[pve-devel] [PATCH qemu-server 0/3] minor tpm state handling improvements

[pve-devel] [PATCH qemu-server 0/3] minor tpm state handling improvements

[Fiona Ebner]

Fiona Ebner (3):
  fix #5562: tpm: avoid warning about undefined value when version is
    not explicitly set
  drive: tpm: fix default version in schema
  fix #5563: api: update vm: prohibit changing version of TPM state

 PVE/API2/Qemu.pm        | 19 +++++++++++++++++++
 PVE/QemuServer.pm       |  6 +++---
 PVE/QemuServer/Drive.pm |  2 +-
 3 files changed, 23 insertions(+), 4 deletions(-)

-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH qemu-server 1/3] fix #5562: tpm: avoid warning about undefined value when version is not explicitly set

[Fiona Ebner]

Fixes: f9dde219 ("fix #3075: add TPM v1.2 and v2.0 support via swtpm")
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/QemuServer.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 5e2f5e2a..55ad8a7a 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -3163,9 +3163,9 @@ sub start_swtpm {
 	    "--not-overwrite", # ignore existing state, do not modify
 	];
 
-	push @$setup_cmd, "--tpm2" if $tpm->{version} eq 'v2.0';
+	push @$setup_cmd, "--tpm2" if $tpm->{version} && $tpm->{version} eq 'v2.0';
 	# TPM 2.0 supports ECC crypto, use if possible
-	push @$setup_cmd, "--ecc" if $tpm->{version} eq 'v2.0';
+	push @$setup_cmd, "--ecc" if $tpm->{version} && $tpm->{version} eq 'v2.0';
 
 	run_command($setup_cmd, outfunc => sub {
 	    print "swtpm_setup: $1\n";
@@ -3189,7 +3189,7 @@ sub start_swtpm {
 	"--log",
 	"file=/run/qemu-server/$vmid-swtpm.log,level=1,prefix=$log_prefix",
     ];
-    push @$emulator_cmd, "--tpm2" if $tpm->{version} eq 'v2.0';
+    push @$emulator_cmd, "--tpm2" if $tpm->{version} && $tpm->{version} eq 'v2.0';
     run_command($emulator_cmd, outfunc => sub { print $1; });
 
     my $tries = 100; # swtpm may take a bit to start before daemonizing, wait up to 5s for pid
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH qemu-server 2/3] drive: tpm: fix default version in schema

[Fiona Ebner]

Since the check in start_swtpm() only checks for an explicitly
configured v2.0 to opt-in to version 2, the actual default is v1.2
and not v2.0 like the schema stated.

Of course, it would be nicer to have the default be v2.0, but changing
the check to use that default would break any TPM state without an
explicitly configured version.

There doesn't seem to be any code beside start_swtpm() accessing the
version.

Fixes: f9dde219 ("fix #3075: add TPM v1.2 and v2.0 support via swtpm")
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/QemuServer/Drive.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PVE/QemuServer/Drive.pm b/PVE/QemuServer/Drive.pm
index 6a4fafd9..6e98c095 100644
--- a/PVE/QemuServer/Drive.pm
+++ b/PVE/QemuServer/Drive.pm
@@ -394,7 +394,7 @@ my %tpmversion_fmt = (
 	description => "The TPM interface version. v2.0 is newer and should be preferred."
 	    ." Note that this cannot be changed later on.",
 	optional => 1,
-	default => 'v2.0',
+	default => 'v1.2',
     },
 );
 my $tpmstate_fmt = {
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH qemu-server 3/3] fix #5563: api: update vm: prohibit changing version of TPM state

[Fiona Ebner]

After the TPM state has been created (to be precise, initialized by
swtpm) it is not possible to change the version anymore. Doing so will
lead to failure starting the associated VM. While documented in the
description, it's better to enforce this via API.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/API2/Qemu.pm | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 0c3f451a..74143856 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -314,6 +314,24 @@ my $import_from_volid = sub {
     return $cloned->@{qw(file size)};
 };
 
+my sub prohibit_tpm_version_change {
+    my ($old, $new) = @_;
+
+    return if !$old || !$new;
+
+    my $old_drive = PVE::QemuServer::parse_drive('tpmstate0', $old);
+    my $new_drive = PVE::QemuServer::parse_drive('tpmstate0', $new);
+
+    return if $old_drive->{file} ne $new_drive->{file};
+
+    my $old_version = $old_drive->{version} // 'v1.2';
+    my $new_version = $new_drive->{version} // 'v1.2';
+
+    die "cannot change TPM state version after creation\n" if $old_version ne $new_version;
+
+    return;
+}
+
 # Note: $pool is only needed when creating a VM, because pool permissions
 # are automatically inherited if VM already exists inside a pool.
 my sub create_disks : prototype($$$$$$$$$$) {
@@ -1930,6 +1948,7 @@ my $update_vm_api  = sub {
 		    # old drive
 		    if ($conf->{$opt}) {
 			$check_drive_perms->($opt, $conf->{$opt});
+			prohibit_tpm_version_change($conf->{$opt}, $param->{$opt}) if $opt eq 'tpmstate0';
 		    }
 
 		    # new drive
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH qemu-server 3/3] fix #5563: api: update vm: prohibit changing version of TPM state

[Fiona Ebner]

Sorry, I was too quick to put "fix #5563" here. While it is the issue
from the first comment, there actually is another unrelated issue in the
second comment. So it's best to drop that prefix.

Am 27.06.24 um 13:03 schrieb Fiona Ebner:
> After the TPM state has been created (to be precise, initialized by
> swtpm) it is not possible to change the version anymore. Doing so will
> lead to failure starting the associated VM. While documented in the
> description, it's better to enforce this via API.
> 
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>  PVE/API2/Qemu.pm | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 0c3f451a..74143856 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -314,6 +314,24 @@ my $import_from_volid = sub {
>      return $cloned->@{qw(file size)};
>  };
>  
> +my sub prohibit_tpm_version_change {
> +    my ($old, $new) = @_;
> +
> +    return if !$old || !$new;
> +
> +    my $old_drive = PVE::QemuServer::parse_drive('tpmstate0', $old);
> +    my $new_drive = PVE::QemuServer::parse_drive('tpmstate0', $new);
> +
> +    return if $old_drive->{file} ne $new_drive->{file};
> +
> +    my $old_version = $old_drive->{version} // 'v1.2';
> +    my $new_version = $new_drive->{version} // 'v1.2';
> +
> +    die "cannot change TPM state version after creation\n" if $old_version ne $new_version;
> +
> +    return;
> +}
> +
>  # Note: $pool is only needed when creating a VM, because pool permissions
>  # are automatically inherited if VM already exists inside a pool.
>  my sub create_disks : prototype($$$$$$$$$$) {
> @@ -1930,6 +1948,7 @@ my $update_vm_api  = sub {
>  		    # old drive
>  		    if ($conf->{$opt}) {
>  			$check_drive_perms->($opt, $conf->{$opt});
> +			prohibit_tpm_version_change($conf->{$opt}, $param->{$opt}) if $opt eq 'tpmstate0';
>  		    }
>  
>  		    # new drive


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH qemu-server 0/3] minor tpm state handling improvements

[Fabian Grünbichler]

with the fixes: prefix dropped for the last patch

On June 27, 2024 1:03 pm, Fiona Ebner wrote:
> 
> Fiona Ebner (3):
>   fix #5562: tpm: avoid warning about undefined value when version is
>     not explicitly set
>   drive: tpm: fix default version in schema
>   fix #5563: api: update vm: prohibit changing version of TPM state
> 
>  PVE/API2/Qemu.pm        | 19 +++++++++++++++++++
>  PVE/QemuServer.pm       |  6 +++---
>  PVE/QemuServer/Drive.pm |  2 +-
>  3 files changed, 23 insertions(+), 4 deletions(-)
> 
> -- 
> 2.39.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel