Bug 2000396 - [aarch64][RHEL9] The lack of TPMFinalLog in efi causes the tpm self-test in the guest to fail
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: edk2
Version: 9.0
Hardware: aarch64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 9.0
Assignee: Gerd Hoffmann
QA Contact: Yihuang Yu
Blocks: 1924294
Reported: 2021-09-02 05:17 UTC by Yihuang Yu
Modified: 2022-05-17 13:14 UTC (History)

Fixed In Version: edk2-20210527gite1999b264f1f-7.el9
Last Closed: 2022-05-17 12:53:56 UTC
Type: Bug
pm-rhel: mirror+



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-95951 0 None None None 2021-09-02 05:18:43 UTC
Red Hat Product Errata RHBA-2022:2415 0 None None None 2022-05-17 12:54:31 UTC

Description Yihuang Yu 2021-09-02 05:17:52 UTC
Description of problem:
Launch a guest with vtpm device on a RHEL9 host, the guest starts normally but a TPM error occurred.

Version-Release number of selected component (if applicable):
Host kernel: 5.14.0-1.el9.aarch64
guest kernel: 4.18.0-338.el8.aarch64/5.14.0-0.rc7.54.el9.aarch64
qemu version: qemu-kvm-6.0.0-13.el9.aarch64
edk2 version: edk2-aarch64-20210527gite1999b264f1f-6.el9.noarch
tpm versions:
    tpm2-tss-3.0.3-5.el9.aarch64
    tpm2-tools-5.0-8.el9.aarch64
    libtpms-0.8.2-0.20210301git729fc6a4ca.el9.6.aarch64
    swtpm-libs-0.6.0-3.20210607gitea627b3.el9.aarch64
    swtpm-0.6.0-3.20210607gitea627b3.el9.aarch64
    swtpm-tools-0.6.0-3.20210607gitea627b3.el9.aarch64
 

How reproducible:
always

Steps to Reproduce:
1. Setup vtpm device on host
swtpm_setup --tpm2 --tpm-state /tmp/avocado_wi445d0g/avocado-vt-vm1_tpm0_tpm_state --createek --create-ek-cert --create-platform-cert --lock-nvram --not-overwrite
swtpm socket --ctrl type=unixio,path=/tmp/avocado_wi445d0g/avocado-vt-vm1_tpm0_swtpm.sock,mode=0600 --tpmstate dir=/tmp/avocado_wi445d0g/avocado-vt-vm1_tpm0_tpm_state,mode=0600 --tpm2 --log file=/tmp/vtpm_tpm0_swtpm.log

2. Launch a guest
MALLOC_PERTURB_=1  /usr/libexec/qemu-kvm \
    -name 'avocado-vt-vm1'  \
    -sandbox on  \
    -blockdev node-name=file_aavmf_code,driver=file,filename=/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_aavmf_code,driver=raw,read-only=on,file=file_aavmf_code \
    -blockdev node-name=file_aavmf_vars,driver=file,filename=/home/kvm_autotest_root/images/avocado-vt-vm1_rhel900-aarch64-virtio-scsi.qcow2_VARS.fd,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_aavmf_vars,driver=raw,read-only=off,file=file_aavmf_vars \
    -machine virt,gic-version=host,memory-backend=mem-machine_mem,pflash0=drive_aavmf_code,pflash1=drive_aavmf_vars \
    -device pcie-root-port,id=pcie-root-port-0,multifunction=on,bus=pcie.0,addr=0x1,chassis=1 \
    -device pcie-pci-bridge,id=pcie-pci-bridge-0,addr=0x0,bus=pcie-root-port-0  \
    -nodefaults \
    -device pcie-root-port,id=pcie-root-port-1,port=0x1,addr=0x1.0x1,bus=pcie.0,chassis=2 \
    -device virtio-gpu-pci,bus=pcie-root-port-1,addr=0x0 \
    -m 8192 \
    -object memory-backend-ram,size=8192M,id=mem-machine_mem  \
    -smp 4,maxcpus=4,cores=2,threads=1,sockets=2  \
    -cpu 'host' \
    -serial unix:'/tmp/serial-serial0',server=on,wait=off \
    -device pcie-root-port,id=pcie-root-port-2,port=0x2,addr=0x1.0x2,bus=pcie.0,chassis=3 \
    -device qemu-xhci,id=usb1,bus=pcie-root-port-2,addr=0x0 \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
    -device pcie-root-port,id=pcie-root-port-3,port=0x3,addr=0x1.0x3,bus=pcie.0,chassis=4 \
    -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie-root-port-3,addr=0x0 \
    -blockdev node-name=file_image1,driver=file,auto-read-only=on,discard=unmap,aio=threads,filename=/home/kvm_autotest_root/images/rhel900-aarch64-virtio-scsi.qcow2,cache.direct=on,cache.no-flush=off \
    -blockdev node-name=drive_image1,driver=qcow2,read-only=off,cache.direct=on,cache.no-flush=off,file=file_image1 \
    -device scsi-hd,id=image1,drive=drive_image1,write-cache=on \
    -device pcie-root-port,id=pcie-root-port-4,port=0x4,addr=0x1.0x4,bus=pcie.0,chassis=5 \
    -device virtio-net-pci,mac=9a:c2:5b:66:77:49,rombar=0,id=id8gy2we,netdev=id69OnLM,bus=pcie-root-port-4,addr=0x0  \
    -netdev tap,id=id69OnLM,vhost=on  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew \
    -chardev socket,id=char_vtpm_tpm0,path=/tmp/avocado_wi445d0g/avocado-vt-vm1_tpm0_swtpm.sock \
    -tpmdev emulator,chardev=char_vtpm_tpm0,id=emulator_vtpm_tpm0 \
    -device tpm-tis-device,id=tpm-tis-device_vtpm_tpm0,tpmdev=emulator_vtpm_tpm0 \
    -enable-kvm \
    -monitor stdio

3. Check the guest's dmesg
dmesg | grep "efi:"
dmesg | grep -i tpm

Actual results:
[    0.000000] efi: EFI v2.70 by EDK II
[    0.000000] efi: SMBIOS 3.0=0x23f5c0000 MEMATTR=0x23ce56418 ACPI 2.0=0x23c040018 MEMRESERVE=0x23c233e18 

[    0.000000] ACPI: TPM2 0x000000023C04E418 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    2.423967] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
[    2.426814] tpm tpm0: A TPM error (256) occurred attempting the self test
[    2.428487] tpm tpm0: starting up the TPM manually

Expected results:
[    0.000000] efi: EFI v2.70 by EDK II
[    0.000000] efi: SMBIOS 3.0=0x23f540000 TPMFinalLog=0x23bc50000 MEMATTR=0x23c907418 ACPI 2.0=0x23bbf0000 TPMEventLog=0x23c1b0018 MEMRESERVE=0x23c1b3e18 

[    0.000000] efi:  SMBIOS 3.0=0x23f530000  TPMFinalLog=0x23bda0000  MEMATTR=0x23e1d8018  ACPI 2.0=0x23bd20018  RNG=0x23f63bc18  MEMRESERVE=0x23c1a3e18 
[    0.000000] ACPI: TPM2 0x000000023BD2E418 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    5.438785] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)

Additional info:
I downgraded to edk2-aarch64-20200602gitca407c7246bf-2.el9.noarch, then the test case passed smoothly.
Also, can not reproduce this problem in x86 with edk2-ovmf-20210527gite1999b264f1f-6.el9.noarch:

[    0.000000] efi: SMBIOS=0x7e9d6000 TPMFinalLog=0x7ebf6000 ACPI=0x7eb7d000 ACPI 2.0=0x7eb7d014 MEMATTR=0x7da29198 TPMEventLog=0x7da21018
[    0.018348] ACPI: TPM2 0x000000007EB76000 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    0.018369] ACPI: Reserving TPM2 table memory at [mem 0x7eb76000-0x7eb7604b]

Comment 1 Eric Auger 2021-09-02 06:59:55 UTC
Looks like the EDK2 FW was not compiled with 
build -a AARCH64 -p ./ArmVirtPkg/ArmVirtQemu.dsc -b DEBUG -t GCC5 -D SECURE_BOOT_ENABLE -D TPM2_ENABLE
Adding Philippe to check FW compilation flags

Comment 13 Gerd Hoffmann 2021-10-22 08:17:19 UTC
shameless plug: there is https://gitlab.com/kraxel/edk2-tests/-/blob/master/tools/dumpfv.py which dumps edk2 firmware volumes so one can inspect what modules got compiled in.

Comment 15 Yihuang Yu 2021-11-02 14:38:38 UTC
Verify this bug with edk2-aarch64-20210527gite1999b264f1f-7.el9.noarch

Environment:
qemu version: qemu-kvm-6.1.0-6.el9.aarch64
host kernel version: kernel-5.14.0-11.el9.aarch64
guest kernel version: 


1. Setup vTPM daemon:
/usr/bin/swtpm_setup --tpm2 --tpm-state /tmp/avocado_bg23ku8o/avocado-vt-vm1_tpm0_tpm_state --createek --create-ek-cert --create-platform-cert --lock-nvram --not-overwrite

/usr/bin/swtpm socket --ctrl type=unixio,path=/tmp/avocado_bg23ku8o/avocado-vt-vm1_tpm0_swtpm.sock,mode=0600 --tpmstate dir=/tmp/avocado_bg23ku8o/avocado-vt-vm1_tpm0_tpm_state,mode=0600 --tpm2 --log file=/root/avocado/job-results/job-2021-11-02T10.24-2e63516/test-results/1-Host_RHEL.m9.u0.qcow2.virtio_scsi.up.virtio_net.Guest.RHEL.9.0.0.aarch64.io-github-autotest-qemu.tpm_verify_device.with_emulator.arm64-pci/vtpm_tpm0_swtpm.log

2. Launch a guest:
MALLOC_PERTURB_=1  /usr/libexec/qemu-kvm \
    -name 'avocado-vt-vm1'  \
    -sandbox on  \
    -blockdev node-name=file_aavmf_code,driver=file,filename=/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_aavmf_code,driver=raw,read-only=on,file=file_aavmf_code \
    -blockdev node-name=file_aavmf_vars,driver=file,filename=/home/kvm_autotest_root/images/avocado-vt-vm1_rhel900-aarch64-virtio-scsi.qcow2_VARS.fd,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_aavmf_vars,driver=raw,read-only=off,file=file_aavmf_vars \
    -machine virt,gic-version=host,memory-backend=mem-machine_mem,pflash0=drive_aavmf_code,pflash1=drive_aavmf_vars \
    -device pcie-root-port,id=pcie-root-port-0,multifunction=on,bus=pcie.0,addr=0x1,chassis=1 \
    -device pcie-pci-bridge,id=pcie-pci-bridge-0,addr=0x0,bus=pcie-root-port-0  \
    -nodefaults \
    -device pcie-root-port,id=pcie-root-port-1,port=0x1,addr=0x1.0x1,bus=pcie.0,chassis=2 \
    -device virtio-gpu-pci,bus=pcie-root-port-1,addr=0x0 \
    -m 14336 \
    -object memory-backend-ram,size=14336M,id=mem-machine_mem  \
    -smp 8,maxcpus=8,cores=4,threads=1,sockets=2  \
    -cpu 'host' \
    -chardev socket,id=qmp_id_qmpmonitor1,server=on,wait=off,path=/tmp/avocado_bg23ku8o/monitor-qmpmonitor1-20211102-102458-9MJNc8JD  \
    -mon chardev=qmp_id_qmpmonitor1,mode=control \
    -chardev socket,id=qmp_id_catch_monitor,server=on,wait=off,path=/tmp/avocado_bg23ku8o/monitor-catch_monitor-20211102-102458-9MJNc8JD  \
    -mon chardev=qmp_id_catch_monitor,mode=control  \
    -serial unix:'/tmp/avocado_bg23ku8o/serial-serial0-20211102-102458-9MJNc8JD',server=on,wait=off \
    -device pcie-root-port,id=pcie-root-port-2,port=0x2,addr=0x1.0x2,bus=pcie.0,chassis=3 \
    -device qemu-xhci,id=usb1,bus=pcie-root-port-2,addr=0x0 \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
    -device pcie-root-port,id=pcie-root-port-3,port=0x3,addr=0x1.0x3,bus=pcie.0,chassis=4 \
    -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie-root-port-3,addr=0x0 \
    -blockdev node-name=file_image1,driver=file,auto-read-only=on,discard=unmap,aio=threads,filename=/home/kvm_autotest_root/images/rhel900-aarch64-virtio-scsi.qcow2,cache.direct=on,cache.no-flush=off \
    -blockdev node-name=drive_image1,driver=qcow2,read-only=off,cache.direct=on,cache.no-flush=off,file=file_image1 \
    -device scsi-hd,id=image1,drive=drive_image1,write-cache=on \
    -device pcie-root-port,id=pcie-root-port-4,port=0x4,addr=0x1.0x4,bus=pcie.0,chassis=5 \
    -device virtio-net-pci,mac=9a:33:3f:5c:88:48,rombar=0,id=idRoqMPx,netdev=idf3ZSTI,bus=pcie-root-port-4,addr=0x0  \
    -netdev tap,id=idf3ZSTI,vhost=on,vhostfd=21,fd=5  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew \
    -chardev socket,id=char_vtpm_tpm0,path=/tmp/avocado_bg23ku8o/avocado-vt-vm1_tpm0_swtpm.sock \
    -tpmdev emulator,chardev=char_vtpm_tpm0,id=emulator_vtpm_tpm0 \
    -device tpm-tis-device,id=tpm-tis-device_vtpm_tpm0,tpmdev=emulator_vtpm_tpm0 \
    -enable-kvm \
    -device pcie-root-port,id=pcie_extra_root_port_0,multifunction=on,bus=pcie.0,addr=0x2,chassis=6 \
    -device pcie-root-port,id=pcie_extra_root_port_1,addr=0x2.0x1,bus=pcie.0,chassis=7

3. Verify dmesg output inside guest:

dmesg | grep -i tpm
[    0.000000] efi: SMBIOS 3.0=0x3bf5a0000 TPMFinalLog=0x3bc020000 MEMATTR=0x3bcf03698 ACPI 2.0=0x3bbe00018 TPMEventLog=0x3bc210018 MEMRESERVE=0x3bc213e18
[    0.000000] ACPI: TPM2 0x00000003BBE0FC18 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    2.638808] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
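
The dmesg check from step 3 of the description and of comment 15, written out as an added example (not part of the original report or of the test suite that produced it). It parses the kernel's `efi:` configuration-table line and the TPM self-test message; the function names and the PASS/FAIL rule are assumptions made for this illustration.

```python
import re

# Guest dmesg excerpts quoted in this report: the failing boot from the
# description and the passing boot from comment 15.
BROKEN = """\
[    0.000000] efi: EFI v2.70 by EDK II
[    0.000000] efi: SMBIOS 3.0=0x23f5c0000 MEMATTR=0x23ce56418 ACPI 2.0=0x23c040018 MEMRESERVE=0x23c233e18
[    0.000000] ACPI: TPM2 0x000000023C04E418 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    2.423967] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
[    2.426814] tpm tpm0: A TPM error (256) occurred attempting the self test
[    2.428487] tpm tpm0: starting up the TPM manually
"""
FIXED = """\
[    0.000000] efi: SMBIOS 3.0=0x3bf5a0000 TPMFinalLog=0x3bc020000 MEMATTR=0x3bcf03698 ACPI 2.0=0x3bbe00018 TPMEventLog=0x3bc210018 MEMRESERVE=0x3bc213e18
[    0.000000] ACPI: TPM2 0x00000003BBE0FC18 00004C (v04 BOCHS  BXPC     00000001 BXPC 00000001)
[    2.638808] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
"""

EFI_LINE = re.compile(r"^\[\s*\d+\.\d+\]\s+efi:\s+(.*)$", re.M)
# Table names may contain spaces and dots ("SMBIOS 3.0", "ACPI 2.0").
TABLE = re.compile(r"([A-Za-z][A-Za-z0-9 .]*?)=(0x[0-9a-fA-F]+)")
ACPI_TPM2 = re.compile(r"\bACPI: TPM2 0x[0-9A-Fa-f]+")
SELFTEST = re.compile(r"tpm \S+: A TPM error \((\d+)\) occurred attempting the self test")


def efi_config_tables(dmesg):
    """Map each EFI configuration table the kernel logged to its address."""
    tables = {}
    for line in EFI_LINE.findall(dmesg):
        for name, addr in TABLE.findall(line):
            tables[name] = int(addr, 16)
    return tables


def check_vtpm(dmesg):
    """Summarise the TPM-related facts visible in a guest's dmesg."""
    tables = efi_config_tables(dmesg)
    err = SELFTEST.search(dmesg)
    return {
        "acpi_tpm2": bool(ACPI_TPM2.search(dmesg)),
        "final_log": "TPMFinalLog" in tables,
        "event_log": "TPMEventLog" in tables,
        "selftest_error": int(err.group(1)) if err else None,
    }


def verdict(dmesg):
    """PASS when the TPM is exposed, TPMFinalLog exists and no self-test error."""
    r = check_vtpm(dmesg)
    ok = r["acpi_tpm2"] and r["final_log"] and r["selftest_error"] is None
    return "PASS" if ok else "FAIL"
```

Only `TPMFinalLog` is required for PASS because one of the expected-result lines in the description shows it without `TPMEventLog`; the `event_log` field is reported separately.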

Comment 19 Yihuang Yu 2021-11-03 02:21:02 UTC
Move the bug status to "VERIFIED" based on comment 15

Comment 23 errata-xmlrpc 2022-05-17 12:53:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: edk2), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2415

