Bug 2029612
| Summary: | Rebase swtpm to at least 0.7.0 for rhel-8.6 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | John Ferlan <jferlan> |
| Component: | swtpm | Assignee: | Marc-Andre Lureau <marcandre.lureau> |
| Status: | CLOSED ERRATA | QA Contact: | Yanqiu Zhang <yanqzhan> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.6 | CC: | abologna, coli, ddepaula, jferlan, jsuchane, kkiwi, marcandre.lureau, meili, mprivozn, qcheng, virt-bugs, virt-maint, xuzhang, yanqzhan, yidliu |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | swtpm-0.7.0-1.20211109gitb79fd91.module+el8.6.0+13853+e8cd34b9 | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 2021580 | Environment: | |
| Last Closed: | 2022-05-10 13:24:19 UTC | Type: | Feature Request |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1940893, 1972785, 2021580, 2021628 | | |
| Bug Blocks: | 1990153 | | |

Description
John Ferlan
2021-12-06 21:29:01 UTC
Moving to Marc-Andre since he owns the packages (we may need to fix the bugzilla components though)

This just makes sure what we have for RHEL 9.0 is the same for RHEL 8.6

Hi Marc-Andre,

I have encountered a failure with encrypted swtpm in RHEL8.6 gating job, but it can be passed in RHEL9 with swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64, so can I think this failure was caused by this bug? Or actually it's a new bug about vtpm encryption support in RHEL 8.6?
If it was caused by this bug, can we solve it as soon as possible? Because it will block our gating test.
Can you help me to check this issue? Thanks.

Test Version:
libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64
qemu-kvm-6.2.0-1.module+el8.6.0+13725+61ae1949.x86_64
swtpm-0.6.0-2.20210607gitea627b3.module+el8.6.0+12861+13975d62.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.module+el8.6.0+13725+61ae1949.x86_64

# virsh dumpxml avocado-vt-vm1 | grep tpm -B4
...
<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'>
    <encryption secret='b5714cef-5a84-45e1-bcde-adfe0d895b09'/>
  </backend>
</tpm>

# virsh start avocado-vt-vm1
error: Failed to start domain 'avocado-vt-vm1'
error: argument unsupported: /usr/bin/swtpm does not support passing passphrase via file descriptor

But in RHEL9, this feature can be passed.

Test Version:
libvirt-7.10.0-1.el9.x86_64
qemu-kvm-6.2.0-1.el9.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64

# virsh dumpxml avocado-vt-vm1 | grep tpm -B4
...
<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'>
    <encryption secret='6bd21af4-c870-4bcf-9f5a-399265d0098c'/>
  </backend>
</tpm>

# virsh start avocado-vt-vm1
Domain 'avocado-vt-vm1' started

(In reply to Meina Li from comment #5)
> # virsh start avocado-vt-vm1
> error: Failed to start domain 'avocado-vt-vm1'
> error: argument unsupported: /usr/bin/swtpm does not support passing
> passphrase via file descriptor

Hi, this is really strange. cmdarg-pwdfile-fd should be supported in swtpm 0.6.

Perhaps the simplest is now to update swtpm to 0.7 to fix this hopefully.

Could you check `swtpm_setup --print-capabilities` output? thanks

(In reply to Marc-Andre Lureau from comment #6)
>
> Hi, this is really strange. cmdarg-pwdfile-fd should be supported in swtpm
> 0.6.
>
> Perhaps the simplest is now to update swtpm to 0.7 to fix this hopefully.
>
> Could you check `swtpm_setup --print-capabilities` output? thanks

# swtpm_setup --print-capabilities
{ "type": "swtpm_setup", "features": [ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "tpm12-not-need-root", "tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072" ] }

We can see cmdarg-pwdfile-fd inside.

Hi,
The issue in comment 5 cannot be reproduced after upgrading swtpm to 0.7.0.

# avocado run --vt-type libvirt tpm_device..encrypted.basic --vt-machine-type q35
JOB ID : c78f63f73e7519a3ac82cfca9ee77964b4b45a90
JOB LOG : /root/avocado/job-results/job-2022-01-12T21.14-c78f63f/job.log
(1/1) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.basic: FAIL: VM 'avocado-vt-vm1' failed to start: error: Failed to start domain 'avocado-vt-vm1'\nerror: argument unsupported: /usr/bin/swtpm does not support passing passphrase via file descriptor (9.49 s)
RESULTS : PASS 0 | ERROR 0 | FAIL 1 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME : 10.08 s

# rpm -q libvirt qemu-kvm swtpm libtpms edk2-ovmf
libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64
qemu-kvm-6.2.0-2.module+el8.6.0+13738+17338784.x86_64
swtpm-0.6.0-2.20210607gitea627b3.module+el8.6.0+12861+13975d62.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.module+el8.6.0+13725+61ae1949.x86_64
edk2-ovmf-20210527gite1999b264f1f-3.el8.noarch

# yum upgrade swtpm

JOB ID : 29ce6abad4713c9a0670b670a41b2aacd476e0f0
JOB LOG : /root/avocado/job-results/job-2022-01-12T21.17-29ce6ab/job.log
(1/1) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.basic: PASS (69.33 s)
RESULTS : PASS 1 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME : 69.92 s

# rpm -q libvirt qemu-kvm swtpm libtpms edk2-ovmf
libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64
qemu-kvm-6.2.0-2.module+el8.6.0+13738+17338784.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.module+el8.6.0+13831+a03bf401.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.module+el8.6.0+13725+61ae1949.x86_64
edk2-ovmf-20210527gite1999b264f1f-3.el8.noarch

And since swtpm-0.7.0-1.*el8.6.0 is available, does this bug need to be moved to ON_QA? Thanks.

Vtpm regression test for linux guest PASS:
https://libvirt-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/libvirt/view/RHEL-8.6%20x86_64/job/libvirt-RHEL-8.6-runtest-x86_64-function-tpm_emulator/21/testReport/
(2 failed by existing bz2025520)

libvirt-8.0.0-1.module+el8.6.0+13888+55157bfb.x86_64
qemu-kvm-6.2.0-4.module+el8.6.0+13919+adb438db.x86_64
kernel-4.18.0-359.el8.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.module+el8.6.0+13853+e8cd34b9
libtpms-0.9.1-0.20211126git1ff6fe1f43

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1759
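
A pre-flight check a gating job could run before starting a guest with an encrypted vTPM, as an added example that is not part of the bug report or of swtpm/libvirt: it parses `--print-capabilities` JSON and names each binary that does not advertise passphrase passing via file descriptor. The function names are hypothetical, and the `cmdarg-pwd-fd` feature string and the `swtpm socket --print-capabilities` invocation for the swtpm binary itself are assumptions not shown in the thread, which only quotes the swtpm_setup output.

```python
import json

# Constructed samples. SETUP_CAPS copies the swtpm_setup output quoted in the
# thread; SWTPM_CAPS_OLD is a made-up swtpm reply lacking the fd feature.
SETUP_CAPS = ('{ "type": "swtpm_setup", "features": [ "cmdarg-keyfile-fd", '
              '"cmdarg-pwdfile-fd", "tpm12-not-need-root", '
              '"tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072" ] }')
SWTPM_CAPS_OLD = '{ "type": "swtpm", "features": [ "cmdarg-seccomp", "cmdarg-key-fd" ] }'

# Feature each binary must advertise before a passphrase can be handed over
# on a file descriptor. "cmdarg-pwdfile-fd" is from the page; "cmdarg-pwd-fd"
# for swtpm itself is an assumption that does not appear on the page.
REQUIRED = {"swtpm_setup": "cmdarg-pwdfile-fd", "swtpm": "cmdarg-pwd-fd"}


def parse_capabilities(text):
    """Return (type, set of features) from one --print-capabilities reply."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"capabilities output is not JSON: {exc}") from None
    if not isinstance(doc, dict) or not isinstance(doc.get("features"), list):
        raise ValueError("capabilities output has no 'features' list")
    return str(doc.get("type")), set(doc["features"])


def binaries_lacking_fd_passphrase(replies):
    """Name every binary in REQUIRED that was not probed or lacks its feature."""
    seen = {}
    for text in replies:
        kind, features = parse_capabilities(text)
        seen[kind] = features
    return sorted(name for name, feature in REQUIRED.items()
                  if feature not in seen.get(name, set()))


if __name__ == "__main__":
    # On a real host, feed in the stdout of `swtpm_setup --print-capabilities`
    # and `swtpm socket --print-capabilities` instead of the samples.
    lacking = binaries_lacking_fd_passphrase([SETUP_CAPS, SWTPM_CAPS_OLD])
    print("missing fd passphrase support:", lacking or "none")
```

A binary that was never probed is reported as lacking the feature, so checking swtpm_setup alone does not clear swtpm.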