
Step-by-step guide

  1. Install the @virtualization package group on Fedora; it provides libvirt.
  2. If you want to use the pre-compiled packages, skip to step 4.
  3. a. Initialize a clean mock chroot:

    mock -r fedora-24-x86_64 --init


    b. Install the following dependencies, taken from https://github.com/stefanberger/swtpm/blob/master/INSTALL

    mock -r fedora-24-x86_64 --install automake autoconf bash coreutils expect libtool sed libtpms libtpms-devel fuse fuse-devel glib2 glib2-devel gmp gmp-devel nss-devel net-tools selinux-policy-devel gnutls gnutls-devel libtasn1 libtasn1-tools libtasn1-devel rpm-build socat kernel-modules-extra tpm-tools

     

    c. Enter the chroot and clone the swtpm repo:

    mock -r fedora-24-x86_64 --shell
    cd /
    git clone https://github.com/stefanberger/swtpm.git
    cd swtpm

     

    d. Compile and install swtpm:

    ./bootstrap.sh
    ./configure --prefix=/usr
    make
    make check    # This might not work :(

     

    e. If everything succeeded thus far, build the SRPM and RPMs and install them:

    make dist
    cp *.tar.gz /builddir/build/SOURCES
    # Remove the %check lines from the .spec file if make check did not succeed.
    rpmbuild -bs dist/swtpm.spec
    rpmbuild -ba dist/swtpm.spec

    # As root, outside of the mock chroot (rpmbuild puts the RPMs in per-arch subdirectories):
    cp -r /var/lib/mock/fedora-24-x86_64/root/builddir/build/RPMS/* <some_desirable_location>
    dnf install <some_desirable_location>/*/*.rpm
  4. To install our pre-compiled RPMs:

    sudo dnf copr enable jeefberkey/swtpm
    sudo dnf install swtpm
  5. To install our pre-compiled QEMU:

    sudo dnf copr enable jeefberkey/qemu-tpm
    sudo dnf update
  6. Create the vTPM data directory. The README in the repo above has more details.

    sudo mkdir /tmp/vtpm0_data
    sudo chown -R tss:root /tmp/vtpm0_data
    
  7. A typical libvirt XML domain definition can't be used with a vTPM as-is: you need to declare the qemu XML namespace on the domain element and pass the TPM to QEMU through qemu:commandline arguments. Note that we don't use the TPM device element from the libvirt domain XML schema.

    vtpm.xml
    <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
      <...>
      <qemu:commandline>
        <qemu:arg value='-tpmdev'/>
        <qemu:arg value='cuse-tpm,id=tpm-tpm0,path=/dev/vtpm0,cancel-path=/dev/null'/>
        <qemu:arg value='-device'/>
        <qemu:arg value='tpm-tis,tpmdev=tpm-tpm0,id=tpm0'/>
      </qemu:commandline>
    </domain>
  8. Use the following script to launch your vTPM and VM. You must start the vTPM every time you start the domain in libvirt, because swtpm shuts itself down once it detects that it isn't being used anymore. You may also have to disable SELinux for now until a workaround is found.

    start_tpm_vm.sh
    #!/bin/bash
    # usage: sudo ./start_tpm_vm.sh <domain.xml>
    [ -n "$1" ] || { echo "usage: $0 <domain.xml>" >&2; exit 1; }

    # # gracefully shutdown any existing vtpm
    # swtpm_ioctl -s /dev/vtpm0

    # init the TPM state, retrying until swtpm_setup exits with 0
    until swtpm_setup --tpm-state /tmp/vtpm0_data --createek
    do
        sleep .2
    done

    # create /dev/vtpm0
    swtpm cuse --tpmstate dir=/tmp/vtpm0_data -n vtpm0
    # try to fix permissions even though the SELinux context is still wrong
    chcon --reference=/dev/tpm0 /dev/vtpm0
    chown qemu:qemu /dev/vtpm0

    # see https://github.com/stefanberger/swtpm/issues/7#issuecomment-217748309
    umount /sys/fs/cgroup/devices

    # create the domain
    virsh create "$1"

    Use start_tpm_vm.sh
    sudo ./start_tpm_vm.sh simp-5-tpm.xml
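Because the device path and ids in step 7's vtpm.xml must match what the step 8 script creates, here is an added example (not from this page or the swtpm project) that injects the qemu:commandline block into an existing libvirt domain XML instead of editing it by hand. The function names, the sample domain used when testing, and the refusal of a domain that already declares a native <tpm> element are this example's own assumptions.

```python
# Added example; not part of the wiki page or of swtpm itself.
import sys
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
QEMU = "{" + QEMU_NS + "}"
ET.register_namespace("qemu", QEMU_NS)  # serialise as qemu:commandline / qemu:arg


def vtpm_args(dev="/dev/vtpm0", tpmdev_id="tpm-tpm0", device_id="tpm0"):
    """The four QEMU arguments exactly as vtpm.xml in step 7 lists them."""
    return [
        "-tpmdev",
        f"cuse-tpm,id={tpmdev_id},path={dev},cancel-path=/dev/null",
        "-device",
        f"tpm-tis,tpmdev={tpmdev_id},id={device_id}",
    ]


def add_vtpm_commandline(domain_xml, dev="/dev/vtpm0"):
    """Return domain_xml with the swtpm CUSE passthrough block appended.

    Idempotent: a domain that already carries the cuse-tpm argument comes back
    unchanged.  Raises ValueError for a non-<domain> document, or for a domain
    that declares the native <tpm> device element, which this guide does not
    combine with qemu:commandline (assumed check, not from the page).
    """
    root = ET.fromstring(domain_xml)
    if root.tag != "domain":
        raise ValueError("not a libvirt <domain> document")
    if root.find("./devices/tpm") is not None:
        raise ValueError("domain already declares a native <tpm> device")
    cmdline = root.find(QEMU + "commandline")
    if cmdline is None:
        cmdline = ET.SubElement(root, QEMU + "commandline")
    args = vtpm_args(dev)
    present = [a.get("value") for a in cmdline.findall(QEMU + "arg")]
    if args[1] not in present:  # the cuse-tpm entry identifies our block
        for value in args:
            ET.SubElement(cmdline, QEMU + "arg", value=value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # usage: python3 add_vtpm.py domain.xml > vtpm.xml  (script name is assumed)
    with open(sys.argv[1]) as f:
        sys.stdout.write(add_vtpm_commandline(f.read()))
```

The output carries the xmlns:qemu declaration on the domain element, so it can be passed straight to virsh create as in the script above.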
