From: Nick Chevsky <nchevsky@gmail.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [RFC qemu-server 2/2] fix #3075: add TPM v1.2 and v2.0 support via swtpm
Date: Mon, 9 Aug 2021 13:17:00 -0500
Message-ID: <CAGM+U6JN765OYXg7MbiaT5mg4Tj2SN1q1NrgYW6=yC0QX5i=ag@mail.gmail.com>
In-Reply-To: <20210715142319.1457131-3-s.reiter@proxmox.com>

Hi Stefan,

Thank you for your work on this; I've been testing it locally for a few
weeks and have since contributed improved Debian packaging and other fixes
upstream [3]. Please see my comment below the quoted code:

> --- a/PVE/QemuServer.pm
> +++ b/PVE/QemuServer.pm
> ...
> +sub start_swtpm {
> ...
> +           my $setup_cmd = [
> +               "swtpm_setup",
> +               "--tpmstate",
> +               "$tmppath",
> +               "--createek",
> +               "--create-ek-cert",
> +               "--create-platform-cert",
> +               "--lock-nvram",
> +               "--config",
> +               "/etc/swtpm_setup.conf", # do not use XDG configs
> +               "--runas",
> +               "0", # force creation as root, error if not possible
>
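Review bot: --terminate is not an option of swtpm_setup, the one-shot command in this argument array; in swtpm it is an option of the emulator command (`swtpm socket`), where it makes the emulator exit once the control-channel connection to QEMU is lost, so the flag needs to go into the array that launches `swtpm socket` (elided by the `...` in this quote), not into `$setup_cmd`. While looking at the same array: `--runas 0` together with the comment "force creation as root" means the EK and certificates are written into `$tmppath` as root, so that directory should be created with restrictive permissions (0700) before this command runs, since it holds the TPM's private key material.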

Could you add --terminate to this argument array? That's the documented,
correct way of achieving the behavior we want (i.e. swtpm automatically
terminating along with QEMU). Currently this is already happening even
without --terminate, but that's a side effect of two bugs: one for which
I've already contributed a fix upstream [1], and another which will be
fixed once consumers (e.g. PVE, libvirt) start using --terminate (which
they should've been using all along) [2]. Adding --terminate is innocuous
and guarantees the current behavior will stay the same after the second bug
is fixed upstream.

[1]
https://github.com/stefanberger/swtpm/commit/6961ec4878b4a569ac53f6e6f77416b44f3f26d9
[2] https://github.com/stefanberger/swtpm/pull/509#issuecomment-890412478
[3] https://github.com/stefanberger/swtpm/pulls?q=author%3Anchevsky

Nick
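The wiring the reply describes, as an added example that is not code from this thread or from qemu-server: one POSIX shell script that initialises the state directory with swtpm_setup (the quoted argument list, which takes no --terminate), starts `swtpm socket` with --terminate so the emulator exits on its own when QEMU drops the control connection, and emits the matching QEMU -chardev/-tpmdev/-device options. The state, socket and pid paths, the VM id and the chardev/tpmdev ids are assumptions of this example; DRY_RUN=1 prints each argument list instead of executing it, so the lists can be inspected on a machine without swtpm installed.

```shell
#!/bin/sh
# Added example, not code from the pve-devel thread or from qemu-server:
# bring up a per-VM swtpm the way the reply above recommends, with
# --terminate on the emulator so it exits when QEMU closes the control
# socket. Paths, the VM id and the chardev/tpmdev ids are this script's
# own assumptions.
set -eu

# Run a command, or print it one argument per line when DRY_RUN=1
# (lets the argument lists be checked without swtpm/QEMU installed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; else "$@"; fi
}

# One-time initialisation of the state directory (EK, EK/platform certs,
# NVRAM locked), as in the quoted swtpm_setup hunk. --not-overwrite makes
# a second run leave existing state untouched. No --terminate here: that
# flag belongs to the long-running emulator, not to the one-shot setup.
setup_tpm_state() {  # setup_tpm_state <state_dir> <1.2|2.0>
    state_dir=$1; version=$2
    set -- swtpm_setup --tpmstate "$state_dir" \
        --createek --create-ek-cert --create-platform-cert --lock-nvram \
        --config /etc/swtpm_setup.conf --runas 0 --not-overwrite
    if [ "$version" = 2.0 ]; then set -- "$@" --tpm2; fi
    run "$@"
}

# Start the emulator as a daemon on a unix control socket. --terminate:
# swtpm exits when the control connection (held by QEMU) goes away, the
# documented way to tie its lifetime to the VM's.
start_swtpm() {  # start_swtpm <state_dir> <ctrl_socket> <pid_file> <1.2|2.0>
    state_dir=$1; sock=$2; pidfile=$3; version=$4
    set -- swtpm socket \
        --tpmstate "dir=$state_dir,mode=0600" \
        --ctrl "type=unixio,path=$sock,mode=0600" \
        --pid "file=$pidfile" \
        --terminate --daemon
    if [ "$version" = 2.0 ]; then set -- "$@" --tpm2; fi
    run "$@"
}

# QEMU side: a chardev on the same socket, an emulator tpmdev bound to it,
# and a TIS device (tpm-tis serves both TPM 1.2 and 2.0 on x86 guests).
qemu_tpm_args() {  # qemu_tpm_args <ctrl_socket>
    printf '%s\n' \
        -chardev "socket,id=chrtpm,path=$1" \
        -tpmdev "emulator,id=tpm0,chardev=chrtpm" \
        -device "tpm-tis,tpmdev=tpm0"
}

# True if the argument listing on stdin contains <flag> as a whole argument.
has_flag() { grep -qx -- "$1"; }

if [ "${1-}" = run ]; then
    VMID=${2:-100}                                  # assumed VM id
    STATE=/var/lib/swtpm-example/$VMID              # assumed paths
    SOCK=/run/swtpm-example/$VMID.ctrl
    PIDF=/run/swtpm-example/$VMID.pid
    mkdir -p "$STATE" "$(dirname "$SOCK")"
    chmod 0700 "$STATE"                             # state holds the EK private key
    setup_tpm_state "$STATE" 2.0
    start_swtpm "$STATE" "$SOCK" "$PIDF" 2.0
    echo "swtpm up; add these to the QEMU command line:"
    qemu_tpm_args "$SOCK"
fi
```

Run as root with `sh tpm-example.sh run 100` to bring up the emulator for VM 100 and print the QEMU options to append. Once QEMU has connected to the control socket and later exits, swtpm sees the connection close and terminates by itself; the management layer never has to kill it, which is the behaviour --terminate guarantees regardless of the upstream fixes the reply mentions.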


Thread overview:
2021-07-15 14:23 [pve-devel] [RFC 0/2] Initial TPM support for VMs Stefan Reiter
2021-07-15 14:23 ` [pve-devel] [RFC edk2-firmware 1/2] enable TPM and TPM2 support Stefan Reiter
2021-07-15 14:23 ` [pve-devel] [RFC qemu-server 2/2] fix #3075: add TPM v1.2 and v2.0 support via swtpm Stefan Reiter
2021-07-16 14:47   ` alexandre derumier
2021-08-09 18:17   ` Nick Chevsky [this message]
2021-08-10  7:48     ` Stefan Reiter
2021-07-16  9:48 ` [pve-devel] [RFC 0/2] Initial TPM support for VMs Thomas Lamprecht
