From 01d7e15c8c4a33a379e8297182dc474bb2046d2a Mon Sep 17 00:00:00 2001
Message-Id: <01d7e15c8c4a33a379e8297182dc474bb2046d2a@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Fri, 27 Jan 2023 10:46:55 +0100
Subject: [PATCH] qemuExtTPMStop: Restore TPM state label more often
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When stopping swtpm we can restore the label either on just the
swtpm's domain specific logfile (/var/log/swtpm/libvirt/qemu/...),
or on the logfile and the state too (/var/lib/libvirt/swtpm/...).

The deciding factor is whether the guest is stopped because of
outgoing migration OR the state is on a shared filesystem.

But this is not the correct condition, because for instance saving the
guest into a file (virsh save) is also an outgoing migration.
Alternatively, when the swtpm state is stored on a shared
filesystem, but the guest is destroyed (virsh destroy), i.e.
stopped because of a different reason than migration, we want to
restore the seclabels.

The correct condition is: skip restoring the state on outgoing
migration AND shared filesystem.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2161557
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 794fddf866676ef4119b3acf43b5547a9e868bb9)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_tpm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index b2748eb6a4..5831ffc32e 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -1142,7 +1142,7 @@ qemuExtTPMStop(virQEMUDriver *driver,
         return;
 
     qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
-    if (outgoingMigration || qemuTPMHasSharedStorage(vm->def))
+    if (outgoingMigration && qemuTPMHasSharedStorage(vm->def))
         restoreTPMStateLabel = false;
 
     if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0)
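Review bot: the new condition `outgoingMigration && qemuTPMHasSharedStorage(vm->def)` still skips the state relabel for `virsh save` when the swtpm state is on a shared filesystem, because the commit message itself says a save to file also counts as an outgoing migration and `outgoingMigration` alone cannot tell the two apart. In that case no destination host takes over the state, so the domain's seclabel stays on /var/lib/libvirt/swtpm/... after the guest is gone. Please either confirm that leaving the label in place for save plus shared storage is intended, or pass enough information into qemuExtTPMStop() to separate a real migration to another host from a save. Since this condition has now been wrong once, a short comment above the `if` stating the rule (skip the state restore only on outgoing migration with shared storage, restore the log file label always) would help the next reader.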
-- 
2.39.1