c | 43 + src/qemu/qemu_conf.h | 6 + src/qemu/qemu_domain.c | 3 + src/qemu/qemu_extdevice.c | 180 ++++ src/qemu/qemu_extdevice.h | 59 ++ src/qemu/qemu_process.c | 16 + src/qemu/qemu_security.c | 69 ++ src/qemu/qemu_security.h | 11 + src/qemu/qemu_tpm.c | 946 +++++++++++++++++++++ src/qemu/qemu_tpm.h | 56 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 + src/security/security_dac.c | 7 + src/security/security_driver.h | 7 + src/security/security_manager.c | 36 + src/security/security_manager.h | 6 + src/security/security_selinux.c | 172 ++++ src/security/security_stack.c | 40 + src/util/virfile.c | 55 ++ src/util/virfile.h | 3 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + .../tpm-emulator-tpm2.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 + .../tpm-emulator.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator.xml | 30 + tests/qemuxml2argvtest.c | 16 +- tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 + tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 + tests/qemuxml2xmltest.c | 1 + 48 files changed, 2165 insertions(+), 10 deletions(-) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml
This all looks good to me - thanks for the news.xml adjustment. Barring anyone else making a late/additional review - I will look to push the series later on today. John
On 05/23/2018 08:07 AM, John Ferlan wrote:
On 05/22/2018 04:44 PM, Stefan Berger wrote:
This series of patches adds support for the TPM emulator backend that is available in QEMU and based on swtpm + libtpms. It allows to attach a TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm process, its Unix socket, and log file with the same label that the QEMU process gets. Besides that swtpm is added to the emulator cgroup to restrict its CPU usage.
The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a TPM 1.2. The device state is not removed during those changes but only when the domain is undefined.
The swtpm needs persistent storage to store its state. For that I am using the uuid of the VM as part of the path since the name of the VM can be changed. Logfiles, PID files, and socket names are based on the name of the VM, though.
Stefan
v5->v6: - Addressed John Ferlan's comments - rebased on latest tip - Added patch 12.
v4->v5: - Addressed John Ferlan's, Boris Fiuczysnki's and Marc Hartmayer's comments - rebased on latest tip
v3->v4: - Addressed John Ferlan's comments - Fixed bugs I found while testing - rebased on latest tip
Stefan Berger (12): conf: Add support for external swtpm TPM emulator to domain XML qemu: Extend QEMU capabilities with 'tpm-emulator' util: Implement virFileChownFiles() security: Add DAC and SELinux security for tpm-emulator qemu: Extend qemu_conf with tpm-emulator support qemu: Extend QEMU with external TPM support qemu: Add support for external swtpm TPM emulator tests: Add test cases for external swtpm TPM emulator security: Label the external swtpm with SELinux labels conf: Add support for choosing emulation of a TPM 2 qemu: Add swtpm to emulator cgroup news: Update news with new TPM emulator feature
docs/formatdomain.html.in | 43 + docs/news.xml | 9 + docs/schemas/domaincommon.rng | 17 + libvirt.spec.in | 2 + src/conf/domain_audit.c | 2 + src/conf/domain_conf.c | 53 +- src/conf/domain_conf.h | 12 + src/libvirt_private.syms | 3 + src/qemu/Makefile.inc.am | 10 + src/qemu/libvirtd_qemu.aug | 5 + src/qemu/qemu.conf | 8 + src/qemu/qemu_capabilities.c | 5 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_cgroup.c | 36 + src/qemu/qemu_cgroup.h | 2 + src/qemu/qemu_command.c | 34 +- src/qemu/qemu_conf.c | 43 + src/qemu/qemu_conf.h | 6 + src/qemu/qemu_domain.c | 3 + src/qemu/qemu_extdevice.c | 180 ++++ src/qemu/qemu_extdevice.h | 59 ++ src/qemu/qemu_process.c | 16 + src/qemu/qemu_security.c | 69 ++ src/qemu/qemu_security.h | 11 + src/qemu/qemu_tpm.c | 946 +++++++++++++++++++++ src/qemu/qemu_tpm.h | 56 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 + src/security/security_dac.c | 7 + src/security/security_driver.h | 7 + src/security/security_manager.c | 36 + src/security/security_manager.h | 6 + src/security/security_selinux.c | 172 ++++ src/security/security_stack.c | 40 + src/util/virfile.c | 55 ++ src/util/virfile.h | 3 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + .../tpm-emulator-tpm2.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 + .../tpm-emulator.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator.xml | 30 + tests/qemuxml2argvtest.c | 16 +- tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 + tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 + tests/qemuxml2xmltest.c | 1 + 48 files changed, 2165 insertions(+), 10 deletions(-) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml
This all looks good to me - thanks for the news.xml adjustment. Barring anyone else making a late/additional review - I will look to push the series later on today.
Thanks. As mentioned, I will need to follow up with AppArmor support. What I am currently experimenting with is a subprofile of the libvirt profile. The problem with it is it's 'suboptimal' in terms of 'unspecific' paths containing wild-cards so that this single sub profile can accommodate the paths of all domains. This profile is static and not dynamically generated. diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 3102cab382..dcab4feb6c 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -126,4 +126,15 @@ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + /usr/bin/swtpm Cx -> usr_bin_swtpm, + profile usr_bin_swtpm flags=(complain) { + #include <abstractions/base> + + /usr/bin/swtpm rm, + + /run/libvirt/qemu/swtpm/*-swtpm.pid rw, + /run/libvirt/qemu/swtpm/*-swtpm.sock w, + /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + /var/lib/libvirt/swtpm/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/{tpm1.2,tpm2}/{tpm,tpm2}-00.permall rw, + } } A better solution would be to extend the QEMU domain profile with these additional paths, which, as a side-effect, would give a QEMU instance access to these paths as well. Basically QEMU and swtpm would share that profile. To good thing is we can use specific paths (no wild cards) for the files that the swtpm needs to access. Yet a stricter solution would be to dynamically create a profile specifically for the swtpm that contains only the necessary paths. Though I think the code in src/security/security_apparmor.c is not prepared for that and it may end up being a bigger undertaking. Anyone who would be willing to give an opinion on the latter two cases ? I am cc'ing Christian Ehrhard who seems to have worked on AppArmor related code. Stefan
John
On 05/23/2018 09:20 AM, Stefan Berger wrote:
On 05/23/2018 08:07 AM, John Ferlan wrote:
On 05/22/2018 04:44 PM, Stefan Berger wrote:
This series of patches adds support for the TPM emulator backend that is available in QEMU and based on swtpm + libtpms. It allows to attach a TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm process, its Unix socket, and log file with the same label that the QEMU process gets. Besides that swtpm is added to the emulator cgroup to restrict its CPU usage.
The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a TPM 1.2. The device state is not removed during those changes but only when the domain is undefined.
The swtpm needs persistent storage to store its state. For that I am using the uuid of the VM as part of the path since the name of the VM can be changed. Logfiles, PID files, and socket names are based on the name of the VM, though.
Stefan
v5->v6: - Addressed John Ferlan's comments - rebased on latest tip - Added patch 12.
v4->v5: - Addressed John Ferlan's, Boris Fiuczysnki's and Marc Hartmayer's comments - rebased on latest tip
v3->v4: - Addressed John Ferlan's comments - Fixed bugs I found while testing - rebased on latest tip
Stefan Berger (12): conf: Add support for external swtpm TPM emulator to domain XML qemu: Extend QEMU capabilities with 'tpm-emulator' util: Implement virFileChownFiles() security: Add DAC and SELinux security for tpm-emulator qemu: Extend qemu_conf with tpm-emulator support qemu: Extend QEMU with external TPM support qemu: Add support for external swtpm TPM emulator tests: Add test cases for external swtpm TPM emulator security: Label the external swtpm with SELinux labels conf: Add support for choosing emulation of a TPM 2 qemu: Add swtpm to emulator cgroup news: Update news with new TPM emulator feature
docs/formatdomain.html.in | 43 + docs/news.xml | 9 + docs/schemas/domaincommon.rng | 17 + libvirt.spec.in | 2 + src/conf/domain_audit.c | 2 + src/conf/domain_conf.c | 53 +- src/conf/domain_conf.h | 12 + src/libvirt_private.syms | 3 + src/qemu/Makefile.inc.am | 10 + src/qemu/libvirtd_qemu.aug | 5 + src/qemu/qemu.conf | 8 + src/qemu/qemu_capabilities.c | 5 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_cgroup.c | 36 + src/qemu/qemu_cgroup.h | 2 + src/qemu/qemu_command.c | 34 +- src/qemu/qemu_conf.c | 43 + src/qemu/qemu_conf.h | 6 + src/qemu/qemu_domain.c | 3 + src/qemu/qemu_extdevice.c | 180 ++++ src/qemu/qemu_extdevice.h | 59 ++ src/qemu/qemu_process.c | 16 + src/qemu/qemu_security.c | 69 ++ src/qemu/qemu_security.h | 11 + src/qemu/qemu_tpm.c | 946 +++++++++++++++++++++ src/qemu/qemu_tpm.h | 56 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 + src/security/security_dac.c | 7 + src/security/security_driver.h | 7 + src/security/security_manager.c | 36 + src/security/security_manager.h | 6 + src/security/security_selinux.c | 172 ++++ src/security/security_stack.c | 40 + src/util/virfile.c | 55 ++ src/util/virfile.h | 3 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + .../tpm-emulator-tpm2.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 + .../tpm-emulator.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator.xml | 30 + tests/qemuxml2argvtest.c | 16 +- tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 + tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 + tests/qemuxml2xmltest.c | 1 + 48 files changed, 2165 insertions(+), 10 deletions(-) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml
This all looks good to me - thanks for the news.xml adjustment. Barring anyone else making a late/additional review - I will look to push the series later on today.
Thanks.
As mentioned, I will need to follow up with AppArmor support. What I am currently experimenting with is a subprofile of the libvirt profile. The problem with it is it's 'suboptimal' in terms of 'unspecific' paths containing wild-cards so that this single sub profile can accommodate the paths of all domains. This profile is static and not dynamically generated.
I see that Jano had some comments... I also was reminded today that you still have libvirt.git commit access - so once you feel comfortable with addressing those comments, I guess you have the capability to push and won't need me for that! I'll defer to those with AppArmor experience for the rest! John
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 3102cab382..dcab4feb6c 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -126,4 +126,15 @@
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + /usr/bin/swtpm Cx -> usr_bin_swtpm, + profile usr_bin_swtpm flags=(complain) { + #include <abstractions/base> + + /usr/bin/swtpm rm, + + /run/libvirt/qemu/swtpm/*-swtpm.pid rw, + /run/libvirt/qemu/swtpm/*-swtpm.sock w, + /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + /var/lib/libvirt/swtpm/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/{tpm1.2,tpm2}/{tpm,tpm2}-00.permall rw, + } }
A better solution would be to extend the QEMU domain profile with these additional paths, which, as a side-effect, would give a QEMU instance access to these paths as well. Basically QEMU and swtpm would share that profile. To good thing is we can use specific paths (no wild cards) for the files that the swtpm needs to access.
Yet a stricter solution would be to dynamically create a profile specifically for the swtpm that contains only the necessary paths. Though I think the code in src/security/security_apparmor.c is not prepared for that and it may end up being a bigger undertaking.
Anyone who would be willing to give an opinion on the latter two cases ? I am cc'ing Christian Ehrhard who seems to have worked on AppArmor related code.
Stefan
John
On 05/23/2018 02:03 PM, John Ferlan wrote:
On 05/23/2018 09:20 AM, Stefan Berger wrote:
On 05/23/2018 08:07 AM, John Ferlan wrote:
On 05/22/2018 04:44 PM, Stefan Berger wrote:
This series of patches adds support for the TPM emulator backend that is available in QEMU and based on swtpm + libtpms. It allows to attach a TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm process, its Unix socket, and log file with the same label that the QEMU process gets. Besides that swtpm is added to the emulator cgroup to restrict its CPU usage.
The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a TPM 1.2. The device state is not removed during those changes but only when the domain is undefined.
The swtpm needs persistent storage to store its state. For that I am using the uuid of the VM as part of the path since the name of the VM can be changed. Logfiles, PID files, and socket names are based on the name of the VM, though.
Stefan
v5->v6: - Addressed John Ferlan's comments - rebased on latest tip - Added patch 12.
v4->v5: - Addressed John Ferlan's, Boris Fiuczysnki's and Marc Hartmayer's comments - rebased on latest tip
v3->v4: - Addressed John Ferlan's comments - Fixed bugs I found while testing - rebased on latest tip
Stefan Berger (12): conf: Add support for external swtpm TPM emulator to domain XML qemu: Extend QEMU capabilities with 'tpm-emulator' util: Implement virFileChownFiles() security: Add DAC and SELinux security for tpm-emulator qemu: Extend qemu_conf with tpm-emulator support qemu: Extend QEMU with external TPM support qemu: Add support for external swtpm TPM emulator tests: Add test cases for external swtpm TPM emulator security: Label the external swtpm with SELinux labels conf: Add support for choosing emulation of a TPM 2 qemu: Add swtpm to emulator cgroup news: Update news with new TPM emulator feature
docs/formatdomain.html.in | 43 + docs/news.xml | 9 + docs/schemas/domaincommon.rng | 17 + libvirt.spec.in | 2 + src/conf/domain_audit.c | 2 + src/conf/domain_conf.c | 53 +- src/conf/domain_conf.h | 12 + src/libvirt_private.syms | 3 + src/qemu/Makefile.inc.am | 10 + src/qemu/libvirtd_qemu.aug | 5 + src/qemu/qemu.conf | 8 + src/qemu/qemu_capabilities.c | 5 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_cgroup.c | 36 + src/qemu/qemu_cgroup.h | 2 + src/qemu/qemu_command.c | 34 +- src/qemu/qemu_conf.c | 43 + src/qemu/qemu_conf.h | 6 + src/qemu/qemu_domain.c | 3 + src/qemu/qemu_extdevice.c | 180 ++++ src/qemu/qemu_extdevice.h | 59 ++ src/qemu/qemu_process.c | 16 + src/qemu/qemu_security.c | 69 ++ src/qemu/qemu_security.h | 11 + src/qemu/qemu_tpm.c | 946 +++++++++++++++++++++ src/qemu/qemu_tpm.h | 56 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 + src/security/security_dac.c | 7 + src/security/security_driver.h | 7 + src/security/security_manager.c | 36 + src/security/security_manager.h | 6 + src/security/security_selinux.c | 172 ++++ src/security/security_stack.c | 40 + src/util/virfile.c | 55 ++ src/util/virfile.h | 3 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + .../tpm-emulator-tpm2.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 + .../tpm-emulator.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator.xml | 30 + tests/qemuxml2argvtest.c | 16 +- tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 + tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 + tests/qemuxml2xmltest.c | 1 + 48 files changed, 2165 insertions(+), 10 deletions(-) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml
This all looks good to me - thanks for the news.xml adjustment. Barring anyone else making a late/additional review - I will look to push the series later on today. Thanks.
As mentioned, I will need to follow up with AppArmor support. What I am currently experimenting with is a subprofile of the libvirt profile. The problem with it is it's 'suboptimal' in terms of 'unspecific' paths containing wild-cards so that this single sub profile can accommodate the paths of all domains. This profile is static and not dynamically generated.
I see that Jano had some comments... I also was reminded today that you still have libvirt.git commit access - so once you feel comfortable with addressing those comments, I guess you have the capability to push and won't need me for that!
Thanks. Between v3 and v4 it looks like some hunks got lost related to the TPM 2 enablement. I readded them and added an error message in case TPM 2 is not supported by swtpm_setup/swptm. I am keeping your Reviewed-by's - no 'abuse' intended :-)
I'll defer to those with AppArmor experience for the rest!
Stefan
John
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 3102cab382..dcab4feb6c 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -126,4 +126,15 @@
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + /usr/bin/swtpm Cx -> usr_bin_swtpm, + profile usr_bin_swtpm flags=(complain) { + #include <abstractions/base> + + /usr/bin/swtpm rm, + + /run/libvirt/qemu/swtpm/*-swtpm.pid rw, + /run/libvirt/qemu/swtpm/*-swtpm.sock w, + /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + /var/lib/libvirt/swtpm/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/{tpm1.2,tpm2}/{tpm,tpm2}-00.permall rw, + } }
A better solution would be to extend the QEMU domain profile with these additional paths, which, as a side-effect, would give a QEMU instance access to these paths as well. Basically QEMU and swtpm would share that profile. To good thing is we can use specific paths (no wild cards) for the files that the swtpm needs to access.
Yet a stricter solution would be to dynamically create a profile specifically for the swtpm that contains only the necessary paths. Though I think the code in src/security/security_apparmor.c is not prepared for that and it may end up being a bigger undertaking.
Anyone who would be willing to give an opinion on the latter two cases ? I am cc'ing Christian Ehrhard who seems to have worked on AppArmor related code.
Stefan
John
participants (4)
-
John Ferlan -
Ján Tomko -
Marc Hartmayer -
Stefan Berger