When creating a virtual machine using libvirt/virsh we are unable to access the TPM device. But if we create the VM directly, using the QEMU command line, then we are able to access the TPM device.

---Additional Hardware Info---
Power9 system (Witherspoon) with a hardware TPM
Machine Type = Power9 PVR 004e 1203

---Steps to Reproduce---
Following command line generated by libvirt/virsh fails to access the TPM:

/usr/share/avocado-plugins-vt/bin/install_root/bin/qemu-system-ppc64 \
    -name guest=f31,debug-threads=on \
    -S \
    -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-1-f31/master-key.aes \
    -machine pseries-5.0,accel=kvm,usb=off,dump-guest-core=off \
    -bios /usr/share/avocado-plugins-vt/bin/install_root/share/qemu/slof.bin \
    -m 1024 \
    -overcommit mem-lock=off \
    -smp 4,sockets=1,cores=4,threads=1 \
    -uuid 59691a55-e77f-4519-a9c1-7cba26cccdd1 \
    -display none \
    -no-user-config \
    -nodefaults \
    -chardev socket,id=charmonitor,fd=36,server,nowait \
    -mon chardev=charmonitor,id=monitor,mode=control \
    -rtc base=utc \
    -no-shutdown \
    -boot strict=on \
    -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.0,addr=0x3 \
    -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2 \
    -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x4 \
    -drive file=/home/sath/f31-ppc64le.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0 \
    -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,device_id=drive-scsi0-0-0-0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 \
    -netdev tap,fd=38,id=hostnet0,vhost=on,vhostfd=39 \
    -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:de:e4:78,bus=pci.0,addr=0x1 \
    -chardev pty,id=charserial0 \
    -device spapr-vty,chardev=charserial0,id=serial0,reg=0x30000000 \
    -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 \
    -device spapr-tpm-proxy,id=tpmp0,host-path=/dev/tpm0 \
    -trace events=/home/sath/tpm_events_log/tpm_events,file=/home/sath/tpm_events_log/tpm_log \
    -global virtio-scsi-pci.disable-legacy=on \
    -global virtio-scsi-pci.disable-modern=off \
    -global virtio-blk-pci.disable-legacy=on \
    -global virtio-blk-pci.disable-modern=off \
    -global virtio-net-pci.disable-legacy=on \
    -global virtio-net-pci.disable-modern=off \
    -global virtio-serial-pci.disable-legacy=on \
    -global virtio-serial-pci.disable-modern=off \
    -global virtio-balloon-pci.disable-legacy=on \
    -global virtio-balloon-pci.disable-modern=off \
    -global virtio-serial-pci.disable-legacy=on \
    -global virtio-serial-pci.disable-modern=off \
    -global virtio-serial-pci.iommu_platform=on \
    -global virtio-scsi-pci.iommu_platform=on \
    -global virtio-net-pci.iommu_platform=on \
    -global virtio-blk-pci.iommu_platform=on \
    -global virtio-balloon-pci.iommu_platform=on \
    -msg timestamp=on

Able to access TPM with following command line

/usr/share/avocado-plugins-vt/bin/install_root/bin/qemu-system-ppc64 \
    -nodefaults \
    -cpu host \
    -serial mon:stdio \
    -display none \
    -smp 1 \
    -m 512M \
    -machine pseries,accel=kvm,kvm-type=HV,cap-htm=off,cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken,cap-ccf-assist=off,ic-mode=xics \
    -kernel /root/svm-images/vmlinuz-5.7.0-rc1-dirty \
    -initrd /root/svm-images/wspoon4-esmb-initrd.img \
    -device spapr-tpm-proxy,id=tpmp0,host-path=/dev/tpm0 \
    -append 'ignore_loglevel powersave=off init=/bin/sh'

Fyi ... ...

Version 5 of the support is posted in Libvirt mailing list: https://www.redhat.com/archives/libvir-list/2020-May/msg00997.html
Version 6 was posted to the mailing list: https://www.redhat.com/archives/libvir-list/2020-June/msg00051.html
Version 7 was posted to the mailing list: https://www.redhat.com/archives/libvir-list/2020-June/msg00429.html
This is aimed at RHEL-AV, moving accordingly.
Patches were pushed upstream and will be available in Libvirt 6.5.0. For reference, the upstream patch list is:

commit 5a333b1034d0626a5514edba7de7ae97ea1f77c6
Author: Daniel Henrique Barboza <danielhb413>

    NEWS.rst: update for the new TPM Proxy device

commit b564332ba7fd22f22a6b8da64ffa7cb4776bf624
Author: Daniel Henrique Barboza <danielhb413>

    tests/qemuxml2argvtest.c: add TPM Proxy command line tests

commit 9577d86f62490af76cfe2c44ffa925f963fec5d2
Author: Daniel Henrique Barboza <danielhb413>

    qemu: build command line for the TPM Proxy device

commit badbd55a3b46b24fae7f0dba67a06b79b5b49c97
Author: Daniel Henrique Barboza <danielhb413>

    tests: add XML schema tests for the TPM Proxy device

commit 0f7e8649c787ec56f2fbcbeaebe42314ae7a8d8d
Author: Daniel Henrique Barboza <danielhb413>

    qemu: add validations after TPM Proxy model introduction

commit 19d74fdf0eb5d2e89e80ceedea736425160ffccb
Author: Daniel Henrique Barboza <danielhb413>

    conf, qemu, security, tests: introducing 'def->tpms' array

commit db45fb49e8475152136ffafa7b06aab6f9240cf9
Author: Daniel Henrique Barboza <danielhb413>

    qemu_tpm, security, tests: change 'switch' clauses for 'if'

commit 9c77b617e6071ce0b6092cbaa8637beca1e3f08e
Author: Daniel Henrique Barboza <danielhb413>

    qemu_extdevice.c: remove unneeded 'ret' variable

commit 096a42000e6c4e13015a04e8b2a1049de5d2cfdc
Author: Daniel Henrique Barboza <danielhb413>

    qemu: Extend QEMU capabilities with 'spapr-tpm-proxy'

commit f1d7d6c2cf192c8559dd43c85a7f4b21018c29f6
Author: Daniel Henrique Barboza <danielhb413>

    docs: documentation and schema for the new TPM Proxy model
Hi, IBM
As Red Hat does not have a P9 machine with hardware TPM, could you help test this BZ? If yes, I would like to add 'OtherQA' and give qa_ack.

Dan

(In reply to Dan Zheng from comment #7)
> Hi, IBM
> As Red Hat does not have a P9 machine with hardware TPM, could you help test
> this BZ? If yes, I would like to add 'OtherQA' and give qa_ack.
>
> Dan

... yes, IBM will do fix verification on POWER ... setting OtherQA ...

Set 'qa_ack' as IBM will help Other_QA.

Dan

Hi IBM,
Could you provide any updates here when you have? Thanks.

Dan

(In reply to Dan Zheng from comment #12)
> Hi IBM,
> Could you provide any updates here when you have? Thanks.
>
>
> Dan

Hi Dan,
Sure, we plan to validate this as soon as we have access to 8.3-AV Beta (i.e September 23).
Thanks!
------- Comment From kumuda.govind.com 2020-09-28 11:46 EDT-------

Creating VM using virsh to access the TPM device works on below environment,

Machine Type = power9 ppc64le DD2.3
HW: Wsp DD2.3 with TPM chip
Host Kernel: 4.18.0-236.el8.ppc64le
Guest Kernel: 4.18.0-236.el8.ppc64le

# libvirtd --version
libvirtd (libvirt) 6.6.0
# rpm -qf /usr/sbin/libvirtd
libvirt-daemon-6.6.0-5.module+el8.3.0+8092+f9e72d7e.ppc64le
# /usr/libexec/qemu-kvm -version
QEMU emulator version 5.1.0 (qemu-kvm-5.1.0-6.module+el8.3.0+7652+b30e6901.bz1870384)
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers

/usr/libexec/qemu-kvm
    -name guest=svm,debug-threads=on
    -S
    -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-2-svm/master-key.aes
    -machine pseries-rhel8.3.0,accel=kvm,usb=off,dump-guest-core=off
    -cpu POWER9
    -m size=8388608k,slots=32,maxmem=83886080k
    -overcommit mem-lock=off
    -smp 64,sockets=1,dies=1,cores=64,threads=1
    -object memory-backend-ram,id=ram-node0,size=8589934592
    -numa node,nodeid=0,cpus=0-63,memdev=ram-node0
    -uuid af616b56-b201-4d1c-9fff-58c6989d62e7
    -display none
    -no-user-config
    -nodefaults
    -chardev socket,id=charmonitor,fd=31,server,nowait
    -mon chardev=charmonitor,id=monitor,mode=control
    -rtc base=utc
    -no-shutdown
    -boot strict=on
    -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.0,addr=0x3
    -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2
    -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x4
    -blockdev {"driver":"file","filename":"/home/sath/tests/data/avocado-vt/images/rhel8-devel-ppc64le-svm.qcow2","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}
    -blockdev {"node-name":"libvirt-1-format","read-only":false,"driver":"qcow2","file":"libvirt-1-storage","backing":null}
    -device virtio-blk-pci,bus=pci.0,addr=0x6,drive=libvirt-1-format,id=virtio-disk0,bootindex=1
    -netdev tap,fd=35,id=hostnet0,vhost=on,vhostfd=36
    -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:35:04:44,bus=pci.0,addr=0x1
    -chardev pty,id=charserial0
    -device spapr-vty,chardev=charserial0,id=serial0,reg=0x30000000
    -chardev socket,id=charchannel0,fd=37,server,nowait
    -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0
    -device spapr-tpm-proxy,id=tpm0,host-path=/dev/tpmrm0
    -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
    -M pseries,x-svm-allowed=on
    -global virtio-scsi-pci.iommu_platform=on
    -global virtio-scsi-pci.disable-legacy=on
    -global virtio-scsi-pci.disable-modern=off
    -global virtio-blk-pci.iommu_platform=on
    -global virtio-blk-pci.disable-legacy=on
    -global virtio-blk-pci.disable-modern=off
    -global virtio-net-pci.iommu_platform=on
    -global virtio-net-pci.disable-legacy=on
    -global virtio-net-pci.disable-modern=off
    -global virtio-serial-pci.iommu_platform=on
    -global virtio-serial-pci.disable-legacy=on
    -global virtio-serial-pci.disable-modern=off
    -global virtio-balloon-pci.disable-legacy=on
    -global virtio-balloon-pci.disable-modern=off
    -global virtio-balloon-pci.iommu_platform=on
    -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny
    -msg timestamp=on

snippet of /sys/firmware/ultravisor/msglog when starting svm,

[ 18.448057259,0x83C,0x000] SVM: create_svm: Created svm with lpid 1
[ 18.448060648,0x83C,0x000] UVCALL: uv_esm_svm r_state=1004000968e80, stack=100400096dbe0, esm_data=1004000962dd0, kbase=0x2000000, fdt=0x6b00000
[522477.326497440,0x83C,0x000] UVCALL: uv_register_mem_slot lpid=1 start_gpa=0x0 nbytes=0x200000000, flags=0x0, slotid=0x0
[ 19.180306223,0x83C,0x000] UVCALL: uv_esm_svm(): H_SVM_INIT_START returned [0]
[ 19.180867697,0x83C,0x000] SVM-ESMB: ERROR: svm_esmb_fdt_upd_hdlr(): files_fdt gpa 0x2ffd0000
[ 19.205413966,0x83C,0x000] SVM-FDT: ERROR: svm_fdt_prop_get: property linux,esm-blob-start rc [-1]
[ 19.205416285,0x83C,0x000] SVM-ESM: ERROR: svm_esm_wrapper_esmb: esm-blob-start prop get rc [-1]
[ 19.205421172,0x83C,0x000] SVM-ESM: svm_esm_cpio_esmb: esmb fdt 1206bff700260
[ 19.205422264,0x83C,0x000] SVM-FDT: magic 0xd00dfeed
[ 19.205423049,0x83C,0x000] SVM-FDT: totalsize 0x687
[ 19.205423714,0x83C,0x000] SVM-FDT: off_dt_struct 0x38
[ 19.205424484,0x83C,0x000] SVM-FDT: off_dt_strings 0x638
[ 19.205425212,0x83C,0x000] SVM-FDT: off_mem_rsvmap 0x28
[ 19.205425873,0x83C,0x000] SVM-FDT: version 0x11
[ 19.205426460,0x83C,0x000] SVM-FDT: last_comp_version 0x2
[ 19.205427140,0x83C,0x000] SVM-FDT: boot_cpuid_phys 0x0
[ 19.205427904,0x83C,0x000] SVM-FDT: size_dt_strings 0x4f
[ 19.205428572,0x83C,0x000] SVM-FDT: size_dt_struct 0x600
[ 19.205430950,0x83C,0x000] SVM-ESMB: ERROR: svm_esmb_get_files_fdt: files-fdt property rc [-1]
[ 19.205432370,0x83C,0x000] SVM-ESM: N: svm_esm_blob_chk: error -4 getting esmb attachments, ignoring
[ 20.299523204,0x83C,0x000] SVM-FDT: magic 0xd00dfeed
[ 20.299524269,0x83C,0x000] SVM-FDT: totalsize 0x1fd
[ 20.299525002,0x83C,0x000] SVM-FDT: off_dt_struct 0x38
[ 20.299525786,0x83C,0x000] SVM-FDT: off_dt_strings 0x1c0
[ 20.299526453,0x83C,0x000] SVM-FDT: off_mem_rsvmap 0x28
[ 20.299527181,0x83C,0x000] SVM-FDT: version 0x11
[ 20.299527759,0x83C,0x000] SVM-FDT: last_comp_version 0x2
[ 20.299528519,0x83C,0x000] SVM-FDT: boot_cpuid_phys 0x0
[ 20.299529209,0x83C,0x000] SVM-FDT: size_dt_strings 0x3d
[ 20.299529902,0x83C,0x000] SVM-FDT: size_dt_struct 0x188
[ 21.122968951,0x83C,0x001] UVCALL: uv_esm_svm(): commit returned
[522480.032053716,0x83C,0x000] UVCALL: uv_write_pate Called with lpid: 0x1, dw0: 0xc000203814c900ad, dw1: 0x80000001fe00000c
[ 41.111355212,0x015,0x001] SVM: D: Spurious E20 at gpa=0x1dca50000 asdr=0x1dca50000 state=GPF_SECURE

------- Comment From iranna.ankad.com 2020-09-28 13:34 EDT-------

Thanks Kumuda for the verification. Closing the bug now.
According to IBM's verification, I mark this verified now.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:5137