qemu: tpm: Enable creation of certs for TPM 1.2 in non-privileged mode

When 'swtpm_setup --print-capabilities' shows the 'tpm12-not-need-root'
flag, then it is possible to create certificates for the TPM 1.2 also
in non-privileged mode since swtpm_setup doesn't need tcsd anymore.
Check for this flag and create the certificates if this flag is found.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

src/qemu/qemu_tpm.c

@@ -463,11 +463,13 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
     if (!swtpm_setup)
         return -1;
 
-    if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2)
+    if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2 &&
+        !virTPMSwtpmSetupCapsGet(VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) {
         return virFileWriteStr(logfile,
                                _("Did not create EK and certificates since "
                                  "this requires privileged mode for a "
                                  "TPM 1.2\n"), 0600);
+    }
 
     if (!privileged && qemuTPMCreateConfigFiles(swtpm_setup) < 0)
         return -1;

src/util/virtpm.c

@@ -46,6 +46,7 @@ VIR_ENUM_IMPL(virTPMSwtpmSetupFeature,
               VIR_TPM_SWTPM_SETUP_FEATURE_LAST,
               "cmdarg-pwdfile-fd",
               "cmdarg-create-config-files",
+              "tpm12-not-need-root",
 );
 
 /**

src/util/virtpm.h

@@ -39,6 +39,7 @@ typedef enum {
 typedef enum {
     VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD,
     VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES,
+    VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT,
 
     VIR_TPM_SWTPM_SETUP_FEATURE_LAST
 } virTPMSwtpmSetupFeature;