1:21 p.m.
This series of patches addresses the RFE in BZ 172830:
https://bugzilla.redhat.com/show_bug.cgi?id=1728030
This series of patches adds support for vTPM state encryption by passing
the read-end of a pipe's file descriptor to 'swtpm_setup' and 'swtpm'
where they can read a passphrase from and derive a key from that passphrase.
The TPM's domain XML looks to enable state encryption looks like this:
<tpm model='tpm-tis'>
<backend type='emulator' version='1.2'>
<encryption secret='2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd'/>
</backend>
</tpm>
The vTPM secret holding the passphrase looks like this:
<secret ephemeral='no' private='yes'>
<uuid>2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd</uuid>
<description>vTPM passphrase example</description>
<usage type='vtpm'>
<name>vtpm_example</name>
</usage>
</secret>
The swtpm v0.2 is needed that supports the command line option
--print-capabilities returning a JSON object that identifies features added
since v0.1. One such features is the possibility to pass a passphrase via a
file descriptor.
The patches do some refactoring of existing code on the way.
Stefan
v1->v2:
- Added Marc-André's R-bs
- Addressed comments
- Added patches to extend virCommand to be able to write contents of multiple
buffers to file descriptors for a spawned process to read from
v2->v3:
- Fixed some pointer issues following conversion to use VIR_AUTOFREE
v3->v4:
- Added test case for virCommandSetSendBuffer() to commantest.c
- Addressed other issues raised by Marc-André
v4->v5:
- Simplified encryption node in TPM's domain XML and adapted everything that
depends on this; dropped some patches and removed some R-bs for non-trivial
stuff
- Not limiting write size for fd's with O_NONBLOCK set
v5->v6:
- Addressed comments on v5
v6->v7:
- Stubbed out virCommandSetSendBuffer if F_SETFL is not defined. Also having
'the other' occurrence of F_SETFL cause an error if F_SETFL is not defined.
Stefan Berger (19):
secret: Add support for usage type vTPM, extend schema and test case
tests: Add already existing test case tpm-emulator-tpm2
conf: Extend TPM XML parser with encryption support
tests: Add test for TPM XML encryption parser and formatter
tests: Add tests for QEMU command line generation with encrypted TPM
tpm: Move qemuTPMEmulatorInit to virTPMEmulatorInit in virtpm.c
tpm: Refactor virTPMEmulatorInit to use loop
tpm: Check whether previously found executables were updated
tpm: Parse the capabilities supported by swtpm and swtpm_setup
utils: Implement function to pass a buffer to send via a fd to
virCommand
utils: Convert pollfd array to be allocated
utils: Mark inpipe as non-blocking
utils: Extend virCommandProcessIO to include the send buffers
tests: Extend command test to transfer large data to process on
multiple fds
tpm: Use fd to pass password to swtpm_setup and swtpm
tpm: Pass migration key passphrase via fd to swtpm
tpm: Check TPM XML device configuration changes after edit
docs: Extend Secret XML documentation with vtpm usage type
docs: Extend TPM docs with new encryption element
docs/formatdomain.html.in | 12 +
docs/formatsecret.html.in | 61 +++-
docs/schemas/domaincommon.rng | 11 +
docs/schemas/secret.rng | 10 +
include/libvirt/libvirt-secret.h | 1 +
include/libvirt/virterror.h | 2 +
src/conf/domain_conf.c | 87 ++++-
src/conf/domain_conf.h | 6 +
src/conf/secret_conf.c | 13 +
src/libvirt_private.syms | 10 +
src/qemu/qemu_driver.c | 28 ++
src/qemu/qemu_extdevice.c | 2 +-
src/qemu/qemu_extdevice.h | 3 +
src/qemu/qemu_tpm.c | 211 ++++++++-----
src/util/vircommand.c | 171 +++++++++-
src/util/vircommand.h | 5 +
src/util/virerror.c | 2 +
src/util/virsecret.c | 2 +-
src/util/virtpm.c | 298 +++++++++++++++++-
src/util/virtpm.h | 23 ++
tests/commandhelper.c | 70 +++-
tests/commandtest.c | 113 +++++++
.../tpm-emulator-tpm2-enc.x86_64-latest.args | 35 ++
.../tpm-emulator-tpm2-enc.xml | 32 ++
tests/qemuxml2argvtest.c | 1 +
.../tpm-emulator-tpm2-enc.xml | 36 +++
tests/qemuxml2xmltest.c | 2 +
tests/secretxml2xmlin/usage-vtpm.xml | 7 +
tests/secretxml2xmltest.c | 1 +
29 files changed, 1168 insertions(+), 87 deletions(-)
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2-enc.xml
create mode 100644 tests/secretxml2xmlin/usage-vtpm.xml
--
2.20.1
1:21 p.m.
New subject: [libvirt] [PATCH v7 01/19] secret: Add support for usage type vTPM, extend schema and test case
Add support for usage type vTPM to secret.
Extend the schema for the Secret to support the vTPM usage type
and add a test case for parsing the Secret with usage type vTPM.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
docs/schemas/secret.rng | 10 ++++++++++
include/libvirt/libvirt-secret.h | 1 +
src/conf/secret_conf.c | 13 +++++++++++++
src/util/virsecret.c | 2 +-
tests/secretxml2xmlin/usage-vtpm.xml | 7 +++++++
tests/secretxml2xmltest.c | 1 +
6 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 tests/secretxml2xmlin/usage-vtpm.xml
diff --git a/docs/schemas/secret.rng b/docs/schemas/secret.rng
index 1e94d66e48..e0add8a5e9 100644
--- a/docs/schemas/secret.rng
+++ b/docs/schemas/secret.rng
@@ -37,6 +37,7 @@
<ref name='usageceph'/>
<ref name='usageiscsi'/>
<ref name='usagetls'/>
+ <ref name='usagevtpm'/>
<!-- More choices later -->
</choice>
</element>
@@ -81,4 +82,13 @@
</element>
</define>
+ <define name='usagevtpm'>
+ <attribute name='type'>
+ <value>vtpm</value>
+ </attribute>
+ <element name='name'>
+ <ref name='genericName'/>
+ </element>
+ </define>
+
</grammar>
diff --git a/include/libvirt/libvirt-secret.h b/include/libvirt/libvirt-secret.h
index 9a1065f0f3..e5aaac9450 100644
--- a/include/libvirt/libvirt-secret.h
+++ b/include/libvirt/libvirt-secret.h
@@ -43,6 +43,7 @@ typedef enum {
VIR_SECRET_USAGE_TYPE_CEPH = 2,
VIR_SECRET_USAGE_TYPE_ISCSI = 3,
VIR_SECRET_USAGE_TYPE_TLS = 4,
+ VIR_SECRET_USAGE_TYPE_VTPM = 5,
# ifdef VIR_ENUM_SENTINELS
VIR_SECRET_USAGE_TYPE_LAST
diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c
index 5b85a7c0be..b291339e77 100644
--- a/src/conf/secret_conf.c
+++ b/src/conf/secret_conf.c
@@ -110,6 +110,15 @@ virSecretDefParseUsage(xmlXPathContextPtr ctxt,
}
break;
+ case VIR_SECRET_USAGE_TYPE_VTPM:
+ def->usage_id = virXPathString("string(./usage/name)", ctxt);
+ if (!def->usage_id) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("vTPM usage specified, but name is missing"));
+ return -1;
+ }
+ break;
+
default:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unexpected secret usage type %d"),
@@ -257,6 +266,10 @@ virSecretDefFormatUsage(virBufferPtr buf,
virBufferEscapeString(buf, "<name>%s</name>\n",
def->usage_id);
break;
+ case VIR_SECRET_USAGE_TYPE_VTPM:
+ virBufferEscapeString(buf, "<name>%s</name>\n",
def->usage_id);
+ break;
+
default:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unexpected secret usage type %d"),
diff --git a/src/util/virsecret.c b/src/util/virsecret.c
index 854dc72b06..7844a76a56 100644
--- a/src/util/virsecret.c
+++ b/src/util/virsecret.c
@@ -34,7 +34,7 @@ VIR_LOG_INIT("util.secret");
VIR_ENUM_IMPL(virSecretUsage,
VIR_SECRET_USAGE_TYPE_LAST,
- "none", "volume", "ceph", "iscsi",
"tls",
+ "none", "volume", "ceph", "iscsi",
"tls", "vtpm",
);
void
diff --git a/tests/secretxml2xmlin/usage-vtpm.xml b/tests/secretxml2xmlin/usage-vtpm.xml
new file mode 100644
index 0000000000..5baff3034d
--- /dev/null
+++ b/tests/secretxml2xmlin/usage-vtpm.xml
@@ -0,0 +1,7 @@
+<secret ephemeral='no' private='yes'>
+ <uuid>aa6c7af2-45a7-477c-85a2-fe86d9f2514e</uuid>
+ <description>vTPM secret</description>
+ <usage type='vtpm'>
+ <name>vTPMvTPMvTPM</name>
+ </usage>
+</secret>
diff --git a/tests/secretxml2xmltest.c b/tests/secretxml2xmltest.c
index fd93703424..595583346a 100644
--- a/tests/secretxml2xmltest.c
+++ b/tests/secretxml2xmltest.c
@@ -80,6 +80,7 @@ mymain(void)
DO_TEST("usage-ceph");
DO_TEST("usage-iscsi");
DO_TEST("usage-tls");
+ DO_TEST("usage-vtpm");
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
2.20.1
1:21 p.m.
New subject: [libvirt] [PATCH v7 02/19] tests: Add already existing test case tpm-emulator-tpm2
Add an already existing test case tpm-emulator-tpm2 to qemuxml2xmltest.c
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tests/qemuxml2xmltest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 09c86eda2a..f9e1151906 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -655,6 +655,7 @@ mymain(void)
DO_TEST("tpm-passthrough", NONE);
DO_TEST("tpm-passthrough-crb", NONE);
DO_TEST("tpm-emulator", NONE);
+ DO_TEST("tpm-emulator-tpm2", NONE);
DO_TEST("metadata", NONE);
DO_TEST("metadata-duplicate", NONE);
--
2.20.1
1:21 p.m.
New subject: [libvirt] [PATCH v7 03/19] conf: Extend TPM XML parser with encryption support
Extend the TPM device XML parser and XML generator with emulator
state encryption support.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
docs/schemas/domaincommon.rng | 11 +++++++++++
src/conf/domain_conf.c | 31 ++++++++++++++++++++++++++++++-
src/conf/domain_conf.h | 2 ++
3 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 763480440c..a0771da45b 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -4317,6 +4317,7 @@
<attribute name="type">
<value>emulator</value>
</attribute>
+ <ref name="tpm-backend-emulator-encryption"/>
</group>
</choice>
<choice>
@@ -4346,6 +4347,16 @@
</optional>
</define>
+ <define name="tpm-backend-emulator-encryption">
+ <optional>
+ <element name="encryption">
+ <attribute name="secret">
+ <ref name="UUID"/>
+ </attribute>
+ </element>
+ </optional>
+ </define>
+
<define name="vsock">
<element name="vsock">
<optional>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 0574c69a46..6673a323c6 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -13049,6 +13049,14 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt,
* <tpm model='tpm-tis'>
* <backend type='emulator' version='2'/>
* </tpm>
+ *
+ * Emulator state encryption is supported with the following:
+ *
+ * <tpm model='tpm-tis'>
+ * <backend type='emulator' version='2'>
+ * <encryption uuid='32ee7e76-2178-47a1-ab7b-269e6e348015'/>
+ * </backend>
+ * </tpm>
*/
static virDomainTPMDefPtr
virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
@@ -13063,6 +13071,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
VIR_AUTOFREE(char *) model = NULL;
VIR_AUTOFREE(char *) backend = NULL;
VIR_AUTOFREE(char *) version = NULL;
+ VIR_AUTOFREE(char *) secretuuid = NULL;
VIR_AUTOFREE(xmlNodePtr *) backends = NULL;
if (VIR_ALLOC(def) < 0)
@@ -13127,6 +13136,15 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
def->data.passthrough.source.type = VIR_DOMAIN_CHR_TYPE_DEV;
break;
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ secretuuid = virXPathString("string(./backend/encryption/@secret)",
ctxt);
+ if (secretuuid) {
+ if (virUUIDParse(secretuuid, def->data.emulator.secretuuid) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unable to parse secret uuid '%s'"),
secretuuid);
+ goto error;
+ }
+ def->data.emulator.hassecretuuid = true;
+ }
break;
case VIR_DOMAIN_TPM_TYPE_LAST:
goto error;
@@ -25953,8 +25971,19 @@ virDomainTPMDefFormat(virBufferPtr buf,
virBufferAddLit(buf, "</backend>\n");
break;
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
- virBufferAsprintf(buf, " version='%s'/>\n",
+ virBufferAsprintf(buf, " version='%s'",
virDomainTPMVersionTypeToString(def->version));
+ if (def->data.emulator.hassecretuuid) {
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ virBufferAddLit(buf, ">\n");
+ virBufferAdjustIndent(buf, 2);
+ virBufferAsprintf(buf, "<encryption
secret='%s'/>\n",
+ virUUIDFormat(def->data.emulator.secretuuid, uuidstr));
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "</backend>\n");
+ } else {
+ virBufferAddLit(buf, "/>\n");
+ }
break;
case VIR_DOMAIN_TPM_TYPE_LAST:
break;
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 822f9af265..8092893c2a 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1269,6 +1269,8 @@ struct _virDomainTPMDef {
virDomainChrSourceDef source;
char *storagepath;
char *logfile;
+ unsigned char secretuuid[VIR_UUID_BUFLEN];
+ bool hassecretuuid;
} emulator;
} data;
};
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 04/19] tests: Add test for TPM XML encryption parser and formatter
Add a test case for the TPM XML encryption parser and formatter.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
.../tpm-emulator-tpm2-enc.xml | 32 +++++++++++++++++
.../tpm-emulator-tpm2-enc.xml | 36 +++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
3 files changed, 69 insertions(+)
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.xml
create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2-enc.xml
diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.xml
b/tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.xml
new file mode 100644
index 0000000000..d889aae4f6
--- /dev/null
+++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.xml
@@ -0,0 +1,32 @@
+<domain type='qemu'>
+ <name>TPM-VM</name>
+ <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid>
+ <memory unit='KiB'>2097152</memory>
+ <currentMemory unit='KiB'>512288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type>
+ <boot dev='hd'/>
+ <bootmenu enable='yes'/>
+ </os>
+ <features>
+ <acpi/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <tpm model='tpm-tis'>
+ <backend type='emulator' version='2.0'>
+ <encryption secret='32ee7e76-2178-47a1-ab7b-269e6e348015'/>
+ </backend>
+ </tpm>
+ <memballoon model='virtio'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmloutdata/tpm-emulator-tpm2-enc.xml
b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2-enc.xml
new file mode 100644
index 0000000000..8902725097
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2-enc.xml
@@ -0,0 +1,36 @@
+<domain type='qemu'>
+ <name>TPM-VM</name>
+ <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid>
+ <memory unit='KiB'>2097152</memory>
+ <currentMemory unit='KiB'>512288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type>
+ <boot dev='hd'/>
+ <bootmenu enable='yes'/>
+ </os>
+ <features>
+ <acpi/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <tpm model='tpm-tis'>
+ <backend type='emulator' version='2.0'>
+ <encryption secret='32ee7e76-2178-47a1-ab7b-269e6e348015'/>
+ </backend>
+ </tpm>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index f9e1151906..525eb9a740 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -656,6 +656,7 @@ mymain(void)
DO_TEST("tpm-passthrough-crb", NONE);
DO_TEST("tpm-emulator", NONE);
DO_TEST("tpm-emulator-tpm2", NONE);
+ DO_TEST("tpm-emulator-tpm2-enc", NONE);
DO_TEST("metadata", NONE);
DO_TEST("metadata-duplicate", NONE);
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 05/19] tests: Add tests for QEMU command line generation with encrypted TPM
The QEMU command line does not change when TPM state is encrypted
compared to when it is plain.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
.../tpm-emulator-tpm2-enc.x86_64-latest.args | 35 +++++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
2 files changed, 36 insertions(+)
create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.x86_64-latest.args
diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.x86_64-latest.args
b/tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.x86_64-latest.args
new file mode 100644
index 0000000000..3c8dc8e483
--- /dev/null
+++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2-enc.x86_64-latest.args
@@ -0,0 +1,35 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-TPM-VM \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-TPM-VM/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-TPM-VM/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-TPM-VM/.config \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-x86_64 \
+-name guest=TPM-VM,debug-threads=on \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-TPM-VM/master-key.aes \
+-machine pc-i440fx-2.12,accel=tcg,usb=off,dump-guest-core=off \
+-m 2048 \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 11d7cd22-da89-3094-6212-079a48a309a1 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot menu=on,strict=on \
+-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
+-tpmdev emulator,id=tpm-tpm0,chardev=chrtpm \
+-chardev socket,id=chrtpm,path=/dev/test \
+-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
+resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index d6e6272518..c166fd18d6 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -2107,6 +2107,7 @@ mymain(void)
QEMU_CAPS_DEVICE_TPM_PASSTHROUGH, QEMU_CAPS_DEVICE_TPM_TIS);
DO_TEST_CAPS_LATEST("tpm-emulator");
DO_TEST_CAPS_LATEST("tpm-emulator-tpm2");
+ DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-enc");
DO_TEST_PARSE_ERROR("pci-domain-invalid", NONE);
DO_TEST_PARSE_ERROR("pci-bus-invalid", NONE);
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 06/19] tpm: Move qemuTPMEmulatorInit to virTPMEmulatorInit in virtpm.c
Move qemuTPMEmulatorInit to virTPMEmulatorInit in virtpm.c and introduce
a few functions to query the executables needed for virCommands.
Add locking to protect the tool paths and return a copy of the tool paths
to callers wanting to access them so that we can run the initialization
function multiples time later on and detect when the executable gets updated.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
---
src/libvirt_private.syms | 4 ++
src/qemu/qemu_tpm.c | 90 ++++++-----------------------
src/util/virtpm.c | 122 +++++++++++++++++++++++++++++++++++++++
src/util/virtpm.h | 5 ++
4 files changed, 149 insertions(+), 72 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index ff5a77b0e2..4cdbb80596 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -3177,6 +3177,10 @@ virTimeStringThenRaw;
# util/virtpm.h
virTPMCreateCancelPath;
+virTPMEmulatorInit;
+virTPMGetSwtpm;
+virTPMGetSwtpmIoctl;
+virTPMGetSwtpmSetup;
# util/virtypedparam.h
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index cc8c69433b..7282b01bfe 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -41,79 +41,12 @@
#include "configmake.h"
#include "dirname.h"
#include "qemu_tpm.h"
+#include "virtpm.h"
#define VIR_FROM_THIS VIR_FROM_NONE
VIR_LOG_INIT("qemu.tpm");
-/*
- * executables for the swtpm; to be found on the host
- */
-static char *swtpm_path;
-static char *swtpm_setup;
-static char *swtpm_ioctl;
-
-/*
- * qemuTPMEmulatorInit
- *
- * Initialize the Emulator functions by searching for necessary
- * executables that we will use to start and setup the swtpm
- */
-static int
-qemuTPMEmulatorInit(void)
-{
- if (!swtpm_path) {
- swtpm_path = virFindFileInPath("swtpm");
- if (!swtpm_path) {
- virReportSystemError(ENOENT, "%s",
- _("Unable to find 'swtpm' binary in
$PATH"));
- return -1;
- }
- if (!virFileIsExecutable(swtpm_path)) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("TPM emulator %s is not an executable"),
- swtpm_path);
- VIR_FREE(swtpm_path);
- return -1;
- }
- }
-
- if (!swtpm_setup) {
- swtpm_setup = virFindFileInPath("swtpm_setup");
- if (!swtpm_setup) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("Could not find 'swtpm_setup' in PATH"));
- return -1;
- }
- if (!virFileIsExecutable(swtpm_setup)) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("'%s' is not an executable"),
- swtpm_setup);
- VIR_FREE(swtpm_setup);
- return -1;
- }
- }
-
- if (!swtpm_ioctl) {
- swtpm_ioctl = virFindFileInPath("swtpm_ioctl");
- if (!swtpm_ioctl) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("Could not find swtpm_ioctl in PATH"));
- return -1;
- }
- if (!virFileIsExecutable(swtpm_ioctl)) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("swtpm_ioctl program %s is not an executable"),
- swtpm_ioctl);
- VIR_FREE(swtpm_ioctl);
- return -1;
- }
- }
-
- return 0;
-}
-
-
/*
* qemuTPMCreateEmulatorStoragePath
*
@@ -345,12 +278,13 @@ qemuTPMEmulatorGetPid(const char *swtpmStateDir,
pid_t *pid)
{
int ret;
+ VIR_AUTOFREE(char *) swtpm = virTPMGetSwtpm();
char *pidfile = qemuTPMEmulatorCreatePidFilename(swtpmStateDir,
shortName);
if (!pidfile)
return -ENOMEM;
- ret = virPidFileReadPathIfAlive(pidfile, pid, swtpm_path);
+ ret = virPidFileReadPathIfAlive(pidfile, pid, swtpm);
VIR_FREE(pidfile);
@@ -386,7 +320,7 @@ qemuTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm,
{
int ret = -1;
- if (qemuTPMEmulatorInit() < 0)
+ if (virTPMEmulatorInit() < 0)
return -1;
/* create log dir ... allow 'tss' user to cd into it */
@@ -471,6 +405,10 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
int ret = -1;
char uuid[VIR_UUID_STRING_BUFLEN];
char *vmid = NULL;
+ VIR_AUTOFREE(char *)swtpm_setup = virTPMGetSwtpmSetup();
+
+ if (!swtpm_setup)
+ return -1;
if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2)
return virFileWriteStr(logfile,
@@ -562,6 +500,10 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
virCommandPtr cmd = NULL;
bool created = false;
char *pidfile;
+ VIR_AUTOFREE(char *) swtpm = virTPMGetSwtpm();
+
+ if (!swtpm)
+ return NULL;
if (qemuTPMCreateEmulatorStorage(tpm->data.emulator.storagepath,
&created, swtpm_user, swtpm_group) < 0)
@@ -575,7 +517,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
unlink(tpm->data.emulator.source.data.nix.path);
- cmd = virCommandNew(swtpm_path);
+ cmd = virCommandNew(swtpm);
if (!cmd)
goto error;
@@ -639,8 +581,12 @@ qemuTPMEmulatorStop(const char *swtpmStateDir,
virCommandPtr cmd;
char *pathname;
char *errbuf = NULL;
+ VIR_AUTOFREE(char *) swtpm_ioctl = virTPMGetSwtpmIoctl();
+
+ if (!swtpm_ioctl)
+ return;
- if (qemuTPMEmulatorInit() < 0)
+ if (virTPMEmulatorInit() < 0)
return;
if (!(pathname = qemuTPMCreateEmulatorSocket(swtpmStateDir, shortName)))
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index 583b9a64a4..d35848d2f2 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -72,3 +72,125 @@ virTPMCreateCancelPath(const char *devpath)
cleanup:
return path;
}
+
+/*
+ * executables for the swtpm; to be found on the host
+ */
+static virMutex swtpm_tools_lock = VIR_MUTEX_INITIALIZER;
+static char *swtpm_path;
+static char *swtpm_setup;
+static char *swtpm_ioctl;
+
+char *
+virTPMGetSwtpm(void)
+{
+ char *s;
+
+ if (!swtpm_path && virTPMEmulatorInit() < 0)
+ return NULL;
+
+ virMutexLock(&swtpm_tools_lock);
+ ignore_value(VIR_STRDUP(s, swtpm_path));
+ virMutexUnlock(&swtpm_tools_lock);
+
+ return s;
+}
+
+char *
+virTPMGetSwtpmSetup(void)
+{
+ char *s;
+
+ if (!swtpm_setup && virTPMEmulatorInit() < 0)
+ return NULL;
+
+ virMutexLock(&swtpm_tools_lock);
+ ignore_value(VIR_STRDUP(s, swtpm_setup));
+ virMutexUnlock(&swtpm_tools_lock);
+
+ return s;
+}
+
+char *
+virTPMGetSwtpmIoctl(void)
+{
+ char *s;
+
+ if (!swtpm_ioctl && virTPMEmulatorInit() < 0)
+ return NULL;
+
+ virMutexLock(&swtpm_tools_lock);
+ ignore_value(VIR_STRDUP(s, swtpm_ioctl));
+ virMutexUnlock(&swtpm_tools_lock);
+
+ return s;
+}
+
+/*
+ * virTPMEmulatorInit
+ *
+ * Initialize the Emulator functions by searching for necessary
+ * executables that we will use to start and setup the swtpm
+ */
+int
+virTPMEmulatorInit(void)
+{
+ int ret = -1;
+
+ virMutexLock(&swtpm_tools_lock);
+
+ if (!swtpm_path) {
+ swtpm_path = virFindFileInPath("swtpm");
+ if (!swtpm_path) {
+ virReportSystemError(ENOENT, "%s",
+ _("Unable to find 'swtpm' binary in
$PATH"));
+ goto cleanup;
+ }
+ if (!virFileIsExecutable(swtpm_path)) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("TPM emulator %s is not an executable"),
+ swtpm_path);
+ VIR_FREE(swtpm_path);
+ goto cleanup;
+ }
+ }
+
+ if (!swtpm_setup) {
+ swtpm_setup = virFindFileInPath("swtpm_setup");
+ if (!swtpm_setup) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Could not find 'swtpm_setup' in PATH"));
+ goto cleanup;
+ }
+ if (!virFileIsExecutable(swtpm_setup)) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("'%s' is not an executable"),
+ swtpm_setup);
+ VIR_FREE(swtpm_setup);
+ goto cleanup;
+ }
+ }
+
+ if (!swtpm_ioctl) {
+ swtpm_ioctl = virFindFileInPath("swtpm_ioctl");
+ if (!swtpm_ioctl) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Could not find swtpm_ioctl in PATH"));
+ goto cleanup;
+ }
+ if (!virFileIsExecutable(swtpm_ioctl)) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("swtpm_ioctl program %s is not an executable"),
+ swtpm_ioctl);
+ VIR_FREE(swtpm_ioctl);
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+
+ cleanup:
+ virMutexUnlock(&swtpm_tools_lock);
+
+ return ret;
+}
diff --git a/src/util/virtpm.h b/src/util/virtpm.h
index 4408bdb217..2311f04ae5 100644
--- a/src/util/virtpm.h
+++ b/src/util/virtpm.h
@@ -21,3 +21,8 @@
#pragma once
char *virTPMCreateCancelPath(const char *devpath) ATTRIBUTE_NOINLINE;
+
+char *virTPMGetSwtpm(void);
+char *virTPMGetSwtpmSetup(void);
+char *virTPMGetSwtpmIoctl(void);
+int virTPMEmulatorInit(void);
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 07/19] tpm: Refactor virTPMEmulatorInit to use loop
Refactor virTPMEmulatorInit to use a loop with parameters. This allows
for easier extension later on.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
---
src/util/virtpm.c | 82 +++++++++++++++++++++--------------------------
1 file changed, 37 insertions(+), 45 deletions(-)
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index d35848d2f2..6df225f4e4 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -136,54 +136,46 @@ int
virTPMEmulatorInit(void)
{
int ret = -1;
-
- virMutexLock(&swtpm_tools_lock);
-
- if (!swtpm_path) {
- swtpm_path = virFindFileInPath("swtpm");
- if (!swtpm_path) {
- virReportSystemError(ENOENT, "%s",
- _("Unable to find 'swtpm' binary in
$PATH"));
- goto cleanup;
- }
- if (!virFileIsExecutable(swtpm_path)) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("TPM emulator %s is not an executable"),
- swtpm_path);
- VIR_FREE(swtpm_path);
- goto cleanup;
+ static const struct {
+ const char *name;
+ char **path;
+ } prgs[] = {
+ {
+ .name = "swtpm",
+ .path = &swtpm_path,
+ },
+ {
+ .name = "swtpm_setup",
+ .path = &swtpm_setup,
+ },
+ {
+ .name = "swtpm_ioctl",
+ .path = &swtpm_ioctl,
}
- }
+ };
+ size_t i;
- if (!swtpm_setup) {
- swtpm_setup = virFindFileInPath("swtpm_setup");
- if (!swtpm_setup) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("Could not find 'swtpm_setup' in PATH"));
- goto cleanup;
- }
- if (!virFileIsExecutable(swtpm_setup)) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("'%s' is not an executable"),
- swtpm_setup);
- VIR_FREE(swtpm_setup);
- goto cleanup;
- }
- }
+ virMutexLock(&swtpm_tools_lock);
- if (!swtpm_ioctl) {
- swtpm_ioctl = virFindFileInPath("swtpm_ioctl");
- if (!swtpm_ioctl) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("Could not find swtpm_ioctl in PATH"));
- goto cleanup;
- }
- if (!virFileIsExecutable(swtpm_ioctl)) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("swtpm_ioctl program %s is not an executable"),
- swtpm_ioctl);
- VIR_FREE(swtpm_ioctl);
- goto cleanup;
+ for (i = 0; i < ARRAY_CARDINALITY(prgs); i++) {
+ VIR_AUTOFREE(char *) path = NULL;
+ bool findit = *prgs[i].path == NULL;
+
+ if (findit) {
+ path = virFindFileInPath(prgs[i].name);
+ if (!path) {
+ virReportSystemError(ENOENT,
+ _("Unable to find '%s' binary in
$PATH"),
+ prgs[i].name);
+ goto cleanup;
+ }
+ if (!virFileIsExecutable(path)) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("%s is not an executable"),
+ path);
+ goto cleanup;
+ }
+ *prgs[i].path = path;
}
}
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 08/19] tpm: Check whether previously found executables were updated
Check whether previously found executables were updated and if
so look for them again. This helps to use updated features of
swtpm and its tools upon updating them.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
---
src/qemu/qemu_tpm.c | 1 +
src/util/virtpm.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 35 insertions(+)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 7282b01bfe..9f1e7e20ba 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -20,6 +20,7 @@
#include <config.h>
+#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index 6df225f4e4..bef6cff3dd 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -78,8 +78,13 @@ virTPMCreateCancelPath(const char *devpath)
*/
static virMutex swtpm_tools_lock = VIR_MUTEX_INITIALIZER;
static char *swtpm_path;
+static struct stat swtpm_stat;
+
static char *swtpm_setup;
+static struct stat swtpm_setup_stat;
+
static char *swtpm_ioctl;
+static struct stat swtpm_ioctl_stat;
char *
virTPMGetSwtpm(void)
@@ -139,18 +144,22 @@ virTPMEmulatorInit(void)
static const struct {
const char *name;
char **path;
+ struct stat *stat;
} prgs[] = {
{
.name = "swtpm",
.path = &swtpm_path,
+ .stat = &swtpm_stat,
},
{
.name = "swtpm_setup",
.path = &swtpm_setup,
+ .stat = &swtpm_setup_stat,
},
{
.name = "swtpm_ioctl",
.path = &swtpm_ioctl,
+ .stat = &swtpm_ioctl_stat,
}
};
size_t i;
@@ -160,8 +169,27 @@ virTPMEmulatorInit(void)
for (i = 0; i < ARRAY_CARDINALITY(prgs); i++) {
VIR_AUTOFREE(char *) path = NULL;
bool findit = *prgs[i].path == NULL;
+ struct stat statbuf;
+ char *tmp;
+
+ if (!findit) {
+ /* has executables changed? */
+ if (stat(*prgs[i].path, &statbuf) < 0)
+ findit = true;
+
+ if (!findit &&
+ memcmp(&statbuf.st_mtim,
+ &prgs[i].stat->st_mtime,
+ sizeof(statbuf.st_mtim))) {
+ findit = true;
+ }
+ }
if (findit) {
+ tmp = *prgs[i].path;
+ VIR_FREE(tmp);
+ *prgs[i].path = NULL;
+
path = virFindFileInPath(prgs[i].name);
if (!path) {
virReportSystemError(ENOENT,
@@ -175,7 +203,13 @@ virTPMEmulatorInit(void)
path);
goto cleanup;
}
+ if (stat(path, prgs[i].stat) < 0) {
+ virReportSystemError(errno,
+ _("Could not stat %s"), path);
+ goto cleanup;
+ }
*prgs[i].path = path;
+ path = NULL;
}
}
--
2.20.1
4:35 a.m.
New subject: [libvirt] [PATCH v7 08/19] tpm: Check whether previously found executables were updated
On Thu, Jul 25, 2019 at 02:22:04PM -0400, Stefan Berger wrote:
Check whether previously found executables were updated and if
so look for them again. This helps to use updated features of
swtpm and its tools upon updating them.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
---
src/qemu/qemu_tpm.c | 1 +
src/util/virtpm.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 35 insertions(+)
+ if (!findit &&
+ memcmp(&statbuf.st_mtim,
+ &prgs[i].stat->st_mtime,
You're comparing st_mtim against st_mtime, but luckily that works
due to the back magic for defining this struct.
More seriously though st_mtim is non-portable so this broke the
Windows build. I've just changed it to st_mtime and done a plain
integer comparison instead of memcmp. There's no compelling reason
for this to use nanosecond precision
+ sizeof(statbuf.st_mtim))) {
+ findit = true;
+ }
+ }
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
1:22 p.m.
New subject: [libvirt] [PATCH v7 09/19] tpm: Parse the capabilities supported by swtpm and swtpm_setup
Run 'swtpm socket --print-capabilities' and
'swtpm_setup --print-capabilities' to get the JSON object of the
features the programs are supporting and parse them into a bitmap.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
---
include/libvirt/virterror.h | 2 +
src/libvirt_private.syms | 2 +
src/util/virerror.c | 2 +
src/util/virtpm.c | 136 +++++++++++++++++++++++++++++++++++-
src/util/virtpm.h | 15 ++++
5 files changed, 155 insertions(+), 2 deletions(-)
diff --git a/include/libvirt/virterror.h b/include/libvirt/virterror.h
index 102a2573bf..6f4110185a 100644
--- a/include/libvirt/virterror.h
+++ b/include/libvirt/virterror.h
@@ -134,6 +134,8 @@ typedef enum {
VIR_FROM_FIREWALLD = 68, /* Error from firewalld */
VIR_FROM_DOMAIN_CHECKPOINT = 69, /* Error from domain checkpoint */
+ VIR_FROM_TPM = 70, /* Error from TPM */
+
# ifdef VIR_ENUM_SENTINELS
VIR_ERR_DOMAIN_LAST
# endif
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 4cdbb80596..cf80ea3e44 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -3181,6 +3181,8 @@ virTPMEmulatorInit;
virTPMGetSwtpm;
virTPMGetSwtpmIoctl;
virTPMGetSwtpmSetup;
+virTPMSwtpmFeatureTypeFromString;
+virTPMSwtpmSetupFeatureTypeFromString;
# util/virtypedparam.h
diff --git a/src/util/virerror.c b/src/util/virerror.c
index dfba8c5712..77f76a9abf 100644
--- a/src/util/virerror.c
+++ b/src/util/virerror.c
@@ -142,6 +142,8 @@ VIR_ENUM_IMPL(virErrorDomain,
"Resource control",
"FirewallD",
"Domain Checkpoint",
+
+ "TPM", /* 70 */
);
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index bef6cff3dd..99abbf3f8b 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -27,8 +27,24 @@
#include "viralloc.h"
#include "virfile.h"
#include "virtpm.h"
+#include "vircommand.h"
+#include "virbitmap.h"
+#include "virjson.h"
+#include "virlog.h"
-#define VIR_FROM_THIS VIR_FROM_NONE
+#define VIR_FROM_THIS VIR_FROM_TPM
+
+VIR_LOG_INIT("util.tpm");
+
+VIR_ENUM_IMPL(virTPMSwtpmFeature,
+ VIR_TPM_SWTPM_FEATURE_LAST,
+ "cmdarg-pwd-fd",
+);
+
+VIR_ENUM_IMPL(virTPMSwtpmSetupFeature,
+ VIR_TPM_SWTPM_SETUP_FEATURE_LAST,
+ "cmdarg-pwdfile-fd",
+);
/**
* virTPMCreateCancelPath:
@@ -74,18 +90,23 @@ virTPMCreateCancelPath(const char *devpath)
}
/*
- * executables for the swtpm; to be found on the host
+ * executables for the swtpm; to be found on the host along with
+ * capabilties bitmap
*/
static virMutex swtpm_tools_lock = VIR_MUTEX_INITIALIZER;
static char *swtpm_path;
static struct stat swtpm_stat;
+static virBitmapPtr swtpm_caps;
static char *swtpm_setup;
static struct stat swtpm_setup_stat;
+static virBitmapPtr swtpm_setup_caps;
static char *swtpm_ioctl;
static struct stat swtpm_ioctl_stat;
+typedef int (*TypeFromStringFn)(const char *);
+
char *
virTPMGetSwtpm(void)
{
@@ -131,6 +152,101 @@ virTPMGetSwtpmIoctl(void)
return s;
}
+/* virTPMExecGetCaps
+ *
+ * Execute the prepared command and parse the returned JSON object
+ * to get the capabilities supported by the executable.
+ * A JSON object like this is expected:
+ *
+ * {
+ * "type": "swtpm",
+ * "features": [
+ * "cmdarg-seccomp",
+ * "cmdarg-key-fd",
+ * "cmdarg-pwd-fd"
+ * ]
+ * }
+ */
+static virBitmapPtr
+virTPMExecGetCaps(virCommandPtr cmd,
+ TypeFromStringFn typeFromStringFn)
+{
+ int exitstatus;
+ virBitmapPtr bitmap;
+ VIR_AUTOFREE(char *) outbuf = NULL;
+ VIR_AUTOPTR(virJSONValue) json = NULL;
+ virJSONValuePtr featureList;
+ virJSONValuePtr item;
+ size_t idx;
+ const char *str;
+ int typ;
+
+ virCommandSetOutputBuffer(cmd, &outbuf);
+ if (virCommandRun(cmd, &exitstatus) < 0)
+ return NULL;
+
+ if (!(bitmap = virBitmapNewEmpty()))
+ return NULL;
+
+ /* older version does not support --print-capabilties -- that's fine */
+ if (exitstatus != 0) {
+ VIR_DEBUG("Found swtpm that doesn't support
--print-capabilities");
+ return bitmap;
+ }
+
+ json = virJSONValueFromString(outbuf);
+ if (!json)
+ goto error_bad_json;
+
+ featureList = virJSONValueObjectGetArray(json, "features");
+ if (!featureList)
+ goto error_bad_json;
+
+ if (!virJSONValueIsArray(featureList))
+ goto error_bad_json;
+
+ for (idx = 0; idx < virJSONValueArraySize(featureList); idx++) {
+ item = virJSONValueArrayGet(featureList, idx);
+ if (!item)
+ continue;
+
+ str = virJSONValueGetString(item);
+ if (!str)
+ goto error_bad_json;
+ typ = typeFromStringFn(str);
+ if (typ < 0)
+ continue;
+
+ if (virBitmapSetBitExpand(bitmap, typ) < 0)
+ goto cleanup;
+ }
+
+ cleanup:
+ return bitmap;
+
+ error_bad_json:
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unexpected JSON format: %s"), outbuf);
+ goto cleanup;
+}
+
+static virBitmapPtr
+virTPMGetCaps(TypeFromStringFn typeFromStringFn,
+ const char *exec, const char *param1)
+{
+ VIR_AUTOPTR(virCommand) cmd = NULL;
+
+ if (!(cmd = virCommandNew(exec)))
+ return NULL;
+
+ if (param1)
+ virCommandAddArg(cmd, param1);
+ virCommandAddArg(cmd, "--print-capabilities");
+ virCommandClearCaps(cmd);
+
+ return virTPMExecGetCaps(cmd, typeFromStringFn);
+}
+
/*
* virTPMEmulatorInit
*
@@ -145,16 +261,24 @@ virTPMEmulatorInit(void)
const char *name;
char **path;
struct stat *stat;
+ const char *parm;
+ virBitmapPtr *caps;
+ TypeFromStringFn typeFromStringFn;
} prgs[] = {
{
.name = "swtpm",
.path = &swtpm_path,
.stat = &swtpm_stat,
+ .parm = "socket",
+ .caps = &swtpm_caps,
+ .typeFromStringFn = virTPMSwtpmFeatureTypeFromString,
},
{
.name = "swtpm_setup",
.path = &swtpm_setup,
.stat = &swtpm_setup_stat,
+ .caps = &swtpm_setup_caps,
+ .typeFromStringFn = virTPMSwtpmSetupFeatureTypeFromString,
},
{
.name = "swtpm_ioctl",
@@ -209,6 +333,14 @@ virTPMEmulatorInit(void)
goto cleanup;
}
*prgs[i].path = path;
+
+ if (prgs[i].caps) {
+ *prgs[i].caps = virTPMGetCaps(prgs[i].typeFromStringFn,
+ path, prgs[i].parm);
+ path = NULL;
+ if (!*prgs[i].caps)
+ goto cleanup;
+ }
path = NULL;
}
}
diff --git a/src/util/virtpm.h b/src/util/virtpm.h
index 2311f04ae5..157b43ff17 100644
--- a/src/util/virtpm.h
+++ b/src/util/virtpm.h
@@ -26,3 +26,18 @@ char *virTPMGetSwtpm(void);
char *virTPMGetSwtpmSetup(void);
char *virTPMGetSwtpmIoctl(void);
int virTPMEmulatorInit(void);
+
+typedef enum {
+ VIR_TPM_SWTPM_FEATURE_CMDARG_PWD_FD,
+
+ VIR_TPM_SWTPM_FEATURE_LAST
+} virTPMSwtpmFeature;
+
+typedef enum {
+ VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD,
+
+ VIR_TPM_SWTPM_SETUP_FEATURE_LAST
+} virTPMSwtpmSetupFeature;
+
+VIR_ENUM_DECL(virTPMSwtpmFeature);
+VIR_ENUM_DECL(virTPMSwtpmSetupFeature);
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 10/19] utils: Implement function to pass a buffer to send via a fd to virCommand
Implement virCommandSetSendBuffer() that allows the caller to pass a
file descriptor and buffer to virCommand. virCommand will write the
buffer into the file descriptor. That file descriptor could be the
write end of a pipe or one of the file descriptors of a socketpair.
The other file descriptor should be passed to the launched process to
read the data from.
Only implement the function to allocate memory for send buffers
and to free them later on.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/util/vircommand.c | 93 ++++++++++++++++++++++++++++++++++++++++
src/util/vircommand.h | 5 +++
3 files changed, 99 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index cf80ea3e44..e6249caa80 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1725,6 +1725,7 @@ virCommandSetOutputFD;
virCommandSetPidFile;
virCommandSetPreExecHook;
virCommandSetSELinuxLabel;
+virCommandSetSendBuffer;
virCommandSetUID;
virCommandSetUmask;
virCommandSetWorkingDirectory;
diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index e10ca3eb7c..536691335f 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -76,6 +76,16 @@ struct _virCommandFD {
unsigned int flags;
};
+typedef struct _virCommandSendBuffer virCommandSendBuffer;
+typedef virCommandSendBuffer *virCommandSendBufferPtr;
+
+struct _virCommandSendBuffer {
+ int fd;
+ unsigned char *buffer;
+ size_t buflen;
+ off_t offset;
+};
+
struct _virCommand {
int has_error; /* ENOMEM on allocation failure, -1 for anything else. */
@@ -135,6 +145,9 @@ struct _virCommand {
char *appArmorProfile;
#endif
int mask;
+
+ virCommandSendBufferPtr sendBuffers;
+ size_t numSendBuffers;
};
/* See virCommandSetDryRun for description for this variable */
@@ -1728,6 +1741,84 @@ virCommandSetWorkingDirectory(virCommandPtr cmd, const char *pwd)
}
+static int
+virCommandGetNumSendBuffers(virCommandPtr cmd)
+{
+ return cmd->numSendBuffers;
+}
+
+
+static void
+virCommandFreeSendBuffers(virCommandPtr cmd)
+{
+ size_t i;
+
+ for (i = 0; i < virCommandGetNumSendBuffers(cmd); i++) {
+ VIR_FORCE_CLOSE(cmd->sendBuffers[i].fd);
+ VIR_FREE(cmd->sendBuffers[i].buffer);
+ }
+ VIR_FREE(cmd->sendBuffers);
+}
+
+
+/**
+ * virCommandSetSendBuffer
+ * @cmd: the command to modify
+ *
+ * Pass a buffer to virCommand that will be written into the
+ * given file descriptor. The buffer will be freed automatically
+ * and the file descriptor closed.
+ */
+#if defined(F_SETFL)
+int
+virCommandSetSendBuffer(virCommandPtr cmd,
+ int fd,
+ unsigned char *buffer, size_t buflen)
+{
+ size_t i = virCommandGetNumSendBuffers(cmd);
+
+ if (!cmd || cmd->has_error)
+ return -1;
+
+ if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) {
+ virReportSystemError(errno, "%s",
+ _("fcntl failed to set O_NONBLOCK"));
+ cmd->has_error = errno;
+ return -1;
+ }
+
+ if (VIR_REALLOC_N(cmd->sendBuffers, i + 1) < 0) {
+ cmd->has_error = ENOMEM;
+ return -1;
+ }
+
+ cmd->sendBuffers[i].fd = fd;
+ cmd->sendBuffers[i].buffer = buffer;
+ cmd->sendBuffers[i].buflen = buflen;
+ cmd->sendBuffers[i].offset = 0;
+
+ cmd->numSendBuffers++;
+
+ return 0;
+}
+
+#else /* !defined(F_SETFL) */
+
+int
+virCommandSetSendBuffer(virCommandPtr cmd,
+ int fd,
+ unsigned char *buffer, size_t buflen)
+{
+ if (!cmd || cmd->has_error)
+ return -1;
+
+ cmd->has_error = ENOTSUP;
+
+ return -1;
+}
+
+#endif
+
/**
* virCommandSetInputBuffer:
* @cmd: the command to modify
@@ -2867,6 +2958,8 @@ virCommandFree(virCommandPtr cmd)
VIR_FREE(cmd->appArmorProfile);
#endif
+ virCommandFreeSendBuffers(cmd);
+
VIR_FREE(cmd);
}
diff --git a/src/util/vircommand.h b/src/util/vircommand.h
index 2a9ee5cdc7..c2abc7b2c3 100644
--- a/src/util/vircommand.h
+++ b/src/util/vircommand.h
@@ -146,6 +146,11 @@ void virCommandAddArgList(virCommandPtr cmd,
void virCommandSetWorkingDirectory(virCommandPtr cmd,
const char *pwd) ATTRIBUTE_NONNULL(2);
+int virCommandSetSendBuffer(virCommandPtr cmd,
+ int fd,
+ unsigned char *buffer, size_t buflen)
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3);
+
void virCommandSetInputBuffer(virCommandPtr cmd,
const char *inbuf) ATTRIBUTE_NONNULL(2);
--
2.20.1
5:45 a.m.
New subject: [libvirt] [PATCH v7 10/19] utils: Implement function to pass a buffer to send via a fd to virCommand
On 7/25/19 2:22 PM, Stefan Berger wrote:
Implement virCommandSetSendBuffer() that allows the caller to pass a
file descriptor and buffer to virCommand. virCommand will write the
buffer into the file descriptor. That file descriptor could be the
write end of a pipe or one of the file descriptors of a socketpair.
The other file descriptor should be passed to the launched process to
read the data from.
Only implement the function to allocate memory for send buffers
and to free them later on.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/util/vircommand.c | 93 ++++++++++++++++++++++++++++++++++++++++
src/util/vircommand.h | 5 +++
3 files changed, 99 insertions(+)
[...]
+/**
+ * virCommandSetSendBuffer
+ * @cmd: the command to modify
+ *
+ * Pass a buffer to virCommand that will be written into the
+ * given file descriptor. The buffer will be freed automatically
+ * and the file descriptor closed.
+ */
+#if defined(F_SETFL)
+int
+virCommandSetSendBuffer(virCommandPtr cmd,
+ int fd,
+ unsigned char *buffer, size_t buflen)
+{
+ size_t i = virCommandGetNumSendBuffers(cmd);
This call would deref @cmd before the following check for !cmd
[1] Was found by Coverity, but see below
+
+ if (!cmd || cmd->has_error)
+ return -1;
+
+ if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) {
+ virReportSystemError(errno, "%s",
+ _("fcntl failed to set O_NONBLOCK"));
+ cmd->has_error = errno;
+ return -1;
+ }
+
+ if (VIR_REALLOC_N(cmd->sendBuffers, i + 1) < 0) {
+ cmd->has_error = ENOMEM;
+ return -1;
+ }
+
+ cmd->sendBuffers[i].fd = fd;
+ cmd->sendBuffers[i].buffer = buffer;
+ cmd->sendBuffers[i].buflen = buflen;
+ cmd->sendBuffers[i].offset = 0;
+
+ cmd->numSendBuffers++;
+
+ return 0;
+}
+
+#else /* !defined(F_SETFL) */
+
+int
+virCommandSetSendBuffer(virCommandPtr cmd,
+ int fd,
+ unsigned char *buffer, size_t buflen)
+{
+ if (!cmd || cmd->has_error)
+ return -1;
+
+ cmd->has_error = ENOTSUP;
+
+ return -1;
+}
+
+#endif
+
/**
* virCommandSetInputBuffer:
* @cmd: the command to modify
@@ -2867,6 +2958,8 @@ virCommandFree(virCommandPtr cmd)
VIR_FREE(cmd->appArmorProfile);
#endif
+ virCommandFreeSendBuffers(cmd);
+
VIR_FREE(cmd);
}
diff --git a/src/util/vircommand.h b/src/util/vircommand.h
index 2a9ee5cdc7..c2abc7b2c3 100644
--- a/src/util/vircommand.h
+++ b/src/util/vircommand.h
@@ -146,6 +146,11 @@ void virCommandAddArgList(virCommandPtr cmd,
void virCommandSetWorkingDirectory(virCommandPtr cmd,
const char *pwd) ATTRIBUTE_NONNULL(2);
+int virCommandSetSendBuffer(virCommandPtr cmd,
+ int fd,
+ unsigned char *buffer, size_t buflen)
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3);
The ATTRIBUTE_NONNULL(1) causes a Coverity build error when the function
checks !cmd - so either this is removed or the function doesn't check
for !cmd... If going with the latter, then both halves of the "#if
defined(F_SETFL)" would need to be changed.
John
+
void virCommandSetInputBuffer(virCommandPtr cmd,
const char *inbuf) ATTRIBUTE_NONNULL(2);
1:22 p.m.
New subject: [libvirt] [PATCH v7 11/19] utils: Convert pollfd array to be allocated
Convert the struct pollfd *fds to be allocated rather than residing
on the stack. This prepares it for the next patch where the size of
the array of fds becomes dynamic.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/vircommand.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index 536691335f..f29b679b77 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -2141,6 +2141,7 @@ virCommandProcessIO(virCommandPtr cmd)
size_t inlen = 0, outlen = 0, errlen = 0;
size_t inoff = 0;
int ret = 0;
+ VIR_AUTOFREE(struct pollfd *) fds = NULL;
if (dryRunBuffer || dryRunCallback) {
VIR_DEBUG("Dry run requested, skipping I/O processing");
@@ -2172,9 +2173,11 @@ virCommandProcessIO(virCommandPtr cmd)
goto cleanup;
ret = -1;
+ if (VIR_ALLOC_N(fds, 3) < 0)
+ goto cleanup;
+
for (;;) {
size_t i;
- struct pollfd fds[3];
int nfds = 0;
if (cmd->inpipe != -1) {
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 12/19] utils: Mark inpipe as non-blocking
Mark a virCommand's inpipe (write-end of pipe) as non-blocking so that it
will never block when we were to try to write too many bytes to it while
it doesn't have the capacity to hold them.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/vircommand.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index f29b679b77..50e14fd8be 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -2537,6 +2537,19 @@ virCommandRunAsync(virCommandPtr cmd, pid_t *pid)
}
cmd->infd = infd[0];
cmd->inpipe = infd[1];
+#if defined (F_SETFL)
+ if (fcntl(cmd->inpipe, F_SETFL, O_NONBLOCK) < 0) {
+ virReportSystemError(errno, "%s",
+ _("fcntl failed to set O_NONBLOCK"));
+ cmd->has_error = -1;
+ ret = -1;
+ goto cleanup;
+ }
+#else /* !defined(F_SETFL) */
+ cmd->has_error = ENOTSUP;
+ ret = -1;
+ goto cleanup;
+#endif
} else if ((cmd->inbuf && cmd->infd == -1) ||
(cmd->outbuf && cmd->outfdptr != &cmd->outfd) ||
(cmd->errbuf && cmd->errfdptr != &cmd->errfd)) {
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 13/19] utils: Extend virCommandProcessIO to include the send buffers
Extend virCommandProcessIO to include the send buffers in the poll
loop.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/vircommand.c | 62 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 61 insertions(+), 1 deletion(-)
diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index 50e14fd8be..cc9fdacc8b 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -1819,6 +1819,61 @@ virCommandSetSendBuffer(virCommandPtr cmd,
#endif
+static int
+virCommandSendBuffersFillPollfd(virCommandPtr cmd,
+ struct pollfd *fds,
+ int startidx)
+{
+ size_t i, j;
+
+ for (i = 0, j = 0; i < virCommandGetNumSendBuffers(cmd); i++) {
+ if (cmd->sendBuffers[i].fd >= 0) {
+ fds[startidx + j].fd = cmd->sendBuffers[i].fd;
+ fds[startidx + j].events = POLLOUT;
+ fds[startidx + j].revents = 0;
+ j++;
+ }
+ }
+
+ return j;
+}
+
+
+static int
+virCommandSendBuffersHandlePoll(virCommandPtr cmd,
+ struct pollfd *fds)
+{
+ size_t i;
+ ssize_t done;
+
+ for (i = 0; i < virCommandGetNumSendBuffers(cmd); i++) {
+ if (fds->fd == cmd->sendBuffers[i].fd)
+ break;
+ }
+ if (i == virCommandGetNumSendBuffers(cmd))
+ return 0;
+
+ done = write(fds->fd,
+ cmd->sendBuffers[i].buffer + cmd->sendBuffers[i].offset,
+ cmd->sendBuffers[i].buflen - cmd->sendBuffers[i].offset);
+ if (done < 0) {
+ if (errno == EPIPE) {
+ VIR_DEBUG("child closed PIPE early, ignoring EPIPE "
+ "on fd %d", cmd->sendBuffers[i].fd);
+ VIR_FORCE_CLOSE(cmd->sendBuffers[i].fd);
+ } else if (errno != EINTR && errno != EAGAIN) {
+ virReportSystemError(errno, "%s",
+ _("unable to write to child input"));
+ return -1;
+ }
+ } else {
+ cmd->sendBuffers[i].offset += done;
+ if (cmd->sendBuffers[i].offset == cmd->sendBuffers[i].buflen)
+ VIR_FORCE_CLOSE(cmd->sendBuffers[i].fd);
+ }
+ return 0;
+}
+
/**
* virCommandSetInputBuffer:
* @cmd: the command to modify
@@ -2173,7 +2228,7 @@ virCommandProcessIO(virCommandPtr cmd)
goto cleanup;
ret = -1;
- if (VIR_ALLOC_N(fds, 3) < 0)
+ if (VIR_ALLOC_N(fds, 3 + virCommandGetNumSendBuffers(cmd)) < 0)
goto cleanup;
for (;;) {
@@ -2199,6 +2254,8 @@ virCommandProcessIO(virCommandPtr cmd)
nfds++;
}
+ nfds += virCommandSendBuffersFillPollfd(cmd, fds, nfds);
+
if (nfds == 0)
break;
@@ -2271,6 +2328,9 @@ virCommandProcessIO(virCommandPtr cmd)
if (inoff == inlen)
VIR_FORCE_CLOSE(cmd->inpipe);
}
+ } else if (fds[i].revents & (POLLOUT | POLLHUP | POLLERR)) {
+ if (virCommandSendBuffersHandlePoll(cmd, &fds[i]) < 0)
+ goto cleanup;
}
}
}
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 14/19] tests: Extend command test to transfer large data to process on multiple fds
Add a test case to commandtest.c to test the transfer of data to a
process who received the read-end of pipes' file descriptors. Transfer
large (128 kb) byte streams.
Extend the commandhelper.c with support for --readfd <fd> command line
parameter and convert the data receive loop to use poll and receive data
on multiple file descriptors (up to 3) and read data into distinct buffers
that we grow while adding more (string) data.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tests/commandhelper.c | 70 +++++++++++++++++++++++---
tests/commandtest.c | 113 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 177 insertions(+), 6 deletions(-)
diff --git a/tests/commandhelper.c b/tests/commandhelper.c
index 32ebeeaef2..1312f3ee52 100644
--- a/tests/commandhelper.c
+++ b/tests/commandhelper.c
@@ -23,6 +23,7 @@
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
+#include <poll.h>
#include "internal.h"
#define NO_LIBVIRT
@@ -62,13 +63,27 @@ int main(int argc, char **argv) {
char *cwd;
FILE *log = fopen(abs_builddir "/commandhelper.log", "w");
int ret = EXIT_FAILURE;
+ int readfds[3] = { STDIN_FILENO, };
+ int numreadfds = 1;
+ struct pollfd fds[3];
+ int numpollfds = 0;
+ char *buffers[3] = {NULL, NULL, NULL};
+ size_t buflen[3] = {0, 0, 0};
+ char c;
if (!log)
return ret;
- for (i = 1; i < argc; i++)
+ for (i = 1; i < argc; i++) {
fprintf(log, "ARG:%s\n", argv[i]);
+ if (STREQ(argv[i - 1], "--readfd") &&
+ sscanf(argv[i], "%u%c", &readfds[numreadfds++], &c) != 1)
{
+ printf("Could not parse fd %s\n", argv[i]);
+ goto cleanup;
+ }
+ }
+
origenv = environ;
n = 0;
while (*origenv != NULL) {
@@ -134,15 +149,56 @@ int main(int argc, char **argv) {
fprintf(stderr, "BEGIN STDERR\n");
fflush(stderr);
+ for (i = 0; i < numreadfds; i++) {
+ fds[numpollfds].fd = readfds[i];
+ fds[numpollfds].events = POLLIN;
+ fds[numpollfds].revents = 0;
+ numpollfds++;
+ }
+
for (;;) {
- got = read(STDIN_FILENO, buf, sizeof(buf));
- if (got < 0)
+ unsigned ctr = 0;
+
+ if (poll(fds, numpollfds, -1) < 0) {
+ printf("poll failed: %s\n", strerror(errno));
goto cleanup;
- if (got == 0)
+ }
+
+ for (i = 0; i < numpollfds; i++) {
+ if (fds[i].revents & (POLLIN | POLLHUP | POLLERR)) {
+ fds[i].revents = 0;
+
+ got = read(fds[i].fd, buf, sizeof(buf));
+ if (got < 0)
+ goto cleanup;
+ if (got == 0) {
+ /* do not want to hear from this fd anymore */
+ fds[i].events = 0;
+ } else {
+ buffers[i] = realloc(buffers[i], buflen[i] + got);
+ if (!buf[i]) {
+ fprintf(stdout, "Out of memory!\n");
+ goto cleanup;
+ }
+ memcpy(buffers[i] + buflen[i], buf, got);
+ buflen[i] += got;
+ }
+ }
+ }
+ for (i = 0; i < numpollfds; i++) {
+ if (fds[i].events) {
+ ctr++;
+ break;
+ }
+ }
+ if (ctr == 0)
break;
- if (write(STDOUT_FILENO, buf, got) != got)
+ }
+
+ for (i = 0; i < numpollfds; i++) {
+ if (write(STDOUT_FILENO, buffers[i], buflen[i]) != buflen[i])
goto cleanup;
- if (write(STDERR_FILENO, buf, got) != got)
+ if (write(STDERR_FILENO, buffers[i], buflen[i]) != buflen[i])
goto cleanup;
}
@@ -154,6 +210,8 @@ int main(int argc, char **argv) {
ret = EXIT_SUCCESS;
cleanup:
+ for (i = 0; i < ARRAY_CARDINALITY(buffers); i++)
+ free(buffers[i]);
fclose(log);
free(newenv);
return ret;
diff --git a/tests/commandtest.c b/tests/commandtest.c
index ce0832fb0c..991c0572b0 100644
--- a/tests/commandtest.c
+++ b/tests/commandtest.c
@@ -1139,6 +1139,118 @@ static int test26(const void *unused ATTRIBUTE_UNUSED)
return ret;
}
+static int test27(const void *unused ATTRIBUTE_UNUSED)
+{
+ virCommandPtr cmd = virCommandNew(abs_builddir "/commandhelper");
+ int pipe1[2];
+ int pipe2[2];
+ int ret = -1;
+ size_t buflen = 1024 * 128;
+ char *buffer0 = NULL;
+ char *buffer1 = NULL;
+ char *buffer2 = NULL;
+ char *outactual = NULL;
+ char *erractual = NULL;
+ char *outexpect = NULL;
+# define TEST27_OUTEXPECT_TEMP "BEGIN STDOUT\n" \
+ "%s%s%s" \
+ "END STDOUT\n"
+ char *errexpect = NULL;
+# define TEST27_ERREXPECT_TEMP "BEGIN STDERR\n" \
+ "%s%s%s" \
+ "END STDERR\n"
+
+ if (VIR_ALLOC_N(buffer0, buflen) < 0 ||
+ VIR_ALLOC_N(buffer1, buflen) < 0 ||
+ VIR_ALLOC_N(buffer2, buflen) < 0)
+ goto cleanup;
+
+ memset(buffer0, 'H', buflen - 2);
+ buffer0[buflen - 2] = '\n';
+ buffer0[buflen - 1] = 0;
+
+ memset(buffer1, '1', buflen - 2);
+ buffer1[buflen - 2] = '\n';
+ buffer1[buflen - 1] = 0;
+
+ memset(buffer2, '2', buflen - 2);
+ buffer2[buflen - 2] = '\n';
+ buffer2[buflen - 1] = 0;
+
+ if (virAsprintf(&outexpect, TEST27_OUTEXPECT_TEMP,
+ buffer0, buffer1, buffer2) < 0 ||
+ virAsprintf(&errexpect, TEST27_ERREXPECT_TEMP,
+ buffer0, buffer1, buffer2) < 0) {
+ printf("Could not virAsprintf expected output\n");
+ goto cleanup;
+ }
+
+ if (pipe(pipe1) < 0 || pipe(pipe2) < 0) {
+ printf("Could not create pipe: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ if (virCommandSetSendBuffer(cmd, pipe1[1],
+ (unsigned char *)buffer1, buflen - 1) < 0 ||
+ virCommandSetSendBuffer(cmd, pipe2[1],
+ (unsigned char *)buffer2, buflen - 1) < 0) {
+ printf("Could not set send buffers\n");
+ goto cleanup;
+ }
+ pipe1[1] = 0;
+ pipe2[1] = 0;
+ buffer1 = NULL;
+ buffer2 = NULL;
+
+ virCommandAddArg(cmd, "--readfd");
+ virCommandAddArgFormat(cmd, "%d", pipe1[0]);
+ virCommandPassFD(cmd, pipe1[0], 0);
+
+ virCommandAddArg(cmd, "--readfd");
+ virCommandAddArgFormat(cmd, "%d", pipe2[0]);
+ virCommandPassFD(cmd, pipe2[0], 0);
+
+ virCommandSetInputBuffer(cmd, buffer0);
+ virCommandSetOutputBuffer(cmd, &outactual);
+ virCommandSetErrorBuffer(cmd, &erractual);
+
+ if (virCommandRun(cmd, NULL) < 0) {
+ printf("Cannot run child %s\n", virGetLastErrorMessage());
+ goto cleanup;
+ }
+
+ virCommandFree(cmd);
+
+ if (!outactual || !erractual)
+ goto cleanup;
+
+ if (STRNEQ(outactual, outexpect)) {
+ virTestDifference(stderr, outexpect, outactual);
+ goto cleanup;
+ }
+ if (STRNEQ(erractual, errexpect)) {
+ virTestDifference(stderr, errexpect, erractual);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ VIR_FORCE_CLOSE(pipe1[0]);
+ VIR_FORCE_CLOSE(pipe2[0]);
+ VIR_FORCE_CLOSE(pipe1[1]);
+ VIR_FORCE_CLOSE(pipe2[1]);
+ VIR_FREE(buffer0);
+ VIR_FREE(buffer1);
+ VIR_FREE(buffer2);
+ VIR_FREE(outactual);
+ VIR_FREE(erractual);
+ VIR_FREE(outexpect);
+ VIR_FREE(errexpect);
+
+ return ret;
+}
+
static void virCommandThreadWorker(void *opaque)
{
virCommandTestDataPtr test = opaque;
@@ -1292,6 +1404,7 @@ mymain(void)
DO_TEST(test23);
DO_TEST(test25);
DO_TEST(test26);
+ DO_TEST(test27);
virMutexLock(&test->lock);
if (test->running) {
--
2.20.1
5:46 a.m.
New subject: [libvirt] [PATCH v7 14/19] tests: Extend command test to transfer large data to process on multiple fds
On 7/25/19 2:22 PM, Stefan Berger wrote:
Add a test case to commandtest.c to test the transfer of data to a
process who received the read-end of pipes' file descriptors. Transfer
large (128 kb) byte streams.
Extend the commandhelper.c with support for --readfd <fd> command line
parameter and convert the data receive loop to use poll and receive data
on multiple file descriptors (up to 3) and read data into distinct buffers
that we grow while adding more (string) data.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tests/commandhelper.c | 70 +++++++++++++++++++++++---
tests/commandtest.c | 113 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 177 insertions(+), 6 deletions(-)
[...]
diff --git a/tests/commandtest.c b/tests/commandtest.c
index ce0832fb0c..991c0572b0 100644
--- a/tests/commandtest.c
+++ b/tests/commandtest.c
@@ -1139,6 +1139,118 @@ static int test26(const void *unused ATTRIBUTE_UNUSED)
return ret;
}
+static int test27(const void *unused ATTRIBUTE_UNUSED)
+{
+ virCommandPtr cmd = virCommandNew(abs_builddir "/commandhelper");
+ int pipe1[2];
+ int pipe2[2];
+ int ret = -1;
+ size_t buflen = 1024 * 128;
+ char *buffer0 = NULL;
+ char *buffer1 = NULL;
+ char *buffer2 = NULL;
+ char *outactual = NULL;
+ char *erractual = NULL;
+ char *outexpect = NULL;
+# define TEST27_OUTEXPECT_TEMP "BEGIN STDOUT\n" \
+ "%s%s%s" \
+ "END STDOUT\n"
+ char *errexpect = NULL;
+# define TEST27_ERREXPECT_TEMP "BEGIN STDERR\n" \
+ "%s%s%s" \
+ "END STDERR\n"
+
+ if (VIR_ALLOC_N(buffer0, buflen) < 0 ||
+ VIR_ALLOC_N(buffer1, buflen) < 0 ||
+ VIR_ALLOC_N(buffer2, buflen) < 0)
+ goto cleanup;
+
+ memset(buffer0, 'H', buflen - 2);
+ buffer0[buflen - 2] = '\n';
+ buffer0[buflen - 1] = 0;
+
+ memset(buffer1, '1', buflen - 2);
+ buffer1[buflen - 2] = '\n';
+ buffer1[buflen - 1] = 0;
+
+ memset(buffer2, '2', buflen - 2);
+ buffer2[buflen - 2] = '\n';
+ buffer2[buflen - 1] = 0;
+
+ if (virAsprintf(&outexpect, TEST27_OUTEXPECT_TEMP,
+ buffer0, buffer1, buffer2) < 0 ||
+ virAsprintf(&errexpect, TEST27_ERREXPECT_TEMP,
+ buffer0, buffer1, buffer2) < 0) {
+ printf("Could not virAsprintf expected output\n");
+ goto cleanup;
+ }
+
+ if (pipe(pipe1) < 0 || pipe(pipe2) < 0) {
+ printf("Could not create pipe: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ if (virCommandSetSendBuffer(cmd, pipe1[1],
+ (unsigned char *)buffer1, buflen - 1) < 0 ||
+ virCommandSetSendBuffer(cmd, pipe2[1],
+ (unsigned char *)buffer2, buflen - 1) < 0) {
+ printf("Could not set send buffers\n");
+ goto cleanup;
+ }
+ pipe1[1] = 0;
+ pipe2[1] = 0;
+ buffer1 = NULL;
+ buffer2 = NULL;
+
+ virCommandAddArg(cmd, "--readfd");
+ virCommandAddArgFormat(cmd, "%d", pipe1[0]);
+ virCommandPassFD(cmd, pipe1[0], 0);
+
+ virCommandAddArg(cmd, "--readfd");
+ virCommandAddArgFormat(cmd, "%d", pipe2[0]);
+ virCommandPassFD(cmd, pipe2[0], 0);
+
+ virCommandSetInputBuffer(cmd, buffer0);
+ virCommandSetOutputBuffer(cmd, &outactual);
+ virCommandSetErrorBuffer(cmd, &erractual);
+
+ if (virCommandRun(cmd, NULL) < 0) {
+ printf("Cannot run child %s\n", virGetLastErrorMessage());
+ goto cleanup;
+ }
+
+ virCommandFree(cmd);
This should be in the cleanup section; otherwise, Coverity considers
@cmd as leaked for any other path above where @cmd is allocated and we
go to cleanup.
John
+
+ if (!outactual || !erractual)
+ goto cleanup;
+
+ if (STRNEQ(outactual, outexpect)) {
+ virTestDifference(stderr, outexpect, outactual);
+ goto cleanup;
+ }
+ if (STRNEQ(erractual, errexpect)) {
+ virTestDifference(stderr, errexpect, erractual);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ VIR_FORCE_CLOSE(pipe1[0]);
+ VIR_FORCE_CLOSE(pipe2[0]);
+ VIR_FORCE_CLOSE(pipe1[1]);
+ VIR_FORCE_CLOSE(pipe2[1]);
+ VIR_FREE(buffer0);
+ VIR_FREE(buffer1);
+ VIR_FREE(buffer2);
+ VIR_FREE(outactual);
+ VIR_FREE(erractual);
+ VIR_FREE(outexpect);
+ VIR_FREE(errexpect);
+
+ return ret;
+}
+
static void virCommandThreadWorker(void *opaque)
{
virCommandTestDataPtr test = opaque;
@@ -1292,6 +1404,7 @@ mymain(void)
DO_TEST(test23);
DO_TEST(test25);
DO_TEST(test26);
+ DO_TEST(test27);
virMutexLock(&test->lock);
if (test->running) {
1:22 p.m.
New subject: [libvirt] [PATCH v7 15/19] tpm: Use fd to pass password to swtpm_setup and swtpm
Allow vTPM state encryption when swtpm_setup and swtpm support
passing a passphrase using a file descriptor.
This patch enables the encryption of the vTPM state only. It does
not encrypt the state during migration, so the destination secret
does not need to have the same password at this point.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 2 +
src/qemu/qemu_tpm.c | 110 ++++++++++++++++++++++++++++++++++++++-
src/util/virtpm.c | 16 ++++++
src/util/virtpm.h | 3 ++
4 files changed, 129 insertions(+), 2 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index e6249caa80..a8d65e4318 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -3182,7 +3182,9 @@ virTPMEmulatorInit;
virTPMGetSwtpm;
virTPMGetSwtpmIoctl;
virTPMGetSwtpmSetup;
+virTPMSwtpmCapsGet;
virTPMSwtpmFeatureTypeFromString;
+virTPMSwtpmSetupCapsGet;
virTPMSwtpmSetupFeatureTypeFromString;
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 9f1e7e20ba..27a31efe50 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -43,6 +43,7 @@
#include "dirname.h"
#include "qemu_tpm.h"
#include "virtpm.h"
+#include "secret_util.h"
#define VIR_FROM_THIS VIR_FROM_NONE
@@ -373,6 +374,66 @@ qemuTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm,
return ret;
}
+/*
+ * qemuTPMSetupEncryption
+ *
+ * @secretuuid: The UUID with the secret holding passphrase
+ * @cmd: the virCommand to transfer the secret to
+ *
+ * Returns file descriptor representing the read-end of a pipe.
+ * The passphrase can be read from this pipe. Returns < 0 in case
+ * of error.
+ *
+ * This function reads the passphrase and writes it into the
+ * write-end of a pipe so that the read-end of the pipe can be
+ * passed to the emulator for reading the passphrase from.
+ */
+static int
+qemuTPMSetupEncryption(const unsigned char *secretuuid,
+ virCommandPtr cmd)
+{
+ int ret = -1;
+ int pipefd[2] = { -1, -1 };
+ virConnectPtr conn;
+ VIR_AUTOFREE(uint8_t *) secret = NULL;
+ size_t secret_len;
+ virSecretLookupTypeDef seclookupdef = {
+ .type = VIR_SECRET_LOOKUP_TYPE_UUID,
+ };
+
+ conn = virGetConnectSecret();
+ if (!conn)
+ return -1;
+
+ memcpy(seclookupdef.u.uuid, secretuuid, sizeof(seclookupdef.u.uuid));
+ if (virSecretGetSecretString(conn, &seclookupdef,
+ VIR_SECRET_USAGE_TYPE_VTPM,
+ &secret, &secret_len) < 0)
+ goto error;
+
+ if (pipe(pipefd) == -1) {
+ virReportSystemError(errno, "%s",
+ _("Unable to create pipe"));
+ goto error;
+ }
+
+ if (virCommandSetSendBuffer(cmd, pipefd[1], secret, secret_len) < 0)
+ goto error;
+
+ secret = NULL;
+ ret = pipefd[0];
+
+ cleanup:
+ virObjectUnref(conn);
+
+ return ret;
+
+ error:
+ VIR_FORCE_CLOSE(pipefd[1]);
+ VIR_FORCE_CLOSE(pipefd[0]);
+
+ goto cleanup;
+}
/*
* qemuTPMEmulatorRunSetup
@@ -387,6 +448,7 @@ qemuTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm,
* @logfile: The file to write the log into; it must be writable
* for the user given by userid or 'tss'
* @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
+ * @encryption: pointer to virStorageEncryption holding secret
*
* Setup the external swtpm by creating endorsement key and
* certificates for it.
@@ -399,7 +461,8 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
uid_t swtpm_user,
gid_t swtpm_group,
const char *logfile,
- const virDomainTPMVersion tpmversion)
+ const virDomainTPMVersion tpmversion,
+ const unsigned char *secretuuid)
{
virCommandPtr cmd = NULL;
int exitstatus;
@@ -407,6 +470,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
char uuid[VIR_UUID_STRING_BUFLEN];
char *vmid = NULL;
VIR_AUTOFREE(char *)swtpm_setup = virTPMGetSwtpmSetup();
+ VIR_AUTOCLOSE pwdfile_fd = -1;
if (!swtpm_setup)
return -1;
@@ -439,6 +503,23 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
break;
}
+ if (secretuuid) {
+ if (!virTPMSwtpmSetupCapsGet(
+ VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD)) {
+ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
+ _("%s does not support passing a passphrase using a file "
+ "descriptor"), virTPMGetSwtpmSetup());
+ goto cleanup;
+ }
+ if ((pwdfile_fd = qemuTPMSetupEncryption(secretuuid, cmd)) < 0)
+ goto cleanup;
+
+ virCommandAddArg(cmd, "--pwdfile-fd");
+ virCommandAddArgFormat(cmd, "%d", pwdfile_fd);
+ virCommandAddArgList(cmd, "--cipher", "aes-256-cbc", NULL);
+ virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
+ pwdfile_fd = -1;
+ }
virCommandAddArgList(cmd,
"--tpm-state", storagepath,
@@ -502,6 +583,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
bool created = false;
char *pidfile;
VIR_AUTOFREE(char *) swtpm = virTPMGetSwtpm();
+ VIR_AUTOCLOSE pwdfile_fd = -1;
+ const unsigned char *secretuuid = NULL;
if (!swtpm)
return NULL;
@@ -510,10 +593,14 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
&created, swtpm_user, swtpm_group) < 0)
return NULL;
+ if (tpm->data.emulator.hassecretuuid)
+ secretuuid = tpm->data.emulator.secretuuid;
+
if (created &&
qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
privileged, swtpm_user, swtpm_group,
- tpm->data.emulator.logfile, tpm->version) < 0)
+ tpm->data.emulator.logfile, tpm->version,
+ secretuuid) < 0)
goto error;
unlink(tpm->data.emulator.source.data.nix.path);
@@ -556,6 +643,25 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
virCommandAddArgFormat(cmd, "file=%s", pidfile);
VIR_FREE(pidfile);
+ if (tpm->data.emulator.hassecretuuid) {
+ if (!virTPMSwtpmCapsGet(VIR_TPM_SWTPM_FEATURE_CMDARG_PWD_FD)) {
+ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
+ _("%s does not support passing passphrase via file
descriptor"),
+ virTPMGetSwtpm());
+ goto error;
+ }
+
+ pwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid, cmd);
+ if (pwdfile_fd)
+ goto error;
+
+ virCommandAddArg(cmd, "--key");
+ virCommandAddArgFormat(cmd, "pwdfd=%d,mode=aes-256-cbc",
+ pwdfile_fd);
+ virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
+ pwdfile_fd = -1;
+ }
+
return cmd;
error:
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index 99abbf3f8b..52094d911e 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -352,3 +352,19 @@ virTPMEmulatorInit(void)
return ret;
}
+
+bool
+virTPMSwtpmCapsGet(unsigned int cap)
+{
+ if (virTPMEmulatorInit() < 0)
+ return false;
+ return virBitmapIsBitSet(swtpm_caps, cap);
+}
+
+bool
+virTPMSwtpmSetupCapsGet(unsigned int cap)
+{
+ if (virTPMEmulatorInit() < 0)
+ return false;
+ return virBitmapIsBitSet(swtpm_setup_caps, cap);
+}
diff --git a/src/util/virtpm.h b/src/util/virtpm.h
index 157b43ff17..50948aac9a 100644
--- a/src/util/virtpm.h
+++ b/src/util/virtpm.h
@@ -27,6 +27,9 @@ char *virTPMGetSwtpmSetup(void);
char *virTPMGetSwtpmIoctl(void);
int virTPMEmulatorInit(void);
+bool virTPMSwtpmCapsGet(unsigned int cap);
+bool virTPMSwtpmSetupCapsGet(unsigned int cap);
+
typedef enum {
VIR_TPM_SWTPM_FEATURE_CMDARG_PWD_FD,
--
2.20.1
5:47 a.m.
New subject: [libvirt] [PATCH v7 15/19] tpm: Use fd to pass password to swtpm_setup and swtpm
On 7/25/19 2:22 PM, Stefan Berger wrote:
Allow vTPM state encryption when swtpm_setup and swtpm support
passing a passphrase using a file descriptor.
This patch enables the encryption of the vTPM state only. It does
not encrypt the state during migration, so the destination secret
does not need to have the same password at this point.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/libvirt_private.syms | 2 +
src/qemu/qemu_tpm.c | 110 ++++++++++++++++++++++++++++++++++++++-
src/util/virtpm.c | 16 ++++++
src/util/virtpm.h | 3 ++
4 files changed, 129 insertions(+), 2 deletions(-)
[...]
/*
* qemuTPMEmulatorRunSetup
@@ -387,6 +448,7 @@ qemuTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm,
* @logfile: The file to write the log into; it must be writable
* for the user given by userid or 'tss'
* @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
+ * @encryption: pointer to virStorageEncryption holding secret
*
* Setup the external swtpm by creating endorsement key and
* certificates for it.
@@ -399,7 +461,8 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
uid_t swtpm_user,
gid_t swtpm_group,
const char *logfile,
- const virDomainTPMVersion tpmversion)
+ const virDomainTPMVersion tpmversion,
+ const unsigned char *secretuuid)
{
virCommandPtr cmd = NULL;
int exitstatus;
@@ -407,6 +470,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
char uuid[VIR_UUID_STRING_BUFLEN];
char *vmid = NULL;
VIR_AUTOFREE(char *)swtpm_setup = virTPMGetSwtpmSetup();
+ VIR_AUTOCLOSE pwdfile_fd = -1;
if (!swtpm_setup)
return -1;
@@ -439,6 +503,23 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
break;
}
+ if (secretuuid) {
+ if (!virTPMSwtpmSetupCapsGet(
+ VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD)) {
+ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
+ _("%s does not support passing a passphrase using a file "
+ "descriptor"), virTPMGetSwtpmSetup());
Coverity complains since virTPMGetSwtpm() returns something that needs
to be free'd. I note above that @swtpm_setup is already set - is that
what was meant here?
+ goto cleanup;
+ }
+ if ((pwdfile_fd = qemuTPMSetupEncryption(secretuuid, cmd)) < 0)
+ goto cleanup;
+
+ virCommandAddArg(cmd, "--pwdfile-fd");
+ virCommandAddArgFormat(cmd, "%d", pwdfile_fd);
+ virCommandAddArgList(cmd, "--cipher", "aes-256-cbc", NULL);
+ virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
+ pwdfile_fd = -1;
+ }
virCommandAddArgList(cmd,
"--tpm-state", storagepath,
@@ -502,6 +583,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
bool created = false;
char *pidfile;
VIR_AUTOFREE(char *) swtpm = virTPMGetSwtpm();
+ VIR_AUTOCLOSE pwdfile_fd = -1;
+ const unsigned char *secretuuid = NULL;
if (!swtpm)
return NULL;
@@ -510,10 +593,14 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
&created, swtpm_user, swtpm_group) < 0)
return NULL;
+ if (tpm->data.emulator.hassecretuuid)
+ secretuuid = tpm->data.emulator.secretuuid;
+
if (created &&
qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
privileged, swtpm_user, swtpm_group,
- tpm->data.emulator.logfile, tpm->version) < 0)
+ tpm->data.emulator.logfile, tpm->version,
+ secretuuid) < 0)
goto error;
unlink(tpm->data.emulator.source.data.nix.path);
@@ -556,6 +643,25 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
virCommandAddArgFormat(cmd, "file=%s", pidfile);
VIR_FREE(pidfile);
+ if (tpm->data.emulator.hassecretuuid) {
+ if (!virTPMSwtpmCapsGet(VIR_TPM_SWTPM_FEATURE_CMDARG_PWD_FD)) {
+ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
+ _("%s does not support passing passphrase via file
descriptor"),
+ virTPMGetSwtpm());
Same, but @swtpm is used in this context
John
+ goto error;
+ }
+
+ pwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid, cmd);
+ if (pwdfile_fd)
+ goto error;
+
+ virCommandAddArg(cmd, "--key");
+ virCommandAddArgFormat(cmd, "pwdfd=%d,mode=aes-256-cbc",
+ pwdfile_fd);
+ virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
+ pwdfile_fd = -1;
+ }
+
return cmd;
error:
8:26 a.m.
New subject: [libvirt] [PATCH v7 15/19] tpm: Use fd to pass password to swtpm_setup and swtpm
On 7/26/19 6:47 AM, John Ferlan wrote:
On 7/25/19 2:22 PM, Stefan Berger wrote:
> Allow vTPM state encryption when swtpm_setup and swtpm support
> passing a passphrase using a file descriptor.
>
> This patch enables the encryption of the vTPM state only. It does
> not encrypt the state during migration, so the destination secret
> does not need to have the same password at this point.
>
> Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
> Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
> ---
> src/libvirt_private.syms | 2 +
> src/qemu/qemu_tpm.c | 110 ++++++++++++++++++++++++++++++++++++++-
> src/util/virtpm.c | 16 ++++++
> src/util/virtpm.h | 3 ++
> 4 files changed, 129 insertions(+), 2 deletions(-)
>
[...]
> /*
> * qemuTPMEmulatorRunSetup
> @@ -387,6 +448,7 @@ qemuTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm,
> * @logfile: The file to write the log into; it must be writable
> * for the user given by userid or 'tss'
> * @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
> + * @encryption: pointer to virStorageEncryption holding secret
> *
> * Setup the external swtpm by creating endorsement key and
> * certificates for it.
> @@ -399,7 +461,8 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> uid_t swtpm_user,
> gid_t swtpm_group,
> const char *logfile,
> - const virDomainTPMVersion tpmversion)
> + const virDomainTPMVersion tpmversion,
> + const unsigned char *secretuuid)
> {
> virCommandPtr cmd = NULL;
> int exitstatus;
> @@ -407,6 +470,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> char uuid[VIR_UUID_STRING_BUFLEN];
> char *vmid = NULL;
> VIR_AUTOFREE(char *)swtpm_setup = virTPMGetSwtpmSetup();
> + VIR_AUTOCLOSE pwdfile_fd = -1;
>
> if (!swtpm_setup)
> return -1;
> @@ -439,6 +503,23 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
> break;
> }
>
> + if (secretuuid) {
> + if (!virTPMSwtpmSetupCapsGet(
> + VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD)) {
> + virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
> + _("%s does not support passing a passphrase using a file
"
> + "descriptor"), virTPMGetSwtpmSetup());
Coverity complains since virTPMGetSwtpm() returns something that needs
to be free'd. I note above that @swtpm_setup is already set - is that
what was meant here?
Right. Will send patch for it. Do you want a single patch or one for
each issue?
> + goto cleanup;
> + }
> + if ((pwdfile_fd = qemuTPMSetupEncryption(secretuuid, cmd)) < 0)
> + goto cleanup;
> +
> + virCommandAddArg(cmd, "--pwdfile-fd");
> + virCommandAddArgFormat(cmd, "%d", pwdfile_fd);
> + virCommandAddArgList(cmd, "--cipher", "aes-256-cbc",
NULL);
> + virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
> + pwdfile_fd = -1;
> + }
>
> virCommandAddArgList(cmd,
> "--tpm-state", storagepath,
> @@ -502,6 +583,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
> bool created = false;
> char *pidfile;
> VIR_AUTOFREE(char *) swtpm = virTPMGetSwtpm();
> + VIR_AUTOCLOSE pwdfile_fd = -1;
> + const unsigned char *secretuuid = NULL;
>
> if (!swtpm)
> return NULL;
> @@ -510,10 +593,14 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
> &created, swtpm_user, swtpm_group) <
0)
> return NULL;
>
> + if (tpm->data.emulator.hassecretuuid)
> + secretuuid = tpm->data.emulator.secretuuid;
> +
> if (created &&
> qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
> privileged, swtpm_user, swtpm_group,
> - tpm->data.emulator.logfile, tpm->version) <
0)
> + tpm->data.emulator.logfile, tpm->version,
> + secretuuid) < 0)
> goto error;
>
> unlink(tpm->data.emulator.source.data.nix.path);
> @@ -556,6 +643,25 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
> virCommandAddArgFormat(cmd, "file=%s", pidfile);
> VIR_FREE(pidfile);
>
> + if (tpm->data.emulator.hassecretuuid) {
> + if (!virTPMSwtpmCapsGet(VIR_TPM_SWTPM_FEATURE_CMDARG_PWD_FD)) {
> + virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
> + _("%s does not support passing passphrase via file
descriptor"),
> + virTPMGetSwtpm());
Same, but @swtpm is used in this context
Gee.
Stefan
1:22 p.m.
New subject: [libvirt] [PATCH v7 16/19] tpm: Pass migration key passphrase via fd to swtpm
This patch now passes the passphrase as a migration key to swtpm.
This now encrypts the state of the TPM while a VM is migrated between
hosts or when suspended into a file. Since the migration key secret
is the same as the state encryption secret, this now requires that
the migration destination host has the same secret value.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/qemu/qemu_tpm.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 27a31efe50..7efd635831 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -584,6 +584,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
char *pidfile;
VIR_AUTOFREE(char *) swtpm = virTPMGetSwtpm();
VIR_AUTOCLOSE pwdfile_fd = -1;
+ VIR_AUTOCLOSE migpwdfile_fd = -1;
const unsigned char *secretuuid = NULL;
if (!swtpm)
@@ -653,6 +654,9 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
pwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid, cmd);
if (pwdfile_fd)
+ migpwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid,
+ cmd);
+ if (pwdfile_fd < 0 || migpwdfile_fd < 0)
goto error;
virCommandAddArg(cmd, "--key");
@@ -660,6 +664,12 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
pwdfile_fd);
virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
pwdfile_fd = -1;
+
+ virCommandAddArg(cmd, "--migration-key");
+ virCommandAddArgFormat(cmd, "pwdfd=%d,mode=aes-256-cbc",
+ migpwdfile_fd);
+ virCommandPassFD(cmd, migpwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
+ migpwdfile_fd = -1;
}
return cmd;
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 17/19] tpm: Check TPM XML device configuration changes after edit
Since swtpm does not support getting started without password
once it was created with encryption enabled, we don't allow
encryption to be removed. Similarly, we do not allow encryption
to be added once swtpm has run. We also prevent chaning the type
of the TPM backend since the encrypted state is still around and
the next time one was to switch back to the emulator backend
and forgot the encryption the TPM would not work.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/conf/domain_conf.c | 56 +++++++++++++++++++++++++++++++++++++++
src/conf/domain_conf.h | 4 +++
src/libvirt_private.syms | 1 +
src/qemu/qemu_driver.c | 28 ++++++++++++++++++++
src/qemu/qemu_extdevice.c | 2 +-
src/qemu/qemu_extdevice.h | 3 +++
6 files changed, 93 insertions(+), 1 deletion(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 6673a323c6..d60ef81061 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -31430,3 +31430,59 @@ virDomainGraphicsNeedsAutoRenderNode(const virDomainGraphicsDef
*graphics)
return true;
}
+
+
+static int
+virDomainCheckTPMChanges(virDomainDefPtr def,
+ virDomainDefPtr newDef)
+{
+ bool oldEnc, newEnc;
+
+ if (!def->tpm)
+ return 0;
+
+ switch (def->tpm->type) {
+ case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ if (virFileExists(def->tpm->data.emulator.storagepath)) {
+ /* VM has been started */
+ /* Once a VM was started with an encrypted state we allow
+ * less configuration changes.
+ */
+ oldEnc = def->tpm->data.emulator.hassecretuuid;
+ if (oldEnc && def->tpm->type != newDef->tpm->type) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Changing the type of TPM is not allowed"));
+ return -1;
+ }
+ if (oldEnc && !newDef->tpm) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Removing an encrypted TPM is not allowed"));
+ return -1;
+ }
+ newEnc = newDef->tpm->data.emulator.hassecretuuid;
+ if (oldEnc != newEnc) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("TPM state encryption cannot be changed "
+ "once VM was started"));
+ return -1;
+ }
+ }
+ break;
+ case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+ case VIR_DOMAIN_TPM_TYPE_LAST:
+ break;
+ }
+
+ return 0;
+}
+
+
+int
+virDomainCheckDeviceChanges(virDomainDefPtr def,
+ virDomainDefPtr newDef)
+{
+ if (!def || !newDef)
+ return 0;
+
+ return virDomainCheckTPMChanges(def, newDef);
+}
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 8092893c2a..285fa6c496 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -3636,3 +3636,7 @@ virDomainGraphicsGetRenderNode(const virDomainGraphicsDef
*graphics);
bool
virDomainGraphicsNeedsAutoRenderNode(const virDomainGraphicsDef *graphics);
+
+int
+virDomainCheckDeviceChanges(virDomainDefPtr def, virDomainDefPtr newDef)
+ ATTRIBUTE_NONNULL(2);
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index a8d65e4318..e1526031a5 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -205,6 +205,7 @@ virDomainBootTypeFromString;
virDomainBootTypeToString;
virDomainCapabilitiesPolicyTypeToString;
virDomainCapsFeatureTypeToString;
+virDomainCheckDeviceChanges;
virDomainChrConsoleTargetTypeFromString;
virDomainChrConsoleTargetTypeToString;
virDomainChrDefForeach;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index e7720fbd99..9110d15cca 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -52,6 +52,7 @@
#include "qemu_migration_params.h"
#include "qemu_blockjob.h"
#include "qemu_security.h"
+#include "qemu_extdevice.h"
#include "virerror.h"
#include "virlog.h"
@@ -7600,6 +7601,30 @@ qemuDomainCreate(virDomainPtr dom)
return qemuDomainCreateWithFlags(dom, 0);
}
+static int
+qemuDomainCheckDeviceChanges(virQEMUDriverPtr driver,
+ virDomainDefPtr def)
+{
+ virDomainObjPtr vm;
+ int ret;
+
+ vm = virDomainObjListFindByUUID(driver->domains, def->uuid);
+ if (!vm)
+ return 0;
+
+ if (qemuExtDevicesInitPaths(driver, vm->def) < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+
+ ret = virDomainCheckDeviceChanges(vm->def, def);
+
+ cleanup:
+ virDomainObjEndAPI(&vm);
+
+ return ret;
+}
+
static virDomainPtr
qemuDomainDefineXMLFlags(virConnectPtr conn,
const char *xml,
@@ -7636,6 +7661,9 @@ qemuDomainDefineXMLFlags(virConnectPtr conn,
if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0)
goto cleanup;
+ if (qemuDomainCheckDeviceChanges(driver, def) < 0)
+ goto cleanup;
+
if (!(vm = virDomainObjListAdd(driver->domains, def,
driver->xmlopt,
0, &oldDef)))
diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c
index a21caefaba..e576bca165 100644
--- a/src/qemu/qemu_extdevice.c
+++ b/src/qemu/qemu_extdevice.c
@@ -79,7 +79,7 @@ qemuExtDeviceLogCommand(qemuDomainLogContextPtr logCtxt,
* stored and we can remove directories and files in case of domain XML
* changes.
*/
-static int
+int
qemuExtDevicesInitPaths(virQEMUDriverPtr driver,
virDomainDefPtr def)
{
diff --git a/src/qemu/qemu_extdevice.h b/src/qemu/qemu_extdevice.h
index a72e05ce63..bbdb9a1cc2 100644
--- a/src/qemu/qemu_extdevice.h
+++ b/src/qemu/qemu_extdevice.h
@@ -53,3 +53,6 @@ bool qemuExtDevicesHasDevice(virDomainDefPtr def);
int qemuExtDevicesSetupCgroup(virQEMUDriverPtr driver,
virDomainDefPtr def,
virCgroupPtr cgroup);
+
+int qemuExtDevicesInitPaths(virQEMUDriverPtr driver,
+ virDomainDefPtr def);
--
2.20.1
5:44 a.m.
New subject: [libvirt] [PATCH v7 17/19] tpm: Check TPM XML device configuration changes after edit
On 7/25/19 2:22 PM, Stefan Berger wrote:
Since swtpm does not support getting started without password
once it was created with encryption enabled, we don't allow
encryption to be removed. Similarly, we do not allow encryption
to be added once swtpm has run. We also prevent chaning the type
of the TPM backend since the encrypted state is still around and
the next time one was to switch back to the emulator backend
and forgot the encryption the TPM would not work.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/conf/domain_conf.c | 56 +++++++++++++++++++++++++++++++++++++++
src/conf/domain_conf.h | 4 +++
src/libvirt_private.syms | 1 +
src/qemu/qemu_driver.c | 28 ++++++++++++++++++++
src/qemu/qemu_extdevice.c | 2 +-
src/qemu/qemu_extdevice.h | 3 +++
6 files changed, 93 insertions(+), 1 deletion(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 6673a323c6..d60ef81061 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
[...]
+
+int
+virDomainCheckDeviceChanges(virDomainDefPtr def,
+ virDomainDefPtr newDef)
+{
+ if (!def || !newDef)
Because !newDef is checked here...
+ return 0;
+
+ return virDomainCheckTPMChanges(def, newDef);
+}
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 8092893c2a..285fa6c496 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -3636,3 +3636,7 @@ virDomainGraphicsGetRenderNode(const virDomainGraphicsDef
*graphics);
bool
virDomainGraphicsNeedsAutoRenderNode(const virDomainGraphicsDef *graphics);
+
+int
+virDomainCheckDeviceChanges(virDomainDefPtr def, virDomainDefPtr newDef)
+ ATTRIBUTE_NONNULL(2);
This ATTRIBUTE_NONNULL(2) is unnecessary
Causes a Coverity (or whenever STATIC_ANALYSIS is set) build error.
John
1:22 p.m.
New subject: [libvirt] [PATCH v7 18/19] docs: Extend Secret XML documentation with vtpm usage type
Extend the Secret XML documentation with vtpm usage type.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
docs/formatsecret.html.in | 61 +++++++++++++++++++++++++++++++++++++--
1 file changed, 59 insertions(+), 2 deletions(-)
diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in
index defbe71731..8d0630a7c3 100644
--- a/docs/formatsecret.html.in
+++ b/docs/formatsecret.html.in
@@ -42,8 +42,8 @@
Specifies what this secret is used for. A mandatory
<code>type</code> attribute specifies the usage category, currently
only <code>volume</code>, <code>ceph</code>,
<code>iscsi</code>,
- and <code>tls</code> are defined. Specific usage categories
- are described below.
+ <code>tls</code>, and <code>vtpm</code> are defined.
Specific usage
+ categories are described below.
</dd>
</dl>
@@ -322,6 +322,63 @@ Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created
<pre>
# MYSECRET=`printf %s "letmein" | base64`
# virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET
+Secret value set
+
+ </pre>
+
+ <h3><a id="vTPMUsageType">Usage type
"vtpm"</a></h3>
+
+ <p>
+ This secret is associated with a virtualized TPM (vTPM) and serves
+ as a passphrase for deriving a key from for encrypting the state
+ of the vTPM.
+ The <code><usage type='vtpm'></code> element must
contain
+ a single <code>name</code> element that specifies a usage name
+ for the secret. The vTPM secret can then be used by UUID or by
+ this usage name via the <code><encryption></code> element
of
+ a <a href="formatdomain.html#elementsTpm">tpm</a> when using
an
+ emulator.
+ <span class="since">Since 5.6.0</span>. The following is an
example
+ of the steps to be taken. First create a vtpm-secret.xml file: </p>
+
+ <pre>
+# cat vtpm-secret.xml
+<secret ephemeral='no' private='yes'>
+ <description>sample vTPM secret</description>
+ <usage type='vtpm'>
+ <name>VTPM_example</name>
+ </usage>
+</secret>
+
+# virsh secret-define vtpm-secret.xml
+Secret 6dd3e4a5-1d76-44ce-961f-f119f5aad935 created
+
+# virsh secret-list
+ UUID Usage
+----------------------------------------------------------------------------------------
+ 6dd3e4a5-1d76-44ce-961f-f119f5aad935 vtpm VTPM_example
+
+#
+
+ </pre>
+
+ <p>
+ A secret may also be defined via the
+ <a href="html/libvirt-libvirt-secret.html#virSecretDefineXML">
+ <code>virSecretDefineXML</code></a> API.
+
+ Once the secret is defined, a secret value will need to be set. The
+ secret would be the passphrase used to decrypt the vTPM state.
+ The following is a simple example of using
+ <code>virsh secret-set-value</code> to set the secret value. The
+ <a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
+ <code>virSecretSetValue</code></a> API may also be used to set
+ a more secure secret without using printable/readable characters.
+ </p>
+
+ <pre>
+# MYSECRET=`printf %s "open sesame" | base64`
+# virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 $MYSECRET
Secret value set
</pre>
--
2.20.1
1:22 p.m.
New subject: [libvirt] [PATCH v7 19/19] docs: Extend TPM docs with new encryption element
Describe the encryption element in the TPM's domain XML.
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
docs/formatdomain.html.in | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 1d57729394..1938bd875c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -8215,6 +8215,9 @@ qemu-kvm -net nic,model=? /dev/null
TPM functionality for each VM. QEMU talks to it over a Unix socket. With
the emulator device type each guest gets its own private TPM.
<span class="since">'emulator' since 4.5.0</span>
+ The state of the TPM emulator can be encrypted by providing an
+ <code>encryption</code> element.
+ <span class="since">'encryption' since 5.6.0</span>
</p>
<p>
Example: usage of the TPM Emulator
@@ -8224,6 +8227,7 @@ qemu-kvm -net nic,model=? /dev/null
<devices>
<tpm model='tpm-tis'>
<backend type='emulator' version='2.0'>
+ <encryption
secret='6dd3e4a5-1d76-44ce-961f-f119f5aad935'/>
</backend>
</tpm>
</devices>
@@ -8286,6 +8290,14 @@ qemu-kvm -net nic,model=? /dev/null
<li>'2.0' : creates a TPM 2.0</li>
</ul>
</dd>
+ <dt><code>encryption</code></dt>
+ <dd>
+ <p>
+ The <code>encryption</code> element allows the state of a TPM
emulator
+ to be encrypted. The <code>secret</code> must reference a secret
object
+ that holds the passphrase from which the encryption key will be derived.
+ </p>
+ </dd>
</dl>
<h4><a id="elementsNVRAM">NVRAM device</a></h4>
--
2.20.1
4:36 a.m.
On Thu, Jul 25, 2019 at 02:21:56PM -0400, Stefan Berger wrote:
This series of patches addresses the RFE in BZ 172830:
https://bugzilla.redhat.com/show_bug.cgi?id=1728030
This series of patches adds support for vTPM state encryption by passing
the read-end of a pipe's file descriptor to 'swtpm_setup' and
'swtpm'
where they can read a passphrase from and derive a key from that passphrase.
The TPM's domain XML looks to enable state encryption looks like this:
<tpm model='tpm-tis'>
<backend type='emulator' version='1.2'>
<encryption secret='2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd'/>
</backend>
</tpm>
The vTPM secret holding the passphrase looks like this:
<secret ephemeral='no' private='yes'>
<uuid>2c9ceaba-c6ef-4f38-86fd-6e3adb2df5cd</uuid>
<description>vTPM passphrase example</description>
<usage type='vtpm'>
<name>vtpm_example</name>
</usage>
</secret>
The swtpm v0.2 is needed that supports the command line option
--print-capabilities returning a JSON object that identifies features added
since v0.1. One such features is the possibility to pass a passphrase via a
file descriptor.
The patches do some refactoring of existing code on the way.
This series is now pushed to GIT, thanks for your work on it
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
1951
days inactive
1952
days old
26 comments
4 participants
participants (4)
-
Daniel P. Berrangé -
John Ferlan -
Stefan Berger -
Stefan Berger