qemu_tpm: lock the state explicitly when running swtpm

Commit bb5e26749fe5b ("qemu: explicit swtpm state locking") attempted to
lock the state, but only for swtpm-setup. The capability
"tpmstate-opt-lock" is actually only exposed by swtpm.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 476e3dd2245795a12a3ac1db03b27d3835733baa..942ee64263fca87802e12f2201674f0de82a3fd9 100644 (file)
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -606,17 +606,24 @@ static void
 qemuTPMVirCommandSwtpmAddTPMState(virCommand *cmd,
                                   const virDomainTPMEmulatorDef *emulator)
 {
+    const char *lock = ",lock";
+
+    if (!virTPMSwtpmCapsGet(VIR_TPM_SWTPM_FEATURE_TPMSTATE_OPT_LOCK)) {
+        VIR_WARN("This swtpm version doesn't support explicit locking");
+        lock = "";
+    }
+
     virCommandAddArg(cmd, "--tpmstate");
     switch (emulator->source_type) {
     case VIR_DOMAIN_TPM_SOURCE_TYPE_FILE:
-        virCommandAddArgFormat(cmd, "backend-uri=file://%s",
-                               emulator->source_path);
+        virCommandAddArgFormat(cmd, "backend-uri=file://%s%s",
+                               emulator->source_path, lock);
         break;
     case VIR_DOMAIN_TPM_SOURCE_TYPE_DIR:
     case VIR_DOMAIN_TPM_SOURCE_TYPE_DEFAULT:
     case VIR_DOMAIN_TPM_SOURCE_TYPE_LAST:
-        virCommandAddArgFormat(cmd, "dir=%s,mode=0600",
-                               emulator->source_path);
+        virCommandAddArgFormat(cmd, "dir=%s,mode=0600%s",
+                               emulator->source_path, lock);
         break;
     }
 }

diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index f90839debeee1b833c7a260d7cc472cdae13fe4e..cf0f20e009721fc20db780015871308a385a7ef1 100644 (file)
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -43,6 +43,7 @@ VIR_ENUM_IMPL(virTPMSwtpmFeature,
               "nvram-backend-dir",
               "nvram-backend-file",
               "cmdarg-print-info",
+              "tpmstate-opt-lock",
 );
 
 VIR_ENUM_IMPL(virTPMSwtpmSetupFeature,

diff --git a/src/util/virtpm.h b/src/util/virtpm.h
index 4119a903e527bfa046e6445601f55f48df4b7024..c741d28465f41d74bed5f4d79408887a52141dc7 100644 (file)
--- a/src/util/virtpm.h
+++ b/src/util/virtpm.h
@@ -34,6 +34,7 @@ typedef enum {
     VIR_TPM_SWTPM_FEATURE_NVRAM_BACKEND_DIR,
     VIR_TPM_SWTPM_FEATURE_NVRAM_BACKEND_FILE,
     VIR_TPM_SWTPM_FEATURE_CMDARG_PRINT_INFO,
+    VIR_TPM_SWTPM_FEATURE_TPMSTATE_OPT_LOCK,
 
     VIR_TPM_SWTPM_FEATURE_LAST
 } virTPMSwtpmFeature;