qemu_tpm: Set log file label on migration

Recently, the QEMU driver gained support for migration with TPM state on a shared volume (e.g. NFS). As a part of that, the destination side avoids setting seclabels on it to avoid cutting off the source while it is still using it. Makes sense, except for a wee bit: the secdriver API does a bit more - it also sets label on the swtpm log file. And this one definitely needs to be labeled (it lives under /var/log/swtpm/libvirt/qemu/..., i.e. not on a shared volume). Previously, qemuSecurityStartTPMEmulator() took care of that. But during rework to shared volume migration, the code was changed so now plain qemuSecurityCommandRun() would be run (i.e. no relabelling). But after previous commits, we can now chose whether the TPM state should be relabelled or just the log file. Fixes: 2e669ec789231d39e0d5f5f6a201d2a661b8070c Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2130192#c7 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2025-02-02 09:55:18 +00:00 · 2022-12-02 16:09:37 +01:00 · 2022-12-02 16:09:37 +01:00 · 713578d77f
commit 713578d77f
parent 3c2e55c5ed
1 changed files with 12 additions and 10 deletions
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@ -926,6 +926,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
    g_autofree char *pidfile = NULL;
    virTimeBackOffVar timebackoff;
    const unsigned long long timeout = 1000; /* ms */
+    bool setTPMStateLabel = true;
    int cmdret = 0;
    pid_t pid = -1;

@ -955,14 +956,12 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
    if (incomingMigration &&
        virFileIsSharedFS(tpm->data.emulator.storagepath) == 1) {
        /* security labels must have been set up on source already */
-        if (qemuSecurityCommandRun(driver, vm, cmd,
-                                   cfg->swtpm_user, cfg->swtpm_group,
-                                   NULL, &cmdret) < 0) {
-            goto error;
-        }
-    } else if (qemuSecurityStartTPMEmulator(driver, vm, cmd,
-                                            cfg->swtpm_user, cfg->swtpm_group,
-                                            true, NULL, &cmdret) < 0) {
+        setTPMStateLabel = false;
+    }
+
+    if (qemuSecurityStartTPMEmulator(driver, vm, cmd,
+                                     cfg->swtpm_user, cfg->swtpm_group,
+                                     setTPMStateLabel, NULL, &cmdret) < 0) {
        goto error;
    }

@ -1133,13 +1132,16 @@ qemuExtTPMStop(virQEMUDriver *driver,
 {
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    g_autofree char *shortName = virDomainDefGetShortName(vm->def);
+    bool restoreTPMStateLabel = true;

    if (!shortName)
        return;

    qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
-    if (!(outgoingMigration && qemuTPMHasSharedStorage(vm->def)))
-        qemuSecurityCleanupTPMEmulator(driver, vm, true);
+    if (outgoingMigration || qemuTPMHasSharedStorage(vm->def))
+        restoreTPMStateLabel = false;
+
+    qemuSecurityCleanupTPMEmulator(driver, vm, restoreTPMStateLabel);
 }