Re: [Qemu-devel] [PATCH v5 1/4] Provide support for the CUSE TPM
From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH v5 1/4] Provide support for the CUSE TPM
Date: Thu, 28 Jan 2016 13:15:21 +0000
User-agent: Mutt/1.5.24 (2015-08-30)
On Wed, Jan 20, 2016 at 10:31:56AM -0500, Stefan Berger wrote:
> "Daniel P. Berrange" <address@hidden> wrote on 01/20/2016 10:00:41 AM:
>
> > Subject: Re: [Qemu-devel] [PATCH v5 1/4] Provide support for the CUSE
> > > The CUSE TPM and associated tools can be found here:
> > >
> > > https://github.com/stefanberger/swtpm
> > >
> > > (please use the latest version)
> > >
> > > To use the external CUSE TPM, the CUSE TPM should be started as follows:
> > >
> > > # terminate previously started CUSE TPM
> > > /usr/bin/swtpm_ioctl -s /dev/vtpm-test
> > >
> > > # start CUSE TPM
> > > /usr/bin/swtpm_cuse -n vtpm-test
> >
> > IIUC, there needs to be one swtpm_cuse process running per QEMU
> > TPM device? This makes me wonder why we need this separate
>
> Correct. See reason in answer to previous email.
>
> > process at all - it would make sense if there was a single
> > swtpm_cuse shared across all QEMU's, but if there's one per
> > QEMU device, it feels like it'd be much simpler to just have
> > the functionality linked in QEMU. That avoids the problem
>
> I tried having it linked in QEMU before. It was basically rejected.
>
> > of having to manage all these extra processes alongside QEMU
> > which can add a fair bit of mgmt overhead.
>
> For libvirt, yes, there is mgmt. overhead, but it's quite transparent. So
> libvirt is involved in the creation of the directory for the vTPMs, the
> command line creation for the external process as well as the startup of
> the process, but otherwise it's not a big issue (anymore). I have the
> patches that do just that for an older libvirt version, along with setting
> up SELinux labels, cgroups etc. for each VM that wants an attached vTPM.
A question that just occurred is how this will work with live migration.
If we live migrate a VM we need the file that backs the guest's vTPM
device to either be on shared storage, or it needs to be copied. With
modern QEMU we are using drive-mirror to copy all block backends over
an NBD connection. If the file backing the vTPM is invisible to QEMU,
hidden behind the swtpm_cuse ioctl(), then there's no way for us to
leverage QEMU's block mirror to copy across the TPM state file AFAICT.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|