Hi, I would like to clarify how to make snapshots of running VMs with emulated TPM devices. As far as I understand QEMU documentation, it's possible to make snapshots of running VMs with TPM, but it's important to retain the state of swtpm. Does libvirt assist with that in any way or is it completely user's responsibility? libvirt pauses the VM internally when making a snapshot, which should be the right moment to copy the swtpm data, but the user doesn't have control over it. Is there a way to make a copy of swtpm data that is guaranteed to be consistent with the snapshot?

Thank you, Milan

On Thu, Jul 09, 2020 at 14:14:32 +0200, Milan Zamazal wrote: > Milan Zamazal <mzamazal(a)redhat.com&gt; writes: > > > Hi, > > > > I would like to clarify how to make snapshots of running VMs with > > emulated TPM devices. As far as I understand QEMU documentation, it's > > possible to make snapshots of running VMs with TPM, but it's important > > to retain the state of swtpm. Does libvirt assist with that in any way > > or is it completely user's responsibility? libvirt pauses the VM > > internally when making a snapshot, which should be the right moment to > > copy the swtpm data, but the user doesn't have control over it. Is > > there a way to make a copy of swtpm data that is guaranteed to be > > consistent with the snapshot? > > No idea? I can comment only on the fact that libvirt doesn't do anything regarding snapshots on a VM with TPM.

On Thu, Jul 09, 2020 at 17:54:23 +0200, Milan Zamazal wrote: > Peter Krempa <pkrempa(a)redhat.com&gt; writes: > > > On Thu, Jul 09, 2020 at 14:14:32 +0200, Milan Zamazal wrote: > >> Milan Zamazal <mzamazal(a)redhat.com&gt; writes: > >> > > > >> > Hi, > >> > > >> > I would like to clarify how to make snapshots of running VMs with > >> > emulated TPM devices. As far as I understand QEMU documentation, it's > >> > possible to make snapshots of running VMs with TPM, but it's important > >> > to retain the state of swtpm. Does libvirt assist with that in any way > >> > or is it completely user's responsibility? libvirt pauses the VM > >> > internally when making a snapshot, which should be the right moment to > >> > copy the swtpm data, but the user doesn't have control over it. Is > >> > there a way to make a copy of swtpm data that is guaranteed to be > >> > consistent with the snapshot? > >> > >> No idea? > > > > I can comment only on the fact that libvirt doesn't do anything > > regarding snapshots on a VM with TPM. > > Thank you for the confirmation. > > Can anybody confirm there is no way to perform custom actions while a VM > is frozen by libvirt when making a memory snapshot, before we start > thinking about workarounds and/or filing a RFE? No, currently we don't support any custom actions at the point when the external memory snapshot is finalized prior to continuing the VM. Please file a generic RFE for snapshoting including TPM rather than a partial one where you'll request a way to do your hack.