Series to allow running tpm2 setup with unprivileged user #63

Merged: 3 commits merged into stefanberger:tpm2-preview.v2 on May 27, 2018

Conversation

@elmarco (Contributor) commented May 23, 2018

Use local configuration if run under a regular / xdg desktop user.

This allows running swtpm_setup as a regular user.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

This will allow expanding environment variables in config files, such as:

    statedir = $XDG_RUNTIME_DIR/swtpm-localca

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
@stefanberger (Owner) commented:

Thanks a lot. Now we can run swtpm_setup under a user account and have libvirt launch it. We may need to document this.

@stefanberger (Owner) commented May 23, 2018

With the following config files I was able to create a VM with attached TPM 2. The certs were created for that TPM 2 using that locally generated CA:

export XDG_CONFIG_HOME=$HOME/.config

Contents of ~/.config/swtpm_setup.conf:

# Program invoked for creating certificates
create_certs_tool = /usr/share/swtpm/swtpm-localca
create_certs_tool_config = ${XDG_CONFIG_HOME}/swtpm-localca.conf
create_certs_tool_options = ${XDG_CONFIG_HOME}/swtpm-localca.options

Contents of ~/.config/swtpm-localca.conf:

statedir = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca
signingkey = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/signkey.pem
issuercert = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/issuercert.pem
certserial = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca/certserial

Contents of ~/.config/swtpm-localca.options:

--platform-manufacturer Fedora
--platform-version 2.12
--platform-model QEMU

The log file showed this:

$ cat ~/.cache/libvirt/qemu/log/testvm-tpm2-swtpm.log 
Starting vTPM manufacturing as stefanb:stefanb @ Wed May 23 16:45:49 2018
Successfully created EK with handle 0x81010001.
  Invoking: /usr/share/swtpm/swtpm-localca --type ek --ek [ek elided] --dir /home/stefanb/.config/libvirt/qemu/swtpm/4786300a-bbb8-427e-ae6e-edff0725e46f/tpm2 --logfile /home/stefanb/.cache/libvirt/qemu/log/testvm-tpm2-swtpm.log --vmid "testvm-tpm2:4786300a-bbb8-427e-ae6e-edff0725e46f" --tpm-spec-family 2.0 --tpm-spec-level 00 --tpm-spec-revision 146 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20160511 --configfile "${XDG_CONFIG_HOME}/swtpm-localca.conf" --optsfile "${XDG_CONFIG_HOME}/swtpm-localca.options" --tpm2
Successfully created EK certificate locally.
swtpm-localca: 
  Invoking: /usr/share/swtpm/swtpm-localca --type platform --ek [ek elided] --dir /home/stefanb/.config/libvirt/qemu/swtpm/4786300a-bbb8-427e-ae6e-edff0725e46f/tpm2 --logfile /home/stefanb/.cache/libvirt/qemu/log/testvm-tpm2-swtpm.log --vmid "testvm-tpm2:4786300a-bbb8-427e-ae6e-edff0725e46f" --tpm-spec-family 2.0 --tpm-spec-level 00 --tpm-spec-revision 146 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20160511 --configfile "${XDG_CONFIG_HOME}/swtpm-localca.conf" --optsfile "${XDG_CONFIG_HOME}/swtpm-localca.options" --tpm2
Successfully created platform certificate locally.
swtpm-localca: 
Successfully created NVRAM area 0x01c00002 for EK certificate.
Successfully created NVRAM area 0x01c08000 for platform certificate.
Successfully authored TPM state.
Ending vTPM manufacturing @ Wed May 23 16:45:50 2018
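
The second commit in this series ("expand environment variables in config files") and the ${XDG_CONFIG_HOME} references in the swtpm-localca.conf above both depend on how a config value like `${XDG_CONFIG_HOME}/var/lib/swtpm-localca` gets expanded. The security-relevant detail is that a config file is attacker-influenced input in some deployments, so the expansion must never hand the file's contents to the shell as code. The script below is an added example written for this page, not swtpm's or libvirt's own implementation; it reads a "key = value" file, expands only `${NAME}` and `$NAME` references whose NAME is a validated identifier, and copies anything else (`$(cmd)`, backticks, `${x:-y}`) through literally. The sample config it processes is constructed here and is not from a real install.

```sh
#!/bin/sh
# Added example, not code from swtpm or libvirt: expand ${NAME} and $NAME
# references to environment variables in a "key = value" config file in the
# style of swtpm-localca.conf, without passing the file's contents to eval.
# Only a validated identifier reaches eval, so $(cmd), `cmd` or ${x:-y} in a
# value is copied through unchanged instead of being executed.

# is_name NAME -> succeeds if NAME is a plain shell identifier.
is_name() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# expand_value VALUE -> prints VALUE with ${NAME}/$NAME replaced by the
# environment variable's value (empty if unset).
expand_value() {
    rest=$1
    out=
    while [ -n "$rest" ]; do
        case $rest in
            *\$*) ;;
            *) out="$out$rest"; rest=; continue ;;
        esac
        out="$out${rest%%\$*}"        # literal text before the first '$'
        rest=${rest#*\$}              # text after that '$'
        case $rest in
            "{"*"}"*)                 # ${NAME}
                name=${rest#"{"}
                name=${name%%"}"*}
                if is_name "$name"; then
                    eval "out=\"\$out\${$name}\""
                    rest=${rest#*"}"}
                    continue
                fi
                ;;
            [A-Za-z_]*)               # $NAME: longest run of identifier chars
                name=$(printf '%s' "$rest" | sed 's/[^A-Za-z0-9_].*$//')
                eval "out=\"\$out\${$name}\""
                rest=${rest#"$name"}
                continue
                ;;
        esac
        out="$out\$"                  # bare or malformed '$': keep it literally
    done
    printf '%s\n' "$out"
}

# expand_config FILE -> prints FILE with every value expanded; comments,
# blank lines and lines without '=' pass through unchanged.
expand_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) printf '%s\n' "$line"; continue ;;
            *=*) ;;
            *) printf '%s\n' "$line"; continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        printf '%s = %s\n' "$key" "$(expand_value "$value")"
    done < "$1"
}

# config_get FILE KEY -> the expanded value of KEY.
config_get() {
    expand_config "$1" | sed -n "s/^$2 = //p"
}

# Demo on a constructed sample (not a file from a real install).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# swtpm-localca.conf-style sample; only ${NAME} and $NAME are expanded
statedir = ${XDG_CONFIG_HOME}/var/lib/swtpm-localca
signingkey = $XDG_CONFIG_HOME/var/lib/swtpm-localca/signkey.pem
certserial = $(id -u)/certserial
EOF
XDG_CONFIG_HOME=${XDG_CONFIG_HOME:-$HOME/.config}
export XDG_CONFIG_HOME
expand_config "$demo"
rm -f "$demo"
```

Run it as `sh expand_config.sh` with XDG_CONFIG_HOME set as in the comment above; the `certserial` line comes out with `$(id -u)` still literal, which is the property a naive `eval "echo $value"` implementation would not have. An unset variable expands to the empty string, so a caller that turns the result into a path should still check for a leading `/` before using it as statedir.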

@stefanberger (Owner) commented:

I guess the only thing I don't like is that we need to store swtpm_setup.conf in $XDG_CONFIG_HOME primarily because there are already so many directories there.

@stefanberger (Owner) commented:

Patch to apply to currently proposed libvirt support:

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 3b1a90a802..22100319ee 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -508,11 +508,11 @@ qemuTPMEmulatorRunSetup(const char *storagepath,
     char uuid[VIR_UUID_STRING_BUFLEN];
     char *vmid = NULL;
 
-    if (!privileged)
+    if (!privileged && tpmversion == VIR_DOMAIN_TPM_VERSION_1_2)
         return virFileWriteStr(logfile,
                                _("Did not create EK and certificates since "
-                               "this requires privileged mode\n"),
-                               0600);
+                                 "this requires privileged mode for a "
+                                 "TPM 1.2\n"), 0600);
 
     cmd = virCommandNew(swtpm_setup);
     if (!cmd)
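Review bot: the new condition compares `tpmversion` against `VIR_DOMAIN_TPM_VERSION_1_2`, but nothing in this hunk shows where `tpmversion` comes from; the visible signature fragment is `qemuTPMEmulatorRunSetup(const char *storagepath,`, so confirm the function already receives the domain's TPM version enum and that the caller passes it. Also note the behavioural consequence for unprivileged TPM 2 domains: the early `virFileWriteStr(logfile, ...)` return no longer applies, so `virCommandNew(swtpm_setup)` runs as the libvirt user and depends on the per-user swtpm_setup.conf / swtpm-localca.conf shown earlier in this thread; where those files or a swtpm_setup with this series are missing, the run now fails instead of being skipped, which deserves a sentence in the commit message or docs.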

@stefanberger stefanberger merged commit b8558df into stefanberger:tpm2-preview.v2 May 27, 2018