Bug 2000396 - [aarch64][RHEL9] The lack of TPMFinalLog in efi causes the tpm self-test in the guest to fail
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: edk2
Version: 9.0
Hardware: aarch64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 9.0
Assignee: Gerd Hoffmann
QA Contact: Yihuang Yu
URL:
Whiteboard:
Depends On:
Blocks: 1924294
Reported: 2021-09-02 05:17 UTC by Yihuang Yu
Modified: 2022-05-17 13:14 UTC

Fixed In Version: edk2-20210527gite1999b264f1f-7.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 12:53:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-95951 | 0 | None | None | None | 2021-09-02 05:18:43 UTC
Red Hat Product Errata | RHBA-2022:2415 | 0 | None | None | None | 2022-05-17 12:54:31 UTC

Description Yihuang Yu 2021-09-02 05:17:52 UTC
Description of problem:
Launch a guest with a vtpm device on a RHEL9 host. The guest starts normally, but a TPM error occurs.

Version-Release number of selected component (if applicable):
Host kernel: 5.14.0-1.el9.aarch64
guest kernel: 4.18.0-338.el8.aarch64/5.14.0-0.rc7.54.el9.aarch64
qemu version: qemu-kvm-6.0.0-13.el9.aarch64
edk2 version: edk2-aarch64-20210527gite1999b264f1f-6.el9.noarch
tpm versions:
    tpm2-tss-3.0.3-5.el9.aarch64
    tpm2-tools-5.0-8.el9.aarch64
    libtpms-0.8.2-0.20210301git729fc6a4ca.el9.6.aarch64
    swtpm-libs-0.6.0-3.20210607gitea627b3.el9.aarch64
    swtpm-0.6.0-3.20210607gitea627b3.el9.aarch64
    swtpm-tools-0.6.0-3.20210607gitea627b3.el9.aarch64
 

How reproducible:
always

Steps to Reproduce:
1. Setup vtpm device on host
swtpm_setup --tpm2 --tpm-state /tmp/avocado_wi445d0g/avocado-vt-vm1_tpm0_tpm_state --createek --create-ek-cert --create-platform-cert --lock-nvram --not-overwrite
swtpm socket --ctrl type=unixio,path=/tmp/avocado_wi445d0g/avocado-vt-vm1_tpm0_swtpm.sock,mode=0600 --tpmstate dir=/tmp/avocado_wi445d0g/avocado-vt-vm1_tpm0_tpm_state,mode=0600 --tpm2 --log file=/tmp/vtpm_tpm0_swtpm.log

2. Launch a guest
MALLOC_PERTURB_=1  /usr/libexec/qemu-kvm \
    -name 'avocado-vt-vm1'  \
    -sandbox on  \
    -blockdev node-name=file_aavmf_code,driver=file,filename=/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_aavmf_code,driver=raw,read-only=on,file=file_aavmf_code \
    -blockdev node-name=file_aavmf_vars,driver=file,filename=/home/kvm_autotest_root/images/avocado-vt-vm1_rhel900-aarch64-virtio-scsi.qcow2_VARS.fd,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_aavmf_vars,driver=raw,read-only=off,file=file_aavmf_vars \
    -machine virt,gic-version=host,memory-backend=mem-machine_mem,pflash0=drive_aavmf_code,pflash1=drive_aavmf_vars \
    -device pcie-root-port,id=pcie-root-port-0,multifunction=on,bus=pcie.0,addr=0x1,chassis=1 \
    -device pcie-pci-bridge,id=pcie-pci-bridge-0,addr=0x0,bus=pcie-root-port-0  \
    -nodefaults \
    -device pcie-root-port,id=pcie-root-port-1,port=0x1,addr=0x1.0x1,bus=pcie.0,chassis=2 \
    -device virtio-gpu-pci,bus=pcie-root-port-1,addr=0x0 \
    -m 8192 \
    -object memory-backend-ram,size=8192M,id=mem-machine_mem  \
    -smp 4,maxcpus=4,cores=2,threads=1,sockets=2  \
    -cpu 'host' \
    -serial unix:'/tmp/serial-serial0',server=on,wait=off \
    -device pcie-root-port,id=pcie-root-port-2,port=0x2,addr=0x1.0x2,bus=pcie.0,chassis=3 \
    -device qemu-xhci,id=usb1,bus=pcie-root-port-2,addr=0x0 \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
    -device pcie-root-port,id=pcie-root-port-3,port=0x3,addr=0x1.0x3,bus=pcie.0,chassis=4 \
    -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie-root-port-3,addr=0x0 \
    -blockdev node-name=file_image1,driver=file,auto-read-only=on,discard=unmap,aio=threads,filename=/home/kvm_autotest_root/images/rhel900-aarch64-virtio-scsi.qcow2,cache.direct=on,cache.no-flush=off \
    -blockdev node-name=drive_image1,driver=qcow2,read-only=off,cache.direct=on,cache.no-flush=off,file=file_image1 \
    -device scsi-hd,id=image1,drive=drive_image1,write-cache=on \
    -device pcie-root-port,id=pcie-root-port-4,port=0x4,addr=0x1.0x4,bus=pcie.0,chassis=5 \
    -device virtio-net-pci,mac=9a:c2:5b:66:77:49,rombar=0,id=id8gy2we,netdev=id69OnLM,bus=pcie-root-port-4,addr=0x0  \
    -netdev tap,id=id69OnLM,vhost=on  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew \
    -chardev socket,id=char_vtpm_tpm0,path=/tmp/avocado_wi445d0g/avocado-vt-vm1_tpm0_swtpm.sock \
    -tpmdev emulator,chardev=char_vtpm_tpm0,id=emulator_vtpm_tpm0 \
    -device tpm-tis-device,id=tpm-tis-device_vtpm_tpm0,tpmdev=emulator_vtpm_tpm0 \
    -enable-kvm \
    -monitor stdio

3. Check the guest's dmesg
dmesg | grep "efi:"
dmesg | grep -i tpm

Actual results:
[    0.000000] efi: EFI v2.70 by EDK II
[    0.000000] efi: SMBIOS 3.0=0x23f5c0000 MEMATTR=0x23ce56418 ACPI 2.0=0x23c040018 MEMRESERVE=0x23c233e18 

[    0.000000] ACPI: TPM2 0x000000023C04E418 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    2.423967] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
[    2.426814] tpm tpm0: A TPM error (256) occurred attempting the self test
[    2.428487] tpm tpm0: starting up the TPM manually

Expected results:
[    0.000000] efi: EFI v2.70 by EDK II
[    0.000000] efi: SMBIOS 3.0=0x23f540000 TPMFinalLog=0x23bc50000 MEMATTR=0x23c907418 ACPI 2.0=0x23bbf0000 TPMEventLog=0x23c1b0018 MEMRESERVE=0x23c1b3e18 

[    0.000000] efi:  SMBIOS 3.0=0x23f530000  TPMFinalLog=0x23bda0000  MEMATTR=0x23e1d8018  ACPI 2.0=0x23bd20018  RNG=0x23f63bc18  MEMRESERVE=0x23c1a3e18 
[    0.000000] ACPI: TPM2 0x000000023BD2E418 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    5.438785] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)

Additional info:
I downgraded to edk2-aarch64-20200602gitca407c7246bf-2.el9.noarch, then the test case passed smoothly.
Also, I cannot reproduce this problem on x86 with edk2-ovmf-20210527gite1999b264f1f-6.el9.noarch:

[    0.000000] efi: SMBIOS=0x7e9d6000 TPMFinalLog=0x7ebf6000 ACPI=0x7eb7d000 ACPI 2.0=0x7eb7d014 MEMATTR=0x7da29198 TPMEventLog=0x7da21018
[    0.018348] ACPI: TPM2 0x000000007EB76000 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    0.018369] ACPI: Reserving TPM2 table memory at [mem 0x7eb76000-0x7eb7604b]

Comment 1 Eric Auger 2021-09-02 06:59:55 UTC
Looks like the EDK2 FW was not compiled with 
build -a AARCH64 -p ./ArmVirtPkg/ArmVirtQemu.dsc -b DEBUG -t GCC5 -D SECURE_BOOT_ENABLE -D TPM2_ENABLE
Adding Philippe to check FW compilation flags

Comment 13 Gerd Hoffmann 2021-10-22 08:17:19 UTC
shameless plug: there is https://gitlab.com/kraxel/edk2-tests/-/blob/master/tools/dumpfv.py which dumps edk2 firmware volumes so one can inspect what modules got compiled in.

Comment 15 Yihuang Yu 2021-11-02 14:38:38 UTC
Verify this bug with edk2-aarch64-20210527gite1999b264f1f-7.el9.noarch

Environment:
qemu version: qemu-kvm-6.1.0-6.el9.aarch64
host kernel version: kernel-5.14.0-11.el9.aarch64
guest kernel version: 


1. Setup vTPM daemon:
/usr/bin/swtpm_setup --tpm2 --tpm-state /tmp/avocado_bg23ku8o/avocado-vt-vm1_tpm0_tpm_state --createek --create-ek-cert --create-platform-cert --lock-nvram --not-overwrite

/usr/bin/swtpm socket --ctrl type=unixio,path=/tmp/avocado_bg23ku8o/avocado-vt-vm1_tpm0_swtpm.sock,mode=0600 --tpmstate dir=/tmp/avocado_bg23ku8o/avocado-vt-vm1_tpm0_tpm_state,mode=0600 --tpm2 --log file=/root/avocado/job-results/job-2021-11-02T10.24-2e63516/test-results/1-Host_RHEL.m9.u0.qcow2.virtio_scsi.up.virtio_net.Guest.RHEL.9.0.0.aarch64.io-github-autotest-qemu.tpm_verify_device.with_emulator.arm64-pci/vtpm_tpm0_swtpm.log

2. Launch a guest:
MALLOC_PERTURB_=1  /usr/libexec/qemu-kvm \
    -name 'avocado-vt-vm1'  \
    -sandbox on  \
    -blockdev node-name=file_aavmf_code,driver=file,filename=/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_aavmf_code,driver=raw,read-only=on,file=file_aavmf_code \
    -blockdev node-name=file_aavmf_vars,driver=file,filename=/home/kvm_autotest_root/images/avocado-vt-vm1_rhel900-aarch64-virtio-scsi.qcow2_VARS.fd,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_aavmf_vars,driver=raw,read-only=off,file=file_aavmf_vars \
    -machine virt,gic-version=host,memory-backend=mem-machine_mem,pflash0=drive_aavmf_code,pflash1=drive_aavmf_vars \
    -device pcie-root-port,id=pcie-root-port-0,multifunction=on,bus=pcie.0,addr=0x1,chassis=1 \
    -device pcie-pci-bridge,id=pcie-pci-bridge-0,addr=0x0,bus=pcie-root-port-0  \
    -nodefaults \
    -device pcie-root-port,id=pcie-root-port-1,port=0x1,addr=0x1.0x1,bus=pcie.0,chassis=2 \
    -device virtio-gpu-pci,bus=pcie-root-port-1,addr=0x0 \
    -m 14336 \
    -object memory-backend-ram,size=14336M,id=mem-machine_mem  \
    -smp 8,maxcpus=8,cores=4,threads=1,sockets=2  \
    -cpu 'host' \
    -chardev socket,id=qmp_id_qmpmonitor1,server=on,wait=off,path=/tmp/avocado_bg23ku8o/monitor-qmpmonitor1-20211102-102458-9MJNc8JD  \
    -mon chardev=qmp_id_qmpmonitor1,mode=control \
    -chardev socket,id=qmp_id_catch_monitor,server=on,wait=off,path=/tmp/avocado_bg23ku8o/monitor-catch_monitor-20211102-102458-9MJNc8JD  \
    -mon chardev=qmp_id_catch_monitor,mode=control  \
    -serial unix:'/tmp/avocado_bg23ku8o/serial-serial0-20211102-102458-9MJNc8JD',server=on,wait=off \
    -device pcie-root-port,id=pcie-root-port-2,port=0x2,addr=0x1.0x2,bus=pcie.0,chassis=3 \
    -device qemu-xhci,id=usb1,bus=pcie-root-port-2,addr=0x0 \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
    -device pcie-root-port,id=pcie-root-port-3,port=0x3,addr=0x1.0x3,bus=pcie.0,chassis=4 \
    -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie-root-port-3,addr=0x0 \
    -blockdev node-name=file_image1,driver=file,auto-read-only=on,discard=unmap,aio=threads,filename=/home/kvm_autotest_root/images/rhel900-aarch64-virtio-scsi.qcow2,cache.direct=on,cache.no-flush=off \
    -blockdev node-name=drive_image1,driver=qcow2,read-only=off,cache.direct=on,cache.no-flush=off,file=file_image1 \
    -device scsi-hd,id=image1,drive=drive_image1,write-cache=on \
    -device pcie-root-port,id=pcie-root-port-4,port=0x4,addr=0x1.0x4,bus=pcie.0,chassis=5 \
    -device virtio-net-pci,mac=9a:33:3f:5c:88:48,rombar=0,id=idRoqMPx,netdev=idf3ZSTI,bus=pcie-root-port-4,addr=0x0  \
    -netdev tap,id=idf3ZSTI,vhost=on,vhostfd=21,fd=5  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew \
    -chardev socket,id=char_vtpm_tpm0,path=/tmp/avocado_bg23ku8o/avocado-vt-vm1_tpm0_swtpm.sock \
    -tpmdev emulator,chardev=char_vtpm_tpm0,id=emulator_vtpm_tpm0 \
    -device tpm-tis-device,id=tpm-tis-device_vtpm_tpm0,tpmdev=emulator_vtpm_tpm0 \
    -enable-kvm \
    -device pcie-root-port,id=pcie_extra_root_port_0,multifunction=on,bus=pcie.0,addr=0x2,chassis=6 \
    -device pcie-root-port,id=pcie_extra_root_port_1,addr=0x2.0x1,bus=pcie.0,chassis=7

3. Verify dmesg output inside guest:

dmesg | grep -i tpm
[    0.000000] efi: SMBIOS 3.0=0x3bf5a0000 TPMFinalLog=0x3bc020000 MEMATTR=0x3bcf03698 ACPI 2.0=0x3bbe00018 TPMEventLog=0x3bc210018 MEMRESERVE=0x3bc213e18
[    0.000000] ACPI: TPM2 0x00000003BBE0FC18 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    2.638808] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
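
An added example, not part of the bug report or of any Red Hat tooling: a shell check that automates the `dmesg` comparison made in the description and in comment 15. The function names and verdict strings are assumptions; the sample lines are copied from the outputs quoted on this page.

```sh
#!/bin/sh
# Added example: classify guest dmesg text for the symptom tracked in this bug.
# check_tpm_dmesg reads dmesg on stdin and prints "<verdict> eventlog=<yes|no>":
#   ok           efi: line advertises TPMFinalLog and no TPM error was logged
#   missing-log  a TPM device was found but the efi: line lacks TPMFinalLog
#   tpm-error    TPMFinalLog is present but the kernel still logged a TPM error
#   no-tpm       no TPM device line at all
check_tpm_dmesg() {
    awk '
        # Drop the "[    0.000000] " timestamp so $1 is the subsystem tag.
        { sub(/^\[[ 0-9.]*\] */, "") }
        $1 == "efi:" {
            # Tables are printed as NAME=0xADDR tokens on the efi: line.
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^TPMFinalLog=0x[0-9a-fA-F]+$/) final = 1
                if ($i ~ /^TPMEventLog=0x[0-9a-fA-F]+$/) event = 1
            }
        }
        /^tpm_tis / || /^ACPI: TPM2 / { device = 1 }
        /^tpm tpm[0-9]+: A TPM error \([0-9]+\) occurred/ { error = 1 }
        END {
            if (!device)     verdict = "no-tpm"
            else if (!final) verdict = "missing-log"
            else if (error)  verdict = "tpm-error"
            else             verdict = "ok"
            printf "%s eventlog=%s\n", verdict, (event ? "yes" : "no")
        }
    '
}

# Sample inputs: dmesg lines copied from this page (description and comment 15).
sample_broken() {
cat <<'EOF'
[    0.000000] efi: EFI v2.70 by EDK II
[    0.000000] efi: SMBIOS 3.0=0x23f5c0000 MEMATTR=0x23ce56418 ACPI 2.0=0x23c040018 MEMRESERVE=0x23c233e18
[    2.423967] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
[    2.426814] tpm tpm0: A TPM error (256) occurred attempting the self test
EOF
}
sample_fixed() {
cat <<'EOF'
[    0.000000] efi: SMBIOS 3.0=0x3bf5a0000 TPMFinalLog=0x3bc020000 MEMATTR=0x3bcf03698 ACPI 2.0=0x3bbe00018 TPMEventLog=0x3bc210018 MEMRESERVE=0x3bc213e18
[    2.638808] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
EOF
}
sample_broken | check_tpm_dmesg
sample_fixed | check_tpm_dmesg
```

Inside a guest, run it as `dmesg | check_tpm_dmesg`. The `eventlog` field is reported separately because one of the expected `efi:` lines in the description shows TPMFinalLog without TPMEventLog.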

Comment 19 Yihuang Yu 2021-11-03 02:21:02 UTC
Move the bug status to "VERIFIED" based on comment 15

Comment 23 errata-xmlrpc 2022-05-17 12:53:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: edk2), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2415

