Signed-off-by: Lin Ma
---
docs/news.xml | 9 +
1 file changed, 9 insertions(+)
diff --git a/docs/news.xml b/docs/news.xml
index 76d1613d35..693d4a373b 100644
--- a/docs/news.xml
+++ b/docs/news.xml
@@ -84,6 +84,15 @@
and ich9 sound devices.
+
https://bugzilla.redhat.com/show_bug.cgi?id=1560946
Following the model of the Logical backend, use qemu-img on
the created device to set up for LUKS encryption.
Signed-off-by: John Ferlan
---
works much better with the settle patch applied from:
On 05/17/2018 08:40 AM, Daniel P. Berrangé wrote:
There is a race condition when spawning QEMU where libvirt has spawned
QEMU but the monitor socket is not yet open. Libvirt has to repeatedly
try to connect() to QEMU's monitor until eventually it succeeds, or
times out. We use kill() to check if
On 05/24/2018 04:27 AM, Ian Jackson wrote:
Ian Jackson writes ("Likely build race, "/usr/bin/ld: cannot find -lvirt""):
tl;dr:
I think there is a bug in libvirt's build system which, with
low probability, causes a build failure containing this message:
/usr/bin/ld: cannot find -lvirt
On 05/24/2018 04:26 PM, Stefan Berger wrote:
This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.
Both, QEMU and swtpm, use this AppArmor profile.
Signed-off-by: Stefan Berger
Cc: Christian
Extend the existing auditing with auditing for the TPM emulator.
Signed-off-by: Stefan Berger
---
docs/auditlog.html.in | 2 +-
src/conf/domain_audit.c | 16 +---
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/docs/auditlog.html.in
This patch adds support for an external swtpm TPM emulator. The XML for
this type of TPM looks as follows:
The XML will currently only start a TPM 1.2.
Upon first start, libvirt will run `swtpm_setup`, which will simulate the
manufacturing of a TPM and create certificates for it and
TPM 1.2 does not support a CRB interface but only TIS. So, in
this case we need to alert the user and request a change to the
XML rather than silently overwriting it.
Signed-off-by: Stefan Berger
---
src/conf/domain_conf.c | 15 ---
src/qemu/qemu_domain.c
This patch extends the TPM's device XML with TPM 2 support. This only works
for the emulator type backend and looks as follows:
The swtpm process now has --tpm2 as an additional parameter:
system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ?
Rs
Add the external swtpm to the emulator cgroup so that upper limits of CPU
usage can be enforced on the emulated TPM.
To enable this we need to have the swtpm write its process id (pid) into a
file. We then read it from the file to configure the emulator cgroup.
The PID file is created in
swtpm_setup can be run for a TPM 2 in unprivileged mode assuming
XDG_CONFIG_HOME has been set and the necessary configuration files
have been put into that directory.
For current reference also see this link:
https://github.com/stefanberger/swtpm/pull/63
Signed-off-by: Stefan Berger
Signed-off-by: Stefan Berger
---
docs/news.xml | 13 +
1 file changed, 13 insertions(+)
diff --git a/docs/news.xml b/docs/news.xml
index 76d1613d35..88570a 100644
--- a/docs/news.xml
+++ b/docs/news.xml
@@ -33,6 +33,19 @@
-->
+
+
+
This series of patches adds support for the TPM emulator backend that
is available in QEMU and based on swtpm + libtpms. It allows to attach a
TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
process, its Unix socket, and log file with the same label that the
QEMU process
Fix the resrc field for the TPM passthrough case to show tpm.
This fixes the code to follow the documentation.
Signed-off-by: Stefan Berger
---
src/conf/domain_audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf/domain_audit.c
Signed-off-by: Stefan Berger
---
src/conf/domain_conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 0b244b2eac..2a7be083f9 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@
Extend qemu_conf with user and group for running the tpm-emulator
and add directories to the configuration for the locations of the
log, state, and socket of the tpm-emulator.
Also add these new directories to the QEMU Makefile.inc.am and
the RPM spec file libvirt.spec.in.
Signed-off-by: Stefan
This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.
Both, QEMU and swtpm, use this AppArmor profile.
Signed-off-by: Stefan Berger
Cc: Christian Ehrhardt
---
Extend the DAC and SELinux modules with support for the tpm-emulator.
We label the Unix socket that QEMU connects to after starting swtpm
with DAC and SELinux labels. We do not have to restore the labels in
this case since the tpm-emulator will remove the Unix socket when it
terminates.
This patch adds support for an external swtpm TPM emulator. The XML for
this type of TPM looks as follows:
The XML will currently only define a TPM 1.2.
Extend the documentation.
Add a test case testing the XML parser and formatter.
Signed-off-by: Stefan Berger
In this patch we label the swtpm process with SELinux labels. We give it the
same label as the QEMU process has. We label its state directory and files
as well. We restore the old security labels once the swtpm has terminated.
The file and process labels now look as follows:
Directory:
Implement functions for managing the storage of the external swtpm as well
as starting and stopping it. Also implement functions to use swtpm_setup,
which simulates the manufacturing of a TPM, which includes creation of
certificates for the device.
Further, the external TPM needs storage on the
Extend the QEMU capabilities with tpm-emulator support.
Signed-off-by: Stefan Berger
Reviewed-by: John Ferlan
---
src/qemu/qemu_capabilities.c | 5 +
src/qemu/qemu_capabilities.h | 1 +
This patch adds extensions to existing test cases and specific test cases
for the tpm-emulator.
Signed-off-by: Stefan Berger
Reviewed-by: John Ferlan
---
.../tpm-emulator.x86_64-latest.args| 33 ++
Implement virFileChownFiles() which changes file ownership of all
files in a given directory.
Signed-off-by: Stefan Berger
Reviewed-by: John Ferlan
---
src/libvirt_private.syms | 1 +
src/util/virfile.c | 55
Remove the locks since they are unnecessary and would cause
a hang for a driver reload/restart when a transient pool was
previously active as a result of the call:
virStoragePoolUpdateInactive:
...
if (!virStoragePoolObjGetConfigFile(obj)) {
virStoragePoolObjRemove(driver->pools,
On Wed, May 23, 2018 at 06:23:01PM +0200, Peter Krempa wrote:
> On Wed, May 23, 2018 at 18:05:17 +0200, Pavel Hrdina wrote:
>
> [...]
>
> > I liked the way how GLib is solving the issue so we can simply use the
> > same approach since it looks reasonable.
> >
> > There would be three different
On Thu, May 24, 2018 at 11:16:40PM +0530, Sukrit Bhatnagar wrote:
> On 23 May 2018 at 21:35, Pavel Hrdina wrote:
> > On Sun, Mar 25, 2018 at 01:55:07AM +0530, Sukrit Bhatnagar wrote:
> >> Hi,
> >>
> >> I am interested in implementing the GCC cleanup attribute for automatic
>
On Wed, May 23, 2018 at 05:53:34PM +0200, Markus Armbruster wrote:
> Eduardo Habkost writes:
>
> > On Wed, May 23, 2018 at 11:17:55AM +0200, Markus Armbruster wrote:
> >> Eduardo Habkost writes:
> >> > On Mon, May 21, 2018 at 04:46:36PM -0300, Daniel
On 23 May 2018 at 21:35, Pavel Hrdina wrote:
> On Sun, Mar 25, 2018 at 01:55:07AM +0530, Sukrit Bhatnagar wrote:
>> Hi,
>>
>> I am interested in implementing the GCC cleanup attribute for automatic
>> resource freeing as part of GSoC'18. I have shared a proposal for the same.
On 05/24/18 18:23, Paolo Bonzini wrote:
> On 24/05/2018 18:21, Laszlo Ersek wrote:
>> On 05/15/18 11:49, Gerd Hoffmann wrote:
>>> On Wed, May 09, 2018 at 05:26:08PM +0200, Laszlo Ersek wrote:
Add a schema that describes the different uses and properties of virtual
machine firmware.
On 05/16/2018 04:39 AM, Jiri Denemark wrote:
> This command is a virsh wrapper for virConnectCompareHypervisorCPU.
>
> Signed-off-by: Jiri Denemark
> ---
> tools/virsh-host.c | 113 +
> tools/virsh.pod| 29 +++-
> 2
On Thu, 24 May 2018 14:24:32 +0200
Xiao Feng Ren wrote:
> From: Yi Min Zhao
>
> This commit adds hotplug support for PCI devices on S390 guests.
> There's no need to implement hot unplug for zPCI as QEMU implements
> an unplug callback which
On Thu, May 24, 2018 at 05:22:07PM +0200, Peter Krempa wrote:
Rather than a lot of checks use a switch statement. This optimizes the
code as if one device is matched the rest will certainly not match.
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 77
On 05/15/18 11:49, Gerd Hoffmann wrote:
> On Wed, May 09, 2018 at 05:26:08PM +0200, Laszlo Ersek wrote:
>> Add a schema that describes the different uses and properties of virtual
>> machine firmware.
>>
>> Each firmware executable installed on a host system should come with at
>> least one JSON
On 24/05/2018 18:21, Laszlo Ersek wrote:
> On 05/15/18 11:49, Gerd Hoffmann wrote:
>> On Wed, May 09, 2018 at 05:26:08PM +0200, Laszlo Ersek wrote:
>>> Add a schema that describes the different uses and properties of virtual
>>> machine firmware.
>>>
>>> Each firmware executable installed on a
On Thu, May 24, 2018 at 05:22:06PM +0200, Peter Krempa wrote:
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 27 +++
1 file changed, 19 insertions(+), 8 deletions(-)
Reviewed-by: Ján Tomko
Jano
On Thu, May 24, 2018 at 05:22:05PM +0200, Peter Krempa wrote:
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 40 +---
1 file changed, 25 insertions(+), 15 deletions(-)
Reviewed-by: Ján Tomko
Jano
On Thu, May 24, 2018 at 05:22:04PM +0200, Peter Krempa wrote:
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 24 ++--
1 file changed, 18 insertions(+), 6 deletions(-)
Reviewed-by: Ján Tomko
Jano
On Thu, May 24, 2018 at 05:22:03PM +0200, Peter Krempa wrote:
Later on, more stuff will be added so prevent the main function growing
out of control.
We wouldn't want it to become sentient.
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 77
Patch looks good, many thanks Eric.
Ramy
On Wed, May 9, 2018 at 12:58 PM, Erik Skultety wrote:
> On Sat, May 05, 2018 at 01:04:18PM +0100, ramyelkest wrote:
>> Changes from v1[1]:
>>
>> * removed virHasLastError() and s/virHasLastError/virGetLastErrorCode/g
>> * replaced in
https://bugzilla.redhat.com/show_bug.cgi?id=1400475
In order to avoid a possible error as a result of kernel interactions
with the partition helper, let's use virWaitForDevices to force things
to settle down before attempting to open and read the partition. This
is related to
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 40 +---
1 file changed, 25 insertions(+), 15 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index dbdd94de2f..e9a8b0c332 100644
---
Rather than a lot of checks use a switch statement. This optimizes the
code as if one device is matched the rest will certainly not match.
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 77 ++
1 file changed, 52
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 24 ++--
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index ab0a823f1e..dbdd94de2f 100644
--- a/src/qemu/qemu_domain.c
+++
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 27 +++
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index e9a8b0c332..a6b879aa76 100644
--- a/src/qemu/qemu_domain.c
+++
Later on, more stuff will be added so prevent the main function growing
out of control.
Signed-off-by: Peter Krempa
---
src/qemu/qemu_domain.c | 77 --
1 file changed, 43 insertions(+), 34 deletions(-)
diff --git
Main idea was to split the disk code since I'll be changing it later but
as I was at it I refactored everything.
Peter Krempa (5):
qemu: domain: Extract disk post parse code into a function
qemu: domain: Extract network device def post parse code
qemu: domain: Extract video device def post
On Wed, May 16, 2018 at 10:39:29AM +0200, Jiri Denemark wrote:
This command is a virsh wrapper for virConnectCompareHypervisorCPU.
Signed-off-by: Jiri Denemark
---
tools/virsh-host.c | 113 +
tools/virsh.pod| 29 +++-
On Wed, May 16, 2018 at 10:39:27AM +0200, Jiri Denemark wrote:
This new API compares the given CPU description with the CPU the
specified hypervisor is able to provide on the host. It is a more useful
version of virConnectCompareCPU, which compares the CPU definition with
the host CPU without
On Wed, May 16, 2018 at 10:39:28AM +0200, Jiri Denemark wrote:
Signed-off-by: Jiri Denemark
---
src/remote/remote_driver.c | 3 ++-
src/remote/remote_protocol.x | 21 -
src/remote_protocol-structs | 12
3 files changed, 34 insertions(+), 2
From: Yi Min Zhao
This patch introduces new XML parser/formatter functions. Uid is
16-bit and non-zero. Fid is 32-bit. They are added as two new
attributes of PCI address, and parsed/formatted along with PCI
address parser/formatter.
Signed-off-by: Yi Min Zhao
The PCI representation in QEMU has recently been extended for S390
allowing configuration of zPCI attributes like uid (user-defined
identifier) and fid (PCI function identifier).
The details can be found here:
https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg07262.html
To support the new
From: Yi Min Zhao
Signed-off-by: Yi Min Zhao
Reviewed-by: Boris Fiuczynski
Reviewed-by: Stefan Zimmermann
---
docs/news.xml | 11 +++
1 file changed, 11 insertions(+)
diff --git
From: Yi Min Zhao
Add new functions to generate zPCI command string and append it to
QEMU command line.
Signed-off-by: Yi Min Zhao
Reviewed-by: Boris Fiuczynski
Reviewed-by: Stefan Zimmermann
From: Yi Min Zhao
QEMU on s390 supports PCI multibus since forever. But zPCI, as extension
of PCI device on s390, is the significant capability. Only when zPCI
capability exists do we consider QEMU to support PCI multibus properly.
So let's enable PCI multibus only if zPCI
From: Yi Min Zhao
Update 'Device address' section to describe the 'uid' and 'fid'
attributes.
Signed-off-by: Yi Min Zhao
Reviewed-by: Boris Fiuczynski
Reviewed-by: Stefan Zimmermann
---
From: Yi Min Zhao
This patch adds new test cases for zPCI when 'uid' and 'fid'
are defined with different conditions in XML.
Signed-off-by: Yi Min Zhao
Reviewed-by: Boris Fiuczynski
Reviewed-by: Bjoern Walk
From: Yi Min Zhao
This patch adds new functions for reservation, assignment and release
to handle the uid/fid. If the uid/fid is defined in the domain XML,
they will be reserved directly in collecting phase. If any of them is
not defined, we will find out an available value
From: Yi Min Zhao
This commit adds hotplug support for PCI devices on S390 guests.
There's no need to implement hot unplug for zPCI as QEMU implements
an unplug callback which will unplug both PCI and zPCI device in a
cascaded way.
Currently, the following PCI devices are
From: Yi Min Zhao
Add zPCI definitions in preparation of extending the PCI address
with parameters uid (user-defined identifier) and fid (PCI function
identifier).
Signed-off-by: Yi Min Zhao
Reviewed-by: Boris Fiuczynski
From: Yi Min Zhao
Let's introduce zPCI capability.
Signed-off-by: Yi Min Zhao
Reviewed-by: Boris Fiuczynski
Reviewed-by: Stefan Zimmermann
Reviewed-by: Bjoern Walk
---
From: Yi Min Zhao
The pci-root depends on zpci capability. So autogenerate pci-root if
zpci exists.
Signed-off-by: Yi Min Zhao
Reviewed-by: Boris Fiuczynski
Reviewed-by: Stefan Zimmermann
Reviewed-by:
From: Yi Min Zhao
This patch provides a caching mechanism for the device address
extensions uid and fid on S390. For efficient sparse address allocation,
we introduce two hash tables for uid/fid which hold the address set
information per domain. Also in order to improve
From: Yi Min Zhao
This patch introduces a new attribute PCI address extension flag
to deal with the extension PCI attributes such as 'uid' and 'fid'
on the S390 platform.
Signed-off-by: Yi Min Zhao
Reviewed-by: Boris Fiuczynski
On Wed, May 16, 2018 at 10:39:26AM +0200, Jiri Denemark wrote:
virConnectGetDomainCapabilities needs to lookup QEMU capabilities
matching a specified binary, architecture, virt type, and machine type
while using default values when any of the parameters are not provided
by the user. Let's
On 05/24/2018 11:04 AM, Roland Schulz wrote:
> Signed-off-by: Roland Schulz
> ---
> tools/virsh-completer.c | 58 +
> tools/virsh-completer.h | 3 +++
> tools/virsh-host.c | 3 +++
> 3 files changed, 64 insertions(+)
I'm
On 05/24/2018 11:04 AM, Roland Schulz wrote:
> Signed-off-by: Roland Schulz
> ---
> tools/virsh-completer.c | 4 ++--
> tools/virsh-completer.h | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
ACKed and pushed.
Michal
--
libvir-list mailing list
On Wed, May 16, 2018 at 10:39:25AM +0200, Jiri Denemark wrote:
The domain capabilities XML contains host CPU model tailored to a
specific hypervisor and since it's enclosed in
element rather than the required it's impossible to directly use
the host CPU model as an input to, e.g., cpu-compare
On Wed, May 16, 2018 at 10:39:24AM +0200, Jiri Denemark wrote:
Signed-off-by: Jiri Denemark
---
src/libvirt-host.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/libvirt-host.c b/src/libvirt-host.c
index 76087badd8..ed689b9ec2 100644
---
On Wed, May 16, 2018 at 10:39:23AM +0200, Jiri Denemark wrote:
Signed-off-by: Jiri Denemark
---
tools/virsh.pod | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/tools/virsh.pod b/tools/virsh.pod
index 5f72e11dec..5fc8201893 100644
---
On 05/24/2018 09:21 AM, John Ferlan wrote:
On 05/24/2018 09:02 AM, Stefan Berger wrote:
This series of patches adds support for the TPM emulator backend that
is available in QEMU and based on swtpm + libtpms. It allows to attach a
TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling
On Wed, May 16, 2018 at 10:39:22AM +0200, Jiri Denemark wrote:
Signed-off-by: Jiri Denemark
---
tools/virsh.pod | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Reviewed-by: Ján Tomko
Jano
On Wed, May 16, 2018 at 10:39:21AM +0200, Jiri Denemark wrote:
Both cpu-compare and cpu-baseline commands accept more than just CPU
definition XML(s). For users' convenience they are able to extract the
CPU definition(s) even from domain XML or capabilities XML. The main
differences between the
On 05/24/2018 03:51 PM, Michal Privoznik wrote:
> On 05/23/2018 04:08 PM, Roland Schulz wrote:
>> ---
>> tools/virsh-completer.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> This patch is missing SoB line. I cannot push this patch without it. Can
> you please confirm here
On 05/23/2018 04:08 PM, Roland Schulz wrote:
> ---
> tools/virsh-completer.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
This patch is missing SoB line. I cannot push this patch without it. Can
you please confirm here that I can add it there (funny, because your
other patches
On 05/24/2018 03:11 PM, Roland Schulz wrote:
> Signed-off-by: Roland Schulz
> ---
> For the time being virshAllocpagesPagesizeCompleter can be used with
> other commands that use --pagesize option.
>
> tools/virsh-host.c | 1 +
> 1 file changed, 1 insertion(+)
ACKed and
On 05/23/2018 08:32 AM, Lin Ma wrote:
> Signed-off-by: Lin Ma
> ---
> tools/virsh-completer.c | 31 +++
> tools/virsh-completer.h | 3 +++
> tools/virsh-domain.c| 1 +
> 3 files changed, 35 insertions(+)
>
> diff --git a/tools/virsh-completer.c
On 05/23/2018 08:32 AM, Lin Ma wrote:
> v2 -> v3:
> Most of the patches in the original v2 patchset were pushed, only 2 patches are left,
> so create a new patchset including the 2 patches and 6 new completion
> patches which are about secret-event, pool-event and nodedev-event.
>
> (Borrowed code & idea
On Wed, May 16, 2018 at 10:39:20AM +0200, Jiri Denemark wrote:
Similarly to cpu-models these two commands do not operate on a domain
and should be listed in the "Host and Hypervisor" commands section.
Signed-off-by: Jiri Denemark
---
tools/virsh-domain.c | 223
On 05/23/2018 08:32 AM, Lin Ma wrote:
> The next patch will use it in virsh-completer.c for returning the strings
> of domain event name.
>
> Signed-off-by: Lin Ma
> ---
> tools/virsh-domain.c | 8 +---
> tools/virsh-domain.h | 8
> 2 files changed, 9 insertions(+),
On 05/23/2018 08:32 AM, Lin Ma wrote:
> The next patch will use it in virsh-completer.c for returning the name
> list of secret events.
>
> The patch code was originally authored by Michal Privoznik, please refer to
> https://www.redhat.com/archives/libvir-list/2018-May/msg01022.html
>
> I split
On 05/24/2018 09:02 AM, Stefan Berger wrote:
> This series of patches adds support for the TPM emulator backend that
> is available in QEMU and based on swtpm + libtpms. It allows to attach a
> TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
> process, its Unix socket,
Signed-off-by: Roland Schulz
---
For the time being virshAllocpagesPagesizeCompleter can be used with
other commands that use --pagesize option.
tools/virsh-host.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/virsh-host.c b/tools/virsh-host.c
index
This patch extends the TPM's device XML with TPM 2 support. This only works
for the emulator type backend and looks as follows:
The swtpm process now has --tpm2 as an additional parameter:
system_u:system_r:svirt_t:s0:c597,c632 tss 18477 11.8 0.0 28364 3868 ?
Rs
On Thu, May 24, 2018 at 07:22:30AM -0400, Stefan Berger wrote:
On 05/24/2018 03:08 AM, Ján Tomko wrote:
On Wed, May 23, 2018 at 02:33:08PM -0400, Stefan Berger wrote:
swtpm doesn't have all the bells and whistles of QEMU that we would have
a JSON interface to query the features from.
With
Add the external swtpm to the emulator cgroup so that upper limits of CPU
usage can be enforced on the emulated TPM.
To enable this we need to have the swtpm write its process id (pid) into a
file. We then read it from the file to configure the emulator cgroup.
The PID file is created in
This series of patches adds support for the TPM emulator backend that
is available in QEMU and based on swtpm + libtpms. It allows to attach a
TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm
process, its Unix socket, and log file with the same label that the
QEMU process
Extend the QEMU capabilities with tpm-emulator support.
Signed-off-by: Stefan Berger
Reviewed-by: John Ferlan
---
src/qemu/qemu_capabilities.c | 5 +
src/qemu/qemu_capabilities.h | 1 +
Implement functions for managing the storage of the external swtpm as well
as starting and stopping it. Also implement functions to use swtpm_setup,
which simulates the manufacturing of a TPM, which includes creation of
certificates for the device.
Further, the external TPM needs storage on the
On Thu, May 24, 2018 at 02:17:13PM +0200, Marc Hartmayer wrote:
On Tue, May 22, 2018 at 10:44 PM +0200, Stefan Berger
wrote:
This patch extends the TPM's device XML with TPM 2 support. This only works
for the emulator type backend and looks as follows:
This patch adds extensions to existing test cases and specific test cases
for the tpm-emulator.
Signed-off-by: Stefan Berger
Reviewed-by: John Ferlan
---
.../tpm-emulator.x86_64-latest.args| 33 ++
Extend qemu_conf with user and group for running the tpm-emulator
and add directories to the configuration for the locations of the
log, state, and socket of the tpm-emulator.
Also add these new directories to the QEMU Makefile.inc.am and
the RPM spec file libvirt.spec.in.
Signed-off-by: Stefan
In this patch we label the swtpm process with SELinux labels. We give it the
same label as the QEMU process has. We label its state directory and files
as well. We restore the old security labels once the swtpm has terminated.
The file and process labels now look as follows:
Directory:
Extend the DAC and SELinux modules with support for the tpm-emulator.
We label the Unix socket that QEMU connects to after starting swtpm
with DAC and SELinux labels. We do not have to restore the labels in
this case since the tpm-emulator will remove the Unix socket when it
terminates.
Signed-off-by: Stefan Berger
---
docs/news.xml | 9 +
1 file changed, 9 insertions(+)
diff --git a/docs/news.xml b/docs/news.xml
index 76d1613d35..7c401e42de 100644
--- a/docs/news.xml
+++ b/docs/news.xml
@@ -64,6 +64,15 @@
TLS environment which is
This patch adds support for an external swtpm TPM emulator. The XML for
this type of TPM looks as follows:
The XML will currently only start a TPM 1.2.
Upon first start, libvirt will run `swtpm_setup`, which will simulate the
manufacturing of a TPM and create certificates for it and
This patch adds support for an external swtpm TPM emulator. The XML for
this type of TPM looks as follows:
The XML will currently only define a TPM 1.2.
Extend the documentation.
Add a test case testing the XML parser and formatter.
Signed-off-by: Stefan Berger
Implement virFileChownFiles() which changes file ownership of all
files in a given directory.
Signed-off-by: Stefan Berger
Reviewed-by: John Ferlan
---
src/libvirt_private.syms | 1 +
src/util/virfile.c | 55
On Thu, May 24, 2018 at 12:39:08PM +0200, Ján Tomko wrote:
v1:
https://www.redhat.com/archives/libvir-list/2018-May/msg01517.html
v2:
* use instead of
* use for the guest address
* add attribute and auto-assign the guest CID
* fixed PCI address allocation
On 05/24/2018 08:17 AM, Marc Hartmayer wrote:
On Tue, May 22, 2018 at 10:44 PM +0200, Stefan Berger
wrote:
This patch extends the TPM's device XML with TPM 2 support. This only works
for the emulator type backend and looks as follows:
The