Description of problem:
swtpm 0.4.2 / 0.5.1 has been patched to mitigate a potential symlink attack issue:
https://github.com/stefanberger/swtpm/releases/tag/v0.4.2

From the release notes:

version 0.4.2:
  swtpm & swtpm_setup: Addressed potential symlink attack issue (CVE-2020-28407)

version 0.5.1:
  swtpm & swtpm_setup: Addressed potential symlink attack issue (CVE-2020-28407)
  build-sys: Fix configure python cryptography error message
Sorry, it seems like it was built today.
Verify this bug as follows:

1) Install rhel8.3 baseos on a machine

2) Install virt:8.3 module and swtpm related pkgs, list some pkgs:
libvirt-daemon-6.6.0-7.1.module+el8.3.0+8852+b44fca9f.x86_64
qemu-kvm-5.1.0-14.module+el8.3.0+8790+80f9c6d8.1.x86_64
swtpm-0.4.0-3.20200828git0c238a2.module+el8.3.0+8254+568ca30d.x86_64

3) Run the auto cases of tpm device
# avocado run --vt-type libvirt --vt-machine-type q35 tpm_device
....
RESULTS : PASS 41 | ERROR 0 | FAIL 2 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME : 3832.22 s

41 cases passed, 2 cases failed because of existing bug 1769196

4) Upgrade the host
# dnf module reset virt
# dnf module enable virt:8.3
# dnf distrosync --allowerasing

5) Check some pkgs version after upgrading
libvirt-daemon-6.6.0-11.module+el8.3.1+9196+74a80ca4.x86_64
qemu-kvm-5.1.0-17.module+el8.3.1+9213+7ace09c3.x86_64
swtpm-0.4.2-1.20201201git2df14e3.module+el8.3.1+9074+e34e3b04.x86_64

6) Run the auto cases of tpm device
# avocado run --vt-type libvirt --vt-machine-type q35 tpm_device
JOB ID : e688cc5529b962d469e5962d463ff164e099bcc5
JOB LOG : /root/avocado/job-results/job-2020-12-18T20.09-e688cc5/job.log
(01/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-tis_model.passthrough.device_path_assign: PASS (33.36 s)
(02/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.passthrough.device_path_assign: PASS (33.11 s)
(03/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.basic: PASS (88.93 s)
(04/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.version_default: PASS (89.42 s)
(05/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.multi_vms: PASS (134.63 s)
(06/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.test_suite: PASS (191.32 s)
(07/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.snapshot_operate: PASS (88.04 s)
(08/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.restart_vm.domrename_operate: PASS (128.00 s)
(09/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.restart_vm.remove_vtpm: PASS (128.08 s)
(10/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.restart_vm.restart_libvirtd: FAIL: error: Failed to start domain avocado-vt-vm1\nerror: Requested operation is not valid: Setting different SELinux label on /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log which is already in use\n (96.49 s)
(11/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.restore_vm: PASS (108.28 s)
(12/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.suspend_resume: PASS (95.87 s)
(13/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.undefine_create: PASS (128.78 s)
(14/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.plain.restart_libvirtd: PASS (92.40 s)
(15/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.basic: PASS (90.60 s)
(16/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.multi_vms: PASS (142.79 s)
(17/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.test_suite: PASS (187.69 s)
(18/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.snapshot_operate: PASS (99.88 s)
(19/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.restart_vm.domrename_operate: PASS (130.09 s)
(20/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.restart_vm.remote_vtpm: PASS (126.68 s)
(21/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.restart_vm.restart_libvirtd: FAIL: error: Failed to start domain avocado-vt-vm1\nerror: Requested operation is not valid: Setting different SELinux label on /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log which is already in use\n (99.82 s)
(22/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.restart_vm.newsecret_samepw: PASS (134.04 s)
(23/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.restart_vm.newpw_rmstate: PASS (128.54 s)
(24/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.restore_vm: PASS (96.96 s)
(25/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.suspend_resume: PASS (93.62 s)
(26/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.undefine_create: PASS (134.85 s)
(27/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.restart_libvirtd: PASS (91.51 s)
(28/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.default_model.passthrough.device_path_default: PASS (5.61 s)
(29/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.other_backend.no_backend: PASS (4.60 s)
(30/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.other_backend.none_backendtype: PASS (4.56 s)
(31/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.other_backend.invalid_backendtype: PASS (4.53 s)
(32/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.passthrough.reuse_passthrgh_tpm: PASS (39.54 s)
(33/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.passthrough.multi_passthrgh_tpm: PASS (5.64 s)
(34/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.backend_version.version_1.2: PASS (49.74 s)
(35/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.backend_version.version_2: PASS (49.73 s)
(36/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.encrypt_secret.invalid_secret: PASS (46.77 s)
(37/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.encrypt_secret.nonexist_secret: PASS (47.23 s)
(38/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.encryption_test.none_pw: PASS (47.59 s)
(39/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.encryption_test.restart_vm.plain_to_encrypt: PASS (102.52 s)
(40/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.encryption_test.restart_vm.encrypt_to_plain: PASS (104.40 s)
(41/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.encryption_test.restart_vm.newpw_keepstate: PASS (95.83 s)
(42/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.encryption_test.restore_vm.newpw_keepstate: PASS (98.44 s)
(43/43) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.negative_test.emulator.encryption_test.restore_vm.newpw_rmstate: PASS (96.56 s)
RESULTS : PASS 41 | ERROR 0 | FAIL 2 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME : 3800.96 s

41 cases passed, 2 cases failed because of existing bug 1769196
After upgrading to swtpm-0.4.2, all the functions covered by the above tpm cases work just as before upgrading; marking the bug as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0639