From cec9eb5e7e28bb65ccc9880c6c9c986ee24a856a Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 18 Feb 2026 14:02:53 +0100
Subject: [PATCH] vmspawn: Don't keep tpmstate around in auto mode if ephemeral
---
 man/systemd-vmspawn.xml | 3 +++
 src/vmspawn/vmspawn.c | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/man/systemd-vmspawn.xml b/man/systemd-vmspawn.xml
index dc56c590587..0f2f6649e30 100644
--- a/man/systemd-vmspawn.xml
+++ b/man/systemd-vmspawn.xml
@@ -221,6 +221,9 @@ when the VM shuts down. This mode is not suitable for VMs which lock disk encryption keys to the TPM, as these keys will be lost on every reboot. Defaults to auto.
+ If is specified, auto behaves like
+ off.
+
diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
index 988a391cda7..0c957b48aae 100644
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -85,7 +85,7 @@ typedef enum TpmStateMode {
 TPM_STATE_OFF, /* keep no state around */
- TPM_STATE_AUTO, /* keep state around, derive path from image/directory */
+ TPM_STATE_AUTO, /* keep state around if not ephemeral, derive path from image/directory */
 TPM_STATE_PATH, /* explicitly specified location */
 _TPM_STATE_MODE_MAX,
 _TPM_STATE_MODE_INVALID = -EINVAL,
@@ -2569,7 +2569,7 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 _cleanup_free_ char *swtpm = NULL;
 if (arg_tpm != 0) {
- if (arg_tpm_state_mode == TPM_STATE_AUTO) {
+ if (arg_tpm_state_mode == TPM_STATE_AUTO && !arg_ephemeral) {
 assert(!arg_tpm_state_path);
 const char *p = ASSERT_PTR(arg_image ?: arg_directory);
--
2.47.3
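Review bot: The ephemeral/auto interaction is decided inside run_virtual_machine at the changed `if`, so any other reader of arg_tpm_state_mode still sees TPM_STATE_AUTO for an ephemeral VM and may conclude TPM state is being persisted; the enum comment changed in the earlier hunk now describes behaviour that only this one condition implements. Normalizing the mode once where arguments are verified, e.g. `if (arg_ephemeral && arg_tpm_state_mode == TPM_STATE_AUTO) arg_tpm_state_mode = TPM_STATE_OFF;`, would give a single source of truth and let this condition stay `arg_tpm_state_mode == TPM_STATE_AUTO`; I cannot see the argument-parsing or verification code, so this is a suggestion rather than a defect. At minimum the changed line deserves a why-comment, e.g. `/* --ephemeral discards the image on exit, so persisting TPM state next to it is pointless */`. run_virtual_machine starts and ends outside the hunk, and the path taken when the guard fails (presumably arg_tpm_state_path stays NULL and no state directory is created) is not visible here.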