qemuExtTPMStop: Restore TPM state label more often

When stopping swtpm we can restore the label either on just the swtpm's domain specific logfile (/var/log/swtpm/libvirt/qemu/...), or on the logfile and the state too (/var/lib/libvirt/swtpm/...). The deciding factor is whether the guest is stopped because of outgoing migration OR the state is on a shared filesystem. But this is not correct condition, because for instance saving the guest into a file (virsh save) is also an outgoing migration. Alternatively, when the swtpm state is stored on a shared filesystem, but the guest is destroyed (virsh destroy), i.e. stopped because of different reason than migration, we want to restore the seclabels. The correct condition is: skip restoring the state on outgoing migration AND shared filesystem. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2161557 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2025-01-21 20:15:17 +00:00 · 2023-01-27 10:46:55 +01:00 · 2023-01-27 10:46:55 +01:00 · 794fddf866
commit 794fddf866
parent 88f0fbf638
1 changed files with 1 additions and 1 deletions
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@ -1142,7 +1142,7 @@ qemuExtTPMStop(virQEMUDriver *driver,
        return;

    qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
-    if (outgoingMigration || qemuTPMHasSharedStorage(vm->def))
+    if (outgoingMigration && qemuTPMHasSharedStorage(vm->def))
        restoreTPMStateLabel = false;

    if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0)