From: Nick Chevsky
Date: Mon, 9 Aug 2021 13:17:00 -0500
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [RFC qemu-server 2/2] fix #3075: add TPM v1.2 and v2.0 support via swtpm
In-Reply-To: <20210715142319.1457131-3-s.reiter@proxmox.com>
References: <20210715142319.1457131-1-s.reiter@proxmox.com> <20210715142319.1457131-3-s.reiter@proxmox.com>
Hi Stefan,

Thank you for your work on this; I've been testing it locally for a few weeks and have since contributed improved Debian packaging and other fixes upstream [3]. Please see my comment below the quoted code:

--- a/PVE/QemuServer.pm
> +++ b/PVE/QemuServer.pm
> ...
> +sub start_swtpm {
> ...
> + my $setup_cmd = [
> + "swtpm_setup",
> + "--tpmstate",
> + "$tmppath",
> + "--createek",
> + "--create-ek-cert",
> + "--create-platform-cert",
> + "--lock-nvram",
> + "--config",
> + "/etc/swtpm_setup.conf", # do not use XDG configs
> + "--runas",
> + "0", # force creation as root, error if not possible

Could you add --terminate to this argument array? That's the documented, correct way of achieving the behavior we want (i.e. swtpm automatically terminating along with QEMU). Currently this is already happening even without --terminate, but that's a side effect of two bugs: one for which I've already contributed a fix upstream [1], and another which will be fixed once consumers (e.g. PVE, libvirt) start using --terminate (which they should've been using all along) [2]. Adding --terminate is innocuous and guarantees the current behavior will stay the same after the second bug is fixed upstream.

[1] https://github.com/stefanberger/swtpm/commit/6961ec4878b4a569ac53f6e6f77416b44f3f26d9
[2] https://github.com/stefanberger/swtpm/pull/509#issuecomment-890412478
[3] https://github.com/stefanberger/swtpm/pulls?q=author%3Anchevsky

Nick
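Review bot: the `"--runas", "0"` entry in the quoted $setup_cmd array forces swtpm_setup to run as root with only the terse inline comment "force creation as root, error if not possible"; the reason root is required here, and whether the state written under "$tmppath" (with --lock-nvram) must afterwards be readable by whatever user the swtpm emulator itself runs as, should be spelled out in that comment or in the commit message so reviewers can judge the privilege boundary. Separately, the quoted array contains no --terminate entry, which matches the reply above: if swtpm's shutdown is currently relied upon as a side effect rather than requested explicitly, the intended lifecycle (swtpm exiting together with QEMU) is worth stating next to the argument that enforces it.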