From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Stefan Reiter <s.reiter@proxmox.com>
Subject: [pve-devel] applied: [PATCH v3 qemu-server 2/3] fix #3075: add TPM v1.2 and v2.0 support via swtpm
Date: Tue, 5 Oct 2021 07:30:16 +0200
Message-ID: <9c2ffaf4-48b5-8af5-7682-66175ddbe2f0@proxmox.com>
In-Reply-To: <20211004152921.2839809-3-s.reiter@proxmox.com>
On 04.10.21 17:29, Stefan Reiter wrote:
> Starts an instance of swtpm per VM in its systemd scope, it will
> terminate by itself if the VM exits, or be terminated manually if
> startup fails.
>
> Before first use, a TPM state is created via swtpm_setup. State is
> stored in a 'tpmstate0' volume, treated much the same way as an efidisk.
>
> It is migrated 'offline', the important part here is the creation of the
> target volume, the actual data transfer happens via the QEMU device
> state migration process.
>
> Move-disk can only work offline, as the disk is not registered with
> QEMU, so 'drive-mirror' wouldn't work. swtpm itself has no method of
> moving a backing storage at runtime.
>
> For backups, a bit of a workaround is necessary (this may later be
> replaced by NBD support in swtpm): During the backup, we attach the
> backing file of the TPM as a read-only drive to QEMU, so our backup
> code can detect it as a block device and back it up as such, while
> ensuring consistency with the rest of disk state ("snapshot" semantic).
>
> The name for the ephemeral drive is specifically chosen as
> 'drive-tpmstate0-backup', diverging from our usual naming scheme with
> the '-backup' suffix, to avoid it ever being treated as a regular drive
> from the rest of the stack in case it gets left over after a backup for
> some reason (shouldn't happen).
>
> Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
> ---
> PVE/API2/Qemu.pm | 5 ++
> PVE/QemuMigrate.pm | 14 +++-
> PVE/QemuServer.pm | 137 +++++++++++++++++++++++++++++++++++++--
> PVE/QemuServer/Drive.pm | 63 ++++++++++++++----
> PVE/VZDump/QemuServer.pm | 43 ++++++++++--
> 5 files changed, 238 insertions(+), 24 deletions(-)
>
>
applied, with a few trivial whitespace related cleanups, thanks!
Thread overview:
2021-10-04 15:29 [pve-devel] [PATCH v3 0/3] Initial TPM support for VMs Stefan Reiter
2021-10-04 15:29 ` [pve-devel] [PATCH v3 storage 1/3] import: don't check for 1K aligned size Stefan Reiter
2021-10-05 4:24 ` [pve-devel] applied: " Thomas Lamprecht
2021-10-04 15:29 ` [pve-devel] [PATCH v3 qemu-server 2/3] fix #3075: add TPM v1.2 and v2.0 support via swtpm Stefan Reiter
2021-10-05 5:30 ` Thomas Lamprecht [this message]
2021-10-04 15:29 ` [pve-devel] [PATCH v3 manager 3/3] ui: add support for adding TPM devices Stefan Reiter
2021-10-05 5:34 ` [pve-devel] applied: " Thomas Lamprecht