From 242a5c6ed143303a7b8e979f31638ae3df5520a2 Mon Sep 17 00:00:00 2001 From: Fiona Ebner Date: Thu, 27 Jun 2024 13:03:17 +0200 Subject: [PATCH] api: update vm: prohibit changing version of TPM state After the TPM state has been created (to be precise, initialized by swtpm) it is not possible to change the version anymore. Doing so will lead to failure starting the associated VM. While documented in the description, it's better to enforce this via API. Signed-off-by: Fiona Ebner --- PVE/API2/Qemu.pm | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm index 0c3f451a..74143856 100644 --- a/PVE/API2/Qemu.pm +++ b/PVE/API2/Qemu.pm @@ -314,6 +314,24 @@ my $import_from_volid = sub { return $cloned->@{qw(file size)}; }; +my sub prohibit_tpm_version_change { + my ($old, $new) = @_; + + return if !$old || !$new; + + my $old_drive = PVE::QemuServer::parse_drive('tpmstate0', $old); + my $new_drive = PVE::QemuServer::parse_drive('tpmstate0', $new); + + return if $old_drive->{file} ne $new_drive->{file}; + + my $old_version = $old_drive->{version} // 'v1.2'; + my $new_version = $new_drive->{version} // 'v1.2'; + + die "cannot change TPM state version after creation\n" if $old_version ne $new_version; + + return; +} + # Note: $pool is only needed when creating a VM, because pool permissions # are automatically inherited if VM already exists inside a pool. my sub create_disks : prototype($$$$$$$$$$) { @@ -1930,6 +1948,7 @@ my $update_vm_api = sub { # old drive if ($conf->{$opt}) { $check_drive_perms->($opt, $conf->{$opt}); + prohibit_tpm_version_change($conf->{$opt}, $param->{$opt}) if $opt eq 'tpmstate0'; } # new drive