Bug 2029612 - Rebase swtpm to at least 0.7.0 for rhel-8.6
Summary: Rebase swtpm to at least 0.7.0 for rhel-8.6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: swtpm
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Marc-Andre Lureau
QA Contact: Yanqiu Zhang
URL:
Whiteboard:
Depends On: 1940893 1972785 2021580 2021628
Blocks: 1990153
Reported: 2021-12-06 21:29 UTC by John Ferlan
Modified: 2022-07-13 18:48 UTC (History)
CC List: 15 users

Fixed In Version: swtpm-0.7.0-1.20211109gitb79fd91.module+el8.6.0+13853+e8cd34b9
Doc Type: Enhancement
Doc Text:
Clone Of: 2021580
Environment:
Last Closed: 2022-05-10 13:24:19 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:


Links:
Red Hat Issue Tracker RHELPLAN-104910 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2021-12-06 21:32:49 UTC)

Description John Ferlan 2021-12-06 21:29:01 UTC
+++ This bug was initially created as a clone of Bug #2021580 +++

+++ This bug was initially created as a clone of Bug #1972785 +++

+++ This bug was initially created as a clone of Bug #1972783 +++

Please rebase swtpm to at least 0.7.0 (to be released soon)

This is necessary to pick up the necessary changes to disable SHA-1 PCR banks (see Bug 1935497)

Those are the relevant patches:
  * gets a config file option to specify the pcr banks which should be
    active by default.
https://github.com/stefanberger/swtpm/commit/a5cc0bf6e26eb4af5cbfd0e66fcd7e6af13f503d

  * gets support for reconfiguring the active pcr banks in an existing
    swtpm config
https://github.com/stefanberger/swtpm/commit/25d4ac2d3a7bf63ea2eb0621f0a1f416b7ce5481

--- Additional comment from RHEL Program Management on 2021-11-09 16:48:28 UTC ---

850ITRStrip 9BetaITRStrip AtFullFreeze

Attention assignees: This BZ was automatically returned to the backlog by changing the Internal Target Release (ITR) to '---'. The change was made because the final release+ deadline was passed and no request for an exception, blocker, or zstream was made.  Please consult with your PO and team to decide what action to take next with this BZ:

1. Important changes that cannot wait for the next minor release should request an exception or blocker (Reset ITR/ITM, set exception? or blocker?, save, then follow the instructions appended to the BZ).

2. Bug fixes that may be best managed post-release can start following the z-stream process (Set ZTR, ITR, and zstream? flag)

3. Changes that can wait for a future release can have their ITR/ITM set to the optimal release target.  Acks are preserved and release+ will again be added.

If you are unsure of what action to take it is safe to leave this BZ in the backlog for the time being.  You may wish to unset your acks in this case.

--- Additional comment from RHEL Program Management on 2021-11-09 16:48:28 UTC ---

Internal Target Release is not set so the Development Target Milestone has been unset.

--- Additional comment from Marc-Andre Lureau on 2021-11-09 19:00:38 UTC ---

upstream got released: https://github.com/stefanberger/swtpm/releases/tag/v0.7.0

--- Additional comment from Marc-Andre Lureau on 2021-11-12 13:48:24 UTC ---

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=41237963

--- Additional comment from errata-xmlrpc on 2021-11-12 13:53:20 UTC ---

This bug has been added to advisory RHEA-2021:84109 by Marc-Andre Lureau (mlureau)

--- Additional comment from errata-xmlrpc on 2021-11-12 13:53:20 UTC ---

Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHEA-2021:84109-01
https://errata.devel.redhat.com/advisory/84109

--- Additional comment from errata-xmlrpc on 2021-11-12 13:53:31 UTC ---

This bug has been added to advisory RHEA-2021:84109 by Marc-Andre Lureau (mlureau)

--- Additional comment from yanqzhan on 2021-11-15 01:30:33 UTC ---

Set ITM to 26 to ensure the last rebase version works well.

--- Additional comment from yanqzhan on 2021-11-24 07:29:49 UTC ---

Vtpm regression test for linux guest passed:
  swtpm-0.7.0-1.20211109gitb79fd91.el9
  libtpms-0.9.0-0.20211004gitdc4e3f6313.el9
  edk2-ovmf-20210527gite1999b264f1f-7.el
  libvirt-7.9.0-1.el9.x86_64
  qemu-kvm-6.1.0-6.el9.x86_64
  kernel-5.14.0-17.el9.x86_64
Job url:
  https://libvirt-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/libvirt-RHEL-9.0-runtest-x86_64-function-tpm_emulator/89/testReport/
    2 failed by kernel issue: bz2025520

Comment 1 John Ferlan 2021-12-06 21:36:07 UTC
Moving to Marc-Andre since he owns the packages (we may need to fix the bugzilla components though)

This just makes sure what we have for RHEL 9.0 is the same for RHEL 8.6

Comment 5 Meina Li 2021-12-24 02:05:49 UTC
Hi Marc-Andre,

I have encountered a failure with encrypted swtpm in the RHEL8.6 gating job, but it can be passed in RHEL9 with swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64, so can I think this failure was caused by this bug? Or actually it's a new bug about vtpm encryption support in RHEL 8.6?

If it was caused by this bug, can we solve it as soon as possible? Because it will block our gating test.

Can you help me to check this issue? Thanks.

Test Version:
libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64
qemu-kvm-6.2.0-1.module+el8.6.0+13725+61ae1949.x86_64
swtpm-0.6.0-2.20210607gitea627b3.module+el8.6.0+12861+13975d62.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.module+el8.6.0+13725+61ae1949.x86_64

# virsh dumpxml avocado-vt-vm1 | grep tpm -B4
...
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='b5714cef-5a84-45e1-bcde-adfe0d895b09'/>
      </backend>
    </tpm>

# virsh start avocado-vt-vm1
error: Failed to start domain 'avocado-vt-vm1'
error: argument unsupported: /usr/bin/swtpm does not support passing passphrase via file descriptor

But in RHEL9, this feature can be passed.

Test Version:
libvirt-7.10.0-1.el9.x86_64
qemu-kvm-6.2.0-1.el9.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64

# virsh dumpxml avocado-vt-vm1 | grep tpm -B4
...
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='6bd21af4-c870-4bcf-9f5a-399265d0098c'/>
      </backend>
    </tpm>
# virsh start avocado-vt-vm1
Domain 'avocado-vt-vm1' started

Comment 6 Marc-Andre Lureau 2021-12-24 08:03:25 UTC
(In reply to Meina Li from comment #5)
> # virsh start avocado-vt-vm1
> error: Failed to start domain 'avocado-vt-vm1'
> error: argument unsupported: /usr/bin/swtpm does not support passing
> passphrase via file descriptor

Hi, this is really strange. cmdarg-pwdfile-fd should be supported in swtpm 0.6.

Perhaps the simplest is now to update swtpm to 0.7 to fix this hopefully.

Could you check `swtpm_setup --print-capabilities` output? thanks

Comment 7 Meina Li 2021-12-27 02:16:54 UTC
(In reply to Marc-Andre Lureau from comment #6)
> 
> Hi, this is really strange. cmdarg-pwdfile-fd should be supported in swtpm
> 0.6.
> 
> Perhaps the simplest is now to update swtpm to 0.7 to fix this hopefully.
> 
> Could you check `swtpm_setup --print-capabilities` output? thanks

# swtpm_setup --print-capabilities
{ "type": "swtpm_setup", "features": [ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "tpm12-not-need-root", "tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072" ] }

We can see cmdarg-pwdfile-fd inside.

Comment 8 Yanqiu Zhang 2022-01-13 02:42:11 UTC
Hi, 
The issue in comment 5 cannot be reproduced after upgrading swtpm to 0.7.0.

# avocado run --vt-type libvirt tpm_device..encrypted.basic  --vt-machine-type q35
JOB ID     : c78f63f73e7519a3ac82cfca9ee77964b4b45a90
JOB LOG    : /root/avocado/job-results/job-2022-01-12T21.14-c78f63f/job.log
 (1/1) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.basic: FAIL: VM 'avocado-vt-vm1' failed to start: error: Failed to start domain 'avocado-vt-vm1'\nerror: argument unsupported: /usr/bin/swtpm does not support passing passphrase via file descriptor (9.49 s)
RESULTS    : PASS 0 | ERROR 0 | FAIL 1 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME   : 10.08 s
# rpm -q libvirt qemu-kvm swtpm libtpms edk2-ovmf
libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64
qemu-kvm-6.2.0-2.module+el8.6.0+13738+17338784.x86_64
swtpm-0.6.0-2.20210607gitea627b3.module+el8.6.0+12861+13975d62.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.module+el8.6.0+13725+61ae1949.x86_64
edk2-ovmf-20210527gite1999b264f1f-3.el8.noarch

# yum upgrade swtpm

JOB ID     : 29ce6abad4713c9a0670b670a41b2aacd476e0f0
JOB LOG    : /root/avocado/job-results/job-2022-01-12T21.17-29ce6ab/job.log
 (1/1) type_specific.io-github-autotest-libvirt.virtual_devices.tpm_device.normal_test.tpm-crb_model.emulator.encrypted.basic: PASS (69.33 s)
RESULTS    : PASS 1 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME   : 69.92 s
# rpm -q libvirt qemu-kvm swtpm libtpms edk2-ovmf
libvirt-7.10.0-1.module+el8.6.0+13502+4f24a11d.x86_64
qemu-kvm-6.2.0-2.module+el8.6.0+13738+17338784.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.module+el8.6.0+13831+a03bf401.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.module+el8.6.0+13725+61ae1949.x86_64
edk2-ovmf-20210527gite1999b264f1f-3.el8.noarch


And since swtpm-0.7.0-1.*el8.6.0 is available, does this bug need to be moved to ON_QA?

Thanks.

Comment 12 Yanqiu Zhang 2022-01-24 03:04:09 UTC
Vtpm regression test for linux guest PASS:
https://libvirt-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/libvirt/view/RHEL-8.6%20x86_64/job/libvirt-RHEL-8.6-runtest-x86_64-function-tpm_emulator/21/testReport/
(2 failed by existing bz2025520)
libvirt-8.0.0-1.module+el8.6.0+13888+55157bfb.x86_64
qemu-kvm-6.2.0-4.module+el8.6.0+13919+adb438db.x86_64
kernel-4.18.0-359.el8.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.module+el8.6.0+13853+e8cd34b9
libtpms-0.9.1-0.20211126git1ff6fe1f43

Comment 14 errata-xmlrpc 2022-05-10 13:24:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1759

