Bug 1244895

Summary: TPM passthru uses wrong cancel-path: should be /sys/class/tpm/tpm0/device/cancel
Product: [Fedora] Fedora Reporter: old_speedy
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: agedosier, berrange, charon00, clalancette, crobinso, fullung, itamar, jforbes, laine, libvirt-maint, markus, mkalinin, rbalakri, sfgets, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-1.2.18.2-1.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-28 22:53:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description old_speedy 2015-07-20 17:39:50 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
1.2.1.1-1

How reproducible:
map a physical TPM as passthrough to a virtual machine

Steps to Reproduce:
1.
2.
3.

Actual results:
Error starting domain: internal error: early end of file from monitor: possible problem:
2015-07-20T17:32:36.870094Z qemu-system-x86_64: -tpmdev passthrough,id=tpm-tpm0,path=/dev/tpm0,cancel-path=/sys/class/misc/tpm0/device/cancel: Cannot access TPM device using '/dev/tpm0': Device or resource busy


Expected results:
cancel path for kernel >= 4.0 should be /sys/class/tpm/tpm0/device/cancel

Additional info:
Comment 1 Cole Robinson 2015-08-09 17:33:18 UTC 
Thanks for the report. That path is set by libvirt, so that's where the bug is, so reassigning
Comment 2 David V 2015-08-20 19:21:23 UTC 
qemu-system-x86_64 supports passing the TPM cancel path on the command line with -tpmdev passthrough,cancel-path=<path>, but it doesn't look like libvirt will recognize this when using virt-install.  It might be worth supporting the cancel-path parameter.
Comment 3 Kamen M 2015-10-13 20:52:34 UTC 
When tpm dev is added through virtManager it displays the bellow error upon domain start. 

Error starting domain: unable to set security context 'system_u:object_r:svirt_image_t:s0:c121,c372' on '/sys/class/misc/tpm0/device/cancel': No such file or directory

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 89, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 125, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1423, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1007, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c121,c372' on '/sys/class/misc/tpm0/device/cancel': No such file or directory

is that cancel-path hardcoded somewhere?
Comment 4 Cole Robinson 2015-10-14 12:54:47 UTC 
(In reply to Kamen M from comment #3)
> 
> is that cancel-path hardcoded somewhere?

Yes it seems to be hardcoded in libvirt. Seems like we need to extend the logic here to check for the newer path you mentioned: /sys/class/tpm/tpm0/device/cancel
Comment 5 Markus Heberling 2015-11-12 13:09:21 UTC 
I have used ghex /lib64/libvirt.so.0 to patch the file to the new path:

search for /sys/class/misc/tpm0/device/cancel and replace it with /sys/class/tpm//tpm0/device/cancel

note the 2 slashes after tpm, that is so that the string keeps the same lenght and no offsets in the file are destroyed.

This works for me, but would be nice if it could be fixed in the package or upstream.
Comment 6 Kamen M 2015-11-13 10:13:41 UTC 
(In reply to Markus Heberling from comment #5)
> I have used ghex /lib64/libvirt.so.0 to patch the file to the new path:

Thanks for the idea Markus and I also would like to see this fixed one day!
Comment 7 Cole Robinson 2015-11-17 00:53:46 UTC 
stefan, this sounds like a simple libvirt fix for tpm support but I don't have any way to test. Can you take a look?
Comment 8 Stefan Berger 2015-11-17 03:14:43 UTC 
(In reply to Cole Robinson from comment #7)
> stefan, this sounds like a simple libvirt fix for tpm support but I don't
> have any way to test. Can you take a look?

Patch(es) posted.
Comment 9 Cole Robinson 2015-11-18 01:56:31 UTC 
Fix is upstream now:

commit 5ed7afa9de4e8d2b7e83fee334a0c3f2bddc6a48
Author: Stefan Berger <stefanb.com>
Date:   Tue Nov 17 19:44:13 2015 -0500

    tpm: adapt sysfs cancel path for new TPM driver

Moving back to Fedora since users have been hitting it
Comment 10 Fedora Update System 2015-12-24 14:55:56 UTC 
libvirt-1.2.18.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-30b347dff1
Comment 11 Fedora Update System 2015-12-25 01:57:05 UTC 
libvirt-1.2.18.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-30b347dff1
Comment 12 Fedora Update System 2015-12-28 22:52:34 UTC 
libvirt-1.2.18.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.