qemu_tpm: Extend start/stop APIs

This is basically just a continuation of the previous commit. Now that the security driver APIs have a boolean flag that controls setting/restoring seclabel of either both TPM state and log files, or just the log file, propagate this boolean into those APIs that start/stop swtpm emulator. For now, just pass true. The juicy bits are soon to come. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2024-08-07 01:13:49 +00:00 · 2022-12-02 16:04:41 +01:00 · 2022-12-02 16:04:41 +01:00 · 3c2e55c5ed
commit 3c2e55c5ed
parent f3259f82fd
3 changed files with 14 additions and 7 deletions
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@ -507,6 +507,7 @@ qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver,
 * @cmd: the command to run
 * @uid: the uid to run the emulator
 * @gid: the gid to run the emulator
+ * @setTPMStateLabel: whether TPM state should be labelled, or just logfile
 * @existstatus: pointer to int returning exit status of process
 * @cmdret: pointer to int returning result of virCommandRun
 *
@ -523,6 +524,7 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
                             virCommand *cmd,
                             uid_t uid,
                             gid_t gid,
+                             bool setTPMStateLabel,
                             int *exitstatus,
                             int *cmdret)
 {
@ -535,7 +537,7 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
    transactionStarted = true;

    if (virSecurityManagerSetTPMLabels(driver->securityManager,
-                                       vm->def, true) < 0) {
+                                       vm->def, setTPMStateLabel) < 0) {
        virSecurityManagerTransactionAbort(driver->securityManager);
        return -1;
    }
@ -560,7 +562,8 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
        virSecurityManagerTransactionStart(driver->securityManager) >= 0)
        transactionStarted = true;

-    virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def, true);
+    virSecurityManagerRestoreTPMLabels(driver->securityManager,
+                                       vm->def, setTPMStateLabel);

    if (transactionStarted &&
        virSecurityManagerTransactionCommit(driver->securityManager,
@ -575,7 +578,8 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,

 void
 qemuSecurityCleanupTPMEmulator(virQEMUDriver *driver,
-                               virDomainObj *vm)
+                               virDomainObj *vm,
+                               bool restoreTPMStateLabel)
 {
    qemuDomainObjPrivate *priv = vm->privateData;
    bool transactionStarted = false;
@ -583,7 +587,8 @@ qemuSecurityCleanupTPMEmulator(virQEMUDriver *driver,
    if (virSecurityManagerTransactionStart(driver->securityManager) >= 0)
        transactionStarted = true;

-    virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def, true);
+    virSecurityManagerRestoreTPMLabels(driver->securityManager,
+                                       vm->def, restoreTPMStateLabel);

    if (transactionStarted &&
        virSecurityManagerTransactionCommit(driver->securityManager,
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@ -90,11 +90,13 @@ int qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
                                 virCommand *cmd,
                                 uid_t uid,
                                 gid_t gid,
+                                 bool setTPMStateLabel,
                                 int *exitstatus,
                                 int *cmdret);

 void qemuSecurityCleanupTPMEmulator(virQEMUDriver *driver,
-                                    virDomainObj *vm);
+                                    virDomainObj *vm,
+                                    bool restoreTPMStateLabel);

 int qemuSecuritySetSavedStateLabel(virQEMUDriver *driver,
                                   virDomainObj *vm,
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@ -962,7 +962,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
        }
    } else if (qemuSecurityStartTPMEmulator(driver, vm, cmd,
                                            cfg->swtpm_user, cfg->swtpm_group,
-                                            NULL, &cmdret) < 0) {
+                                            true, NULL, &cmdret) < 0) {
        goto error;
    }

@ -1139,7 +1139,7 @@ qemuExtTPMStop(virQEMUDriver *driver,

    qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
    if (!(outgoingMigration && qemuTPMHasSharedStorage(vm->def)))
-        qemuSecurityCleanupTPMEmulator(driver, vm);
+        qemuSecurityCleanupTPMEmulator(driver, vm, true);
 }