From 90c40d3b9c74d99c0fd7ebfc588e673c4e994143 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 13 Nov 2024 12:39:46 -0500
Subject: [PATCH] conf: Add support for profile parameter on TPM emulator in
 domain XML

Extend the parser and XML builder with support for the profile parameter
and its remove_disabled attribute.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/conf/domain_conf.c                        | 36 +++++++++++++++++
 src/conf/domain_conf.h                        |  4 ++
 src/conf/domain_validate.c                    |  7 ++++
 ...pm-emulator-crb-profile.x86_64-latest.args | 36 +++++++++++++++++
 ...tpm-emulator-crb-profile.x86_64-latest.xml |  1 +
 .../tpm-emulator-crb-profile.xml              | 40 +++++++++++++++++++
 tests/qemuxmlconftest.c                       |  1 +
 7 files changed, 125 insertions(+)
 create mode 100644 tests/qemuxmlconfdata/tpm-emulator-crb-profile.x86_64-latest.args
 create mode 120000 tests/qemuxmlconfdata/tpm-emulator-crb-profile.x86_64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/tpm-emulator-crb-profile.xml

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 0885403671..bec44eece1 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -3478,6 +3478,7 @@ void virDomainTPMDefFree(virDomainTPMDef *def)
         g_free(def->data.emulator.source_path);
         g_free(def->data.emulator.logfile);
         virBitmapFree(def->data.emulator.activePcrBanks);
+        g_free(def->data.emulator.profile.source);
         break;
     case VIR_DOMAIN_TPM_TYPE_EXTERNAL:
         virObjectUnref(def->data.external.source);
@@ -10786,6 +10787,15 @@ virDomainSmartcardDefParseXML(virDomainXMLOption *xmlopt,
  * <tpm model='tpm-tis'>
  *   <backend type='emulator' version='2.0' persistent_state='yes'>
  * </tpm>
+ *
+ * A profile for a TPM 2.0 can be added like this:
+ *
+ * <tpm model='tpm-crb'>
+ *   <backend type='emulator' version='2.0'>
+ *     <profile source='local:restricted' removeDisabled='check'/>
+ *   </backend>
+ * </tpm>
+ *
  */
 static virDomainTPMDef *
 virDomainTPMDefParseXML(virDomainXMLOption *xmlopt,
@@ -10805,6 +10815,7 @@ virDomainTPMDefParseXML(virDomainXMLOption *xmlopt,
     g_autofree xmlNodePtr *backends = NULL;
     g_autofree xmlNodePtr *nodes = NULL;
     g_autofree char *type = NULL;
+    xmlNodePtr profile;
     int bank;
 
     if (!(def = virDomainTPMDefNew(xmlopt)))
@@ -10911,6 +10922,19 @@ virDomainTPMDefParseXML(virDomainXMLOption *xmlopt,
             }
             virBitmapSetBitExpand(def->data.emulator.activePcrBanks, bank);
         }
+
+        if ((profile = virXPathNode("./backend/profile[1]", ctxt))) {
+            def->data.emulator.profile.source = virXMLPropString(profile, "source");
+            if (!def->data.emulator.profile.source) {
+                virReportError(VIR_ERR_XML_ERROR, "%s", _("missing profile source"));
+                goto error;
+            }
+            if (virXMLPropEnum(profile, "removeDisabled",
+                               virDomainTPMProfileRemoveDisabledTypeFromString,
+                               VIR_XML_PROP_NONZERO,
+                               &def->data.emulator.profile.removeDisabled) < 0)
+                goto error;
+        }
         break;
     case VIR_DOMAIN_TPM_TYPE_EXTERNAL:
         if (!(type = virXPathString("string(./backend/source/@type)", ctxt))) {
@@ -25115,6 +25139,18 @@ virDomainTPMDefFormat(virBuffer *buf,
                               virDomainTPMSourceTypeTypeToString(def->data.emulator.source_type));
             virBufferEscapeString(&backendChildBuf, " path='%s'/>\n", def->data.emulator.source_path);
         }
+        if (def->data.emulator.profile.source) {
+            g_auto(virBuffer) profileAttrBuf = VIR_BUFFER_INITIALIZER;
+
+            virBufferAsprintf(&profileAttrBuf, " source='%s'",
+                              def->data.emulator.profile.source);
+            if (def->data.emulator.profile.removeDisabled) {
+               virBufferAsprintf(&profileAttrBuf, " removeDisabled='%s'",
+                                 virDomainTPMProfileRemoveDisabledTypeToString(def->data.emulator.profile.removeDisabled));
+            }
+
+            virXMLFormatElement(&backendChildBuf, "profile", &profileAttrBuf, NULL);
+        }
         break;
     case VIR_DOMAIN_TPM_TYPE_EXTERNAL:
         if (def->data.external.source->type == VIR_DOMAIN_CHR_TYPE_UNIX) {
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 4d60a4183c..5959e82262 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1492,6 +1492,10 @@ struct _virDomainTPMEmulatorDef {
     bool hassecretuuid;
     bool persistent_state;
     virBitmap *activePcrBanks;
+    struct {
+        char *source; /* 'source' profile was created from */
+        virDomainTPMProfileRemoveDisabled removeDisabled;
+    } profile;
 };
 
 struct _virDomainTPMDef {
diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index b8ae9ed79d..b352cd874a 100644
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -3026,6 +3026,13 @@ virDomainTPMDevValidate(const virDomainTPMDef *tpm)
                            virDomainTPMVersionTypeToString(VIR_DOMAIN_TPM_VERSION_2_0));
             return -1;
         }
+        if (tpm->data.emulator.profile.source &&
+            tpm->data.emulator.version != VIR_DOMAIN_TPM_VERSION_2_0) {
+            virReportError(VIR_ERR_XML_ERROR,
+                           _("<profile/> requires TPM version '%1$s'"),
+                           virDomainTPMVersionTypeToString(VIR_DOMAIN_TPM_VERSION_2_0));
+            return -1;
+        }
         break;
 
     case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
diff --git a/tests/qemuxmlconfdata/tpm-emulator-crb-profile.x86_64-latest.args b/tests/qemuxmlconfdata/tpm-emulator-crb-profile.x86_64-latest.args
new file mode 100644
index 0000000000..7e2fb83a98
--- /dev/null
+++ b/tests/qemuxmlconfdata/tpm-emulator-crb-profile.x86_64-latest.args
@@ -0,0 +1,36 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/var/lib/libvirt/qemu/domain--1-TPM-VM \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-TPM-VM/.local/share \
+XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-TPM-VM/.cache \
+XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-TPM-VM/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=TPM-VM,debug-threads=on \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-TPM-VM/master-key.aes"}' \
+-machine pc-i440fx-2.12,usb=off,dump-guest-core=off,memory-backend=pc.ram,acpi=on \
+-accel tcg \
+-cpu qemu64 \
+-m size=2097152k \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":2147483648}' \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 11d7cd22-da89-3094-6212-079a48a309a1 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot menu=on,strict=on \
+-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
+-chardev socket,id=chrtpm,path=/dev/test \
+-tpmdev emulator,id=tpm-tpm0,chardev=chrtpm \
+-device '{"driver":"tpm-crb","tpmdev":"tpm-tpm0","id":"tpm0"}' \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x2"}' \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxmlconfdata/tpm-emulator-crb-profile.x86_64-latest.xml b/tests/qemuxmlconfdata/tpm-emulator-crb-profile.x86_64-latest.xml
new file mode 120000
index 0000000000..e1e07991ee
--- /dev/null
+++ b/tests/qemuxmlconfdata/tpm-emulator-crb-profile.x86_64-latest.xml
@@ -0,0 +1 @@
+tpm-emulator-crb-profile.xml
\ No newline at end of file
diff --git a/tests/qemuxmlconfdata/tpm-emulator-crb-profile.xml b/tests/qemuxmlconfdata/tpm-emulator-crb-profile.xml
new file mode 100644
index 0000000000..b8473cd894
--- /dev/null
+++ b/tests/qemuxmlconfdata/tpm-emulator-crb-profile.xml
@@ -0,0 +1,40 @@
+<domain type='qemu'>
+  <name>TPM-VM</name>
+  <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid>
+  <memory unit='KiB'>2097152</memory>
+  <currentMemory unit='KiB'>512288</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type>
+    <boot dev='hd'/>
+    <bootmenu enable='yes'/>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <cpu mode='custom' match='exact' check='none'>
+    <model fallback='forbid'>qemu64</model>
+  </cpu>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <controller type='usb' index='0' model='piix3-uhci'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <tpm model='tpm-crb'>
+      <backend type='emulator' version='2.0'>
+        <profile source='local:restricted' removeDisabled='check'/>
+      </backend>
+    </tpm>
+    <audio id='1' type='none'/>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 58db12fee8..194a4b8553 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -2508,6 +2508,7 @@ mymain(void)
     DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-pstate");
     DO_TEST_CAPS_ARCH_LATEST_PARSE_ERROR("aarch64-tpm-wrong-model", "aarch64");
     DO_TEST_CAPS_LATEST("tpm-external");
+    DO_TEST_CAPS_LATEST("tpm-emulator-crb-profile");
 
     g_setenv(TEST_TPM_ENV_VAR, TPM_VER_2_0, true);
     DO_TEST_CAPS_LATEST_PARSE_ERROR("tpm-emulator");