Bug 1668199 - [RFE] TPM passthrough support (libvirt) - tpm2.0 backend
Summary: [RFE] TPM passthrough support (libvirt) - tpm2.0 backend
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libvirt
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Libvirt Maintainers
QA Contact: Yanqiu Zhang
URL:
Whiteboard:
Depends On: 1327947 1654486 1654490
Blocks: 1359862 1431788 1431792 1519016 1558125 1595018 1623566 1919797
Reported: 2019-01-22 08:03 UTC by Yanqiu Zhang
Modified: 2023-09-07 19:40 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1654490
Environment:
Last Closed: 2019-06-14 00:47:50 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:



Comment 1 Xuesong Zhang 2019-02-21 05:19:03 UTC
Update to ON_QA status since this is a testonly BZ.

Comment 2 Yanqiu Zhang 2019-03-07 13:06:04 UTC
Verified on rhel8.0 with:
libvirt-4.5.0-23.module+el8+2800+2d311f65.x86_64
qemu-kvm-2.12.0-63.module+el8+2833+c7d6d092.x86_64

Pre-1. Prepare tpm2.0 chip in host and enable it in system BIOS;

Pre-2. Install tpm2-tools tpm2-tss on both host and guest, check tpm usage:
[host]# tpm2_getrandom 14
0x4A 0xAA 0xE6 0x5E 0xBA 0xA5 0xCA 0xA3 0x40 0x6B 0xC9 0xFF 0x3A 0x73

[guest]# tpm2_getrandom 7
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
ERROR: tcti init allocation routine failed for library: "device" options: "(null)"
ERROR: Could not load tcti, got: "device"

Scenario 1: tpm_crb
1. Start guest with tpm_crb:
    <tpm model='tpm-crb'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>
# ps aux|grep tpm
... -tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/4,cancel-path=/dev/fdset/5 -add-fd set=4,fd=34 -add-fd set=5,fd=35 -device tpm-crb,tpmdev=tpm-tpm0,id=tpm0 ...

2. Check tpm usage again in host and guest:
[host]# tpm2_getrandom 14
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Device or resource busy
ERROR: tcti init allocation routine failed for library: "device" options: "(null)"
ERROR: Could not load tcti, got: "device"

[guest]# tpm2_getrandom 10
0xAF 0x37 0x62 0xCC 0xFF 0x7E 0xBE 0xD8 0x06 0x88

3. # virsh shutdown avocado-vt-vm1
Domain avocado-vt-vm1 is being shutdown

[host]# tpm2_getrandom 12
0x70 0xFF 0xCA 0x61 0x60 0x73 0x65 0xA0 0xE4 0x3E 0x35 0x96


Scenario 2: tpm_tis
1.
    <tpm model='tpm-tis'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>

... -tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/4,cancel-path=/dev/fdset/5 -add-fd set=4,fd=34 -add-fd set=5,fd=35 -device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 ...

2. Check usage; tpm2.0 passthrough as tpm_tis can still work in the guest.
[host]# tpm2_getrandom 11
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Device or resource busy
ERROR: tcti init allocation routine failed for library: "device" options: "(null)"
ERROR: Could not load tcti, got: "device"

[guest]# tpm2_getrandom 16
0xC5 0x7D 0xAD 0x56 0x7B 0x49 0xF6 0xCE 0x19 0x0D 0x8E 0x31 0xCF 0xD3 0x36 0xF0

Comment 3 Yanqiu Zhang 2019-03-08 07:52:13 UTC
Scenario 3: try to reuse
1. Try to start another guest when the tpm is used by a running guest:
# virsh start avocado-vt-vm2
error: Failed to start domain avocado-vt-vm2
error: Could not open TPM device /dev/tpm0: Device or resource busy

2. Try to edit the guest with two tpm devices:
    <tpm model='tpm-crb'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
    </tpm>
    <tpm>
      <backend type='passthrough'>
      </backend>
    </tpm>

# virsh edit avocado-vt-vm2
error: XML error: only a single TPM device is supported
Failed. Try again? [y,n,i,f,?]:


Since the results are as expected, mark this bug as verified.
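
Added example (not part of the bug report and not libvirt code): a static check over domain XML that reports both Scenario 3 failures, a second `<tpm>` element and two guests claiming the same host TPM, before any guest is started. The function names `tpm_claims` and `audit` are hypothetical, the `<domain>` wrappers are constructed samples, and the fallback to `/dev/tpm0` when `<device path=...>` is omitted is an assumption based on libvirt's documented default.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

DEFAULT_PATH = "/dev/tpm0"  # assumption: libvirt's documented default host device

def tpm_claims(domain_xml):
    """Return (domain name, number of <tpm> elements, host paths claimed by passthrough)."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="(unnamed)")
    tpms = root.findall("./devices/tpm")
    paths = []
    for tpm in tpms:
        backend = tpm.find("backend")
        if backend is None or backend.get("type") != "passthrough":
            continue  # only passthrough takes exclusive hold of the host chip
        dev = backend.find("device")
        path = dev.get("path") if dev is not None else None
        paths.append(path or DEFAULT_PATH)
    return name, len(tpms), paths

def audit(domain_xmls):
    """Report both Scenario 3 failures from the XML alone, before any guest starts."""
    findings, claimed = [], defaultdict(set)
    for xml in domain_xmls:
        name, count, paths = tpm_claims(xml)
        if count > 1:
            findings.append(f"{name}: {count} <tpm> devices, only a single one is supported")
        for path in paths:
            claimed[path].add(name)
    for path, names in sorted(claimed.items()):
        if len(names) > 1:
            findings.append(f"{path}: claimed by {', '.join(sorted(names))}; "
                            "only one of them can run at a time")
    return findings

# Constructed sample definitions modelled on the XML in the comments above.
PASSTHROUGH = "<tpm model='{m}'><backend type='passthrough'><device path='/dev/tpm0'/></backend></tpm>"
BARE = "<tpm><backend type='passthrough'/></tpm>"
DOMAIN = "<domain type='kvm'><name>{n}</name><devices>{d}</devices></domain>"
SAMPLES = [
    DOMAIN.format(n="avocado-vt-vm1", d=PASSTHROUGH.format(m="tpm-crb")),
    DOMAIN.format(n="avocado-vt-vm2", d=PASSTHROUGH.format(m="tpm-crb") + BARE),
    DOMAIN.format(n="no-tpm-vm", d=""),
]

if __name__ == "__main__":
    for line in audit(SAMPLES):
        print(line)
```

On a real host the input would be the output of `virsh dumpxml` for each defined domain.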

