tpm: Pass migration key passphrase via fd to swtpm
authorStefan Berger <stefanb@linux.vnet.ibm.com>
Thu, 25 Jul 2019 18:22:12 +0000 (14:22 -0400)
committerDaniel P. Berrangé <berrange@redhat.com>
Fri, 26 Jul 2019 09:30:59 +0000 (10:30 +0100)
This patch passes the passphrase to swtpm as a migration key as well.
The state of the TPM is now encrypted while a VM is migrated between
hosts or when it is suspended into a file. Since the migration key secret
is the same as the state encryption secret, the migration destination
host must now hold the same secret value.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
src/qemu/qemu_tpm.c

index 27a31efe5044c789a1bb5702578fe76756214e53..7efd6358310f0422cdfd5de821e57fd00a38c02e 100644 (file)
@@ -584,6 +584,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
     char *pidfile;
     VIR_AUTOFREE(char *) swtpm = virTPMGetSwtpm();
     VIR_AUTOCLOSE pwdfile_fd = -1;
+    VIR_AUTOCLOSE migpwdfile_fd = -1;
     const unsigned char *secretuuid = NULL;
 
     if (!swtpm)
@@ -653,6 +654,9 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
 
         pwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid, cmd);
         if (pwdfile_fd)
+        migpwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid,
+                                               cmd);
+        if (pwdfile_fd < 0 || migpwdfile_fd < 0)
             goto error;
 
         virCommandAddArg(cmd, "--key");
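Review bot: The context line `if (pwdfile_fd)` directly above the added `migpwdfile_fd = qemuTPMSetupEncryption(...)` call is left in place as a bare condition whose body is now that assignment, so the migration-key setup runs only when pwdfile_fd is non-zero and the old check no longer guards the `goto error` on its own; with pwdfile_fd == 0 the migration key is never set up and the new check fails the build with a misleading error. Unless the page dropped a `-` marker on that line, it should be removed so both setup calls run unconditionally and the new `if (pwdfile_fd < 0 || migpwdfile_fd < 0)` is the sole check. The reuse of the state-encryption secret as the migration key is explained only in the commit message; a comment on the second call, `/* migration key reuses the state-encryption secret; the destination host must hold the same secret */`, would keep that constraint visible to whoever next touches the TPM command line. The enclosing qemuTPMEmulatorBuildCommand() starts and ends outside this hunk.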
@@ -660,6 +664,12 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm,
                                pwdfile_fd);
         virCommandPassFD(cmd, pwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
         pwdfile_fd = -1;
+
+        virCommandAddArg(cmd, "--migration-key");
+        virCommandAddArgFormat(cmd, "pwdfd=%d,mode=aes-256-cbc",
+                               migpwdfile_fd);
+        virCommandPassFD(cmd, migpwdfile_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT);
+        migpwdfile_fd = -1;
     }
 
     return cmd;