Bug 1668199

Summary: [RFE] TPM passthrough support (libvirt) - tpm2.0 backend
Product: Red Hat Enterprise Linux 8
Reporter: Yanqiu Zhang <yanqzhan>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Yanqiu Zhang <yanqzhan>
Severity: medium
Priority: medium
Version: 8.0
CC: areis, fjin, knoel, rbalakri, xuzhang, yanqzhan
Target Milestone: rc
Keywords: Automation, FutureFeature, TestOnly
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Story Points: ---
Clone Of: 1654490
Last Closed: 2019-06-14 00:47:50 UTC
Type: Feature Request
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1327947, 1654486, 1654490
Bug Blocks: 1359862, 1431788, 1431792, 1519016, 1558125, 1595018, 1623566, 1919797

Comment 1 Xuesong Zhang 2019-02-21 05:19:03 UTC
Update to ON_QA status since this is a testonly BZ.

Comment 2 Yanqiu Zhang 2019-03-07 13:06:04 UTC
Verified on rhel8.0 with:
libvirt-4.5.0-23.module+el8+2800+2d311f65.x86_64
qemu-kvm-2.12.0-63.module+el8+2833+c7d6d092.x86_64

Pre-1. Prepare a TPM 2.0 chip in the host and enable it in the system BIOS.

Pre-2. Install tpm2-tools and tpm2-tss on both host and guest, then check TPM usage:
[host]# tpm2_getrandom 14
0x4A 0xAA 0xE6 0x5E 0xBA 0xA5 0xCA 0xA3 0x40 0x6B 0xC9 0xFF 0x3A 0x73

[guest]# tpm2_getrandom 7
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
ERROR: tcti init allocation routine failed for library: "device" options: "(null)"
ERROR: Could not load tcti, got: "device"

Scenario 1: tpm_crb
1. Start guest with tpm_crb:
    <tpm model='tpm-crb'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>
# ps aux|grep tpm
... -tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/4,cancel-path=/dev/fdset/5 -add-fd set=4,fd=34 -add-fd set=5,fd=35 -device tpm-crb,tpmdev=tpm-tpm0,id=tpm0 ...

2. Check TPM usage again in host and guest:
[host]# tpm2_getrandom 14
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Device or resource busy
ERROR: tcti init allocation routine failed for library: "device" options: "(null)"
ERROR: Could not load tcti, got: "device"

[guest]# tpm2_getrandom 10
0xAF 0x37 0x62 0xCC 0xFF 0x7E 0xBE 0xD8 0x06 0x88

3. # virsh shutdown avocado-vt-vm1
Domain avocado-vt-vm1 is being shutdown

[host]# tpm2_getrandom 12
0x70 0xFF 0xCA 0x61 0x60 0x73 0x65 0xA0 0xE4 0x3E 0x35 0x96


Scenario 2: tpm_tis
1.
    <tpm model='tpm-tis'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>

... -tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/4,cancel-path=/dev/fdset/5 -add-fd set=4,fd=34 -add-fd set=5,fd=35 -device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 ...

2. Check usage; TPM 2.0 passthrough as tpm_tis still works in the guest.
[host]# tpm2_getrandom 11
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Device or resource busy
ERROR: tcti init allocation routine failed for library: "device" options: "(null)"
ERROR: Could not load tcti, got: "device"

[guest]# tpm2_getrandom 16
0xC5 0x7D 0xAD 0x56 0x7B 0x49 0xF6 0xCE 0x19 0x0D 0x8E 0x31 0xCF 0xD3 0x36 0xF0

Comment 3 Yanqiu Zhang 2019-03-08 07:52:13 UTC
Scenario 3: try to reuse
1. Try to start another guest while the TPM is in use by a running guest:
# virsh start avocado-vt-vm2
error: Failed to start domain avocado-vt-vm2
error: Could not open TPM device /dev/tpm0: Device or resource busy

2. Try to edit the guest with two TPM devices:
    <tpm model='tpm-crb'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
    </tpm>
    <tpm>
      <backend type='passthrough'>
      </backend>
    </tpm>

# virsh edit avocado-vt-vm2
error: XML error: only a single TPM device is supported
Failed. Try again? [y,n,i,f,?]:


Since the results are as expected, mark this bug as verified.
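The three scenarios above exercise rules that libvirt only reports at `virsh edit` or `virsh start` time: a domain may carry one `<tpm>` element, a passthrough backend names a host device, and that host device is exclusively owned by whichever guest starts first. The following is an added example, not libvirt's own code and not part of the bug report: a pre-flight checker that applies those rules to domain XML before starting guests, so that the "only a single TPM device is supported" and "Device or resource busy" failures can be caught ahead of time. The default model `tpm-tis` follows the libvirt domain XML documentation; the fallback path `/dev/tpm0` for an omitted `<device path=…/>` and the auto-generated alias `tpm0` are assumptions, as are the sample domain documents, which are constructed here.

```python
"""Pre-flight checks for libvirt TPM passthrough definitions (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Device models libvirt can expose to the guest; tpm-tis is the documented
# default when the model attribute is omitted.
KNOWN_MODELS = {"tpm-tis", "tpm-crb"}
DEFAULT_MODEL = "tpm-tis"
# Host node used when <device path=.../> is omitted (assumption: matches
# libvirt's fallback; check the libvirt version in use).
DEFAULT_PASSTHROUGH_PATH = "/dev/tpm0"
# Alias libvirt assigns to a single TPM when none is given (assumption).
DEFAULT_ALIAS = "tpm0"


class TpmConfigError(ValueError):
    """A <tpm> definition that libvirt would reject at define/edit time."""


def parse_tpm_passthrough(domain_xml):
    """Parse the <tpm> element of a domain definition.

    Returns None when the domain defines no TPM, otherwise a dict with the
    guest-facing model, the host device path and the alias. Raises
    TpmConfigError for definitions libvirt rejects, mirroring the
    'only a single TPM device is supported' error from 'virsh edit'.
    """
    root = ET.fromstring(domain_xml)
    tpms = root.findall("./devices/tpm")
    if not tpms:
        return None
    if len(tpms) > 1:
        raise TpmConfigError("only a single TPM device is supported")
    tpm = tpms[0]
    model = tpm.get("model", DEFAULT_MODEL)
    if model not in KNOWN_MODELS:
        raise TpmConfigError("unknown TPM model %r" % model)
    backend = tpm.find("backend")
    if backend is None or backend.get("type") != "passthrough":
        raise TpmConfigError("expected <backend type='passthrough'>")
    device = backend.find("device")
    path = device.get("path") if device is not None else None
    alias = tpm.find("alias")
    return {
        "model": model,
        "path": path or DEFAULT_PASSTHROUGH_PATH,
        "alias": alias.get("name") if alias is not None else DEFAULT_ALIAS,
    }


def expected_qemu_device(tpm):
    """Render the '-device' fragment seen in the ps output above for this TPM.

    The -tpmdev fdset numbers are allocated when the guest starts and are not
    reproduced here; only the model/alias naming is checked.
    """
    return "-device %s,tpmdev=tpm-%s,id=%s" % (tpm["model"], tpm["alias"], tpm["alias"])


def find_tpm_conflicts(domains):
    """domains: {name: domain_xml} for guests meant to run at the same time.

    Returns {host_path: [names, ...]} for every host TPM claimed by more than
    one domain. Passthrough needs exclusive access, so the second guest to
    start would fail with 'Could not open TPM device ...: Device or resource busy'.
    """
    claims = defaultdict(list)
    for name, xml in domains.items():
        tpm = parse_tpm_passthrough(xml)
        if tpm is not None:
            claims[tpm["path"]].append(name)
    return {path: names for path, names in claims.items() if len(names) > 1}


def _domain(name, tpm_fragment):
    """Wrap a <tpm> fragment in a minimal domain document (constructed sample)."""
    return ("<domain type='kvm'><name>%s</name><devices>%s</devices></domain>"
            % (name, tpm_fragment))


# Constructed <tpm> fragments mirroring the scenarios in the verification.
CRB_TPM = ("<tpm model='tpm-crb'><backend type='passthrough'>"
           "<device path='/dev/tpm0'/></backend><alias name='tpm0'/></tpm>")
TIS_TPM = ("<tpm model='tpm-tis'><backend type='passthrough'>"
           "<device path='/dev/tpm0'/></backend><alias name='tpm0'/></tpm>")
TWO_TPMS = CRB_TPM + "<tpm><backend type='passthrough'/></tpm>"


if __name__ == "__main__":
    vm1 = parse_tpm_passthrough(_domain("avocado-vt-vm1", CRB_TPM))
    print(expected_qemu_device(vm1))
    print(find_tpm_conflicts({"avocado-vt-vm1": _domain("avocado-vt-vm1", CRB_TPM),
                              "avocado-vt-vm2": _domain("avocado-vt-vm2", TIS_TPM)}))
    try:
        parse_tpm_passthrough(_domain("avocado-vt-vm2", TWO_TPMS))
    except TpmConfigError as err:
        print("rejected:", err)
```

Feed `find_tpm_conflicts` the output of `virsh dumpxml` for each domain you intend to run on the host; any path it reports is one that only the first guest to start will actually get, exactly as Scenario 3 step 1 shows.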