Bug 2029612

Summary: Rebase swtpm to at least 0.7.0 for rhel-8.6
Product: Red Hat Enterprise Linux 8
Reporter: John Ferlan <jferlan>
Component: swtpm
Assignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA
QA Contact: Yanqiu Zhang <yanqzhan>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.6
CC: abologna, coli, ddepaula, jferlan, jsuchane, kkiwi, marcandre.lureau, meili, mprivozn, qcheng, virt-bugs, virt-maint, xuzhang, yanqzhan, yidliu
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: swtpm-0.7.0-1.20211109gitb79fd91.module+el8.6.0+13853+e8cd34b9
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 2021580
Environment:
Last Closed: 2022-05-10 13:24:19 UTC
Type: Feature Request
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1940893, 1972785, 2021580, 2021628
Bug Blocks: 1990153

Description John Ferlan 2021-12-06 21:29:01 UTC
+++ This bug was initially created as a clone of Bug #2021580 +++

+++ This bug was initially created as a clone of Bug #1972785 +++

+++ This bug was initially created as a clone of Bug #1972783 +++

Please rebase swtpm to at least 0.7.0 (to be released soon)

This is necessary to pick up the changes needed to disable SHA-1 PCR banks (see Bug 1935497)

Those are the relevant patches:
  * gets a config file option to specify the pcr banks which should be
    active by default.
https://github.com/stefanberger/swtpm/commit/a5cc0bf6e26eb4af5cbfd0e66fcd7e6af13f503d

  * gets support for reconfiguring the active pcr banks in an existing
    swtpm config
https://github.com/stefanberger/swtpm/commit/25d4ac2d3a7bf63ea2eb0621f0a1f416b7ce5481

--- Additional comment from RHEL Program Management on 2021-11-09 16:48:28 UTC ---

850ITRStrip 9BetaITRStrip AtFullFreeze

Attention assignees: This BZ was automatically returned to the backlog by changing the Internal Target Release (ITR) to '---'. The change was made because the final release+ deadline was passed and no request for an exception, blocker, or zstream was made.  Please consult with your PO and team to decide what action to take next with this BZ:

1. Important changes that cannot wait for the next minor release should request an exception or blocker (Reset ITR/ITM, set exception? or blocker?, save, then follow the instructions appended to the BZ).

2. Bug fixes that may be best managed post-release can start following the z-stream process (Set ZTR, ITR, and zstream? flag)

3. Changes that can wait for a future release can have their ITR/ITM set to the optimal release target.  Acks are preserved and release+ will again be added.

If you are unsure of what action to take it is safe to leave this BZ in the backlog for the time being.  You may wish to unset your acks in this case.

--- Additional comment from RHEL Program Management on 2021-11-09 16:48:28 UTC ---

Internal Target Release is not set so the Development Target Milestone has been unset.

--- Additional comment from Marc-Andre Lureau on 2021-11-09 19:00:38 UTC ---

upstream got released: https://github.com/stefanberger/swtpm/releases/tag/v0.7.0

--- Additional comment from Marc-Andre Lureau on 2021-11-12 13:48:24 UTC ---

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=41237963

--- Additional comment from errata-xmlrpc on 2021-11-12 13:53:20 UTC ---

This bug has been added to advisory RHEA-2021:84109 by Marc-Andre Lureau (mlureau)

--- Additional comment from errata-xmlrpc on 2021-11-12 13:53:20 UTC ---

Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHEA-2021:84109-01
https://errata.devel.redhat.com/advisory/84109

--- Additional comment from errata-xmlrpc on 2021-11-12 13:53:31 UTC ---

This bug has been added to advisory RHEA-2021:84109 by Marc-Andre Lureau (mlureau)

--- Additional comment from yanqzhan on 2021-11-15 01:30:33 UTC ---

Set ITM to 26 to ensure the last rebase version works well.

--- Additional comment from yanqzhan on 2021-11-24 07:29:49 UTC ---

Vtpm regression test for linux guest passed:
  swtpm-0.7.0-1.20211109gitb79fd91.el9
  libtpms-0.9.0-0.20211004gitdc4e3f6313.el9
  edk2-ovmf-20210527gite1999b264f1f-7.el
  libvirt-7.9.0-1.el9.x86_64
  qemu-kvm-6.1.0-6.el9.x86_64
  kernel-5.14.0-17.el9.x86_64
Job url:
  https://libvirt-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/libvirt-RHEL-9.0-runtest-x86_64-function-tpm_emulator/89/testReport/
    2 failed by kernel issue: bz2025520
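The two upstream patches listed in the description give an administrator two knobs: a swtpm_setup.conf default for which PCR banks a newly created TPM 2 state activates, and a way to reconfigure the banks of state that already exists. The following is an added example (not code from swtpm, libvirt or Red Hat) that plans such a change while refusing to leave SHA-1 active. It assumes the config key is spelled `active_pcr_banks` and that the reconfigure path is `swtpm_setup --reconfigure --pcr-banks <list> --tpmstate <dir> --tpm2`; both spellings are assumptions, not taken from this report, so check `man swtpm_setup` on the rebased package.

```python
"""Plan an swtpm PCR-bank change that drops the SHA-1 bank.

Added example for this bug report; it is not code from swtpm, libvirt or Red Hat.
Assumptions not taken from the report: swtpm 0.7.0's /etc/swtpm_setup.conf takes
`active_pcr_banks = <comma-separated list>`, and `swtpm_setup --reconfigure
--pcr-banks <list> --tpmstate <dir> --tpm2` rewrites the bank selection of an
existing TPM 2 state directory. Bank names are spelled as swtpm_setup prints them.
"""
from __future__ import annotations

KNOWN_BANKS = ("sha1", "sha256", "sha384", "sha512")
WEAK_BANKS = frozenset({"sha1"})  # policy: never leave SHA-1 active


def choose_banks(supported, requested):
    """Banks to activate: the requested ones, in order, limited to what the TPM
    supports and with weak banks stripped. Fails closed instead of silently
    falling back to SHA-1 when nothing acceptable is left."""
    supported = {b.lower() for b in supported}
    requested = [b.lower() for b in requested]
    unknown = [b for b in requested if b not in KNOWN_BANKS]
    if unknown:
        raise ValueError(f"unknown PCR bank name(s): {unknown}")
    chosen = [b for b in requested if b in supported and b not in WEAK_BANKS]
    if not chosen:
        raise ValueError("no non-SHA-1 PCR bank available; refusing to configure")
    return chosen


def config_line(banks):
    """The swtpm_setup.conf line (assumed key name) that makes `banks` the
    default for every TPM state swtpm_setup creates from now on."""
    return f"active_pcr_banks = {','.join(banks)}"


def reconfigure_argv(state_dir, banks, currently_active):
    """argv to reconfigure an existing state, or None if it already matches.
    Order is ignored: the set of active banks is what matters."""
    if set(currently_active) == set(banks):
        return None
    return [
        "swtpm_setup", "--tpm2",
        "--tpmstate", state_dir,  # assumed: plain directory path
        "--reconfigure",
        "--pcr-banks", ",".join(banks),
    ]


if __name__ == "__main__":
    # Constructed input: a TPM whose state currently has sha1 and sha256 active.
    supported = ["sha1", "sha256", "sha384", "sha512"]
    banks = choose_banks(supported, ["sha256", "sha384", "sha1"])
    print(config_line(banks))
    argv = reconfigure_argv("/var/lib/libvirt/swtpm/guest1/tpm2", banks,
                            ["sha1", "sha256"])
    print(" ".join(argv) if argv else "already configured")
```

Reconfiguring an existing state changes which banks the guest's TPM reports, so anything the guest sealed against SHA-1 PCR values will no longer unseal afterwards; plan that before running the command against production state.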

Comment 1 John Ferlan 2021-12-06 21:36:07 UTC
Moving to Marc-Andre since he owns the packages (we may need to fix the bugzilla components though)

This just makes sure what we have for RHEL 9.0 is the same for RHEL 8.6

Comment 5 Meina Li 2021-12-24 02:05:49 UTC
Hi Marc-Andre,

I have encountered a failure with encrypted swtpm in the RHEL8.6 gating job, but it passes in RHEL9 with swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64, so can I think this failure was caused by this bug? Or is it actually a new bug about vtpm encryption support in RHEL 8.6?

If it was caused by this bug, can we solve it as soon as possible? Because it will block our gating test.

Can you help me to check this issue? Thanks.

Test Version:
libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64
qemu-kvm-6.2.0-1.module+el8.6.0+13725+61ae1949.x86_64
swtpm-0.6.0-2.20210607gitea627b3.module+el8.6.0+12861+13975d62.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.module+el8.6.0+13725+61ae1949.x86_64

# virsh dumpxml avocado-vt-vm1 | grep tpm -B4
...
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='b5714cef-5a84-45e1-bcde-adfe0d895b09'/>
      </backend>
    </tpm>

# virsh start avocado-vt-vm1
error: Failed to start domain 'avocado-vt-vm1'
error: argument unsupported: /usr/bin/swtpm does not support passing passphrase via file descriptor

But in RHEL9, this feature can be passed.

Test Version:
libvirt-7.10.0-1.el9.x86_64
qemu-kvm-6.2.0-1.el9.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64

# virsh dumpxml avocado-vt-vm1 | grep tpm -B4
...
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='6bd21af4-c870-4bcf-9f5a-399265d0098c'/>
      </backend>
    </tpm>
# virsh start avocado-vt-vm1
Domain 'avocado-vt-vm1' started

Comment 6 Marc-Andre Lureau 2021-12-24 08:03:25 UTC
(In reply to Meina Li from comment #5)
> # virsh start avocado-vt-vm1
> error: Failed to start domain 'avocado-vt-vm1'
> error: argument unsupported: /usr/bin/swtpm does not support passing
> passphrase via file descriptor

Hi, this is really strange. cmdarg-pwdfile-fd should be supported in swtpm 0.6.

Perhaps the simplest is now to update swtpm to 0.7, which hopefully fixes this.

Could you check `swtpm_setup --print-capabilities` output? thanks

Comment 7 Meina Li 2021-12-27 02:16:54 UTC
(In reply to Marc-Andre Lureau from comment #6)
> 
> Hi, this is really strange. cmdarg-pwdfile-fd should be supported in swtpm
> 0.6.
> 
> Perhaps the simplest is now to update swtpm to 0.7 to fix this hopefully.
> 
> Could you check `swtpm_setup --print-capabilities` output? thanks

# swtpm_setup --print-capabilities
{ "type": "swtpm_setup", "features": [ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "tpm12-not-need-root", "tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072" ] }

We can see cmdarg-pwdfile-fd inside.
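For anyone reproducing this check: libvirt probes two binaries, not one. The daemon is queried with `swtpm socket --print-capabilities` and must report `cmdarg-pwd-fd`; the state-initialisation helper is queried with `swtpm_setup --print-capabilities` and must report `cmdarg-pwdfile-fd`. The error text in comment 5 names /usr/bin/swtpm, so the daemon-side list is the one worth looking at when the swtpm_setup list already looks right. The following is an added example (not libvirt or swtpm code) that validates both JSON documents and reports which required feature is missing from which tool. The swtpm_setup sample is the output pasted in comment 7; the two swtpm samples and the `version` key are constructed for illustration.

```python
"""Preflight for libvirt's encrypted swtpm emulator backend.

Added example for this bug report; it is not libvirt or swtpm code. libvirt
probes two binaries with --print-capabilities and reads a JSON feature list
from each; the passphrase-over-fd feature has a different name in each:
  swtpm socket --print-capabilities  -> "cmdarg-pwd-fd"     (the daemon, /usr/bin/swtpm)
  swtpm_setup --print-capabilities   -> "cmdarg-pwdfile-fd" (state initialisation)
The sample documents below are constructed: the swtpm_setup one is the output
pasted in comment 7; the swtpm ones are assumed outputs, one with and one
without the daemon-side feature. The "version" key is an assumption.
"""
import json
import subprocess

# Feature names as swtpm spells them in --print-capabilities output.
REQUIRED = {
    "swtpm": ("cmdarg-pwd-fd",),          # daemon must accept --key pwdfd=<fd>
    "swtpm_setup": ("cmdarg-pwdfile-fd",),
}

PROBES = {
    "swtpm": ["swtpm", "socket", "--print-capabilities"],
    "swtpm_setup": ["swtpm_setup", "--print-capabilities"],
}

SAMPLE_SETUP_CAPS = (
    '{ "type": "swtpm_setup", "features": [ "cmdarg-keyfile-fd", '
    '"cmdarg-pwdfile-fd", "tpm12-not-need-root", "tpm2-rsa-keysize-2048", '
    '"tpm2-rsa-keysize-3072" ] }'
)
SAMPLE_SWTPM_CAPS_OK = (
    '{ "type": "swtpm", "features": [ "cmdarg-seccomp", "cmdarg-key-fd", '
    '"cmdarg-pwd-fd", "tpm-send-command-header", "tpm-1.2", "tpm-2.0" ], '
    '"version": "0.7.0" }'
)
SAMPLE_SWTPM_CAPS_OLD = (
    '{ "type": "swtpm", "features": [ "cmdarg-seccomp", '
    '"tpm-send-command-header", "tpm-1.2", "tpm-2.0" ] }'
)


def parse_caps(text, expected_type):
    """Validate one --print-capabilities document and return its feature set.
    Strict on shape so a wrong binary or truncated output is reported, not ignored."""
    doc = json.loads(text)
    if doc.get("type") != expected_type:
        raise ValueError(f"expected type {expected_type!r}, got {doc.get('type')!r}")
    feats = doc.get("features")
    if not isinstance(feats, list) or not all(isinstance(f, str) for f in feats):
        raise ValueError("features must be a list of strings")
    return frozenset(feats)


def missing_features(caps_by_tool):
    """Map tool -> required features it lacks. An empty dict means both sides
    can take the state passphrase over a file descriptor."""
    missing = {}
    for tool, needed in REQUIRED.items():
        have = caps_by_tool.get(tool, frozenset())
        lacking = [f for f in needed if f not in have]
        if lacking:
            missing[tool] = lacking
    return missing


def query_host():
    """Run the real probes on this host and return {tool: feature set}."""
    caps = {}
    for tool, argv in PROBES.items():
        out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
        caps[tool] = parse_caps(out, tool)
    return caps


if __name__ == "__main__":
    try:
        report = missing_features(query_host())
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        print(f"probe failed: {exc}")
    else:
        print("ok" if not report else f"missing: {report}")
```

Run it as root on the host that libvirt uses; a tool absent from the result (for example because only swtpm_setup was probed) is reported as missing rather than passed over, which is the fail-closed behaviour you want from a preflight.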

Comment 8 Yanqiu Zhang 2022-01-13 02:42:11 UTC
Hi, 
The issue in comment 5 cannot be reproduced after upgrading swtpm to 0.7.0.

# avocado run --vt-type libvirt tpm_device..encrypted.basic  --vt-machine-type q35
JOB ID     : c78f63f73e7519a3ac82cfca9ee77964b4b45a90
JOB LOG    : /root/avocado/job-results/job-2022-01-12T21.14-c78f63f/job.log
 (1/1) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.basic: FAIL: VM 'avocado-vt-vm1' failed to start: error: Failed to start domain 'avocado-vt-vm1'\nerror: argument unsupported: /usr/bin/swtpm does not support passing passphrase via file descriptor (9.49 s)
RESULTS    : PASS 0 | ERROR 0 | FAIL 1 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME   : 10.08 s
# rpm -q libvirt qemu-kvm swtpm libtpms edk2-ovmf
libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64
qemu-kvm-6.2.0-2.module+el8.6.0+13738+17338784.x86_64
swtpm-0.6.0-2.20210607gitea627b3.module+el8.6.0+12861+13975d62.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.module+el8.6.0+13725+61ae1949.x86_64
edk2-ovmf-20210527gite1999b264f1f-3.el8.noarch

# yum upgrade swtpm

JOB ID     : 29ce6abad4713c9a0670b670a41b2aacd476e0f0
JOB LOG    : /root/avocado/job-results/job-2022-01-12T21.17-29ce6ab/job.log
 (1/1) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.basic: PASS (69.33 s)
RESULTS    : PASS 1 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME   : 69.92 s
# rpm -q libvirt qemu-kvm swtpm libtpms edk2-ovmf
libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64
qemu-kvm-6.2.0-2.module+el8.6.0+13738+17338784.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.module+el8.6.0+13831+a03bf401.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.module+el8.6.0+13725+61ae1949.x86_64
edk2-ovmf-20210527gite1999b264f1f-3.el8.noarch


And since swtpm-0.7.0-1.*el8.6.0 is available, does this bug need to be moved to ON_QA?

Thanks.

Comment 12 Yanqiu Zhang 2022-01-24 03:04:09 UTC
Vtpm regression test for linux guest PASS:
https://libvirt-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/libvirt/view/RHEL-8.6%20x86_64/job/libvirt-RHEL-8.6-runtest-x86_64-function-tpm_emulator/21/testReport/
(2 failed by existing bz2025520)
libvirt-8.0.0-1.module+el8.6.0+13888+55157bfb.x86_64
qemu-kvm-6.2.0-4.module+el8.6.0+13919+adb438db.x86_64
kernel-4.18.0-359.el8.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.module+el8.6.0+13853+e8cd34b9
libtpms-0.9.1-0.20211126git1ff6fe1f43

Comment 14 errata-xmlrpc 2022-05-10 13:24:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1759