Description
New Windows versions often depend on TPM devices being attached (at least during installation).
Libvirt allows for two types of TPM devices:
- emulated devices (swtpm based)
- passthrough devices
It may make sense to include the swtpm related files within the backup too, even if I currently don't see
a way to guarantee the data being consistent.
If an emulated device is attached, libvirt starts an swtpm process:
/usr/bin/swtpm socket --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/2-backuptest-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/*vm_uuid*/tpm2,mode=0600 -
It makes sense to add the files from /var/lib/libvirt/swtpm/vm_uuid/ to the backup.
In case the complete host system is lost or these files are missing, I think it may be troublesome to boot the actual virtual machine (UEFI / Secure Boot).
The files in /var/lib/libvirt/swtpm are owned by the special "tss" user with no read rights. So this might only work if the backup is executed as the root user. More information required.
For now the backup at least prints a warning that further action may be required by the user.
Outstanding:
- Clarify which user most distributions use for the swtpm process (on Debian it is "tss")
- ssh client needs to be enhanced to be able to put/get directory trees and not single files for remote backup
- Fail backup with warning if we don't have access to the files (we need to be part of the "tss" group if run as a regular user)
- Adapt restore utility
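Added example (not code from this project): given a domain XML, locate the swtpm state directory of an emulated TPM and classify whether the backup can read it, which is the check the "Fail backup with warning" item asks for. It assumes libvirt's default state base `/var/lib/libvirt/swtpm/<uuid>/tpm2` (or `tpm1.2`), and the XML snippets and state file name are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# libvirt's default swtpm state location (assumption; distributions may differ)
SWTPM_STATE_BASE = "/var/lib/libvirt/swtpm"

def emulated_tpm_state_dir(domain_xml, base=SWTPM_STATE_BASE):
    """Return the swtpm state directory for an emulated TPM, or None."""
    root = ET.fromstring(domain_xml)
    uuid = root.findtext("uuid")
    for tpm in root.iter("tpm"):
        backend = tpm.find("backend")
        if backend is not None and backend.get("type") == "emulator":
            # TPM 2.0 state lives in "tpm2", TPM 1.2 state in "tpm1.2" (assumption)
            sub = "tpm2" if backend.get("version", "2.0").startswith("2") else "tpm1.2"
            return os.path.join(base, uuid, sub)
    return None  # passthrough TPM or no TPM: nothing to copy

def check_swtpm_state(domain_xml, base=SWTPM_STATE_BASE):
    """Classify whether the swtpm state can be included in the backup."""
    state_dir = emulated_tpm_state_dir(domain_xml, base)
    if state_dir is None:
        return {"status": "no-emulated-tpm", "dir": None, "files": []}
    if not os.path.isdir(state_dir):
        return {"status": "missing", "dir": state_dir, "files": []}
    if not os.access(state_dir, os.R_OK | os.X_OK):
        # typical when running as a non-root user that is not in the "tss" group
        return {"status": "unreadable", "dir": state_dir, "files": []}
    files = sorted(os.listdir(state_dir))
    readable = [f for f in files if os.access(os.path.join(state_dir, f), os.R_OK)]
    status = "ok" if readable == files else "partial"
    return {"status": status, "dir": state_dir, "files": readable}

# constructed domain XML snippets (not taken from a real host)
EMULATOR_XML = """<domain type='kvm'><name>backuptest</name>
<uuid>11111111-2222-3333-4444-555555555555</uuid>
<devices><tpm model='tpm-crb'><backend type='emulator' version='2.0'/></tpm></devices></domain>"""
PASSTHROUGH_XML = """<domain type='kvm'><name>pt</name><uuid>aaaa</uuid>
<devices><tpm model='tpm-tis'><backend type='passthrough'><device path='/dev/tpm0'/></backend></tpm></devices></domain>"""

def demo():
    # run the check against a constructed state tree in a temporary directory
    with tempfile.TemporaryDirectory() as base:
        missing = check_swtpm_state(EMULATOR_XML, base)
        state_dir = emulated_tpm_state_dir(EMULATOR_XML, base)
        os.makedirs(state_dir)
        with open(os.path.join(state_dir, "tpm2-00.permall"), "wb") as fh:
            fh.write(b"constructed swtpm state")  # placeholder, not real TPM state
        present = check_swtpm_state(EMULATOR_XML, base)
        return missing["status"], present["status"], present["files"], check_swtpm_state(PASSTHROUGH_XML, base)["status"]
```

On a real host, a result of "unreadable" or "partial" is the condition under which the backup should fail with the warning described above.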
More info and Limitations:
https://www.ovirt.org/develop/release-management/features/virt/tpm-device.html