On 04/06/2018 07:23 AM, Stefan Berger wrote:
On 04/06/2018 04:26 AM, Daniel P. Berrangé wrote:
On Thu, Apr 05, 2018 at 05:56:02PM -0400, Stefan Berger wrote:
This patch adds support for an external swtpm TPM emulator. The XML for
this type of TPM looks as follows:

  <tpm model='tpm-tis'>
    <backend type='emulator'/>
  </tpm>

The XML will currently only start a TPM 1.2.

Upon the first start, libvirt will run `swtpm_setup`, which will simulate the manufacturing of a TPM and create certificates for it and write them into the NVRAM location of the emulated TPM.

Then, libvirt will automatically start the swtpm TPM emulator using the `swtpm` executable.

Once the VM terminates, libvirt uses the `swtpm_ioctl` executable to gracefully shut down the `swtpm` in case it is still running (QEMU did not send shutdown) or clean up the socket file.

The above mentioned executables must be found in the PATH.

The executables can either be run as root or started as root and switch to the tss user. The requirement for the tss user comes through 'tcsd', which is used for the simulation of the manufacturing. Which user is used can be configured through qemu.conf.

The swtpm writes out state into files. The state is kept in /var/lib/libvirt/tpm:

[root@localhost libvirt]# ls -lZ | grep tpm
drwx--x--x. 7 root root unconfined_u:object_r:virt_var_lib_t:s0 4096 Apr 5 16:22 tpm

The directory /var/lib/libvirt/tpm maintains per-TPM state directories but also hosts the UnixIO socket of running swtpms, which QEMU uses for communicating with them. At this point only the socket file is labeled properly and made accessible for QEMU, which runs under the qemu user:
/var/lib is for persistent state while /var/run is for transient
state, so I think sockets should be under /var/run instead.

/var/run/libvirt/qemu then?

I now moved it into this neighborhood, which seems good due to the existing permissions:

# ls -lZ domain-1-testvm/
total 4
-rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612 32 Apr 6 09:55 master-key.aes
srwxrwxr-x. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612  0 Apr 6 09:55 monitor.sock
srw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c40,c612  0 Apr 6 09:55 swtpm.sock

    Stefan
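The thread settles on keeping the swtpm control socket next to monitor.sock in the domain's run directory, owned by the qemu user, mode 0600, and carrying the domain's own svirt_image_t label with its MCS category pair. As an added example that is not part of this thread or of libvirt's code, the Python below audits exactly those properties for one domain directory: it refuses a leftover regular file, a wrong owner, group/other permission bits, and (where SELinux xattrs are readable) a label that differs from monitor.sock. The directory it builds for the demo is a constructed temporary stand-in for /var/run/libvirt/qemu/domain-1-testvm; the names swtpm.sock and monitor.sock are taken from the listing above, and the uid check is an assumption about how the check would be configured (libvirt itself knows the qemu user from qemu.conf).

```python
import os
import socket
import stat
import tempfile

SOCK_NAME = "swtpm.sock"       # swtpm control socket name from the listing in the thread
MONITOR_NAME = "monitor.sock"  # QEMU monitor socket that already lives in the domain dir


def selinux_context(path):
    """Return the SELinux context stored in the security.selinux xattr, or None
    when the kernel or filesystem does not provide one (non-SELinux hosts)."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b"\0").decode(errors="replace")


def audit_swtpm_socket(domain_dir, expected_uid):
    """Check the swtpm control socket of one domain run directory.

    Returns a list of findings (an empty list means everything is as expected):
      * the path exists and is a UNIX socket, not a regular file left behind,
      * it is owned by the uid QEMU runs as,
      * its mode is 0600, so only that user can open the TPM control channel,
      * when SELinux labels are readable, the label equals the one on
        monitor.sock, i.e. the domain's own svirt category pair.
    """
    findings = []
    sock_path = os.path.join(domain_dir, SOCK_NAME)
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        return [f"{SOCK_NAME} missing"]

    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{SOCK_NAME} is not a UNIX socket")
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    perm = stat.S_IMODE(st.st_mode)
    if perm & 0o077:
        findings.append(f"mode {perm:04o} grants group/other access, expected 0600")

    sock_ctx = selinux_context(sock_path)
    mon_ctx = selinux_context(os.path.join(domain_dir, MONITOR_NAME))
    if sock_ctx is not None and mon_ctx is not None and sock_ctx != mon_ctx:
        findings.append(f"label {sock_ctx} differs from {MONITOR_NAME} label {mon_ctx}")
    return findings


def make_demo_domain_dir():
    """Constructed stand-in for /var/run/libvirt/qemu/domain-1-testvm: a temporary
    directory holding a real bound monitor.sock and swtpm.sock, both mode 0600."""
    domain_dir = tempfile.mkdtemp(prefix="domain-1-testvm-")
    for name in (MONITOR_NAME, SOCK_NAME):
        path = os.path.join(domain_dir, name)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)   # creates the socket inode; the file outlives the descriptor
        s.close()
        os.chmod(path, 0o600)
    return domain_dir


if __name__ == "__main__":
    demo = make_demo_domain_dir()
    print("clean:", audit_swtpm_socket(demo, os.getuid()) or "OK")
    os.chmod(os.path.join(demo, SOCK_NAME), 0o664)  # loosen it the way a bad umask would
    print("loosened:", audit_swtpm_socket(demo, os.getuid()))
```

Run on a live host it would be pointed at the real domain directory with the qemu user's uid; the label comparison deliberately uses monitor.sock as the reference rather than a hard-coded context string, so it also catches a socket that kept a generic label instead of the per-domain category pair.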

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
