tpm: Run swtpm_setup with less parameters on incoming migration

In case of an incoming migration we do not need to run swtpm_setup
with all the parameters but only want to get the benefit of it
creating a TPM state file for us that we can then label with an
SELinux label. The actual state will be overwritten by the in-
coming state. So we have to pass an indicator for incomingMigration
all the way to the command line parameter generation for swtpm_setup.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c
index e576bca165fe20e7858bf959df8caea50029766e..af52466421272b457cee03e20852aca89fa91120 100644 (file)
--- a/src/qemu/qemu_extdevice.c
+++ b/src/qemu/qemu_extdevice.c
@@ -128,7 +128,8 @@ qemuExtDevicesCleanupHost(virQEMUDriverPtr driver,
 int
 qemuExtDevicesStart(virQEMUDriverPtr driver,
                     virDomainObjPtr vm,
-                    qemuDomainLogContextPtr logCtxt)
+                    qemuDomainLogContextPtr logCtxt,
+                    bool incomingMigration)
 {
     int ret = 0;
 
@@ -136,7 +137,7 @@ qemuExtDevicesStart(virQEMUDriverPtr driver,
         return -1;
 
     if (vm->def->tpm)
-        ret = qemuExtTPMStart(driver, vm, logCtxt);
+        ret = qemuExtTPMStart(driver, vm, logCtxt, incomingMigration);
 
     return ret;
 }

diff --git a/src/qemu/qemu_extdevice.h b/src/qemu/qemu_extdevice.h
index bbdb9a1cc29f3a491613d6002ce4a50be8a287c8..5a53c79f384bf24541e97be2fa0ad2d69bfd3409 100644 (file)
--- a/src/qemu/qemu_extdevice.h
+++ b/src/qemu/qemu_extdevice.h
@@ -40,7 +40,8 @@ void qemuExtDevicesCleanupHost(virQEMUDriverPtr driver,
 
 int qemuExtDevicesStart(virQEMUDriverPtr driver,
                         virDomainObjPtr vm,
-                        qemuDomainLogContextPtr logCtxt)
+                        qemuDomainLogContextPtr logCtxt,
+                        bool incomingMigration)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
     ATTRIBUTE_RETURN_CHECK;
 

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 53b8ff36f60615a77ca447eafb464c11499a7460..bbd3d9596a2ff5d5d5bf0963eefc5c2f70d1d753 100644 (file)
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6774,7 +6774,7 @@ qemuProcessLaunch(virConnectPtr conn,
     if (qemuProcessGenID(vm, flags) < 0)
         goto cleanup;
 
-    if (qemuExtDevicesStart(driver, vm, logCtxt) < 0)
+    if (qemuExtDevicesStart(driver, vm, logCtxt, incoming != NULL) < 0)
         goto cleanup;
 
     VIR_DEBUG("Building emulator command line");

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 66d3fde160379fa919c798ef227b05a98d56d5e0..98fe8a38b4278f6a5985ea617d08541e2c972ac1 100644 (file)
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -453,6 +453,7 @@ qemuTPMSetupEncryption(const unsigned char *secretuuid,
  *           for the user given by userid or 'tss'
  * @tpmversion: The version of the TPM, either a TPM 1.2 or TPM 2
  * @encryption: pointer to virStorageEncryption holding secret
+ * @incomingMigration: whether we have an incoming migration
  *
  * Setup the external swtpm by creating endorsement key and
  * certificates for it.
@@ -466,7 +467,8 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
                         gid_t swtpm_group,
                         const char *logfile,
                         const virDomainTPMVersion tpmversion,
-                        const unsigned char *secretuuid)
+                        const unsigned char *secretuuid,
+                        bool incomingMigration)
 {
     virCommandPtr cmd = NULL;
     int exitstatus;
@@ -525,16 +527,23 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
         pwdfile_fd = -1;
     }
 
-    virCommandAddArgList(cmd,
-                         "--tpm-state", storagepath,
-                         "--vmid", vmid,
-                         "--logfile", logfile,
-                         "--createek",
-                         "--create-ek-cert",
-                         "--create-platform-cert",
-                         "--lock-nvram",
-                         "--not-overwrite",
-                         NULL);
+    if (!incomingMigration) {
+        virCommandAddArgList(cmd,
+                             "--tpm-state", storagepath,
+                             "--vmid", vmid,
+                             "--logfile", logfile,
+                             "--createek",
+                             "--create-ek-cert",
+                             "--create-platform-cert",
+                             "--lock-nvram",
+                             "--not-overwrite",
+                             NULL);
+    } else {
+        virCommandAddArgList(cmd,
+                             "--tpm-state", storagepath,
+                             "--overwrite",
+                             NULL);
+    }
 
     virCommandClearCaps(cmd);
 
@@ -568,6 +577,7 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
  * @swtpmStateDir: the directory where swtpm writes the pid file and creates the
  *                 Unix socket
  * @shortName: the short name of the VM
+ * @incomingMigration: whether we have an incoming migration
  *
  * Create the virCommand use for starting the emulator
  * Do some initializations on the way, such as creation of storage
@@ -581,7 +591,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
                             uid_t swtpm_user,
                             gid_t swtpm_group,
                             const char *swtpmStateDir,
-                            const char *shortName)
+                            const char *shortName,
+                            bool incomingMigration)
 {
     virCommandPtr cmd = NULL;
     bool created = false;
@@ -605,7 +616,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
         qemuTPMEmulatorRunSetup(tpm->data.emulator.storagepath, vmname, vmuuid,
                                 privileged, swtpm_user, swtpm_group,
                                 tpm->data.emulator.logfile, tpm->version,
-                                secretuuid) < 0)
+                                secretuuid, incomingMigration) < 0)
         goto error;
 
     unlink(tpm->data.emulator.source.data.nix.path);
@@ -814,6 +825,7 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
  * @driver: QEMU driver
  * @vm: the domain object
  * @logCtxt: log context
+ * @incomingMigration: whether we have an incoming migration
  *
  * Start the external TPM Emulator:
  * - have the command line built
@@ -822,7 +834,8 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
 static int
 qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
                         virDomainObjPtr vm,
-                        qemuDomainLogContextPtr logCtxt)
+                        qemuDomainLogContextPtr logCtxt,
+                        bool incomingMigration)
 {
     int ret = -1;
     virCommandPtr cmd = NULL;
@@ -846,7 +859,8 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
                                             driver->privileged,
                                             cfg->swtpm_user,
                                             cfg->swtpm_group,
-                                            cfg->swtpmStateDir, shortName)))
+                                            cfg->swtpmStateDir, shortName,
+                                            incomingMigration)))
         goto cleanup;
 
     if (qemuExtDeviceLogCommand(logCtxt, cmd, "TPM Emulator") < 0)
@@ -903,14 +917,15 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
 int
 qemuExtTPMStart(virQEMUDriverPtr driver,
                 virDomainObjPtr vm,
-                qemuDomainLogContextPtr logCtxt)
+                qemuDomainLogContextPtr logCtxt,
+                bool incomingMigration)
 {
     int ret = 0;
     virDomainTPMDefPtr tpm = vm->def->tpm;
 
     switch (tpm->type) {
     case VIR_DOMAIN_TPM_TYPE_EMULATOR:
-        ret = qemuExtTPMStartEmulator(driver, vm, logCtxt);
+        ret = qemuExtTPMStartEmulator(driver, vm, logCtxt, incomingMigration);
         break;
     case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
     case VIR_DOMAIN_TPM_TYPE_LAST:

diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h
index 74c9924d682574685a1c4fd07d0f352d6d7325bc..5f454d3580cf86a0855af1e9ef33245d7e02d88d 100644 (file)
--- a/src/qemu/qemu_tpm.h
+++ b/src/qemu/qemu_tpm.h
@@ -37,7 +37,8 @@ void qemuExtTPMCleanupHost(virDomainDefPtr def)
 
 int qemuExtTPMStart(virQEMUDriverPtr driver,
                     virDomainObjPtr vm,
-                    qemuDomainLogContextPtr logCtxt)
+                    qemuDomainLogContextPtr logCtxt,
+                    bool incomingMigration)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
     ATTRIBUTE_RETURN_CHECK;