1. 06 6月, 2018 18 次提交
    • S
      security: Label the external swtpm with SELinux labels · 2fc665bb
      Stefan Berger 提交于
      In this patch we label the swtpm process with SELinux labels. We give it the
      same label as the QEMU process has. We label its state directory and files
      as well. We restore the old security labels once the swtpm has terminated.
      
      The file and process labels now look as follows:
      
      Directory: /var/lib/libvirt/swtpm
      
      [root@localhost swtpm]# ls -lZ
      total 4
      rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm
      
      [root@localhost testvm]# ls -lZ
      total 8
      -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
      
      The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
      
      -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
      
      [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
      system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
      
      [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
      system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      2fc665bb
    • S
      qemu: Add support for external swtpm TPM emulator · 69122bc2
      Stefan Berger 提交于
      This patch adds support for an external swtpm TPM emulator. The XML for
      this type of TPM looks as follows:
      
       <tpm model='tpm-tis'>
         <backend type='emulator'/>
       </tpm>
      
      The XML will currently only start a TPM 1.2.
      
      Upon first start, libvirt will run `swtpm_setup`, which will simulate the
      manufacturing of a TPM and create certificates for it and write them into
      NVRAM locations of the emulated TPM.
      
      After that libvirt starts the swtpm TPM emulator using the `swtpm` executable.
      
      Once the VM terminates, libvirt uses the swtpm_ioctl executable to gracefully
      shut down the `swtpm` in case it is still running (QEMU did not send shutdown)
      or clean up the socket file.
      
      The above mentioned executables must be found in the PATH.
      
      The executables can either be run as root or started as root and switch to
      the tss user. The requirement for the tss user comes through 'tcsd', which
      is used for the simulation of the manufacturing. Which user is used can be
      configured through qemu.conf. By default 'tss' is used.
      
      The swtpm writes out state into files. The state is kept in /var/lib/libvirt/swtpm:
      
      [root@localhost libvirt]# ls -lZ | grep swtpm
      
      drwx--x--x. 7 root root unconfined_u:object_r:virt_var_lib_t:s0 4096 Apr  5 16:22 swtpm
      
      The directory /var/lib/libvirt/swtpm maintains per-TPM state directories.
      (Using the uuid of the VM for that since the name can change per VM renaming but
       we need a stable directory name.)
      
      [root@localhost swtpm]# ls -lZ
      total 4
      drwx------. 2 tss  tss  system_u:object_r:virt_var_lib_t:s0          4096 Apr  5 16:46 485d0004-a48f-436a-8457-8a3b73e28568
      
      [root@localhost 485d0004-a48f-436a-8457-8a3b73e28568]# ls -lZ
      total 4
      drwx------. 2 tss tss system_u:object_r:virt_var_lib_t:s0 4096 Apr 10 21:34 tpm1.2
      
      [root@localhost tpm1.2]# ls -lZ
      total 8
      -rw-r--r--. 1 tss tss system_u:object_r:virt_var_lib_t:s0 3648 Apr  5 16:46 tpm-00.permall
      
      The directory /var/run/libvirt/qemu/swtpm/ hosts the swtpm.sock that
      QEMU uses to communicate with the swtpm:
      
      root@localhost domain-1-testvm]# ls -lZ
      total 0
      srw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c597,c632  0 Apr  6 10:24 1-testvm-swtpm.sock
      
      The logfile for the swtpm is in /var/log/swtpm/libvirt/qemu:
      
      [root@localhost-3 qemu]# ls -lZ
      total 4
      -rw-------. 1 tss tss unconfined_u:object_r:var_log_t:s0 2199 Apr  6 14:01 testvm-swtpm.log
      
      The processes are labeled as follows:
      
      [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep socket | grep -v grep
      system_u:system_r:virtd_t:s0-s0:c0.c1023 tss 18697 0.0  0.0 28172 3892 ?       Ss   16:46   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/1-testvm-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/485d0004-a48f-436a-8457-8a3b73e28568/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
      
      [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
      system_u:system_r:svirt_t:s0:c413,c430 qemu 18702 2.5  0.0 3036052 48676 ?     Sl   16:46   0:08 /bin/qemu-system-x86_64 [...]
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      69122bc2
    • S
      qemu: Extend QEMU with external TPM support · 2a606b86
      Stefan Berger 提交于
      Implement functions for managing the storage of the external swtpm as well
      as starting and stopping it. Also implement functions to use swtpm_setup,
      which simulates the manufacturing of a TPM, which includes creation of
      certificates for the device.
      
      Further, the external TPM needs storage on the host that we need to set
      up before it can be run. We can clean up the host once the domain is
      undefined.
      
      This patch also implements a small layer for external device support that
      calls into the TPM device layer if a domain has an attached TPM. This is
      the layer we will wire up later on.
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      2a606b86
    • S
      qemu: Extend qemu_conf with tpm-emulator support · d9c087f5
      Stefan Berger 提交于
      Extend qemu_conf with user and group for running the tpm-emulator
      and add directories to the configuration for the locations of the
      log, state, and socket of the tpm-emulator.
      
      Also add these new directories to the QEMU Makefile.inc.am and
      the RPM spec file libvirt.spec.in.
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      d9c087f5
    • S
      security: Add DAC and SELinux security for tpm-emulator · a21c45c4
      Stefan Berger 提交于
      Extend the DAC and SELinux modules with support for the tpm-emulator.
      We label the Unix socket that QEMU connects to after starting swtmp
      with DAC and SELinux labels. We do not have to restore the labels in
      this case since the tpm-emulator will remove the Unix socket when it
      terminates.
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      a21c45c4
    • S
      util: Implement virFileChownFiles() · eb46575a
      Stefan Berger 提交于
      Implement virFileChownFiles() which changes file ownership of all
      files in a given directory.
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      eb46575a
    • S
      qemu: Extend QEMU capabilities with 'tpm-emulator' · b50edcd8
      Stefan Berger 提交于
      Extend the QEMU capabilities with tpm-emulator support.
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      b50edcd8
    • S
      conf: Add support for external swtpm TPM emulator to domain XML · 33af0b2b
      Stefan Berger 提交于
      This patch adds support for an external swtpm TPM emulator. The XML for
      this type of TPM looks as follows:
      
       <tpm model='tpm-tis'>
         <backend type='emulator'/>
       </tpm>
      
      The XML will currently only define a TPM 1.2.
      
      Extend the documentation.
      
      Add a test case testing the XML parser and formatter.
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      33af0b2b
    • J
      qemu: Fix double free in qemuDomainSecretAESClear · 228ae709
      John Ferlan 提交于
      Commit id 02b031a4 added a secondary path from which the
      incoming @secinfo would not be free'd until the private
      data was freed in qemuDomainStorageSourcePrivateDispose.
      
      However, by doing this the original intention to free
      @*secinfo afterwards is lost and thus the pass by value
      of the secinfo->s.aes (or secinfo->s.plain for its method)
      results in not keeping the NULL setting in the various
      secret.{username|iv|ciphertext} fields upon return to
      qemuDomainSecretInfoClear and eventually will result in
      a double free at domain destroy:
      
          raise ()
          abort ()
          __libc_message ()
          malloc_printerr ()
          _int_free ()
          virFree
          qemuDomainSecretAESClear
          qemuDomainSecretInfoClear
          qemuDomainSecretInfoFree
          qemuDomainStorageSourcePrivateDispose
          virObjectUnref
          virStorageSourceClear
          virStorageSourceFree
          virDomainDiskDefFree
          virDomainDefFree
          virDomainObjRemoveTransientDef
          qemuProcessStop
          qemuDomainDestroyFlags
          virDomainDestroy
      Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
      ACKed-by: NPeter Krempa <pkrempa@redhat.com>
      228ae709
    • M
      qemuBuildNumaArgStr: Simplify @nodeBackends · 7d34949b
      Michal Privoznik 提交于
      Instead of array of pointers to individual buffers it can be
      array of buffers directly. This also fixes the following memleak:
      
      ==22516== 96 bytes in 4 blocks are definitely lost in loss record 166 of 195
      ==22516==    at 0x4C2EF26: calloc (vg_replace_malloc.c:711)
      ==22516==    by 0x5D2C7D5: virAlloc (viralloc.c:144)
      ==22516==    by 0x56FAABD: qemuBuildNumaArgStr (qemu_command.c:7543)
      ==22516==    by 0x5701835: qemuBuildCommandLine (qemu_command.c:10112)
      ==22516==    by 0x575D794: qemuProcessCreatePretendCmd (qemu_process.c:6568)
      ==22516==    by 0x113338: testCompareXMLToArgv (qemuxml2argvtest.c:549)
      ==22516==    by 0x138CA3: virTestRun (testutils.c:180)
      ==22516==    by 0x136CD1: mymain (qemuxml2argvtest.c:2825)
      ==22516==    by 0x13AD58: virTestMain (testutils.c:1118)
      ==22516==    by 0x137351: main (qemuxml2argvtest.c:2874)
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      7d34949b
    • M
      virQEMUCapsFreeHostCPUModel: Don't always free host cpuData · d0498881
      Michal Privoznik 提交于
      This function exists because of 5276ec71. But it is
      missing initial check just like virQEMUCapsInitHostCPUModel()
      has.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      d0498881
    • R
      all: Replace virGetLastError with virGetLastErrorCode where we can · 2b6667ab
      ramyelkest 提交于
      Replace instances where we previously called virGetLastError just to
      either get the code or to check if an error exists with
      virGetLastErrorCode to avoid a validity pre-check.
      Signed-off-by: NRamy Elkest <ramyelkest@gmail.com>
      Reviewed-by: NErik Skultety <eskultet@redhat.com>
      2b6667ab
    • R
      util: virerror: Introduce virGetLastError{Code,Domain} public APIs · 50e96bb2
      ramyelkest 提交于
      Many places in the code call virGetLastError() just to check the
      raised error code, or domain. However virGetLastError() can return
      NULL, so the code has to check for that first. This patch therefore
      introduces virGetLasError{Code,Domain} functions which always return a
      valid error code or domain respectively, thus dropping the need to
      perform any checks on the error object.
      Signed-off-by: NRamy Elkest <ramyelkest@gmail.com>
      Reviewed-by: NErik Skultety <eskultet@redhat.com>
      50e96bb2
    • R
    • D
      qemu: remove pointless connect retry logic in agent · fc06debd
      Daniel P. Berrangé 提交于
      When the agent code was first introduced back in
      
        commit c160ce33
        Author: Daniel P. Berrange <berrange@redhat.com>
        Date:   Wed Oct 5 18:31:54 2011 +0100
      
          QEMU guest agent support
      
      there was code that would loop and retry the connection when opening
      the agent socket. At this time, the only thing done in between the
      opening of the monitor socket & opening of the agent socket was a
      call to set the monitor capabilities. This was a no-op on non-QMP
      versions, so in theory there could be a race which let us connect
      to the monitor while the agent socket was still not created by QEMU.
      
      In the modern world, however, we long ago mandated the use of QMP
      for managing QEMU, so we're guaranteed to have a set capabilities
      QMP call. Once we've seen a reply to this, we're guaranteed that
      QEMU has fully initialized all backends and is in its event loop.
      
      We can thus be sure the QEMU agent socket is present and don't need
      to retry connections to it, even without having the chardev FD passing
      feature.
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
      fc06debd
    • D
      qemu: don't retry connect() if doing FD passing · 7ef0471b
      Daniel P. Berrangé 提交于
      Since libvirt called bind() and listen() on the UNIX socket, it is
      guaranteed that connect() will immediately succeed, if QEMU is running
      normally. It will only fail if QEMU has closed the monitor socket by
      mistake or if QEMU has exited, letting the kernel close it.
      
      With this in mind we can remove the retry loop and timeout when
      connecting to the QEMU monitor if we are doing FD passing. Libvirt can
      go straight to sending the QMP greeting and will simply block waiting
      for a reply until QEMU is ready.
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
      7ef0471b
    • D
      qemu: support passing pre-opened UNIX socket listen FD · 30fb2276
      Daniel P. Berrangé 提交于
      There is a race condition when spawning QEMU where libvirt has spawned
      QEMU but the monitor socket is not yet open. Libvirt has to repeatedly
      try to connect() to QEMU's monitor until eventually it succeeds, or
      times out. We use kill() to check if QEMU is still alive so we avoid
      waiting a long time if QEMU exited, but having a timeout at all is still
      unpleasant.
      
      With QEMU 2.12 we can pass in a pre-opened FD for UNIX domain or TCP
      sockets. If libvirt has called bind() and listen() on this FD, then we
      have a guarantee that libvirt can immediately call connect() and
      succeed without any race.
      
      Although we only really care about this for the monitor socket and agent
      socket, this patch does FD passing for all UNIX socket based character
      devices since there appears to be no downside to it.
      
      We don't do FD passing for TCP sockets, however, because it is only
      possible to pass a single FD, while some hostnames may require listening
      on multiple FDs to cover IPv4 and IPv6 concurrently.
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
      30fb2276
    • D
      qemu: probe for -chardev 'fd' parameter for FD passing · 7cef131e
      Daniel P. Berrangé 提交于
      QEMU >= 2.12 will support passing of pre-opened file descriptors for
      socket based character devices.
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
      7cef131e
  2. 05 6月, 2018 22 次提交