Bug 2150731

Summary: VMs requiring vTPM fails to create [rhel-9.0.0.z]
Product: Red Hat Enterprise Linux 9 Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: libvirtAssignee: Michal Privoznik <mprivozn>
libvirt sub component: General QA Contact: Yanqiu Zhang <yanqzhan>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: acardace, fdeutsch, jdenemar, kbidarka, lmen, lpivarc, mprivozn, sgott, virt-maint, yafu, yanqzhan, ymankad
Version: 9.2Keywords: Triaged, ZStream
Target Milestone: rcFlags: yanqzhan: needinfo-
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: libvirt-8.0.0-8.3.el9_0 Doc Type: Bug Fix
Doc Text:
Cause: when starting or stopping swtpm emulator or vhost-user-gpu helper libvirt would read their pidfile and then check against /proc/[pid]/exe whether the PID is still valid. This works, but also requires CAP_SYS_PTRACE capability which might not be available in restricted containers. Fortunately, there is a way for libvirt to check the PID without accessing /proc and validating the pidfile. Consequence: The CAP_SYS_PTRACE capability was needed, which did not play nicely with rootless containers. Fix: The code was changed so that the pidfile is locked when swtpm or vhost-user-gpu is started. Now, whenever libvirt wants to read the PID it also tries to lock the pidfile. If the pidfile can be locked successfully, it means that the swtpm process which held the file locked is gone and the PID is invalid. And vice verca - if the file can't be locked then the process is still running and the PID is valid. Result: The swtpm PID and/or vhost-user-gpu PID can be read without the CAP_SYS_PTRACE capability.
 Story Points: ---
Clone Of: 2150004 Environment:
Last Closed: 2023-01-30 15:46:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2150004, 2152188    
Bug Blocks:    

Comment 8 Yanqiu Zhang 2022-12-07 08:42:02 UTC 
Tried the strace way:
1. On libvirt-8.0.0-8.2.el9_0.x86_64:
# strace -o output.txt -T -tt -e trace=all -f -p `pidof virtqemud`
[terminal2]# virsh start avocado-vt-vm1 
Domain 'avocado-vt-vm1' started

# cat output_oldpkg.txt |grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve'
3144:91348 22:47:09.488201 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=91348}, {effective=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, inheritable=0}) = 0 <0.000016>
3149:91348 22:47:09.488474 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=91348}, {effective=0, permitted=0, inheritable=0}) = 0 <0.000016>
3150:91348 22:47:09.488529 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--daemon", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/e3c55"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2", "--pid", "file=/run/libvirt/qemu/swtpm/3-a"...], 0x7ffd2f93efa8 /* 8 vars */) = 0 <0.001495>
3321:91350 22:47:09.501746 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/3-avocado-vt-vm1-swtpm.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0644) = 7 <0.000042>
3365:89737 22:47:09.505475 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/3-avocado-vt-vm1-swtpm.pid", O_RDONLY) = 24 <0.000057>
...

2. Update to libvirt-8.0.0-8.3.el9_0_rc.d5baff84c2.x86_64 and do the operations again:
# cat output_newpkg.txt |grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve' 
...
3874:97514 02:03:50.438054 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=97514}, {effective=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, inheritable=0}) = 0 <0.000014>
3881:97514 02:03:50.438285 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=97514}, {effective=0, permitted=0, inheritable=0} <unfinished ...>
3883:97514 02:03:50.438322 <... capset resumed>) = 0 <0.000022>
3884:97514 02:03:50.438359 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/e3c55"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2"], 0x7ffce104ebc8 /* 8 vars */ <unfinished ...>
3885:97416 02:03:50.438410 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY) = 24 <0.000029>
3891:97514 02:03:50.439748 <... execve resumed>) = 0 <0.001346>


Hi Michal, please help check:
So with the new pkg, only openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY), does it require ptrace capability? Will this change be enough to fix the 'permission deny' issue? Thank you!
Comment 13 Michal Privoznik 2022-12-07 14:24:14 UTC 
(In reply to yanqzhan from comment #8)
> 
> Hi Michal, please help check:
> So with the new pkg, only openat(AT_FDCWD,
> "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY), does it
> require ptrace capability? Will this change be enough to fix the 'permission
> deny' issue? Thank you!

That definitely does not require ptrace capability. I think we can consider this fixed.
Comment 14 Yanqiu Zhang 2022-12-08 03:29:35 UTC 
Thanks Michal. Then mark pre-verification pass. 

And we can wait for Kedar's or Stu's reply of layered products test results before moving to verified.
Comment 21 Yanqiu Zhang 2022-12-14 08:59:23 UTC 
Verify on rhel9.0 with:
libvirt-8.0.0-8.3.el9_0.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
qemu-kvm-6.2.0-11.el9_0.6.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64

# strace -o output.txt -T -tt -e trace=all -f -p `pidof virtqemud`

# virsh start avocado-vt-vm1 
Domain 'avocado-vt-vm1' started

# virsh dumpxml avocado-vt-vm1 |grep /tpm -B8
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='ba1dfbf5-d0b0-4f27-b278-113731beb2b9'/>
        <active_pcr_banks>
          <sha256/>
        </active_pcr_banks>
      </backend>
      <alias name='tpm0'/>
    </tpm>

# cat output.txt |grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve' 
...
12999:99434 03:53:05.197775 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/b424d"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2", "--key", "pwdfd=27,mode=aes-256-cbc", "--migration-key", "pwdfd=29,mode=aes-256-cbc"], 0x7ffd031bb098 /* 8 vars */ <unfinished ...>
13003:99201 03:53:05.197973 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY) = 24 <0.000016>
13008:99434 03:53:05.198860 <... execve resumed>) = 0 <0.001043>
...
Comment 29 errata-xmlrpc 2023-01-30 15:46:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libvirt bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0521