Re: [pve-devel] [RFC qemu-server 2/2] fix #3075: add TPM v1.2 and v2.0 support via swtpm

From: Stefan Reiter <s.reiter@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Nick Chevsky <nchevsky@gmail.com>
Subject: Re: [pve-devel] [RFC qemu-server 2/2] fix #3075: add TPM v1.2 and v2.0 support via swtpm
Date: Tue, 10 Aug 2021 09:48:55 +0200	[thread overview]
Message-ID: <ecb3f4a7-1eaa-5350-8c1c-34574553a9b1@proxmox.com> (raw)
In-Reply-To: <CAGM+U6JN765OYXg7MbiaT5mg4Tj2SN1q1NrgYW6=yC0QX5i=ag@mail.gmail.com>

On 09/08/2021 20:17, Nick Chevsky wrote:
> Hi Stefan,
> 
> Thank you for your work on this; I've been testing it locally for a few
> weeks and have since contributed improved Debian packaging and other fixes
> upstream [3]. Please see my comment below the quoted code:

Thanks for your upstream work! I've seen some of those changes already, 
they'll certainly help a lot.

As a status update to this in general, since we decided that storing 
data on /etc/pve is a no-go and don't have a generic dir backend for all 
use-cases we want to support, I have also started working with upstream 
(based on some prior work being done in a current draft PR [0]) to 
support block devices as a native backend [1].

With that in place, we should be able to use our existing storage 
infrastructure for storing TPM state.

[0] https://github.com/stefanberger/swtpm/pull/490
[1] https://github.com/stefanberger/swtpm/pull/513

> 
> --- a/PVE/QemuServer.pm
>> +++ b/PVE/QemuServer.pm
>> ...
>> +sub start_swtpm {
>> ...
>> +           my $setup_cmd = [
>> +               "swtpm_setup",
>> +               "--tpmstate",
>> +               "$tmppath",
>> +               "--createek",
>> +               "--create-ek-cert",
>> +               "--create-platform-cert",
>> +               "--lock-nvram",
>> +               "--config",
>> +               "/etc/swtpm_setup.conf", # do not use XDG configs
>> +               "--runas",
>> +               "0", # force creation as root, error if not possible
>>
> 
> Could you add --terminate to this argument array? That's the documented,
> correct way of achieving the behavior we want (i.e. swtpm automatically
> terminating along with QEMU). Currently this is already happening even
> without --terminate, but that's a side effect of two bugs: one for which
> I've already contributed a fix upstream [1], and another which will be
> fixed once consumers (e.g. PVE, libvirt) start using --terminate (which
> they should've been using all along) [2]. Adding --terminate is innocuous
> and guarantees the current behavior will stay the same after the second bug
> is fixed upstream.

Good to hear the explanation behind it, but '--terminate' is already 
added - you're just looking at the 'swtpm_setup' command, check the 
lines below that, specifically '$emulator_cmd'.

> 
> [1]
> https://github.com/stefanberger/swtpm/commit/6961ec4878b4a569ac53f6e6f77416b44f3f26d9
> [2] https://github.com/stefanberger/swtpm/pull/509#issuecomment-890412478
> [3] https://github.com/stefanberger/swtpm/pulls?q=author%3Anchevsky
> 
> Nick
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 