Description of problem: When i set tpm_tis model with backend emulator on aarch64 guest with out setting version 2.0. libvirt will auto add version 1.2 by default. Start guest successfully but guest doesn't have tpm device ``` [root@localhost ~]# dmesg | grep tpm [ 2.485254] tpm_tis MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table [ 2.488897] tpm_tis: probe of MSFT0101:00 failed with error -22 [ 2.492259] tpm_crb MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table [ 2.494497] tpm_crb: probe of MSFT0101:00 failed with error -22 ``` Version-Release number of selected component (if applicable): I tested it on libvirt-7.4.0-1 How reproducible: 100% Steps to Reproduce: 1. Edit an aarch64 guest xml with TPM setting ``` <tpm model='tpm-tis'> <backend type='emulator' version='1.2'/> </tpm> ``` 2. Start guest && Login Actual results: Guest doesn't have tpm device [root@localhost ~]# ls /dev/tpm* ls: cannot access '/dev/tpm*': No such file or directory [root@localhost ~]# dmesg | grep tpm [ 2.485254] tpm_tis MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table [ 2.488897] tpm_tis: probe of MSFT0101:00 failed with error -22 [ 2.492259] tpm_crb MSFT0101:00: [Firmware Bug]: failed to get TPM2 ACPI table [ 2.494497] tpm_crb: probe of MSFT0101:00 failed with error -22 Expected results: I'm not sure whether tpm_tis + emulator + version 1.2 should emulate tpm device on guest successfully. But if i didn't specify version 2.0, libvirt will auto add version 1.2 and i could start guest successfully. From my points of view: 1. If i could start guest successfully, guest should has tpm device 2. If tpm_tis + emulator + version 2.0 is must, libvirt shouldn't auto add version 1.2 when don't specify version Additional info: Support TPM on ARM virt machine was added in BZ#1867917
Hi, what is presented in the ACPI table is a "TCG Hardware Interface Description Table Format for TPM 2.0" with a TPM2 signature. I don't know if such description makes the device backward compatible with 1.2 but I would expect the TPM2.0 to be the default (that's what I tested also) and not 1.2. From a libvirt pov what is the consequence of chosing 1.2 or 2.0: impact at qemu level or in the SW emulator? In any case if aarch64 does not properly support 1.2 qemu should return an error.
(In reply to Eric Auger from comment #1) > Hi, > > what is presented in the ACPI table is a "TCG Hardware Interface Description > Table Format for TPM 2.0" with a TPM2 signature. I don't know if such > description makes the device backward compatible with 1.2 According to a comment I've found in libvirt (so take it with a grain of salt) TPM 1.2 and 2.0 are not compatible. > but I would expect > the TPM2.0 to be the default (that's what I tested also) and not 1.2. The libvirt documentation[1] says that By default a TPM 1.2 is created. so technically we're not doing anything wrong... Knowing this doesn't make the current behavior any more useful though :) > From a libvirt pov what is the consequence of chosing 1.2 or 2.0: impact at > qemu level or in the SW emulator? As far as I can tell, the TPM version is only used when building the command line for swtpm, and the examples included in the QEMU documentation[2] seem to confirm this, as they show examples of both TPM 1.2 and 2.0 which are identical at the QEMU command line level. Since swtpm itself seems to support TPM 1.2 on aarch64 (I think? At the very least it doesn't look like the command fails outright, or you'd get an error from libvirt about it) and QEMU seems to support TPM 1.2 for tpm-tis on x86_64, is it possible that there's some aarch64-specific code that needs to be tweaked in the frontend for this combination to work? Alternatively, is it possible that TPM only became a thing on ARM after TPM 2.0 had already been standardized, and so TPM 1.2 was never considered in the relevant specifications (ACPI etc.)? > In any case if aarch64 does not properly > support 1.2 qemu should return an error. If we can determine with reasonable certainty that TPM 1.2 was never a thing on aarch64, and is never going to be a thing either, then I think we can build a convincing case for this configuration to be rejected by libvirt and for the default to be changed to TPM 2.0: this is already the case for the tpm-crb and tpm-spapr devices[3]. However, I lack the subject expertise to confidently propose such a change... Can we perhaps dig up some references? [1] https://libvirt.org/formatdomain.html#tpm-device [2] https://qemu-project.gitlab.io/qemu/specs/tpm.html [3] Yes, this means that the documentation I just referred to is not actually entirely accurate O:-)
Thanks Andrea for your detailed reply. I just got a reply for Ard who said that TPM1.2 is not supported at edk2 level (ArmVirtQemu). I guess at QEMU level we would also need to generate a different ACPI level. So I think we are in the case of "TPM only became a thing on ARM after TPM 2.0 had already been standardized" and we should make libvirt default for ARM being 2.0 and document it.
Adding Marc-Andre. Marc-Andre, according to you, is it OK to set the default TPM version to 2.0 for ARM. It seems EDK2 does not support 1.2 and at qemu level the ACPI table generation may not support 1.2. I only tested 2.0 on my side. Do you know what would be the requirements in term of ACPI table (TCPA?)
I don't know the requirements for 1.2, even less on ARM. We only support vTPM 2.0 in RHEL (although 1.2 support is compiled in atm, for some historical reasons)
Hi Marc-Andre, thank you for the quick reply. So I don't see any reason supporting 1.2 on ARM and I would opt to set 2.0 by default at libvirt level for this arch. Nevertheless, upstream I can propose a patch to fail at qemu launch if 1.2 is used. in hw/arm/virt-acpi-build.c we have if (tpm_get_version(tpm_find()) == TPM_VERSION_2_0) { acpi_add_table(table_offsets, tables_blob); build_tpm2(tables_blob, tables->linker, tables->tcpalog, vms->oem_id, vms->oem_table_id); } Meaning that if 1.2 we do not generate any related ACPI table. I see that on i386 we generate the TCPA table. At least I can add an explicit error saying that TPM1.2 is not supported. Also this can be explictly documented at qemu level.
Patches posted upstream. https://listman.redhat.com/archives/libvir-list/2021-June/msg00759.html
(In reply to Andrea Bolognani from comment #7) > Patches posted upstream. > > https://listman.redhat.com/archives/libvir-list/2021-June/msg00759.html That works for me. Thanks!
Patches merged upstream. d8a1c059e0 qemu: Reject TPM 1.2 for ARM virt guests bf84313bbc tests: Test the defaults for TPM on ARM virt guests 7ace0fd221 qemu: Default to TPM 2.0 for ARM virt guests 7ad6f8dde0 tests: Add aarch64-tpm test to qemuxml2xml 499c38b22f docs: Fix information for default TPM version v7.5.0-7-gd8a1c059e0 libvirt 7.6.0 will include the changes.
Verified on libvirt-7.6.0-1.module+el8.5.0+12097+2c77910b.aarch64 a) Set tpm v1.2 specifically for aarch64 guest, libvirt output an error ``` [root@hpe-moonshot-02-c25 ~]# virsh edit avocado-vt-vm1 error: unsupported configuration: TPM 1.2 is not supported on ARM Failed. Try again? [y,n,i,f,?]: ``` b) Don't set tpm version, libvirt use version 2 by default.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4684