External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 05:35:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

conf: Move TPM emulator parameters into own struct

Browse Source 
To avoid passing TPM emulator parameters around individually, move them
into a structure and pass around the structure.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Stefan Berger 2024-11-13 12:39:41 -05:00 committed by Michal Privoznik
parent b0aa9d31f2
commit 8bba15bdc1
3 changed files with 37 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/conf/domain_conf.h
View File

@ -1473,6 +1473,19 @@ typedef enum {
#define VIR_DOMAIN_TPM_DEFAULT_DEVICE "/dev/tpm0" #define VIR_DOMAIN_TPM_DEFAULT_DEVICE "/dev/tpm0"
struct _virDomainTPMEmulatorDef {
virDomainTPMVersion version;
virDomainChrSourceDef *source;
virDomainTPMSourceType source_type;
char *source_path;
char *logfile;
unsigned int debug;
unsigned char secretuuid[VIR_UUID_BUFLEN];
bool hassecretuuid;
bool persistent_state;
virBitmap *activePcrBanks;
};
struct _virDomainTPMDef { struct _virDomainTPMDef {
virObject *privateData; virObject *privateData;
@ -1483,18 +1496,7 @@ struct _virDomainTPMDef {
struct { struct {
virDomainChrSourceDef *source; virDomainChrSourceDef *source;
} passthrough; } passthrough;
struct { virDomainTPMEmulatorDef emulator;
virDomainTPMVersion version;
virDomainChrSourceDef *source;
virDomainTPMSourceType source_type;
char *source_path;
char *logfile;
unsigned int debug;
unsigned char secretuuid[VIR_UUID_BUFLEN];
bool hassecretuuid;
bool persistent_state;
virBitmap *activePcrBanks;
} emulator;
struct { struct {
virDomainChrSourceDef *source; virDomainChrSourceDef *source;
} external; } external;

2
src/conf/virconftypes.h
View File

@ -234,6 +234,8 @@ typedef struct _virDomainAudioDef virDomainAudioDef;
typedef struct _virDomainTPMDef virDomainTPMDef; typedef struct _virDomainTPMDef virDomainTPMDef;
typedef struct _virDomainTPMEmulatorDef virDomainTPMEmulatorDef;
typedef struct _virDomainThreadSchedParam virDomainThreadSchedParam; typedef struct _virDomainThreadSchedParam virDomainThreadSchedParam;
typedef struct _virDomainTimerCatchupDef virDomainTimerCatchupDef; typedef struct _virDomainTimerCatchupDef virDomainTimerCatchupDef;

64
src/qemu/qemu_tpm.c
View File

@ -368,33 +368,26 @@ qemuTPMGetSwtpmSetupStateArg(const virDomainTPMSourceType source_type,
/* /*
* qemuTPMEmulatorRunSetup * qemuTPMEmulatorRunSetup
* *
* @source_type: type of storage * @emulator: emulator parameters
* @source_path: path to the directory for TPM state
* @vmname: the name of the VM * @vmname: the name of the VM
* @vmuuid: the UUID of the VM * @vmuuid: the UUID of the VM
* @privileged: whether we are running in privileged mode * @privileged: whether we are running in privileged mode
* @swtpm_user: The userid to switch to when setting up the TPM; * @swtpm_user: The userid to switch to when setting up the TPM;
* typically this should be the uid of 'tss' or 'root' * typically this should be the uid of 'tss' or 'root'
* @swtpm_group: The group id to switch to * @swtpm_group: The group id to switch to
* @logfile: The file to write the log into; it must be writable * @secretuuid: UUID describing virStorageEncryption holding secret
* for the user given by userid or 'tss'
* @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
* @encryption: pointer to virStorageEncryption holding secret
* @incomingMigration: whether we have an incoming migration * @incomingMigration: whether we have an incoming migration
* *
* Setup the external swtpm by creating endorsement key and * Setup the external swtpm by creating endorsement key and
* certificates for it. * certificates for it.
*/ */
static int static int
qemuTPMEmulatorRunSetup(const virDomainTPMSourceType source_type, qemuTPMEmulatorRunSetup(const virDomainTPMEmulatorDef *emulator,
const char *source_path,
const char *vmname, const char *vmname,
const unsigned char *vmuuid, const unsigned char *vmuuid,
bool privileged, bool privileged,
uid_t swtpm_user, uid_t swtpm_user,
gid_t swtpm_group, gid_t swtpm_group,
const char *logfile,
const virDomainTPMVersion tpmversion,
const unsigned char *secretuuid, const unsigned char *secretuuid,
bool incomingMigration) bool incomingMigration)
{ {
@ -403,14 +396,15 @@ qemuTPMEmulatorRunSetup(const virDomainTPMSourceType source_type,
char uuid[VIR_UUID_STRING_BUFLEN]; char uuid[VIR_UUID_STRING_BUFLEN];
g_autofree char *vmid = NULL; g_autofree char *vmid = NULL;
g_autofree char *swtpm_setup = virTPMGetSwtpmSetup(); g_autofree char *swtpm_setup = virTPMGetSwtpmSetup();
g_autofree char *tpm_state = qemuTPMGetSwtpmSetupStateArg(source_type, source_path); g_autofree char *tpm_state = qemuTPMGetSwtpmSetupStateArg(emulator->source_type,
emulator->source_path);
if (!swtpm_setup) if (!swtpm_setup)
return -1; return -1;
if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2 && if (!privileged && emulator->version == VIR_DOMAIN_TPM_VERSION_1_2 &&
!virTPMSwtpmSetupCapsGet(VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) { !virTPMSwtpmSetupCapsGet(VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) {
return virFileWriteStr(logfile, return virFileWriteStr(emulator->logfile,
_("Did not create EK and certificates since this requires privileged mode for a TPM 1.2\n"), 0600); _("Did not create EK and certificates since this requires privileged mode for a TPM 1.2\n"), 0600);
} }
@ -425,7 +419,7 @@ qemuTPMEmulatorRunSetup(const virDomainTPMSourceType source_type,
virCommandSetUID(cmd, swtpm_user); virCommandSetUID(cmd, swtpm_user);
virCommandSetGID(cmd, swtpm_group); virCommandSetGID(cmd, swtpm_group);
switch (tpmversion) { switch (emulator->version) {
case VIR_DOMAIN_TPM_VERSION_1_2: case VIR_DOMAIN_TPM_VERSION_1_2:
break; break;
case VIR_DOMAIN_TPM_VERSION_2_0: case VIR_DOMAIN_TPM_VERSION_2_0:
@ -443,7 +437,7 @@ qemuTPMEmulatorRunSetup(const virDomainTPMSourceType source_type,
virCommandAddArgList(cmd, virCommandAddArgList(cmd,
"--tpm-state", tpm_state, "--tpm-state", tpm_state,
"--vmid", vmid, "--vmid", vmid,
"--logfile", logfile, "--logfile", emulator->logfile,
"--createek", "--createek",
"--create-ek-cert", "--create-ek-cert",
"--create-platform-cert", "--create-platform-cert",
@ -453,7 +447,7 @@ qemuTPMEmulatorRunSetup(const virDomainTPMSourceType source_type,
} else { } else {
virCommandAddArgList(cmd, virCommandAddArgList(cmd,
"--tpm-state", tpm_state, "--tpm-state", tpm_state,
"--logfile", logfile, "--logfile", emulator->logfile,
"--overwrite", "--overwrite",
NULL); NULL);
} }
@ -463,7 +457,7 @@ qemuTPMEmulatorRunSetup(const virDomainTPMSourceType source_type,
if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) { if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
_("Could not run '%1$s'. exitstatus: %2$d; Check error log '%3$s' for details."), _("Could not run '%1$s'. exitstatus: %2$d; Check error log '%3$s' for details."),
swtpm_setup, exitstatus, logfile); swtpm_setup, exitstatus, emulator->logfile);
return -1; return -1;
} }
@ -492,41 +486,32 @@ qemuTPMPcrBankBitmapToStr(virBitmap *activePcrBanks)
/* /*
* qemuTPMEmulatorReconfigure * qemuTPMEmulatorReconfigure
* *
* * @emulator: emulator parameters
* @source_type: type of storage
* @source_path: path to the directory for TPM state
* @swtpm_user: The userid to switch to when setting up the TPM; * @swtpm_user: The userid to switch to when setting up the TPM;
* typically this should be the uid of 'tss' or 'root' * typically this should be the uid of 'tss' or 'root'
* @swtpm_group: The group id to switch to * @swtpm_group: The group id to switch to
* @activePcrBanks: The string describing the active PCR banks
* @logfile: The file to write the log into; it must be writable
* for the user given by userid or 'tss'
* @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
* @secretuuid: The secret's UUID needed for state encryption * @secretuuid: The secret's UUID needed for state encryption
* *
* Reconfigure the active PCR banks of a TPM 2. * Reconfigure the active PCR banks of a TPM 2.
*/ */
static int static int
qemuTPMEmulatorReconfigure(const virDomainTPMSourceType source_type, qemuTPMEmulatorReconfigure(const virDomainTPMEmulatorDef *emulator,
const char *source_path,
uid_t swtpm_user, uid_t swtpm_user,
gid_t swtpm_group, gid_t swtpm_group,
virBitmap *activePcrBanks,
const char *logfile,
const virDomainTPMVersion tpmversion,
const unsigned char *secretuuid) const unsigned char *secretuuid)
{ {
g_autoptr(virCommand) cmd = NULL; g_autoptr(virCommand) cmd = NULL;
int exitstatus; int exitstatus;
g_autofree char *activePcrBanksStr = NULL; g_autofree char *activePcrBanksStr = NULL;
g_autofree char *swtpm_setup = virTPMGetSwtpmSetup(); g_autofree char *swtpm_setup = virTPMGetSwtpmSetup();
g_autofree char *tpm_state = qemuTPMGetSwtpmSetupStateArg(source_type, source_path); g_autofree char *tpm_state = qemuTPMGetSwtpmSetupStateArg(emulator->source_type,
emulator->source_path);
if (!swtpm_setup) if (!swtpm_setup)
return -1; return -1;
if (tpmversion != VIR_DOMAIN_TPM_VERSION_2_0 || if (emulator->version != VIR_DOMAIN_TPM_VERSION_2_0 ||
(activePcrBanksStr = qemuTPMPcrBankBitmapToStr(activePcrBanks)) == NULL || (activePcrBanksStr = qemuTPMPcrBankBitmapToStr(emulator->activePcrBanks)) == NULL ||
!virTPMSwtpmSetupCapsGet(VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_RECONFIGURE_PCR_BANKS)) !virTPMSwtpmSetupCapsGet(VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_RECONFIGURE_PCR_BANKS))
return 0; return 0;
@ -542,7 +527,7 @@ qemuTPMEmulatorReconfigure(const virDomainTPMSourceType source_type,
virCommandAddArgList(cmd, virCommandAddArgList(cmd,
"--tpm-state", tpm_state, "--tpm-state", tpm_state,
"--logfile", logfile, "--logfile", emulator->logfile,
"--pcr-banks", activePcrBanksStr, "--pcr-banks", activePcrBanksStr,
"--reconfigure", "--reconfigure",
NULL); NULL);
@ -552,7 +537,7 @@ qemuTPMEmulatorReconfigure(const virDomainTPMSourceType source_type,
if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) { if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
_("Could not run '%1$s --reconfigure'. exitstatus: %2$d; Check error log '%3$s' for details."), _("Could not run '%1$s --reconfigure'. exitstatus: %2$d; Check error log '%3$s' for details."),
swtpm_setup, exitstatus, logfile); swtpm_setup, exitstatus, emulator->logfile);
return -1; return -1;
} }
@ -628,21 +613,14 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
secretuuid = tpm->data.emulator.secretuuid; secretuuid = tpm->data.emulator.secretuuid;
if (run_setup && if (run_setup &&
qemuTPMEmulatorRunSetup(tpm->data.emulator.source_type, qemuTPMEmulatorRunSetup(&tpm->data.emulator, vmname, vmuuid,
tpm->data.emulator.source_path, vmname, vmuuid,
privileged, swtpm_user, swtpm_group, privileged, swtpm_user, swtpm_group,
tpm->data.emulator.logfile,
tpm->data.emulator.version,
secretuuid, incomingMigration) < 0) secretuuid, incomingMigration) < 0)
goto error; goto error;
if (!incomingMigration && if (!incomingMigration &&
qemuTPMEmulatorReconfigure(tpm->data.emulator.source_type, qemuTPMEmulatorReconfigure(&tpm->data.emulator,
tpm->data.emulator.source_path,
swtpm_user, swtpm_group, swtpm_user, swtpm_group,
tpm->data.emulator.activePcrBanks,
tpm->data.emulator.logfile,
tpm->data.emulator.version,
secretuuid) < 0) secretuuid) < 0)
goto error; goto error;