Bug 1359862
| Summary: | TPM passthru uses wrong cancel-path: should be /sys/class/tpm/tpm0/device/cancel | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | emahoney |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fangge Jin <fjin> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | dyuan, emahoney, fjin, jbryant, jtomko, knoel, mkalinin, mtessun, pkrempa, rbalakri, sherold, xuzhang |
| Target Milestone: | rc | Keywords: | TestOnly |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-1.3.1-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-05-26 11:04:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1327947, 1519016, 1595018, 1654486, 1654490, 1668199 | ||
| Bug Blocks: | |||
Upstream fixed this by commit:
commit 5ed7afa9de4e8d2b7e83fee334a0c3f2bddc6a48
Author: Stefan Berger <stefanb.com>
Date: Tue Nov 17 19:44:13 2015 -0500
tpm: adapt sysfs cancel path for new TPM driver
This patch addresses BZ 1244895.
Adapt the sysfs TPM command cancel path for the TPM driver that
does not use a miscdevice anymore since Linux 4.0. Support old
and new paths and check their availability.
Add a mockup for the test cases to avoid the testing for
availability of the cancel path.
$ git describe 5ed7afa9de4e8d2b7e83fee334a0c3f2bddc6a48
v1.2.21-67-g5ed7afa
1. On RHEL7, guest can't start successfully with tpm device, qemu version is qemu-kvm-rhev-2.6.0-17.el7.x86_64
# virsh start rhel7.2
error: Failed to start domain rhel7.2
error: unsupported configuration: The QEMU executable /usr/libexec/qemu-kvm does not support TPM backend type passthrough
2. On fedora, guest can start successfully with tpm device
1) The versions I used on Fedora are:
# /usr/bin/qemu-system-x86_64 --version
QEMU emulator version 2.4.1 (qemu-2.4.1-5.fc23), Copyright (c) 2003-2008 Fabrice Bellard
# libvirtd --version
libvirtd (libvirt) 1.3.2
2) Guest can start successfully and the qemu command line is:
-tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/2,cancel-path=/dev/fdset/3
-add-fd set=2,fd=29
-add-fd set=3,fd=30
-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0
More info about guest xml and qemu command line:
1) The guest xml libvirt uses is:
<tpm model='tpm-tis'>
<backend type='passthrough'>
<device path='/dev/tpm0'/>
</backend>
<alias name='tpm0'/>
</tpm>
2) The complete qemu command line is as below in case I miss something above:
/usr/bin/qemu-system-x86_64 -name rhel7 -S -machine pc-i440fx-2.4,accel=kvm,usb=off -cpu Opteron_G2,+popcnt,+monitor,+ht,+vme,-svm -m size=512000k,slots=16,maxmem=1524736k -realtime mlock=off -smp 4,sockets=4,cores=1,threads=1 -numa node,nodeid=0,cpus=0-3,mem=500 -uuid 7cae86d2-88a2-4c94-95ee-5fdf08e07370 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/usr/local/var/lib/libvirt/qemu/domain-rhel7/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x9.0x7 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/90121/fjin/rhel7.2.qcow2,format=qcow2,if=none,id=drive-virtio-disk0,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=28 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:f1:2c:ed,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/usr/local/var/lib/libvirt/qemu/channel/target/domain-rhel7/org.qemu.guest_agent.0,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -chardev spicevmc,id=charchannel1,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 -tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/2,cancel-path=/dev/fdset/3 -add-fd set=2,fd=29 -add-fd set=3,fd=30 -device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 -vnc 127.0.0.1:0 -device qxl-vga,id=video0,ram_size=67108864,vram_size=16777216,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device 
virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x8 -device pvpanic,ioport=1285 -msg timestamp=on
Reproduce this bug with libvirt-1.2.17-13.el7.x86_64, kernel-3.10.0-493.el7.x86_64 and upstream qemu(v2.7.0-217-g7263da7)
Steps:
1. Prepare a guest with tpm device:
# virsh dumpxml rhel7.3-0817
...
<tpm model='tpm-tis'>
<backend type='passthrough'>
<device path='/dev/tpm0'/>
</backend>
</tpm>
2. Start guest
# virsh start rhel7.3-0817
error: Failed to start domain rhel7.3-0817
error: Could not open TPM device's cancel path /sys/class/misc/tpm0/device/cancel: No such file or directory
Verify this bug with libvirt-2.0.0-8.el7.x86_64 and upstream qemu(v2.7.0-217-g7263da7)
And also test on two different kernel versions:
For kernel-3.10.0-493.el7.x86_64, the tpm device cancel path is: /sys/class/tpm/tpm0/device/cancel
For kernel-3.10.0-229.el7.x86_64, the tpm device cancel path is: /sys/class/misc/tpm0/device/cancel
Steps:
1. Prepare a guest with tpm device:
# virsh dumpxml rhel7.3-0817
<tpm model='tpm-tis'>
<backend type='passthrough'>
<device path='/dev/tpm0'/>
</backend>
<alias name='tpm0'/>
</tpm>
2. Start guest
# virsh start rhel7.3-0817
3. Check qemu command line:
...-tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/3,cancel-path=/dev/fdset/4 -add-fd set=3,fd=30 -add-fd set=4,fd=32 -device tpm-tis,tpmdev=tpm-tpm0,id=tpm0...
4. Check the opened file descriptors:
For kernel-3.10.0-493.el7.x86_64:
# lsof /sys/class/tpm/tpm0/device/cancel
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
qemu-syst 15117 qemu 11w REG 0,16 4096 10212 /sys/class/tpm/../../devices/pnp0/00:09/tpm/tpm0/../../../00:09/cancel
qemu-syst 15117 qemu 24w REG 0,16 4096 10212 /sys/class/tpm/../../devices/pnp0/00:09/tpm/tpm0/../../../00:09/cancel
# lsof /dev/tpm0
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
qemu-syst 15117 qemu 10u CHR 10,224 0t0 1143 /dev/tpm0
qemu-syst 15117 qemu 23u CHR 10,224 0t0 1143 /dev/tpm0
For kernel-3.10.0-229.el7.x86_64:
# lsof /sys/class/misc/tpm0/device/cancel
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
qemu-syst 31727 qemu 10w REG 0,16 4096 10111 /sys/class/misc/../../devices/pnp0/00:0d/misc/tpm0/../../../00:0d/cancel
qemu-syst 31727 qemu 23w REG 0,16 4096 10111 /sys/class/misc/../../devices/pnp0/00:0d/misc/tpm0/../../../00:0d/cancel
# lsof /dev/tpm0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
qemu-syst 31727 qemu 9u CHR 10,224 0t0 1144 /dev/tpm0
qemu-syst 31727 qemu 22u CHR 10,224 0t0 1144 /dev/tpm0
Test with builds qemu-kvm-1.5.3-125.el7.x86_64 and libvirt-2.0.0-9.el7.x86_64.
# virsh start mig1
error: Failed to start domain mig1
error: unsupported configuration: The QEMU executable /usr/libexec/qemu-kvm does not support TPM backend type passthrough
So it seems that qemu-kvm also doesn't support TPM passthrough device.
Hi Evan,
As you can see from the above comments 9 to 11, the libvirt component implements support for this feature in RHEL7.3, but qemu does not implement this feature in current RHEL7.3; qemu implements it upstream now.
I have 2 concerns I need to confirm with you:
1. From comments 4 to 7, it seems we should test and verify this bug with qemu-kvm in RHEL OS, not with qemu-kvm-rhev in RHEL OS, right?
2. Can we move this libvirt bug to RHEL7.4 and add the Testonly keyword, since qemu-kvm does not support this feature in RHEL7.3 now?
Since this bug is from the Customer Portal, we'd like to double confirm with you if it is ok to deal with this bug per the current support status of libvirt and qemu.
And can we file one corresponding qemu bug for RHEL7.4 for better tracking?
Move this bug to RHEL7.4 with Testonly keyword for better tracking, since qemu does not implement this feature downstream in RHEL7.3.
TPM is not supported in RHEL7.4 by either qemu-kvm-rhev or qemu-kvm. So move this bug to RHEL7.5
Thank you!
Here is the qemu-kvm-rhev rfe: https://bugzilla.redhat.com/show_bug.cgi?id=1327947
And here is the kcs documenting current support status: https://access.redhat.com/solutions/2623641
Description of problem:
Version-Release number of selected component (if applicable):
How reproducible:
map a physical TPM as passthrough to a virtual machine
Steps to Reproduce:
1.
2.
3.
Actual results:
Error starting domain: internal error: early end of file from monitor: possible problem:
2015-07-20T17:32:36.870094Z qemu-system-x86_64: -tpmdev passthrough,id=tpm-tpm0,path=/dev/tpm0,cancel-path=/sys/class/misc/tpm0/device/cancel: Cannot access TPM device using '/dev/tpm0': Device or resource busy
When tpm dev is added through virtManager it displays the below error upon domain start.
Error starting domain: unable to set security context 'system_u:object_r:svirt_image_t:s0:c121,c372' on '/sys/class/misc/tpm0/device/cancel': No such file or directory
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 89, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 125, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1423, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1007, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c121,c372' on '/sys/class/misc/tpm0/device/cancel': No such file or directory
Expected results:
cancel path for kernel >= 4.0 should be /sys/class/tpm/tpm0/device/cancel
Additional info:
qemu-system-x86_64 supports passing the TPM cancel path on the command line with -tpmdev passthrough,cancel-path=<path>, but it doesn't look like libvirt will recognize this when using virt-install. It might be worth supporting the cancel-path parameter.
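The "support old and new paths and check their availability" behaviour from the commit message, and the file-descriptor check from the verification steps, as an added shell example that is not libvirt code and not part of the original report. The function names and the optional SYSFS_ROOT and PROC_ROOT arguments are assumptions of this example, added so it can run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not libvirt code. The optional SYSFS_ROOT and PROC_ROOT
# arguments are assumptions of this example so the functions can be run
# against a constructed directory tree instead of the live /sys and /proc.

# tpm_cancel_path DEVICE [SYSFS_ROOT]
# Print the cancel file for DEVICE (e.g. /dev/tpm0), trying the layout of
# newer TPM drivers first and the older miscdevice layout second.
# Returns 2 for a name that is not tpmN, 1 if neither file exists.
tpm_cancel_path() {
    _tpm_dev=${1##*/}                      # /dev/tpm0 -> tpm0
    _tpm_sys=${2:-/sys}
    # Only tpm<digits> may be spliced into a sysfs path.
    case $_tpm_dev in
        tpm[0-9]*) ;;
        *) return 2 ;;
    esac
    case ${_tpm_dev#tpm} in
        *[!0-9]*) return 2 ;;
    esac
    for _tpm_class in tpm misc; do
        _tpm_p="$_tpm_sys/class/$_tpm_class/$_tpm_dev/device/cancel"
        if [ -f "$_tpm_p" ]; then
            printf '%s\n' "$_tpm_p"
            return 0
        fi
    done
    return 1
}

# qemu_holds_cancel PID CANCEL_PATH [PROC_ROOT]
# Succeed if process PID has CANCEL_PATH open. Both sides are canonicalised
# because sysfs class entries are symlinks into /sys/devices.
qemu_holds_cancel() {
    _tpm_want=$(readlink -f "$2") || return 1
    for _tpm_fd in "${3:-/proc}/$1/fd"/*; do
        if [ "$(readlink -f "$_tpm_fd" 2>/dev/null)" = "$_tpm_want" ]; then
            return 0
        fi
    done
    return 1
}
```

On a live host, `qemu_holds_cancel <qemu pid> "$(tpm_cancel_path /dev/tpm0)"` gives the same answer as the `lsof` step above; reading another user's `/proc/<pid>/fd` requires root.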