tpm: Pass migration key passphrase via fd to swtpm
This patch now passes the passphrase as a migration key to swtpm. This now encrypts the state of the TPM while a VM is migrated between hosts or when suspended into a file. Since the migration key secret is the same as the state encryption secret, this now requires that the migration destination host has the same secret value. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
parent
5eeff28585
commit
a9d6f1c054
@ -584,6 +584,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
|
|||||||
char *pidfile;
|
char *pidfile;
|
||||||
VIR_AUTOFREE(char *) swtpm = virTPMGetSwtpm();
|
VIR_AUTOFREE(char *) swtpm = virTPMGetSwtpm();
|
||||||
VIR_AUTOCLOSE pwdfile_fd = -1;
|
VIR_AUTOCLOSE pwdfile_fd = -1;
|
||||||
|
VIR_AUTOCLOSE migpwdfile_fd = -1;
|
||||||
const unsigned char *secretuuid = NULL;
|
const unsigned char *secretuuid = NULL;
|
||||||
|
|
||||||
if (!swtpm)
|
if (!swtpm)
|
||||||
@ -653,6 +654,9 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
|
|||||||
|
|
||||||
pwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid, cmd);
|
pwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid, cmd);
|
||||||
if (pwdfile_fd)
|
if (pwdfile_fd)
|
||||||
|
migpwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid,
|
||||||
|
cmd);
|
||||||
|
if (pwdfile_fd < 0 || migpwdfile_fd < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
virCommandAddArg(cmd, "--key");
|
virCommandAddArg(cmd, "--key");
|
||||||
@ -660,6 +664,12 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
|
|||||||
pwdfile_fd);
|
pwdfile_fd);
|
||||||
virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
|
virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
|
||||||
pwdfile_fd = -1;
|
pwdfile_fd = -1;
|
||||||
|
|
||||||
|
virCommandAddArg(cmd, "--migration-key");
|
||||||
|
virCommandAddArgFormat(cmd, "pwdfd=%d,mode=aes-256-cbc",
|
||||||
|
migpwdfile_fd);
|
||||||
|
virCommandPassFD(cmd, migpwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
|
||||||
|
migpwdfile_fd = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
return cmd;
|
return cmd;
|
||||||
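Review bot: In the second hunk (@ -653) the context line `if (pwdfile_fd)` is left standing without its former `goto error` body, so it now guards the added `migpwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid, cmd);` statement: the migration-key descriptor is only set up when pwdfile_fd is non-zero, and when the first setup already failed with -1 the second call still runs. Whether a descriptor of 0 can actually reach this point is unclear from the hunk, but the new `if (pwdfile_fd < 0 || migpwdfile_fd < 0)` check makes the older condition redundant in every case, and the intended shape is almost certainly to delete the `if (pwdfile_fd)` line so both setup calls run unconditionally before the combined check. It is worth adding a one-line comment above the two calls, e.g. `/* both keys are derived from the same secret, so the migration destination must hold the same secret value */`, since the commit message states this requirement but nothing at the call site does. qemuTPMEmulatorBuildCommand begins before the first hunk and its `error:` cleanup path lies after the last one, so the fd handling on that path is not visible here.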
|