Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backup (SW)TPM Device related files #169

Open
abbbi opened this issue Apr 4, 2024 · 0 comments
Open

Backup (SW)TPM Device related files #169

abbbi opened this issue Apr 4, 2024 · 0 comments
Labels
enhancement New feature or request need-info Additional information or logfiles required to solve issue.
Milestone
v3.0

Comments

@abbbi
Copy link
Owner

abbbi commented Apr 4, 2024
edited
Loading

New Windows versions often depend von TPM devices beeing attached (at least during installation).
Libvirt allows for two types of TPM devices:

  • emulated devices (swtpm based)
  • passthrough devices

it may make sense to include the swtpm related files within the backup too, even if i currently dont see
a way to guarantee the data beeing consistent.

If an emulated device is attached, libvirt starts an swtpm process:

/usr/bin/swtpm socket --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/2-backuptest-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/*vm_uuid*/tpm2,mode=0600 -

it makes sense to add the files from /var/lib/libvirt/swtpm/vm_uuid/ to the backup.
In case the complete host system is lost or these files are missing, i think it may be troublesome to boot the actual virtual machine (uefi / secureboot)

The files in /var/lib/libvirt/swtpm are owned by special "tss" user with no read rights. So this might only work if backup is executed as root user. More information required.

For now backup at least prints a warning that further action may be required by user.

Outstanding:

  • Clarify which user most distributions use for the swtpm process (on Debian it is "tss")
  • ssh client needs to be enhanced to be able to put/get directory trees and not single files for remote backup
  • Fail backup with warning if we dont have access to the files (we need to be part of the "tss" group if run as regular user)
  • Adopt restore utility

More info and Limitations:

https://www.ovirt.org/develop/release-management/features/virt/tpm-device.html
@abbbi abbbi added the enhancement New feature or request label Apr 4, 2024
@abbbi abbbi added this to the v2.7 milestone Apr 4, 2024
abbbi added a commit that referenced this issue Apr 4, 2024
@abbbi
(#169) show warning if swtpm device is attached to virtual domain
3243c4f
abbbi added a commit that referenced this issue Apr 4, 2024
@abbbi
(#169) show directory in warning
55a44d3
@abbbi abbbi changed the title Backup SWTPM / TPM Device related files Backup SWTPM Device related files Apr 4, 2024
@abbbi abbbi changed the title Backup SWTPM Device related files Backup (SW)TPM Device related files Apr 4, 2024
@abbbi abbbi added the need-info Additional information or logfiles required to solve issue. label Apr 4, 2024
@abbbi abbbi modified the milestones: v2.8, v3.0 Apr 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request need-info Additional information or logfiles required to solve issue.
Projects
None yet
Milestone
v3.0
Development

No branches or pull requests
1 participant
@abbbi