[libvirt] [PATCH v4 06/11] qemu: Extend QEMU with external TPM support

Marc Hartmayer mhartmay at linux.ibm.com
Tue May 15 15:25:00 UTC 2018


On Thu, May 10, 2018 at 11:57 PM +0200, Stefan Berger <stefanb at linux.vnet.ibm.com> wrote:
> Implement functions for managing the storage of the external swtpm as well
> as starting and stopping it. Also implement functions to use swtpm_setup,
> which simulates the manufacturing of a TPM, which includes creation of
> certificates for the device.
>
> Further, the external TPM needs storage on the host that we need to set
> up before it can be run. We can clean up the host once the domain is
> undefined.
>
> This patch also implements a small layer for external device support that
> calls into the TPM device layer if a domain has an attached TPM. This is
> the layer we will wire up later on.
>
> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> ---

[…snip…]

> +
> +/*
> + * qemuExtTPMStartEmulator:
> + *
> + * @driver: QEMU driver
> + * @def: domain definition
> + * @logCtxt: log context
> + *
> + * Start the external TPM Emulator:
> + * - have the command line built
> + * - start the external TPM Emulator and sync with it before QEMU start
> + */
> +static int
> +qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
> +                        virDomainDefPtr def,
> +                        qemuDomainLogContextPtr logCtxt)
> +{
> +    int ret = -1;
> +    virCommandPtr cmd = NULL;
> +    int exitstatus;
> +    char *errbuf = NULL;
> +    virQEMUDriverConfigPtr cfg;
> +    virDomainTPMDefPtr tpm = def->tpm;
> +    char *shortName = virDomainDefGetShortName(def);
> +
> +    if (!shortName)
> +        return -1;
> +
> +    cfg = virQEMUDriverGetConfig(driver);
> +
> +    /* stop any left-over TPM emulator for this VM */
> +    qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
> +
> +    if (!(cmd = qemuTPMEmulatorBuildCommand(tpm, def->name, def->uuid,
> +                                            driver->privileged,
> +                                            cfg->swtpm_user,
> +                                            cfg->swtpm_group)))
> +        goto cleanup;
> +
> +    if (qemuExtDeviceLogCommand(logCtxt, cmd, "TPM Emulator") < 0)
> +        goto cleanup;
> +
> +    virCommandSetErrorBuffer(cmd, &errbuf);
> +
> +    if (virCommandRun(cmd, &exitstatus) < 0 || exitstatus != 0) {
> +        VIR_ERROR(_("Could not start 'swtpm'. exitstatus: %d "
> +                    "stderr: %s"), exitstatus, errbuf);
> +        virReportError(VIR_ERR_INTERNAL_ERROR,
> +                       _("Could not start 'swtpm'. exitstatus: %d, "
> +                       "error: %s"), exitstatus, errbuf);
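Review bot: `exitstatus` is declared without an initializer at the top of the function but is printed by both error messages when `virCommandRun()` itself fails (returns < 0) before it ever assigns the status, so the log and the reported error can carry an indeterminate value; initialize it, e.g. `int exitstatus = 0;`, and on that same path `errbuf` can still be NULL, so pass it as `NULLSTR(errbuf)` rather than raw to `%s`. Also worth noting for the cleanup path (outside the quoted region): `cfg` obtained via `virQEMUDriverGetConfig()` and `shortName` from `virDomainDefGetShortName()` are both acquired before the `goto cleanup` jumps and need to be released there.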

Do we need both (VIR_ERROR and virReportError)?

[…snip]

Kind regards
   Marc Hartmayer

IBM Deutschland Research & Development GmbH
Chair of the Supervisory Board: Martina Koederitz
Management: Dirk Wittkopp
Registered office: Böblingen
Register court: Amtsgericht Stuttgart, HRB 243294
