Bug 1828045
| Summary: | Windows 10 1903+ VM does not provide valid TPM 2.0 info | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Advanced Virtualization | Reporter: | ybendito |
| Component: | libtpms | Assignee: | Marc-Andre Lureau <marcandre.lureau> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Qinghua Cheng <qcheng> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | --- | CC: | ailan, chhu, coli, jinzhao, juzhang, lijin, lkotek, lmen, marcandre.lureau, mdean, mkedzier, qcheng, stefanb, virt-maint, xiagao, xuzhang, yanqzhan, yvugenfi |
| Target Milestone: | rc | Keywords: | TestOnly, Triaged |
| Target Release: | 8.3 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-08-04 05:09:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1809676, 1809778 | ||
| Bug Blocks: | 1774158 | ||
|
Description
ybendito
2020-04-26 12:33:12 UTC
Attempt to find a solution via Microsoft support (pointing on regression between 1809 and 1903) was unsuccessful. Ticket number: 120020625000478; Is get-tpm just one command that doesn't work or is TPM 2 via swtpm generally not usable on this version of Windows? Do you have a list of the HLK failures? I know certificates can be an issue with the TPM 2, I have heared about HLK now complaining about CRB not using interrupts, but what other ones are there? Can be also related to https://bugzilla.redhat.com/show_bug.cgi?id=1744045 The explanation required doing reverse engineering of TPM providers (tpm.sys/TpmCoreProvisioning.dll).
On newest version of Windows (>=1903) Microsoft decided that ManufacturerVersion field
is manadatory when get-tpm command is executed. If it is not somehow provided, get-tpm
command is finished with exception.
The question is what is that ManufacturerVersion? TPM specification doesn't define it or
even mentions it (or at least I've not found it).
So in short: this is just a primitive security check done by Windows OS to make sure that TPM device is
real hardware. Microsoft called function responsilbe for doing this check HWSecurityBooster.
When TPM emulator provides manufacturer name ("IBM " in our case) in response TPM_CAP_TPM_PROPERTIES, this
function checks manufacturer's name against list of predefined names (Altera, AMD, Rockhip, ...).
However, for IBM case it checks predefined "IBM" against our "IBM ". And because there is a space instead
of 0, it throws an exception.
To the solution is to remove space:
-#define MANUFACTURER "IBM "
+#define MANUFACTURER "IBM"
in file src/tpm2/VendorString.h
After that get-tpm command works and ManufacturerVersion provides info. It works also on older systems.
Ok, we may be able to fix this. Does this help with the HLK tests, though? Checked with banch stable-0.7.0.next of libtpm - this fix also helps with one of the HLK test which was previously failing. (In reply to Marek Kedzierski from comment #7) > Checked with banch stable-0.7.0.next of libtpm - this fix also helps with > one of the HLK test which was previously failing. Merge now into stable-0.7.0. I'll tag it as 0.7.1 soon. Yes, ON_QA is ok. (In reply to Marek Kedzierski from comment #14) > Let's summary: > > When Windows OS communicates with vTPM (libtpms) in one of requests it asks > for TPM manufacturer name. > libtpms responds with 'IBM ' string (space at the end). > However, Windows OS keeps predefined list of supported manufacturers and IBM > is defined there as > 'IBM' (without space). So comparison fails because of difference. > > This check is used in at least two places in Windows OS: > - the mentioned Windows command (get-tpm) crashes and doesn't display > information about > TPM status because 'IBM ' is not on the list of supported vendors. > - one of the HLK tests is failing for the same reason ('IBM ' is not on the > list > of supported vendors) > > That's why changing the name from 'IBM ' to 'IBM' in libtpms solves the > problem. For reference that's: https://github.com/stefanberger/libtpms/commit/819caa4be844161deeac457ac98d26295a0a1995 Change was made for libtpms 0.8.0 (although no tag exists in the repo) Verified on rhel 8.3
Kernel: 4.18.0-223.el8.x86_64
qemu-kvm: qemu-kvm-5.0.0-0.module+el8.3.0+6620+5d5e1420.x86_64
libtpms: libtpms-0.7.2-1.20200527git7325acb477.module+el8.3.0+7068+4e1b8df5.x86_64
swtpm: swtpm-0.3.0-1.20200218git74ae43b.module+el8.3.0+7102+0b79cc3a.x86_64
windows 10 (2004)
Attach a vtpm device to guest VM, run get-tpm command in powershell got following output:
get-tpm
TpmPresent : True
TpmReady : True
TpmEnabled : True
TpmActivated : True
TpmOwned : True
RestartPending : False
ManufacturerId : 1229081856
ManufacturerIdTxt : IBM
ManufacturerVersion : 8215.1561.22.13878
ManufacturerVersionFull20 : 8215.1561.22.13878
ManagedAuthLevel : Full
OwnerAuth : gpbrzOZEUlNi8mflQ5roRHniy80=
OwnerClearDisabled : False
AutoProvisioning : Enabled
LockedOut : False
LockoutHealTime : 10 minutes
LockoutCount : 0
LockoutMax : 31
SelfTest : {}
|