Bug 2084046
| Summary: | active_pcr_banks are removed from guest xml if tpm version not specified | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Yanqiu Zhang <yanqzhan> |
| Component: | libvirt | Assignee: | Michal Privoznik <mprivozn> |
| libvirt sub component: | General | QA Contact: | Yanqiu Zhang <yanqzhan> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | low | ||
| Priority: | low | CC: | dyuan, dzheng, fjin, jdenemar, lmen, virt-maint, yanqzhan |
| Version: | 9.1 | Keywords: | Triaged, Upstream |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-8.7.0-1.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-09 07:26:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | 8.7.0 |
| Embargoed: | |||
Patches posted on the list: https://listman.redhat.com/archives/libvir-list/2022-July/232872.html Merged upstream as: bdd8ce02c4 conf: Don't lose <active_pcr_banks/> when no TPM version is provided 99e2b670fa qemu: Move TPMs validation out of PostParse 2b3e8ddd9d qemu_domain: Move TPM post parse code into qemuDomainTPMDefPostParse() e31fc5bb2a conf: Use virXMLPropEnum more when parsing TPM c8992f6d97 conf: Move _virDomainTPMDef::version into _virDomainTPMDef::data::emulator 598ffbdd41 conf: Drop needless setting of VIR_DOMAIN_TPM_VERSION_DEFAULT d5712c54a6 conf: Report error when default TPM version is provided 3f7c63bba5 conf: Report an error when default TPM model is provided v8.6.0-16-gbdd8ce02c4 Tested with:
libvirt-8.7.0-1.el9.x86_64
qemu-kvm-7.1.0-1.el9.x86_64
Steps:
Edit vm xml as:
<tpm model='tpm-crb'>
<backend type='emulator'>
<active_pcr_banks>
<sha256/>
</active_pcr_banks>
</backend>
</tpm>
Saved.
Check xml again:
# virsh dumpxml avocado-vt-vm1 |grep /tpm -B6
<tpm model='tpm-crb'>
<backend type='emulator' version='2.0'>
<active_pcr_banks>
<sha256/>
</active_pcr_banks>
</backend>
</tpm>
Version of default '2.0' is auto-added, and active_pcr_banks still exist.
Reproduce some issues:
libvirt-8.0.0-10.module+el8.7.0+16689+53d59bc2.x86_64
qemu-kvm-6.2.0-20.module+el8.7.0+16689+53d59bc2.1.x86_64
Steps:
1.value ’default’ previously can be accepted:
(1)"default" model.
# cat update-avocado.xml |grep /tpm -B2
<tpm model='default'>
<backend type='emulator' version='2.0'/>
</tpm>
# virsh define update-avocado.xml
Domain 'avocado-vt-vm1' defined from update-avocado.xml
# virsh dumpxml avocado-vt-vm1|grep /tpm -B2
<tpm model='tpm-tis'>
<backend type='emulator' version='2.0'/>
</tpm>
(2)"default" version.
# cat update-avocado.xml |grep /tpm -B2
<tpm model='tpm-crb'>
<backend type='emulator' version='default'/>
</tpm>
# virsh define update-avocado.xml
Domain 'avocado-vt-vm1' defined from update-avocado.xml
# virsh dumpxml avocado-vt-vm1|grep /tpm -B2
<tpm model='tpm-crb'>
<backend type='emulator' version='2.0'/>
</tpm>
2. Previous specific error report:
(1)
error: Failed to define domain from update-avocado.xml
error: unsupported configuration: Unknown TPM frontend model '0'
(2)
error: Failed to define domain from update-avocado.xml
error: XML error: missing TPM device backend type
(3)
error: Failed to define domain from update-avocado.xml
error: unsupported configuration: Unknown TPM backend type '0'
(4)
error: Failed to define domain from update-avocado.xml
error: unsupported configuration: Unsupported TPM version '2'
—------------------------
Verify with:
libvirt-8.8.0-1.el9.x86_64
qemu-kvm-7.1.0-3.el9.x86_64
Steps:
1. Report error for value ‘default’:
(1)# cat avocado-vt-vm1.xml|grep /tpm -B2
<tpm model='default'>
<backend type='emulator' version='2.0'/>
</tpm>
# virsh define avocado-vt-vm1.xml
error: Failed to define domain from avocado-vt-vm1.xml
error: XML error: Invalid value for attribute 'model' in element 'tpm': 'default'.
(2)# cat avocado-vt-vm1.xml|grep /tpm -B2
<tpm model='tpm-crb'>
<backend type='emulator' version='default'/>
</tpm>
# virsh define avocado-vt-vm1.xml
error: Failed to define domain from avocado-vt-vm1.xml
error: XML error: Invalid value for attribute 'version' in element 'backend': 'default'.
2. Current unified error report:
For unknown model(1) and unsupported version(4), same as verification steps 1(1)(2);
(2)error: Failed to define domain from avocado-vt-vm1.xml
error: XML error: Missing required attribute 'type' in element 'backend'
(3)error: Failed to define domain from avocado-vt-vm1.xml
error: XML error: Invalid value for attribute 'type' in element 'backend': '0'.
3.retest the bug issue and got same result with comment3:
Edit vm xml as:
<tpm model='tpm-crb'>
<backend type='emulator'>
<active_pcr_banks>
<sha256/>
</active_pcr_banks>
</backend>
</tpm>
Saved.
# virsh dumpxml avocado-vt-vm1 |grep /tpm -B6
<tpm model='tpm-crb'>
<backend type='emulator' version='2.0'>
<active_pcr_banks>
<sha256/>
</active_pcr_banks>
</backend>
</tpm>
Also get the same result if edit a xml file and define from it.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (libvirt bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2171 |
Description of problem: As we know, if edit vm xml with a tpm device without version specified, it automatically changes to '2.0' on the latest product. But, when add active_pcr_banks to the tpm, they will disappear if tpm version is not specified. Version-Release number of selected component (if applicable): libvirt-8.3.0-1.el9.x86_64 qemu-kvm-7.0.0-2.el9.x86_64 How reproducible: 100% Steps to Reproduce: 1. Edit vm with following tpm: <tpm model='tpm-crb'> <backend type='emulator' version='2.0'> <active_pcr_banks> <sha256/> </active_pcr_banks> </backend> </tpm> Xml saved successfully and keep consistent with above. 2. Edit vm again to remove tpm version: <tpm model='tpm-crb'> <backend type='emulator'> <active_pcr_banks> <sha256/> </active_pcr_banks> </backend> </tpm> Xml saved. 3. Check vm xml again, version is auto added to the default 2.0, but active_pcr_banks disappear. <tpm model='tpm-crb'> <backend type='emulator' version='2.0'/> </tpm> Actual results: As in step3. Expected results: Since default version can be auto added to '2.0', active_pcr_banks is sure be supported, so should not be removed. And if there is a new version (say 3.0) that no longer supports <active_pcr_banks/>, reporting an error is better than dropping a piece of information that user provided. Additional info: