Bug 1838975 - RHEL8.2 - Unable to access TPM (via H_TPM_COMM) via libvirt/virsh (kvm)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libvirt
Version: 8.2
Hardware: ppc64le
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.3
Assignee: Daniel Henrique Barboza (IBM)
QA Contact: Virtualization Bugs
Blocks: 1776265
Reported: 2020-05-22 08:31 UTC by IBM Bug Proxy
Modified: 2020-11-17 17:48 UTC (History)

Fixed In Version: libvirt-6.5.0-1.el8
Last Closed: 2020-11-17 17:48:38 UTC



Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 185963 0 None None None 2020-05-22 08:31:38 UTC

Description IBM Bug Proxy 2020-05-22 08:31:22 UTC

Comment 1 IBM Bug Proxy 2020-05-22 08:31:32 UTC
When creating a virtual machine using libvirt/virsh we are unable to access the TPM device. But if we create the VM directly, using the QEMU command line, then we are able to access the TPM device. 
 
---Additional Hardware Info---
Power9 system (Witherspoon) with a hardware TPM 

Machine Type = Power9 PVR 004e 1203 
 
---Steps to Reproduce---
Following command line generated by libvirt/virsh fails to access the TPM:

/usr/share/avocado-plugins-vt/bin/install_root/bin/qemu-system-ppc64 \
-name guest=f31,debug-threads=on \
-S \
-object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-1-f31/master-key.aes \
-machine pseries-5.0,accel=kvm,usb=off,dump-guest-core=off \
-bios /usr/share/avocado-plugins-vt/bin/install_root/share/qemu/slof.bin \
-m 1024 \
-overcommit mem-lock=off \
-smp 4,sockets=1,cores=4,threads=1 \
-uuid 59691a55-e77f-4519-a9c1-7cba26cccdd1 \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=36,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.0,addr=0x3 \
-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2 \
-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x4 \
-drive file=/home/sath/f31-ppc64le.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0 \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,device_id=drive-scsi0-0-0-0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 \
-netdev tap,fd=38,id=hostnet0,vhost=on,vhostfd=39 \
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:de:e4:78,bus=pci.0,addr=0x1 \
-chardev pty,id=charserial0 \
-device spapr-vty,chardev=charserial0,id=serial0,reg=0x30000000 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 \
-device spapr-tpm-proxy,id=tpmp0,host-path=/dev/tpm0 \
-trace events=/home/sath/tpm_events_log/tpm_events,file=/home/sath/tpm_events_log/tpm_log \
-global virtio-scsi-pci.disable-legacy=on \
-global virtio-scsi-pci.disable-modern=off \
-global virtio-blk-pci.disable-legacy=on \
-global virtio-blk-pci.disable-modern=off \
-global virtio-net-pci.disable-legacy=on \
-global virtio-net-pci.disable-modern=off \
-global virtio-serial-pci.disable-legacy=on \
-global virtio-serial-pci.disable-modern=off \
-global virtio-balloon-pci.disable-legacy=on \
-global virtio-balloon-pci.disable-modern=off \
-global virtio-serial-pci.disable-legacy=on \
-global virtio-serial-pci.disable-modern=off \
-global virtio-serial-pci.iommu_platform=on \
-global virtio-scsi-pci.iommu_platform=on \
-global virtio-net-pci.iommu_platform=on \
-global virtio-blk-pci.iommu_platform=on \
-global virtio-balloon-pci.iommu_platform=on \
-msg timestamp=on

Able to access TPM with following command line

/usr/share/avocado-plugins-vt/bin/install_root/bin/qemu-system-ppc64 \
        -nodefaults \
        -cpu host \
        -serial mon:stdio \
        -display none \
        -smp 1 \
        -m 512M \
        -machine pseries,accel=kvm,kvm-type=HV,cap-htm=off,cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken,cap-ccf-assist=off,ic-mode=xics \
        -kernel /root/svm-images/vmlinuz-5.7.0-rc1-dirty \
        -initrd /root/svm-images/wspoon4-esmb-initrd.img \
        -device spapr-tpm-proxy,id=tpmp0,host-path=/dev/tpm0 \
        -append 'ignore_loglevel powersave=off init=/bin/sh'

 

Fyi ...
... Version 5 of the support is posted in Libvirt mailing list:

https://www.redhat.com/archives/libvir-list/2020-May/msg00997.html

Comment 2 Daniel Henrique Barboza (IBM) 2020-06-03 12:10:48 UTC
Version 6 was posted to the mailing list:

https://www.redhat.com/archives/libvir-list/2020-June/msg00051.html

Comment 3 Daniel Henrique Barboza (IBM) 2020-06-10 18:13:42 UTC
Version 7 was posted to the mailing list:

https://www.redhat.com/archives/libvir-list/2020-June/msg00429.html

Comment 5 David Gibson 2020-06-19 05:02:47 UTC
This is aimed at RHEL-AV, moving accordingly.

Comment 6 Daniel Henrique Barboza (IBM) 2020-06-23 18:01:45 UTC
Patches were pushed upstream and will be available in Libvirt 6.5.0.


For reference, the upstream patch list is:

commit 5a333b1034d0626a5514edba7de7ae97ea1f77c6
Author: Daniel Henrique Barboza <danielhb413>

    NEWS.rst: update for the new TPM Proxy device

commit b564332ba7fd22f22a6b8da64ffa7cb4776bf624
Author: Daniel Henrique Barboza <danielhb413>

    tests/qemuxml2argvtest.c: add TPM Proxy command line tests

commit 9577d86f62490af76cfe2c44ffa925f963fec5d2
Author: Daniel Henrique Barboza <danielhb413>

    qemu: build command line for the TPM Proxy device

commit badbd55a3b46b24fae7f0dba67a06b79b5b49c97
Author: Daniel Henrique Barboza <danielhb413>

    tests: add XML schema tests for the TPM Proxy device

commit 0f7e8649c787ec56f2fbcbeaebe42314ae7a8d8d
Author: Daniel Henrique Barboza <danielhb413>

    qemu: add validations after TPM Proxy model introduction

commit 19d74fdf0eb5d2e89e80ceedea736425160ffccb
Author: Daniel Henrique Barboza <danielhb413>

    conf, qemu, security, tests: introducing 'def->tpms' array

commit db45fb49e8475152136ffafa7b06aab6f9240cf9
Author: Daniel Henrique Barboza <danielhb413>

    qemu_tpm, security, tests: change 'switch' clauses for 'if'

commit 9c77b617e6071ce0b6092cbaa8637beca1e3f08e
Author: Daniel Henrique Barboza <danielhb413>

    qemu_extdevice.c: remove unneeded 'ret' variable

commit 096a42000e6c4e13015a04e8b2a1049de5d2cfdc
Author: Daniel Henrique Barboza <danielhb413>

    qemu: Extend QEMU capabilities with 'spapr-tpm-proxy'

commit f1d7d6c2cf192c8559dd43c85a7f4b21018c29f6
Author: Daniel Henrique Barboza <danielhb413>

    docs: documentation and schema for the new TPM Proxy model

Comment 7 Dan Zheng 2020-07-07 01:50:28 UTC
Hi, IBM
As Red Hat does not have a P9 machine with hardware TPM, could you help test this BZ? If yes, I would like to add 'OtherQA' and give qa_ack.

Dan

Comment 8 Hanns-Joachim Uhl 2020-07-07 11:24:59 UTC
(In reply to Dan Zheng from comment #7)
> Hi, IBM
> As Red Hat does not have a P9 machine with hardware TPM, could you help test
> this BZ? If yes, I would like to add 'OtherQA' and give qa_ack.
> 
> Dan
.
... yes, IBM will do fix verification on POWER ... setting OtherQA ...

Comment 9 Dan Zheng 2020-07-09 04:21:09 UTC
Set 'qa_ack' as IBM will help Other_QA.

Dan

Comment 12 Dan Zheng 2020-09-08 06:55:53 UTC
Hi IBM,
Could you provide any updates here when you have? Thanks.


Dan

Comment 13 Iranna Ankad 2020-09-08 15:27:36 UTC
(In reply to Dan Zheng from comment #12)
> Hi IBM,
> Could you provide any updates here when you have? Thanks.
> 
> 
> Dan

Hi Dan,
Sure, we plan to validate this as soon as we have access to 8.3-AV Beta (i.e. September 23).

Thanks!

Comment 14 IBM Bug Proxy 2020-09-28 17:40:48 UTC
------- Comment From kumuda.govind.com 2020-09-28 11:46 EDT-------
Creating VM using virsh to access the TPM device works on below environment,

Machine Type = power9 ppc64le DD2.3
HW: Wsp DD2.3 with TPM chip
Host Kernel: 4.18.0-236.el8.ppc64le
Guest Kernel: 4.18.0-236.el8.ppc64le
# libvirtd --version
libvirtd (libvirt) 6.6.0
# rpm -qf /usr/sbin/libvirtd
libvirt-daemon-6.6.0-5.module+el8.3.0+8092+f9e72d7e.ppc64le

# /usr/libexec/qemu-kvm -version
QEMU emulator version 5.1.0 (qemu-kvm-5.1.0-6.module+el8.3.0+7652+b30e6901.bz1870384)
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers

/usr/libexec/qemu-kvm \
-name guest=svm,debug-threads=on \
-S \
-object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-2-svm/master-key.aes \
-machine pseries-rhel8.3.0,accel=kvm,usb=off,dump-guest-core=off \
-cpu POWER9 \
-m size=8388608k,slots=32,maxmem=83886080k \
-overcommit mem-lock=off \
-smp 64,sockets=1,dies=1,cores=64,threads=1 \
-object memory-backend-ram,id=ram-node0,size=8589934592 \
-numa node,nodeid=0,cpus=0-63,memdev=ram-node0 \
-uuid af616b56-b201-4d1c-9fff-58c6989d62e7 \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=31,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.0,addr=0x3 \
-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2 \
-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x4 \
-blockdev {"driver":"file","filename":"/home/sath/tests/data/avocado-vt/images/rhel8-devel-ppc64le-svm.qcow2","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"} \
-blockdev {"node-name":"libvirt-1-format","read-only":false,"driver":"qcow2","file":"libvirt-1-storage","backing":null} \
-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=libvirt-1-format,id=virtio-disk0,bootindex=1 \
-netdev tap,fd=35,id=hostnet0,vhost=on,vhostfd=36 \
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:35:04:44,bus=pci.0,addr=0x1 \
-chardev pty,id=charserial0 \
-device spapr-vty,chardev=charserial0,id=serial0,reg=0x30000000 \
-chardev socket,id=charchannel0,fd=37,server,nowait \
-device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 \
-device spapr-tpm-proxy,id=tpm0,host-path=/dev/tpmrm0 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 \
-M pseries,x-svm-allowed=on \
-global virtio-scsi-pci.iommu_platform=on \
-global virtio-scsi-pci.disable-legacy=on \
-global virtio-scsi-pci.disable-modern=off \
-global virtio-blk-pci.iommu_platform=on \
-global virtio-blk-pci.disable-legacy=on \
-global virtio-blk-pci.disable-modern=off \
-global virtio-net-pci.iommu_platform=on \
-global virtio-net-pci.disable-legacy=on \
-global virtio-net-pci.disable-modern=off \
-global virtio-serial-pci.iommu_platform=on \
-global virtio-serial-pci.disable-legacy=on \
-global virtio-serial-pci.disable-modern=off \
-global virtio-balloon-pci.disable-legacy=on \
-global virtio-balloon-pci.disable-modern=off \
-global virtio-balloon-pci.iommu_platform=on \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on

snippet of /sys/firmware/ultravisor/msglog when starting svm,
[   18.448057259,0x83C,0x000] SVM: create_svm: Created svm with lpid 1
[   18.448060648,0x83C,0x000] UVCALL: uv_esm_svm r_state=1004000968e80, stack=100400096dbe0, esm_data=1004000962dd0, kbase=0x2000000, fdt=0x6b00000
[522477.326497440,0x83C,0x000] UVCALL: uv_register_mem_slot lpid=1 start_gpa=0x0 nbytes=0x200000000, flags=0x0, slotid=0x0
[   19.180306223,0x83C,0x000] UVCALL: uv_esm_svm(): H_SVM_INIT_START returned [0]
[   19.180867697,0x83C,0x000] SVM-ESMB: ERROR: svm_esmb_fdt_upd_hdlr(): files_fdt gpa 0x2ffd0000
[   19.205413966,0x83C,0x000] SVM-FDT: ERROR: svm_fdt_prop_get: property linux,esm-blob-start rc [-1]
[   19.205416285,0x83C,0x000] SVM-ESM: ERROR: svm_esm_wrapper_esmb: esm-blob-start prop get rc [-1]
[   19.205421172,0x83C,0x000] SVM-ESM: svm_esm_cpio_esmb: esmb fdt 1206bff700260
[   19.205422264,0x83C,0x000] SVM-FDT: magic 0xd00dfeed
[   19.205423049,0x83C,0x000] SVM-FDT: totalsize 0x687
[   19.205423714,0x83C,0x000] SVM-FDT: off_dt_struct 0x38
[   19.205424484,0x83C,0x000] SVM-FDT: off_dt_strings 0x638
[   19.205425212,0x83C,0x000] SVM-FDT: off_mem_rsvmap 0x28
[   19.205425873,0x83C,0x000] SVM-FDT: version 0x11
[   19.205426460,0x83C,0x000] SVM-FDT: last_comp_version 0x2
[   19.205427140,0x83C,0x000] SVM-FDT: boot_cpuid_phys 0x0
[   19.205427904,0x83C,0x000] SVM-FDT: size_dt_strings 0x4f
[   19.205428572,0x83C,0x000] SVM-FDT: size_dt_struct 0x600
[   19.205430950,0x83C,0x000] SVM-ESMB: ERROR: svm_esmb_get_files_fdt: files-fdt property rc [-1]
[   19.205432370,0x83C,0x000] SVM-ESM: N: svm_esm_blob_chk: error -4 getting esmb attachments, ignoring
[   20.299523204,0x83C,0x000] SVM-FDT: magic 0xd00dfeed
[   20.299524269,0x83C,0x000] SVM-FDT: totalsize 0x1fd
[   20.299525002,0x83C,0x000] SVM-FDT: off_dt_struct 0x38
[   20.299525786,0x83C,0x000] SVM-FDT: off_dt_strings 0x1c0
[   20.299526453,0x83C,0x000] SVM-FDT: off_mem_rsvmap 0x28
[   20.299527181,0x83C,0x000] SVM-FDT: version 0x11
[   20.299527759,0x83C,0x000] SVM-FDT: last_comp_version 0x2
[   20.299528519,0x83C,0x000] SVM-FDT: boot_cpuid_phys 0x0
[   20.299529209,0x83C,0x000] SVM-FDT: size_dt_strings 0x3d
[   20.299529902,0x83C,0x000] SVM-FDT: size_dt_struct 0x188
[   21.122968951,0x83C,0x001] UVCALL: uv_esm_svm(): commit returned
[522480.032053716,0x83C,0x000] UVCALL: uv_write_pate Called with lpid: 0x1, dw0: 0xc000203814c900ad, dw1: 0x80000001fe00000c
[   41.111355212,0x015,0x001] SVM: D: Spurious E20 at gpa=0x1dca50000 asdr=0x1dca50000 state=GPF_SECURE

------- Comment From iranna.ankad.com 2020-09-28 13:34 EDT-------
Thanks Kumuda for the verification.

Closing the bug now.
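
One way to confirm that a libvirt-generated QEMU command line, such as the one quoted in comment 14, carries the TPM Proxy device and which host TPM node it is bound to. This is an added example, not part of the bug report or of libvirt; the function names are hypothetical and the sample command line is a constructed, shortened excerpt.

```python
import shlex

# Constructed sample: a shortened form of the command line quoted in
# comment 14 (not a complete or runnable QEMU invocation).
SAMPLE_CMDLINE = (
    "/usr/libexec/qemu-kvm -name guest=svm,debug-threads=on -S "
    "-machine pseries-rhel8.3.0,accel=kvm,usb=off,dump-guest-core=off "
    "-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2 "
    "-device spapr-tpm-proxy,id=tpm0,host-path=/dev/tpmrm0 "
    "-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 "
    "-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny "
    "-msg timestamp=on"
)


def split_qemu_opts(value):
    """Split on single commas; QEMU writes a literal comma in a value as ',,'."""
    return [p.replace("\0", ",") for p in value.replace(",,", "\0").split(",")]


def parse_devices(cmdline):
    """Return one dict per -device argument: {'driver': ..., key: value, ...}."""
    argv = shlex.split(cmdline)
    devices = []
    for flag, value in zip(argv, argv[1:]):
        if flag != "-device":
            continue
        driver, *props = split_qemu_opts(value)
        dev = {"driver": driver}
        for prop in props:
            key, _, val = prop.partition("=")
            dev[key] = val
        devices.append(dev)
    return devices


def find_tpm_proxy(cmdline):
    """Return the spapr-tpm-proxy device dict, or None if none was emitted."""
    for dev in parse_devices(cmdline):
        if dev["driver"] == "spapr-tpm-proxy":
            return dev
    return None


if __name__ == "__main__":
    print(find_tpm_proxy(SAMPLE_CMDLINE))
```
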

Comment 15 Dan Zheng 2020-09-29 02:17:26 UTC
According to IBM's verification, I mark this verified now.

Comment 18 errata-xmlrpc 2020-11-17 17:48:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5137

