Step-by-step guide
1. Install the `@virtualization` package group in Fedora to install libvirt.
2. If you want to use the packages already compiled, skip to Step 4.
3. Build swtpm from source in a mock chroot:

   a. Initialize a clean mock chroot:

   ```bash
   mock -r fedora-24-x86_64 --init
   ```

   b. Install the following dependencies, taken from https://github.com/stefanberger/swtpm/blob/master/INSTALL (mock's `--install` takes the package names directly, so no `dnf install` is needed here):

   ```bash
   mock -r fedora-24-x86_64 --install automake autoconf bash coreutils expect libtool sed \
       libtpms libtpms-devel fuse fuse-devel glib2 glib2-devel gmp gmp-devel nss-devel \
       net-tools selinux-policy-devel gnutls gnutls-devel libtasn1 libtasn1-tools \
       libtasn1-devel rpm-build socat kernel-modules-extra tpm-tools
   # git is not part of the default mock buildroot; add it to the list above if the
   # clone in step c fails.
   ```

   c. Enter the chroot and clone the swtpm repo:

   ```bash
   mock -r fedora-24-x86_64 --shell
   # inside the chroot:
   cd /
   git clone https://github.com/stefanberger/swtpm.git
   cd swtpm
   ```

   d. Compile and install swtpm:

   ```bash
   ./bootstrap.sh
   ./configure --prefix=/usr
   make
   make check   # This might not work :(
   ```

   e. If everything succeeded thus far, create the srpm and rpm and install:

   ```bash
   make dist
   cp *.tar.gz /builddir/build/SOURCES
   # Remove the %check lines from the .spec file if make check did not succeed.
   rpmbuild -bs dist/swtpm.spec
   rpmbuild -ba dist/swtpm.spec
   # As root, outside of the mock chroot. rpmbuild writes the packages into
   # per-architecture subdirectories of RPMS, hence the recursive copy:
   cp -r /var/lib/mock/fedora-24-x86_64/root/builddir/build/RPMS/* <some_desirable_location>
   dnf install <some_desirable_location>/*/*.rpm
   ```
4. To install our pre-compiled rpms:

   ```bash
   sudo dnf copr enable jeefberkey/swtpm
   sudo dnf install swtpm
   ```

5. To install our pre-compiled qemu:

   ```bash
   sudo dnf copr enable jeefberkey/qemu-tpm
   sudo dnf update
   ```
6. Create the vTPM data directory. The README in the repo above has more details.

   ```bash
   sudo mkdir /tmp/vtpm0_data
   sudo chown -R tss:root /tmp/vtpm0_data
   ```
7. You can't use a typical libvirt XML domain definition with a vTPM. You need to modify a pre-existing XML file, change the schema (declare the `xmlns:qemu` namespace on `<domain>`) and add some `qemu:commandline` arguments, as shown below. Note that we don't use the TPM device element from the libvirt XML domain schema: the native element expects the wrong cancel path and does not support the cuse-tpm driver yet.

   vtpm.xml:

   ```xml
   <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
     <...>
     <qemu:commandline>
       <qemu:arg value='-tpmdev'/>
       <qemu:arg value='cuse-tpm,id=tpm-tpm0,path=/dev/vtpm0,cancel-path=/dev/null'/>
       <qemu:arg value='-device'/>
       <qemu:arg value='tpm-tis,tpmdev=tpm-tpm0,id=tpm0'/>
     </qemu:commandline>
   </domain>
   ```
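A pre-flight check for the domain XML above, added here as an example (it is not part of the original page or of the swtpm project). It parses the `qemu:commandline` passthrough the same way the recipe expects it: the `xmlns:qemu` namespace must be declared, `-tpmdev` must be a `cuse-tpm` backend on the expected device path, the `-device` front end must reference that backend's `id`, and no native `<tpm>` element may be present. The sample XML is constructed from the vtpm.xml fragment.

```python
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"

def parse_qemu_opt(value):
    """Split 'cuse-tpm,id=tpm-tpm0,path=/dev/vtpm0' into ('cuse-tpm', {...})."""
    head, *rest = value.split(",")
    return head, dict(item.split("=", 1) for item in rest if "=" in item)

def check_vtpm_domain(xml_text, expected_path="/dev/vtpm0"):
    """Return a list of problems; an empty list means the XML matches the recipe."""
    root = ET.fromstring(xml_text)
    problems = []
    # The native <tpm> element is deliberately not used in this setup.
    if root.find("devices/tpm") is not None:
        problems.append("native <devices><tpm> element present; remove it")
    # ElementTree only yields {ns}commandline if xmlns:qemu is declared on <domain>.
    cmdline = root.find(f"{{{QEMU_NS}}}commandline")
    if cmdline is None:
        problems.append("no <qemu:commandline>; is xmlns:qemu declared on <domain>?")
        return problems
    args = [a.get("value", "") for a in cmdline.findall(f"{{{QEMU_NS}}}arg")]
    # qemu:arg values alternate option / value: -tpmdev <spec> -device <spec>
    opts = dict(zip(args[::2], args[1::2]))
    if "-tpmdev" not in opts or "-device" not in opts:
        problems.append("expected both -tpmdev and -device qemu:arg pairs")
        return problems
    backend, backend_kv = parse_qemu_opt(opts["-tpmdev"])
    frontend, frontend_kv = parse_qemu_opt(opts["-device"])
    if backend != "cuse-tpm":
        problems.append(f"-tpmdev backend is {backend!r}, expected 'cuse-tpm'")
    if backend_kv.get("path") != expected_path:
        problems.append(f"-tpmdev path {backend_kv.get('path')!r} != {expected_path!r}")
    if frontend != "tpm-tis":
        problems.append(f"-device model is {frontend!r}, expected 'tpm-tis'")
    if frontend_kv.get("tpmdev") != backend_kv.get("id"):
        problems.append("-device tpmdev= does not reference the -tpmdev id=")
    return problems

# Constructed sample, modelled on the vtpm.xml fragment above.
SAMPLE_XML = """<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>vtpm-test</name>
  <devices/>
  <qemu:commandline>
    <qemu:arg value='-tpmdev'/>
    <qemu:arg value='cuse-tpm,id=tpm-tpm0,path=/dev/vtpm0,cancel-path=/dev/null'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='tpm-tis,tpmdev=tpm-tpm0,id=tpm0'/>
  </qemu:commandline>
</domain>"""

if __name__ == "__main__":
    print(check_vtpm_domain(SAMPLE_XML) or "vTPM domain XML looks consistent")
```

Run it against your own domain file with `check_vtpm_domain(open("vtpm.xml").read())` before calling `virsh create`, so a mismatched id or path is caught before the guest fails to start.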
8. Use the following script to launch your vTPM and VM. You must load a TPM every time you use it in libvirt, because it self-destructs after it detects that it isn't being used anymore. You may also have to disable SELinux for now until a workaround is found.

   start_tpm_vm.sh:

   ```bash
   #!/bin/bash
   #
   # gracefully shutdown any existing vtpm
   #
   swtpm_ioctl -s /dev/vtpm0

   # init tpm device, until it exits with 0
   until swtpm_setup --tpm-state /tmp/vtpm0_data --createek
   do
       sleep .2
   done

   # create /dev/vtpm0
   swtpm cuse --tpmstate dir=/tmp/vtpm0_data -n vtpm0

   # try to fix permissions even though the context is still wrong
   chcon --reference=/dev/tpm0 /dev/vtpm0
   chown qemu:qemu /dev/vtpm0

   # see https://github.com/stefanberger/swtpm/issues/7#issuecomment-217748309
   umount /sys/fs/cgroup/devices

   # create the domain from the XML file given as the first argument
   virsh create "$1"
   ```
9. Use start_tpm_vm.sh:

   ```bash
   sudo ./start_tpm_vm.sh simp-5-tpm.xml
   ```