CP-39414: start swtpm depending on the VM's platform metadata #4693
Conversation
|
I think we should create a vTPM object when vtpm=true, and then start/stop the vtpm daemon based on the presence of the vtpm object (fairly soon we'll need to write out and give access to the vTPM object, so we'll need to know its UUID/ref). Might need a bit more plumbing, see how the bios vs uefi is done in |
I believe this needs to happen when trying to start the VM
For starting I agree, I'd say it's part of object creation. For stopping it happens unconditionally, the code checks whether the swtpm process exists or not. We wouldn't want a case where the obkect has been removed but somehow the swtpm process is still running.
I'll check this. I think it's worth noting that currently a tpm instance is closely coupled with a vm instance. For the future it might be worth decoupling it and using the vtpm uuid as you say.
Not sure I follow, the swtpm daemon already has a module in device.ml |
|
Now an optional variant is passed through the idl so all the logic to decide what information gets passed around can be done in xapi. Xenopsd can decide how to set up swtpm based on that information. This should make creating the vtpm object and changing how to set up swtpm much simpler |
Now swtpm is only started for domains that have vtpm=true added to their platform's metada. This can be done using xe e.g. xe vm-param-add uuid=VM-XXX param-name=platform vtpm=true Shutting down domains without the swtpm and the xapi-guard services running works as normal and without any errors Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
This was missed when parametrizing the code, varstored was hardcoded Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
Now VTPM objects are created and attached to a VM when it is started for the first and they are destroyed when the VM they are attached to are destroyed. These objects are empty and do not reflect the state of the actual vTPM attached to the domains. Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
psafont
force-pushed
the
private/paus/vtpm-param
branch
from
22dc127
to
8dbc71e
Compare
|
I've tested that xapi now creates and destroys the vtpm objects on a VM's first boot (not on successive boots) and when they are destroyed. |
Now swtpm is only started for domains that have vtpm=true added to their
platform's metada. This can be done using xe e.g.
xe vm-param-add uuid=VM-XXX param-name=platform vtpm=true
Shutting down domains without the swtpm and the xapi-guard services
running works as normal and without any errorsNow swtpm is only started for domains that have vtpm=true added to their
platform's metada. This can be done using xe e.g.
xe vm-param-add uuid=VM-XXX param-name=platform vtpm=trueShutting down domains without the swtpm and the xapi-guard services
running works as normal and without any errors.