Bug 2103119
| Summary: | [RFE] Expose supported TPM version in domCapabilities (via 'swtpm') | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Kashyap Chamarthy <kchamart> |
| Component: | libvirt | Assignee: | Michal Privoznik <mprivozn> |
| libvirt sub component: | CLI & API | QA Contact: | Yanqiu Zhang <yanqzhan> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | unspecified | ||
| Priority: | unspecified | CC: | chhu, jdenemar, lmen, mprivozn, virt-maint, xuzhang, yanqzhan |
| Version: | 9.0 | Keywords: | AutomationTriaged, FutureFeature, Triaged, Upstream |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-8.5.0-2.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-15 10:04:39 UTC | Type: | Feature Request |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1782128 | ||
Patches posted on the list: https://listman.redhat.com/archives/libvir-list/2022-July/232763.html Merged upstream as: 430ab88ab1 qemu: Report supported TPM version in domcaps 1277a9c884 domcaps: Introduce TPM backendVersion 7b37763278 virtpm: Introduce TPM-1.2 and TPM-2.0 capabilieis 6a00c565c4 docs: Document TPM portion of domcaps v8.5.0-85-g430ab88ab1 All patches pushed after 8.5.0 upstream release need to be backported to make it into RHEL 9.1.0. To POST: https://gitlab.com/redhat/rhel/src/libvirt/-/merge_requests/34 https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1293353 Tested on:
libvirt-8.5.0-2.el9.x86_64
qemu-kvm-7.0.0-8.el9.x86_64
swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-2.20211126git1ff6fe1f43.el9.x86_64
# /usr/libexec/qemu-kvm -device help|grep tpm
name "tpm-crb"
name "tpm-tis", bus ISA
# /usr/libexec/qemu-kvm -tpmdev help
Supported TPM types (choose only one):
emulator TPM emulator backend driver <== supported backend type
# swtpm_setup --print-capabilities |jq
{
"type": "swtpm_setup",
"features": [
"tpm-2.0", <== supported backend version
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"tpm12-not-need-root",
"cmdarg-write-ek-cert-files",
"cmdarg-create-config-files",
"cmdarg-reconfigure-pcr-banks",
"tpm2-rsa-keysize-2048",
"tpm2-rsa-keysize-3072"
],
"version": "0.7.0"
}
# virsh domcapabilities
...
<tpm supported='yes'>
<enum name='model'>
<value>tpm-tis</value>
<value>tpm-crb</value>
</enum>
<enum name='backendModel'>
<value>emulator</value>
</enum>
<enum name='backendVersion'>
<value>2.0</value>
</enum>
</tpm>
</devices>
...
Work as expected.
Test with a lower libtpms: libvirt-8.5.0-2.el9.x86_64 qemu-kvm-7.0.0-8.el9.x86_64 swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64 libtpms-0.8.2-0.20210301git729fc6a4ca.el9.7.x86_64 <== a lower version supports tpm1.2 (before bz1990152) # swtpm_setup --print-capabilities |jq { "type": "swtpm_setup", "features": [ "tpm-1.2", <== supported backend version "tpm-2.0", <== supported backend version "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "tpm12-not-need-root", "cmdarg-write-ek-cert-files", "cmdarg-create-config-files", "cmdarg-reconfigure-pcr-banks", "tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072" ], "version": "0.7.0" } # virsh domcapabilities|grep /tpm -B12 <tpm supported='yes'> <enum name='model'> <value>tpm-tis</value> <value>tpm-crb</value> </enum> <enum name='backendModel'> <value>emulator</value> </enum> <enum name='backendVersion'> <value>1.2</value> <value>2.0</value> </enum> </tpm> Work as expected. Hi Kashyap, The fix is available on brewweb: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2087909. Verification is pass in comment6 and comment7. Could you check whether it also works for you? Thanks. Verified with libvirt-8.5.0-3.el9.x86_64 qemu-kvm-7.0.0-9.el9.x86_64 swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64 libtpms-0.9.1-2.20211126git1ff6fe1f43.el9.x86_64 and libtpms-0.8.2-0.20210301git729fc6a4ca.el9.7.x86_64 Results are same with comment6 and comment7. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: libvirt security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8003 (In reply to yanqzhan from comment #8) > Hi Kashyap, > > The fix is available on brewweb: > https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2087909. > Verification is pass in comment6 and comment7. Could you check whether it > also works for you? > Thanks. Hi! I'm asking our fine Compute QE, James Parker, to test it. He's on it. |
Description of problem ---------------------- It can be useful to management applications to query for supported TPM (Trusted Platform Module) via libvirt's domCapabilities API. Some Linux distributions (e.g. RHEL 9) have deprecated/removed[1] support for TPM 1.2 (as it is tied to SHA-1.) It looks like libvirt already probes the `swtpm` binary for capabilities, and `swtpm_setup` already exposes the info that can be used by higher-level management tools. (The below is from Fedora 36.) $> swtpm_setup --print-capabilities | jq { "type": "swtpm_setup", "features": [ "tpm-1.2", "tpm-2.0", "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "tpm12-not-need-root", "cmdarg-write-ek-cert-files", "cmdarg-create-config-files", "cmdarg-reconfigure-pcr-banks", "tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072" ], "version": "0.7.3" } Here's the corresponding upstream ticket[2]. (Thanks: Andrea Bolognani for a discussion on this.) [1] https://bugzilla.redhat.com/show_bug.cgi?id=1990153 — Remove swtpm TPM 1.2 support from RHEL9 [2] https://gitlab.com/libvirt/libvirt/-/issues/340