Bug 2035888

Summary: Managedsave-edit should forbid modify some tpm configs such as pcrbank
Product: Red Hat Enterprise Linux 9 Reporter: Yanqiu Zhang <yanqzhan>
Component: libvirt Assignee: Michal Privoznik <mprivozn>
libvirt sub component: General QA Contact: Yanqiu Zhang <yanqzhan>
Status: CLOSED ERRATA Docs Contact:
Severity: unspecified    
Priority: unspecified CC: dyuan, fjin, jdenemar, jsuchane, marcandre.lureau, mprivozn, qcheng, virt-maint, xuzhang, yanqzhan
Version: 9.0 Keywords: Triaged, Upstream
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-8.0.0-0rc1.1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 12:45:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version: 8.0.0
Embargoed:

Description Yanqiu Zhang 2021-12-28 10:59:48 UTC
Description of problem:
Modifying tpm pcrbanks with managedsave-edit only changes the guest xml; it does not take actual effect on the vtpm device inside the guest. Since restore does not trigger a new swtpm_setup, the changed pcrbank will never take effect. Managedsave-edit should forbid modifying some tpm configs such as pcrbanks.

Version-Release number of selected component (if applicable):
libvirt-7.10.0-1.el9.x86_64
qemu-kvm-6.2.0-1.el9.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64
edk2-ovmf-20210527gite1999b264f1f-7.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1. Start a guest with a vtpm device using the sha384 pcrbank
# virsh start vm2-ovmf
Domain 'vm2-ovmf' started
# virsh dumpxml vm2-ovmf |grep /tpm -B10
    </input>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='b4a117f1-8af2-44a4-91b8-7f0d2d4d68a3'/>
      >
        <active_pcr_banks>
          <sha384/>
        </active_pcr_banks>
      </backend>
      <alias name='tpm0'/>
    </tpm>

2.Check pcr bank in guest os, only pcrbank sha384 has pcr values:
# virsh console vm2-ovmf
[root@localhost ~]# tpm2_getrandom --hex 16
68170e8a865a9c647a09cba2b6e6b06b[root@localhost ~]# tpm2_pcrread
sha1:
sha256:
sha384:
  0 : 0x4733994C26A92B2FA846147945864EB788C3D1A55401A0A647008B006DF2878A5609C0491FA1937E5FC56640B3835245
  1 : 0x6C340682CE451190A62A323D3AFA396289725C1BA094A91A32CFBC800486CAD0DC50D88C33C05A15BDAC92F274CB258F
  ...
  23: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
sha512:

3.Managedsave and edit guest to use sha512 instead:
# virsh managedsave vm2-ovmf

Domain 'vm2-ovmf' state saved by libvirt

# virsh managedsave-edit vm2-ovmf
Managed save image of Domain 'vm2-ovmf' XML configuration edited.
 
# virsh start vm2-ovmf
Domain 'vm2-ovmf' started

# virsh dumpxml vm2-ovmf |grep /tpm -B9
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='b4a117f1-8af2-44a4-91b8-7f0d2d4d68a3'/>
      >
        <active_pcr_banks>
          <sha512/>
        </active_pcr_banks>
      </backend>
      <alias name='tpm0'/>
    </tpm>

4. Check pcrbanks in guest os again, guest still uses sha384 pcrbank:
[root@localhost ~]# tpm2_getrandom --hex 16
befbb6bd2ec985b2ec963c03a81bb4f3[root@localhost ~]# tpm2_pcrread
sha1:
sha256:
sha384:
  0 : 0x4733994C26A92B2FA846147945864EB788C3D1A55401A0A647008B006DF2878A5609C0491FA1937E5FC56640B3835245
  1 : 0x6C340682CE451190A62A323D3AFA396289725C1BA094A91A32CFBC800486CAD0DC50D88C33C05A15BDAC92F274CB258F
...
  23: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
sha512:


Actual results:
As in step 3 and step 4, the guest was restored with the modified pcrbank in the guest xml, but that didn't take effect for the vtpm device in the guest OS.

Expected results:
Managedsave-edit should forbid modifying some tpm configs such as pcrbank.


Additional info:
1. After step 1, checking the log we can see that on a fresh start swtpm_setup used the new sha384 pcrbank to reconfigure the tpm:
# grep 'to run /usr/bin/swtpm' /var/log/libvirt/libvirtd.log
2021-12-28 09:26:32.015+0000: 2780715: debug : virCommandRunAsync:2629 : About to run /usr/bin/swtpm_setup --tpm2 --pwdfile-fd 33 --cipher aes-256-cbc --tpm-state /var/lib/libvirt/swtpm/699960f3-9eaa-4804-8263-ce1206e34054/tpm2 --vmid vm2-ovmf:699960f3-9eaa-4804-8263-ce1206e34054 --logfile /var/log/swtpm/libvirt/qemu/vm2-ovmf-swtpm.log --createek --create-ek-cert --create-platform-cert --lock-nvram --not-overwrite
2021-12-28 09:26:32.117+0000: 2780715: debug : virCommandRunAsync:2629 : About to run /usr/bin/swtpm_setup --tpm2 --pwdfile-fd 33 --cipher aes-256-cbc --tpm-state /var/lib/libvirt/swtpm/699960f3-9eaa-4804-8263-ce1206e34054/tpm2 --logfile /var/log/swtpm/libvirt/qemu/vm2-ovmf-swtpm.log --pcr-banks sha384 --reconfigure
2021-12-28 09:26:32.153+0000: 2780715: debug : virCommandRunAsync:2629 : About to run /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/44-vm2-ovmf-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/699960f3-9eaa-4804-8263-ce1206e34054/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/vm2-ovmf-swtpm.log --terminate --tpm2 --pid file=/run/libvirt/qemu/swtpm/44-vm2-ovmf-swtpm.pid --key pwdfd=33,mode=aes-256-cbc --migration-key pwdfd=35,mode=aes-256-cbc
# grep sha /var/log/swtpm/libvirt/qemu/vm2-ovmf-swtpm.log
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully activated PCR banks sha384 among sha1,sha256,sha384,sha512.

2. After step 4, checking the log again we can see that restore does not trigger a new swtpm_setup, so the changed pcrbank sha512 will never take effect:
2021-12-28 09:31:37.131+0000: 2780381: debug : virCommandRunAsync:2629 : About to run /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/45-vm2-ovmf-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/699960f3-9eaa-4804-8263-ce1206e34054/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/vm2-ovmf-swtpm.log --terminate --tpm2 --pid file=/run/libvirt/qemu/swtpm/45-vm2-ovmf-swtpm.pid --key pwdfd=34,mode=aes-256-cbc --migration-key pwdfd=36,mode=aes-256-cbc

3. Migrating with --xml can also modify the tpm pcrbanks in the target live xml, but inside the guest the tpm pcrbank is also not changed. The swtpm_setup cmd is executed, but with no pcrbank-related change:
# virsh migrate vm-ovmf --live qemu+ssh://dell-per730-39.lab.eng.pek2.redhat.com/system --verbose --p2p  --xml vm-ovmf.xml-mig 
Migration: [100 %]

[targethost]#  grep 'to run /usr/bin/swtpm' /var/log/libvirt/libvirtd.log
2021-12-28 09:47:26.364+0000: 2780715: debug : virCommandRunAsync:2629 : About to run /usr/bin/swtpm_setup --tpm2 --pwdfile-fd 33 --cipher aes-256-cbc --tpm-state /var/lib/libvirt/swtpm/bbd16783-8077-43f3-bf37-3f0c486cc586/tpm2 --overwrite
2021-12-28 09:47:26.393+0000: 2780715: debug : virCommandRunAsync:2629 : About to run /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/46-vm-ovmf-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/bbd16783-8077-43f3-bf37-3f0c486cc586/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/vm-ovmf-swtpm.log --terminate --tpm2 --pid file=/run/libvirt/qemu/swtpm/46-vm-ovmf-swtpm.pid --key pwdfd=33,mode=aes-256-cbc --migration-key pwdfd=35,mode=aes-256-cbc
[targethost]# grep sha /var/log/swtpm/libvirt/qemu/vm2-ovmf-swtpm.log
(nothing)
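The log comparison above can be automated. The following is an added example, not part of the original report or of libvirt: it reads libvirtd debug lines, records which banks swtpm_setup last applied to each TPM state directory, and reports where the banks declared in the live XML differ. The sample log is constructed and shortened from the lines quoted above; the state path placeholder and the function names are assumptions.

```python
import re
import shlex

RUN_RE = re.compile(r"^(\S+ \S+): \d+: debug : virCommandRunAsync:\d+ : About to run (.+)$")

# Constructed sample, shortened from the log lines quoted in this report.
STATE = "/var/lib/libvirt/swtpm/EXAMPLE-UUID/tpm2"
PREFIX = ": 2780715: debug : virCommandRunAsync:2629 : About to run /usr/bin/"
SAMPLE_LOG = [
    f"2021-12-28 09:26:32.015+0000{PREFIX}swtpm_setup --tpm2 --tpm-state {STATE} --createek --not-overwrite",
    f"2021-12-28 09:26:32.117+0000{PREFIX}swtpm_setup --tpm2 --tpm-state {STATE} --pcr-banks sha384 --reconfigure",
    f"2021-12-28 09:26:32.153+0000{PREFIX}swtpm socket --daemon --tpmstate dir={STATE},mode=0600 --tpm2",
    f"2021-12-28 09:31:37.131+0000{PREFIX}swtpm socket --daemon --tpmstate dir={STATE},mode=0600 --tpm2",
]


def _value(argv, option):
    """Return the argument that follows `option`, or None when it is absent."""
    return argv[argv.index(option) + 1] if option in argv[:-1] else None


def applied_banks(lines):
    """Map each TPM state dir to the banks last set by swtpm_setup and later launches."""
    states = {}
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        argv = shlex.split(m.group(2))
        if argv[0].endswith("/swtpm_setup") and _value(argv, "--pcr-banks"):
            banks = frozenset(_value(argv, "--pcr-banks").split(","))
            states[_value(argv, "--tpm-state")] = {"banks": banks, "set_at": m.group(1), "launches": []}
        elif argv[0].endswith("/swtpm") and "socket" in argv:
            spec = _value(argv, "--tpmstate") or ""
            state = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv).get("dir")
            if state in states:
                states[state]["launches"].append(m.group(1))
    return states


def find_drift(lines, declared):
    """Return {state dir: (declared, applied)} where the XML and the vTPM disagree."""
    drift = {}
    for state, info in applied_banks(lines).items():
        want = frozenset(declared.get(state, info["banks"]))
        if want != info["banks"]:
            drift[state] = (sorted(want), sorted(info["banks"]))
    return drift
```

`declared` maps a state directory to a list of bank names taken from the live XML, for example `find_drift(SAMPLE_LOG, {STATE: ["sha512"]})`. This only works when libvirtd debug logging is enabled.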

Comment 1 Michal Privoznik 2022-01-04 08:19:26 UTC
I believe the same issue exists on migration, e.g. when an additional XML is provided during migration that changes <active_pcr_banks/>. The fix should be simple - we are lacking an ABI stability check.

Comment 2 Michal Privoznik 2022-01-04 08:29:46 UTC
Patch posted upstream:

https://listman.redhat.com/archives/libvir-list/2022-January/msg00052.html

Comment 3 Michal Privoznik 2022-01-04 08:47:23 UTC
Merged upstream as:

commit 1ce27fa7761248ab9d8e142eb957432527280df0
Author:     Michal Prívozník <mprivozn>
AuthorDate: Tue Jan 4 09:26:08 2022 +0100
Commit:     Michal Prívozník <mprivozn>
CommitDate: Tue Jan 4 09:42:01 2022 +0100

    conf: Extend TPM ABI stability check for <active_pcr_banks/>
    
    Changing <active_pcr_banks/> means changing the guest ABI and as
    such must be prevented on both restoring from a file or
    migration.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2035888
    Signed-off-by: Michal Privoznik <mprivozn>
    Reviewed-by: Peter Krempa <pkrempa>

v7.10.0-397-g1ce27fa776

Comment 10 Yanqiu Zhang 2022-01-24 11:39:10 UTC
Verify on:
libvirt-8.0.0-1.el9.x86_64
qemu-kvm-6.2.0-3.el9.x86_64

Scenarios:
1. From no pcrbank to having one
From:
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='e7442270-f813-4e48-a57b-5a5ff9d67ace'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>
To:
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
              <encryption secret='e7442270-f813-4e48-a57b-5a5ff9d67ace'/>
         <active_pcr_banks>
          <sha512/>
        </active_pcr_banks>
      </backend>
    </tpm>
2. Change pcrbank value
From:
        <active_pcr_banks>
          <sha385/>
        </active_pcr_banks>
To:
        <active_pcr_banks>
          <sha256/>
        </active_pcr_banks>
3. From having a pcrbank to none
From:
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
         <encryption secret='e7442270-f813-4e48-a57b-5a5ff9d67ace'/>
         <active_pcr_banks>
          <sha384/>
        </active_pcr_banks>
      </backend>
    </tpm>
To:
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='e7442270-f813-4e48-a57b-5a5ff9d67ace'/>
      </backend>
    </tpm>
4. Unsupported value

Steps:
1.Managedsave/Save-edit
# virsh managedsave-edit myuefi 
error: unsupported configuration: Target active PCR banks doesn't match source
Failed. Try again? [y,n,f,?]: 

# virsh save-image-edit /var/lib/libvirt/qemu/save/myuefi.save 
error: unsupported configuration: Target active PCR banks doesn't match source
Failed. Try again? [y,n,f,?]: 

# virsh managedsave-edit myuefi
error: unsupported configuration: Unsupported PCR banks 'sha224'
Failed. Try again? [y,n,f,?]: 

# virsh save-image-edit /var/lib/libvirt/qemu/save/myuefi.save 
error: unsupported configuration: Unsupported PCR banks 'sha224'
Failed. Try again? [y,n,f,?]: 

2. Managedsave/Save-define
# virsh managedsave-dumpxml myuefi > myuefisave.xml 
# vim myuefisave.xml 
# virsh managedsave-define myuefi myuefisave.xml 
error: Failed to update myuefi XML configuration
error: unsupported configuration: Target active PCR banks doesn't match source

#  virsh save-image-define  /var/lib/libvirt/qemu/save/myuefi.save  myuefisave.xml
error: Failed to update /var/lib/libvirt/qemu/save/myuefi.save
error: unsupported configuration: Target active PCR banks doesn't match source

# virsh managedsave-define myuefi save.xml 
error: Failed to update myuefi XML configuration
error: unsupported configuration: Unsupported PCR banks 'sha224'

# virsh save-image-define /var/lib/libvirt/qemu/save/myuefi.save save.xml 
error: Failed to update /var/lib/libvirt/qemu/save/myuefi.save
error: unsupported configuration: Unsupported PCR banks 'sha224'

3. Migrate with --xml:
# virsh migrate myuefi --live qemu+ssh://hostb/system --verbose  --xml myuefimig.xml 
error: unsupported configuration: Target active PCR banks doesn't match source

# virsh migrate myuefi --live qemu+ssh://hostb/system --verbose  --xml mig.xml-invalidpcr 
error: unsupported configuration: Unsupported PCR banks 'sha224'
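The behaviour verified above can be reproduced as a pre-flight check before calling managedsave-define, save-image-define or migrate --xml. This is an added example, not libvirt's code: it compares the <active_pcr_banks/> sets of two domain XMLs and rejects unknown banks first, as the error output above does. The function names and the constructed sample XML are assumptions; the supported bank list is taken from the swtpm log line quoted in the description.

```python
import xml.etree.ElementTree as ET

# Banks swtpm listed as available in the log quoted in this bug.
SUPPORTED_BANKS = {"sha1", "sha256", "sha384", "sha512"}


def active_pcr_banks(domain_xml):
    """Return one frozenset of bank names per emulator TPM, in document order."""
    root = ET.fromstring(domain_xml)
    result = []
    for backend in root.iterfind("./devices/tpm/backend[@type='emulator']"):
        banks = backend.find("active_pcr_banks")
        # A missing element and an empty one are both treated as "no banks set".
        names = frozenset(c.tag for c in banks) if banks is not None else frozenset()
        result.append(names)
    return result


def check_pcr_bank_stability(source_xml, target_xml):
    """Return a list of problems; an empty list means the banks are unchanged."""
    src, dst = active_pcr_banks(source_xml), active_pcr_banks(target_xml)
    problems = [f"unsupported PCR bank '{name}'"
                for banks in dst for name in sorted(banks - SUPPORTED_BANKS)]
    # Unknown banks are reported on their own, before any comparison is made.
    if not problems and src != dst:
        problems.append("target active PCR banks do not match source")
    return problems


def sample_domain(banks):
    """Build a constructed, minimal domain XML with the given active PCR banks."""
    inner = "".join(f"<{b}/>" for b in banks)
    block = f"<active_pcr_banks>{inner}</active_pcr_banks>" if banks else ""
    return ("<domain type='kvm'><name>demo</name><devices><tpm model='tpm-crb'>"
            f"<backend type='emulator' version='2.0'>{block}</backend>"
            "</tpm></devices></domain>")
```

Calling `check_pcr_bank_stability(sample_domain(["sha384"]), sample_domain(["sha512"]))` covers scenario 2 above; the other three scenarios are built the same way with `sample_domain`.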

Comment 12 errata-xmlrpc 2022-05-17 12:45:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: libvirt), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2390