From: "Michael S. Tsirkin" <mst@redhat.com>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: chrisw@redhat.com, anbang.ruan@cs.ox.ac.uk,
qemu-devel@nongnu.org, rrelyea@redhat.com, alevy@redhat.com,
andreas.niederl@iaik.tugraz.at, serge@hallyn.com
Subject: Re: [Qemu-devel] [PATCH V8 08/14] Introduce file lock for the block layer
Date: Wed, 7 Sep 2011 14:18:57 +0300 [thread overview]
Message-ID: <20110907111857.GB9337@redhat.com> (raw)
In-Reply-To: <4E66B304.8020605@linux.vnet.ibm.com>
On Tue, Sep 06, 2011 at 07:55:48PM -0400, Stefan Berger wrote:
> On 09/04/2011 03:32 PM, Michael S. Tsirkin wrote:
> >On Thu, Sep 01, 2011 at 09:53:40PM -0400, Stefan Berger wrote:
> >>>Generally, what all other devices do is perform validation
> >>>as the last step in migration when device state
> >>>is restored. On failure, management can decide what to do:
> >>>retry migration or restart on source.
> >>>
> >>>Why is TPM special and needs to be treated differently?
> >>>
> >>>
> >>>
> >...
> >
> >>More detail: Typically one starts out with an empty QCoW2 file
> >>created via qemu-img. Once Qemu starts and initializes the
> >>libtpms-based TPM, it tries to read existing state from that QCoW2
> >>file. Since there is no state stored in the QCoW2, the TPM will
> >>start initializing itself to an initial 'blank' state.
> >So it looks like the problem is you access the file when guest isn't
> >running. Delaying the initialization until the guest actually starts
> >running will solve the problem in a way that is more consistent with
> >other qemu devices.
> >
> I'd agree if there wasn't one more thing: encryption on the data
> inside the QCoW2 filesystem
>
> First: There are two ways to encrypt the data.
>
> One comes with the QCoW2 type of image and it comes for free. Set
> the encryption flag when creating the QCoW2 file and one has to
> provide a key to access the QCoW2. I found this mode problematic for
> users since it required me to go through the monitor every time I
> started the VM. Besides that the key is provided so late that all
> devices are already initialized and if the wrong key was provided
> the only thing the TPM can do is to go into shutdown mode since
> there is state on the QCoW2 but it cannot be decrypted. This also
> became problematic when doing migrations with libvirt for example
> and one was to have a wrong key/password installed on the target
> side -- graceful termination of the migration is impossible.
>
> So the above drove the implementation of the encryption mode added
> in patch 10 in this series. Here the key is provided via command
> line and it can be used immediately. So I am reading the state blobs
> from the file, decrypt them, create the CRC32 on the plain data and
> check against the CRC32 stored in the 'directory'. If it doesn't
> match the expected CRC32 either the key was wrong or the state is
> corrupted and I can terminate Qemu gracefully. I can also react
> appropriately if no key was provided but one is expected and
> vice-versa. Also in case of migration this now allows me to
> terminate Qemu gracefully so it continues running on the source.
> This is an improvement over the situation described above where in
> case the target had the wrong key the TPM went into shutdown mode
> and the user would be wondering why that is -- the TPM becomes
> inaccessible. However, particularly in the case of migration with
> shared storage I need to access the QCoW2 file to check whether on
> the target I have the right key. And this happens very early during
> qemu startup on the target machine. So that's where the file locking
> on the block layer comes in. I want to serialize access to the QCoW2
> so I don't read intermediate state on the migration-target host that
> can occur if the source is currently writing TPM state data.
>
> This patch and the command line provided key along with the
> encryption mode added in patch 10 in this series add to usability
> and help prevent failures.
>
> Regards,
> Stefan
Sure, it's a useful feature of validating the device early.
But as I said above, it's useful for other devices besides
TPM. However it introduces issues where state changes
since guest keeps running (such as what you have described here).
I think solving this in a way specific to TPM is a mistake.
Passing key on command line does not mean you must use it
immediately, this can still be done when guest starts running.
Further, the patchset seems to be split in
a way that introduces support headaches and makes review
harder, not easier. In this case, we will have to support
both a broken mode (key supplied later) and a non-broken one
(key supplied on init). It would be better to implement
a single mode, in a single patch.
--
MST
next prev parent reply other threads:[~2011-09-07 11:19 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-31 14:35 [Qemu-devel] [PATCH V8 00/14] Qemu Trusted Platform Module (TPM) integration Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 01/14] Support for TPM command line options Stefan Berger
2011-09-01 17:14 ` Michael S. Tsirkin
2011-09-02 1:01 ` Stefan Berger
2011-09-04 16:29 ` Michael S. Tsirkin
2011-09-04 16:50 ` Michael S. Tsirkin
2011-09-01 18:14 ` Michael S. Tsirkin
2011-09-02 1:02 ` Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 02/14] Add TPM (frontend) hardware interface (TPM TIS) to Qemu Stefan Berger
2011-09-09 19:28 ` Paul Moore
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 03/14] Add persistent state handling to TPM TIS frontend driver Stefan Berger
2011-09-01 17:20 ` Michael S. Tsirkin
2011-09-02 1:12 ` Stefan Berger
2011-09-09 21:13 ` Paul Moore
2011-09-11 16:45 ` Stefan Berger
2011-09-12 21:16 ` Paul Moore
2011-09-12 23:37 ` Stefan Berger
2011-09-13 12:13 ` Paul Moore
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 04/14] Add tpm_tis driver to build process Stefan Berger
2011-09-01 17:23 ` Michael S. Tsirkin
2011-09-02 1:16 ` Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 05/14] Add a debug register Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 06/14] Add a TPM backend skeleton implementation Stefan Berger
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 07/14] Implementation of the libtpms-based backend Stefan Berger
2011-09-01 17:27 ` Michael S. Tsirkin
2011-09-02 1:24 ` Stefan Berger
2011-09-04 16:27 ` Michael S. Tsirkin
2011-08-31 14:35 ` [Qemu-devel] [PATCH V8 08/14] Introduce file lock for the block layer Stefan Berger
2011-09-01 17:32 ` Michael S. Tsirkin
2011-09-02 1:53 ` Stefan Berger
2011-09-04 19:32 ` Michael S. Tsirkin
2011-09-06 23:55 ` Stefan Berger
2011-09-07 11:18 ` Michael S. Tsirkin [this message]
2011-09-07 13:06 ` Stefan Berger
2011-09-07 13:16 ` Michael S. Tsirkin
2011-09-07 13:56 ` Stefan Berger
2011-09-07 14:10 ` Michael S. Tsirkin
2011-09-07 14:25 ` Stefan Berger
2011-09-07 14:35 ` Michael S. Tsirkin
2011-09-07 15:06 ` Stefan Berger
2011-09-07 15:16 ` Michael S. Tsirkin
2011-09-07 16:08 ` Stefan Berger
2011-09-07 18:49 ` Michael S. Tsirkin
2011-09-08 0:31 ` Stefan Berger
2011-09-08 10:36 ` Michael S. Tsirkin
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 09/14] Add block storage support for libtpms based TPM backend Stefan Berger
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 10/14] Encrypt state blobs using AES CBC encryption Stefan Berger
2011-09-01 19:26 ` Michael S. Tsirkin
2011-09-02 2:23 ` Stefan Berger
2011-09-04 16:58 ` Michael S. Tsirkin
2011-09-07 0:32 ` Stefan Berger
2011-09-07 11:59 ` Michael S. Tsirkin
2011-09-07 18:55 ` Michael S. Tsirkin
2011-09-08 0:16 ` Stefan Berger
2011-09-08 10:32 ` Michael S. Tsirkin
2011-09-08 12:11 ` Stefan Berger
2011-09-08 13:16 ` Michael S. Tsirkin
2011-09-08 15:27 ` Stefan Berger
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 11/14] Experimental support for block migrating TPMs state Stefan Berger
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 12/14] Support for taking measurements when kernel etc. are passed to Qemu Stefan Berger
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 13/14] Add a TPM backend null driver implementation Stefan Berger
2011-09-01 17:40 ` Michael S. Tsirkin
2011-09-02 2:41 ` Stefan Berger
2011-09-04 16:42 ` Michael S. Tsirkin
2011-08-31 14:36 ` [Qemu-devel] [PATCH V8 14/14] Allow to provide inital TPM state Stefan Berger
2011-09-01 18:10 ` Michael S. Tsirkin
2011-09-01 19:01 ` Michael S. Tsirkin
2011-09-02 3:00 ` Stefan Berger
2011-09-04 16:38 ` Michael S. Tsirkin
2011-09-07 2:45 ` Stefan Berger
2011-09-07 11:23 ` Michael S. Tsirkin
2011-09-07 13:51 ` Stefan Berger
2011-09-07 13:57 ` Michael S. Tsirkin
2011-09-01 18:12 ` [Qemu-devel] [PATCH V8 00/14] Qemu Trusted Platform Module (TPM) integration Michael S. Tsirkin
2011-09-02 3:02 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110907111857.GB9337@redhat.com \
--to=mst@redhat.com \
--cc=alevy@redhat.com \
--cc=anbang.ruan@cs.ox.ac.uk \
--cc=andreas.niederl@iaik.tugraz.at \
--cc=chrisw@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rrelyea@redhat.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).