conf: Add support for keeping TPM emulator state

Currently, swtpm TPM state file is removed when a transient domain is
powered off or undefined. When we store TPM state on a shared storage
such as NFS and use transient domain, TPM states should be kept as it is.

Add per-TPM emulator option `persistent_sate` for keeping TPM state.
This option only works for the emulator type backend and looks as follows:

  <tpm model='tpm-tis'>
    <backend type='emulator' persistent_state='yes'/>
  </tpm>

Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Eiichi Tsukata 2021-01-04 02:31:59 +00:00 committed by Michal Privoznik
parent f7c40b5c71
commit cc6c49f6cd
10 changed files with 144 additions and 1 deletions

View File

@ -6986,6 +6986,13 @@ Example: usage of the TPM Emulator
- '1.2' : creates a TPM 1.2 - '1.2' : creates a TPM 1.2
- '2.0' : creates a TPM 2.0 - '2.0' : creates a TPM 2.0
``persistent_state``
The ``persistent_state`` attribute indicates whether 'swtpm' TPM state is
kept or not when a transient domain is powered off or undefined. This
option can be used for preserving TPM state. By default the value is ``no``.
This attribute only works with the ``emulator`` backend. The accepted values
are ``yes`` and ``no``. :since:`Since 7.0.0`
``encryption`` ``encryption``
The ``encryption`` element allows the state of a TPM emulator to be The ``encryption`` element allows the state of a TPM emulator to be
encrypted. The ``secret`` must reference a secret object that holds the encrypted. The ``secret`` must reference a secret object that holds the

View File

@ -4766,6 +4766,14 @@
<value>emulator</value> <value>emulator</value>
</attribute> </attribute>
<ref name="tpm-backend-emulator-encryption"/> <ref name="tpm-backend-emulator-encryption"/>
<optional>
<attribute name="persistent_state">
<choice>
<value>yes</value>
<value>no</value>
</choice>
</attribute>
</optional>
</group> </group>
</choice> </choice>
<choice> <choice>

View File

@ -12220,6 +12220,12 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt,
* <encryption secret='32ee7e76-2178-47a1-ab7b-269e6e348015'/> * <encryption secret='32ee7e76-2178-47a1-ab7b-269e6e348015'/>
* </backend> * </backend>
* </tpm> * </tpm>
*
* Emulator persistent_state is supported with the following:
*
* <tpm model='tpm-tis'>
* <backend type='emulator' version='2.0' persistent_state='yes'>
* </tpm>
*/ */
static virDomainTPMDefPtr static virDomainTPMDefPtr
virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt, virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
@ -12235,6 +12241,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
g_autofree char *backend = NULL; g_autofree char *backend = NULL;
g_autofree char *version = NULL; g_autofree char *version = NULL;
g_autofree char *secretuuid = NULL; g_autofree char *secretuuid = NULL;
g_autofree char *persistent_state = NULL;
g_autofree xmlNodePtr *backends = NULL; g_autofree xmlNodePtr *backends = NULL;
def = g_new0(virDomainTPMDef, 1); def = g_new0(virDomainTPMDef, 1);
@ -12307,6 +12314,16 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
} }
def->data.emulator.hassecretuuid = true; def->data.emulator.hassecretuuid = true;
} }
persistent_state = virXMLPropString(backends[0], "persistent_state");
if (persistent_state) {
if (virStringParseYesNo(persistent_state,
&def->data.emulator.persistent_state) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Invalid persistent_state value, either 'yes' or 'no'"));
goto error;
}
}
break; break;
case VIR_DOMAIN_TPM_TYPE_LAST: case VIR_DOMAIN_TPM_TYPE_LAST:
goto error; goto error;
@ -26025,6 +26042,8 @@ virDomainTPMDefFormat(virBufferPtr buf,
case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_EMULATOR:
virBufferAsprintf(buf, " version='%s'", virBufferAsprintf(buf, " version='%s'",
virDomainTPMVersionTypeToString(def->version)); virDomainTPMVersionTypeToString(def->version));
if (def->data.emulator.persistent_state)
virBufferAddLit(buf, " persistent_state='yes'");
if (def->data.emulator.hassecretuuid) { if (def->data.emulator.hassecretuuid) {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
virBufferAddLit(buf, ">\n"); virBufferAddLit(buf, ">\n");

View File

@ -1362,6 +1362,7 @@ struct _virDomainTPMDef {
char *logfile; char *logfile;
unsigned char secretuuid[VIR_UUID_BUFLEN]; unsigned char secretuuid[VIR_UUID_BUFLEN];
bool hassecretuuid; bool hassecretuuid;
bool persistent_state;
} emulator; } emulator;
} data; } data;
}; };

View File

@ -729,6 +729,7 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR) if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR)
continue; continue;
if (!def->tpms[i]->data.emulator.persistent_state)
qemuTPMDeleteEmulatorStorage(def->tpms[i]); qemuTPMDeleteEmulatorStorage(def->tpms[i]);
} }
} }

View File

@ -0,0 +1,38 @@
LC_ALL=C \
PATH=/bin \
HOME=/tmp/lib/domain--1-TPM-VM \
USER=test \
LOGNAME=test \
XDG_DATA_HOME=/tmp/lib/domain--1-TPM-VM/.local/share \
XDG_CACHE_HOME=/tmp/lib/domain--1-TPM-VM/.cache \
XDG_CONFIG_HOME=/tmp/lib/domain--1-TPM-VM/.config \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-x86_64 \
-name guest=TPM-VM,debug-threads=on \
-S \
-object secret,id=masterKey0,format=raw,\
file=/tmp/lib/domain--1-TPM-VM/master-key.aes \
-machine pc-i440fx-2.12,accel=tcg,usb=off,dump-guest-core=off,\
memory-backend=pc.ram \
-cpu qemu64 \
-m 2048 \
-object memory-backend-ram,id=pc.ram,size=2147483648 \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid 11d7cd22-da89-3094-6212-079a48a309a1 \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=1729,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot menu=on,strict=on \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
-tpmdev emulator,id=tpm-tpm0,chardev=chrtpm \
-chardev socket,id=chrtpm,path=/dev/test \
-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
resourcecontrol=deny \
-msg timestamp=on

View File

@ -0,0 +1,30 @@
<domain type='qemu'>
<name>TPM-VM</name>
<uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid>
<memory unit='KiB'>2097152</memory>
<currentMemory unit='KiB'>512288</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type>
<boot dev='hd'/>
<bootmenu enable='yes'/>
</os>
<features>
<acpi/>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<controller type='usb' index='0'/>
<controller type='pci' index='0' model='pci-root'/>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<tpm model='tpm-tis'>
<backend type='emulator' version='2.0' persistent_state='yes'/>
</tpm>
<memballoon model='virtio'/>
</devices>
</domain>

View File

@ -2461,6 +2461,7 @@ mymain(void)
DO_TEST_CAPS_LATEST("tpm-emulator"); DO_TEST_CAPS_LATEST("tpm-emulator");
DO_TEST_CAPS_LATEST("tpm-emulator-tpm2"); DO_TEST_CAPS_LATEST("tpm-emulator-tpm2");
DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-enc"); DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-enc");
DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-pstate");
DO_TEST_CAPS_LATEST_PPC64("tpm-emulator-spapr"); DO_TEST_CAPS_LATEST_PPC64("tpm-emulator-spapr");
DO_TEST_PARSE_ERROR("pci-domain-invalid", NONE); DO_TEST_PARSE_ERROR("pci-domain-invalid", NONE);

View File

@ -0,0 +1,37 @@
<domain type='qemu'>
<name>TPM-VM</name>
<uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid>
<memory unit='KiB'>2097152</memory>
<currentMemory unit='KiB'>512288</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type>
<boot dev='hd'/>
<bootmenu enable='yes'/>
</os>
<features>
<acpi/>
</features>
<cpu mode='custom' match='exact' check='none'>
<model fallback='forbid'>qemu64</model>
</cpu>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<controller type='usb' index='0' model='piix3-uhci'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<tpm model='tpm-tis'>
<backend type='emulator' version='2.0' persistent_state='yes'/>
</tpm>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</memballoon>
</devices>
</domain>

View File

@ -761,6 +761,7 @@ mymain(void)
DO_TEST_CAPS_LATEST("tpm-emulator"); DO_TEST_CAPS_LATEST("tpm-emulator");
DO_TEST_CAPS_LATEST("tpm-emulator-tpm2"); DO_TEST_CAPS_LATEST("tpm-emulator-tpm2");
DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-enc"); DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-enc");
DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-pstate");
DO_TEST("metadata", NONE); DO_TEST("metadata", NONE);
DO_TEST("metadata-duplicate", NONE); DO_TEST("metadata-duplicate", NONE);