[pve-devel] [PATCH qemu-server 3/3] fix #5563: api: update vm: prohibit changing version of TPM state

Fiona Ebner f.ebner at proxmox.com
Thu Jun 27 13:03:17 CEST 2024


After the TPM state has been created (to be precise, initialized by
swtpm) it is not possible to change the version anymore. Doing so will
lead to failure starting the associated VM. While documented in the
description, it's better to enforce this via API.

Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
 PVE/API2/Qemu.pm | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 0c3f451a..74143856 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -314,6 +314,24 @@ my $import_from_volid = sub {
     return $cloned->@{qw(file size)};
 };
 
+my sub prohibit_tpm_version_change {
+    my ($old, $new) = @_;
+
+    return if !$old || !$new;
+
+    my $old_drive = PVE::QemuServer::parse_drive('tpmstate0', $old);
+    my $new_drive = PVE::QemuServer::parse_drive('tpmstate0', $new);
+
+    return if $old_drive->{file} ne $new_drive->{file};
+
+    my $old_version = $old_drive->{version} // 'v1.2';
+    my $new_version = $new_drive->{version} // 'v1.2';
+
+    die "cannot change TPM state version after creation\n" if $old_version ne $new_version;
+
+    return;
+}
+
 # Note: $pool is only needed when creating a VM, because pool permissions
 # are automatically inherited if VM already exists inside a pool.
 my sub create_disks : prototype($$$$$$$$$$) {
@@ -1930,6 +1948,7 @@ my $update_vm_api  = sub {
 		    # old drive
 		    if ($conf->{$opt}) {
 			$check_drive_perms->($opt, $conf->{$opt});
+			prohibit_tpm_version_change($conf->{$opt}, $param->{$opt}) if $opt eq 'tpmstate0';
 		    }
 
 		    # new drive
-- 
2.39.2





More information about the pve-devel mailing list