mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-03 19:45:21 +00:00
qemu: tpm: Pass --migration option to swtpm if supported and needed
Pass the --migration option to swtpm if swptm supports it (starting with v0.8) and if the TPM's state is written on shared storage. If this is the case apply the 'release-lock-outgoing' parameter with this option and apply the 'incoming' parameter for incoming migration so that swtpm releases the file lock on the source side when the state is migrated and locks the file on the destination side when the state is received. If a started swtpm instance is running with the necessary options of migrating with share storage then remember this with a flag in the virDomainTPMPrivateDef. Report an error if swtpm does not support the --migration option and an incoming migration across shared storage is requested. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
parent
5597476e40
commit
188dfeb398
@ -1555,6 +1555,13 @@ qemuMigrationSrcIsAllowed(virQEMUDriver *driver,
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (qemuTPMHasSharedStorage(vm->def)&&
|
||||||
|
!qemuTPMCanMigrateSharedStorage(vm->def)) {
|
||||||
|
virReportError(VIR_ERR_NO_SUPPORT, "%s",
|
||||||
|
_("the running swtpm does not support migration with shared storage"));
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
@ -557,6 +557,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
|
|||||||
int migpwdfile_fd = -1;
|
int migpwdfile_fd = -1;
|
||||||
const unsigned char *secretuuid = NULL;
|
const unsigned char *secretuuid = NULL;
|
||||||
bool create_storage = true;
|
bool create_storage = true;
|
||||||
|
bool on_shared_storage;
|
||||||
|
|
||||||
if (!swtpm)
|
if (!swtpm)
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -564,8 +565,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
|
|||||||
/* Do not create storage and run swtpm_setup on incoming migration over
|
/* Do not create storage and run swtpm_setup on incoming migration over
|
||||||
* shared storage
|
* shared storage
|
||||||
*/
|
*/
|
||||||
if (incomingMigration &&
|
on_shared_storage = virFileIsSharedFS(tpm->data.emulator.storagepath) == 1;
|
||||||
virFileIsSharedFS(tpm->data.emulator.storagepath) == 1)
|
if (incomingMigration && on_shared_storage)
|
||||||
create_storage = false;
|
create_storage = false;
|
||||||
|
|
||||||
if (create_storage &&
|
if (create_storage &&
|
||||||
@ -643,6 +644,30 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
|
|||||||
virCommandAddArgFormat(cmd, "pwdfd=%d,mode=aes-256-cbc", migpwdfile_fd);
|
virCommandAddArgFormat(cmd, "pwdfd=%d,mode=aes-256-cbc", migpwdfile_fd);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* If swtpm supports it and the TPM state is stored on shared storage,
|
||||||
|
* start swtpm with --migration release-lock-outgoing so it can migrate
|
||||||
|
* across shared storage if needed.
|
||||||
|
*/
|
||||||
|
QEMU_DOMAIN_TPM_PRIVATE(tpm)->swtpm.can_migrate_shared_storage = false;
|
||||||
|
if (on_shared_storage &&
|
||||||
|
virTPMSwtpmCapsGet(VIR_TPM_SWTPM_FEATURE_CMDARG_MIGRATION)) {
|
||||||
|
|
||||||
|
virCommandAddArg(cmd, "--migration");
|
||||||
|
virCommandAddArgFormat(cmd, "release-lock-outgoing%s",
|
||||||
|
incomingMigration ? ",incoming": "");
|
||||||
|
QEMU_DOMAIN_TPM_PRIVATE(tpm)->swtpm.can_migrate_shared_storage = true;
|
||||||
|
} else {
|
||||||
|
/* Report an error if there's an incoming migration across shared
|
||||||
|
* storage and swtpm does not support the --migration option.
|
||||||
|
*/
|
||||||
|
if (incomingMigration && on_shared_storage) {
|
||||||
|
virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
|
||||||
|
_("%s (on destination side) does not support the --migration option needed for migration with shared storage"),
|
||||||
|
swtpm);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return g_steal_pointer(&cmd);
|
return g_steal_pointer(&cmd);
|
||||||
|
|
||||||
error:
|
error:
|
||||||
@ -983,6 +1008,24 @@ qemuTPMHasSharedStorage(virDomainDef *def)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
bool
|
||||||
|
qemuTPMCanMigrateSharedStorage(virDomainDef *def)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
for (i = 0; i < def->ntpms; i++) {
|
||||||
|
virDomainTPMDef *tpm = def->tpms[i];
|
||||||
|
switch (tpm->type) {
|
||||||
|
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
|
||||||
|
return QEMU_DOMAIN_TPM_PRIVATE(tpm)->swtpm.can_migrate_shared_storage;
|
||||||
|
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
||||||
|
case VIR_DOMAIN_TPM_TYPE_LAST:
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/* ---------------------
|
/* ---------------------
|
||||||
* Module entry points
|
* Module entry points
|
||||||
* ---------------------
|
* ---------------------
|
||||||
|
@ -60,3 +60,6 @@ int qemuExtTPMSetupCgroup(virQEMUDriver *driver,
|
|||||||
bool qemuTPMHasSharedStorage(virDomainDef *def)
|
bool qemuTPMHasSharedStorage(virDomainDef *def)
|
||||||
ATTRIBUTE_NONNULL(1)
|
ATTRIBUTE_NONNULL(1)
|
||||||
G_GNUC_WARN_UNUSED_RESULT;
|
G_GNUC_WARN_UNUSED_RESULT;
|
||||||
|
|
||||||
|
bool qemuTPMCanMigrateSharedStorage(virDomainDef *def)
|
||||||
|
ATTRIBUTE_NONNULL(1);
|
||||||
|
Loading…
Reference in New Issue
Block a user