From: Stefan Berger
Date: Sat, 30 Oct 2021 04:01:37 +0000 (-0400)
Subject: qemu: tpm: Enable creation of certs for TPM 1.2 in non-privileged mode
X-Git-Tag: v7.10.0-rc1~263
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b4705a4aa9c7f610dbead4b7dc136b55b6ba30f;p=thirdparty%2Flibvirt.git
qemu: tpm: Enable creation of certs for TPM 1.2 in non-privileged mode
When 'swtpm_setup --print-capabilities' shows the 'tpm12-not-need-root' flag, then it is possible to create certificates for the TPM 1.2 also in non-privileged mode since swtpm_setup doesn't need tcsd anymore. Check for this flag and create the certificates if this flag is found.
Signed-off-by: Stefan Berger
Signed-off-by: Michal Privoznik
Reviewed-by: Michal Privoznik
---
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index e1b08a66c5..5a05273100 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -463,11 +463,13 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
 if (!swtpm_setup)
 return -1;
 
- if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2)
+ if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2 &&
+ !virTPMSwtpmSetupCapsGet(VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT)) {
 return virFileWriteStr(logfile,
 _("Did not create EK and certificates since "
 "this requires privileged mode for a "
 "TPM 1.2\n"), 0600);
+ }
 
 if (!privileged && qemuTPMCreateConfigFiles(swtpm_setup) < 0)
 return -1;
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index 0f50de866c..40d9272e66 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -46,6 +46,7 @@ VIR_ENUM_IMPL(virTPMSwtpmSetupFeature,
 VIR_TPM_SWTPM_SETUP_FEATURE_LAST,
 "cmdarg-pwdfile-fd",
 "cmdarg-create-config-files",
+ "tpm12-not-need-root",
 );
 
 /**
diff --git a/src/util/virtpm.h b/src/util/virtpm.h
index 3bb03b3b33..b75eb84f31 100644
--- a/src/util/virtpm.h
+++ b/src/util/virtpm.h
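Review bot: The added capability test on the second `+` line of the qemu_tpm.c hunk carries no comment explaining why the flag lifts the privileged-mode requirement, and the log message that follows still tells the user only that privileged mode is needed, which is misleading once the real cause is a swtpm_setup that does not report 'tpm12-not-need-root' (or, if virTPMSwtpmSetupCapsGet reports false when the capability probe itself fails — not visible here — a probe failure). Suggest a comment above the condition, `/* swtpm_setup advertising 'tpm12-not-need-root' can create TPM 1.2 certs without tcsd, so only an older swtpm_setup keeps the privileged-mode restriction */`, and extending the message to say that a newer swtpm_setup removes the restriction. Note also that when the flag is present the non-privileged path now proceeds to run swtpm_setup for certificate creation, so the fail-closed behaviour on a missing or unreadable capability report is what keeps the old restriction intact; that is worth stating in the comment. qemuTPMEmulatorRunSetup starts and ends outside the hunk.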
@@ -39,6 +39,7 @@ typedef enum {
 typedef enum {
 VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_PWDFILE_FD,
 VIR_TPM_SWTPM_SETUP_FEATURE_CMDARG_CREATE_CONFIG_FILES,
+ VIR_TPM_SWTPM_SETUP_FEATURE_TPM12_NOT_NEED_ROOT,
 VIR_TPM_SWTPM_SETUP_FEATURE_LAST
 } virTPMSwtpmSetupFeature;