Page Comparison

...

1. Install the @virtualization package group in fedora to install libvirt
2. If you want to use the packages already compiled, skip to Step 4.

3. a. Initialize a clean mock chroot: 

   Code Block
   language bash
   mock r fedora-24-x86_64 --init

   
   b. Install the following dependencies, taken from https://github.com/stefanberger/swtpm/blob/master/INSTALL: 

   Code Block
   language bash
   mock -r fedora-24-x86_64 --install sudo dnf install -y automake autoconf bash coreutils expect libtool sed libtpms libtpms-devel fuse fuse-devel glib2 glib2-devel gmp gmp-devel nss-devel net-tools selinux-policy-devel gnutls gnutls-devel libtasn1 libtasn1-tools libtasn1-devel rpm-build socat kernel-modules-extra tpm-tools

    

   c. Enter the chroot and clone the swtpm repo:

   Code Block
   language bash
   mock -r fedora-24-x86_64 --shell cd / git clone https://github.com/stefanberger/swtpm.git cd swtpm

    

   d. Compile and install swtpm:

   Code Block
   language bash
   ./bootstrap.sh ./configure --prefix=/usr make make check # This might not work :(

    

   e. If everything succeeded thusfar, create the srpm and rpm and install:

   Code Block
   language bash
   make dist cp *.tar.gz /builddir/build/SOURCES # Remove the %check lines from the .spec file if make check did not succeed. rpmbuild -bs dist/swtpm.spec rpmuild -ba dist/swtpm.spec   # As root, outside of the mock chroot: cp /var/lib/mock/fedora-24-x86_64/root/builddir/build/RPMS/* <some_desirable_location> dnf install <some_desireable_location>*.rpm

4. To install our pre-compiled rpms:

   Code Block
   language bash
   sudo dnf copr enable jeefberkey/swtpm sudo dnf install swtpm

5. To install our pre-compiled qemu:

   Code Block
   language bash
   sudo dnf copr enable jeefberkey/qemu-tpm sudo dnf update

6. Create the vTPM data directory. The README in the repo above has more details.

   Code Block
   language bash
   sudo mkdir /tmp/vtpm0_data sudo chown -R tss:root /tmp/vtpm0_data

7. You can't use a typical libvirt xml domain definition with a vTPM. You need to modify a pre-existing xml file and change the schema and add some qemu:commandline commands, as shown below. Note that we don't use the TPM device element from the Libvirt XML domain schema. The native element expects the wrong cancel path and does not suport the cuse-tpm driver yet.

   Code Block
   language xml title vtpm.xml
   <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'> <...> <qemu:commandline> <qemu:arg value='-tpmdev'/> <qemu:arg value='cuse-tpm,id=tpm-tpm0,path=/dev/vtpm0,cancel-path=/dev/null'/> <qemu:arg value='-device'/> <qemu:arg value='tpm-tis,tpmdev=tpm-tpm0,id=tpm0'/> </qemu:commandline> </domain>

8. Use the following script to launch your vTPM and VM. You must Run the swtpm setup script (sudo or as root) to initialize and create a virtual TPM device.  Note default parameters will create /dev/vtpm0.  You must run this script and load a TPM every time you use it in libvirt, because it self-destructs after it detects that it isn't being used anymore. You may also have to disable SElinux for now until a workaround is found.

   Code Block

   language	bash
   title	start_tpm_vm.sh

   #!/bin/bash # # gracefully shutdown any existing vtpm # swtpm_ioctl -s /dev/vtpm0 # init tpm device, until it exits with 0 until swtpm_setup --tpm-state /tmp/vtpm0_data --createek do sleep .2 done # create /dev/vtpm0 swtpm cuse --tpmstate dir=/tmp/vtpm0_data -n vtpm0 # try to fix permissions even tho the context is still wrong chcon --reference=/dev/tpm0 /dev/vtpm0 chown qemu:qemu /dev/vtpm0 # see https://github.com/stefanberger/swtpm/issues/7#issuecomment-217748309 umount /sys/fs/cgroup/devices # create the domain virsh create $1

    

9. Add the generated XML from step 6 to your virtual machine's XML file and create it!

    

   Code Block
   language bash title Use start_tpm_vm.sh
   sudo ./start_tpm_vm.sh simp-5-tpmvirsh create your_tmp_vm.xml

Related articles

...