Bug 2039246 - vTPM PCR bank does not change if switching guest XML from active_pcr_banks to default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Virtualization Maintenance
QA Contact: Yanqiu Zhang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-11 10:48 UTC by Yanqiu Zhang
Modified: 2022-05-17 13:07 UTC (History)

Fixed In Version: libvirt-8.0.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 12:46:17 UTC
Type: Bug
Target Upstream Version: 8.0.0
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-107400 0 None None None 2022-01-11 10:49:26 UTC
Red Hat Product Errata RHBA-2022:2390 0 None None None 2022-05-17 12:46:49 UTC

Description Yanqiu Zhang 2022-01-11 10:48:26 UTC
Description of problem:
After using <active_pcr_banks> (e.g. sha384) for one guest start, if this element is deleted and the guest is started again, the guest will still use the last configured PCR bank, not the default sha256:


Version-Release number of selected component (if applicable):
libvirt-8.0.0-0rc1.1.el9.x86_64
qemu-kvm-6.2.0-3.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. start guest with sha384
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='e7442270-f813-4e48-a57b-5a5ff9d67ace'/>
        <active_pcr_banks>
          <sha384/>
        </active_pcr_banks>
      </backend>
    </tpm>

#  cat /var/log/libvirt/virtqemud.log |grep 'to run /usr/bin/swtpm'
2022-01-11 09:18:09.943+0000: 273880: debug : virCommandRunAsync:2630 : About to run /usr/bin/swtpm_setup --tpm2 --pwdfile-fd 27 --cipher aes-256-cbc --tpm-state /var/lib/libvirt/swtpm/bbd16783-8077-43f3-bf37-3f0c486cc586/tpm2 --logfile /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log --pcr-banks sha384 --reconfigure
2022-01-11 09:18:09.967+0000: 273880: debug : virCommandRunAsync:2630 : About to run /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/9-avocado-vt-vm1-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/bbd16783-8077-43f3-bf37-3f0c486cc586/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log --terminate --tpm2 --pid file=/run/libvirt/qemu/swtpm/9-avocado-vt-vm1-swtpm.pid --key pwdfd=27,mode=aes-256-cbc --migration-key pwdfd=29,mode=aes-256-cbc

# grep sha /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log
Successfully activated PCR banks sha384 among sha1,sha256,sha384,sha512.

Log in to the guest OS and run tpm2_pcrread: only the sha384 PCR bank has PCR values.

2. shutdown guest and start again with no pcrbank specified:
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='e7442270-f813-4e48-a57b-5a5ff9d67ace'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>

# cat  /var/log/libvirt/virtqemud.log |grep 'to run /usr/bin/swtpm'
2022-01-11 09:19:21.335+0000: 273883: debug : virCommandRunAsync:2630 : About to run /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/10-avocado-vt-vm1-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/bbd16783-8077-43f3-bf37-3f0c486cc586/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log --terminate --tpm2 --pid file=/run/libvirt/qemu/swtpm/10-avocado-vt-vm1-swtpm.pid --key pwdfd=27,mode=aes-256-cbc --migration-key pwdfd=29,mode=aes-256-cbc

# grep sha /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log
(no new output)

Login to guest os:
# virsh console avocado-vt-vm1 
[root@localhost ~]# tpm2_pcrread
sha1:
sha256:
sha384:
  0 : 0x7E3ED52A368A6F622196F2676578005D4DBF957A305190DC6ED9BDCE123A4C259163A247A64DC8F96F01608BE7958DB9
  1 : 0x6C340682CE451190A62A323D3AFA396289725C1BA094A91A32CFBC800486CAD0DC50D88C33C05A15BDAC92F274CB258F
  ...
  23: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
sha512:

Actual results:


Expected results:
Maybe libvirt can detect the difference between the last configuration (<sha384/>) and the current default setting (no <active_pcr_banks>), then call swtpm_setup to reconfigure the PCR bank once.

Additional info:
# swtpm_setup --help|grep pcr -A3
--pcr-banks <banks>
                 : Set of PCR banks to activate. Provide a comma separated list
                   like 'sha1,sha256'. '-' to skip and leave all banks active.
                   Default: sha256

# tail -2 /etc/swtpm_setup.conf 
# Comma-separated list (no spaces) of PCR banks to activate by default
active_pcr_banks = sha256

Comment 1 Stefan Berger 2022-01-11 13:45:02 UTC
The behavior of libvirt is such that it activates the PCR banks given in the XML every time the VM is cold-started. It leaves the PCR bank configuration alone if no XML is given. This way the user can change the active PCR banks using the firmware menu (UEFI or SeaBIOS or SLOF) and libvirt will leave it at that.

> Expected results:
> Maybe libvirt can detect the difference between the last configuration (<sha384/>) and the current default setting (no <active_pcr_banks>), then call swtpm_setup to reconfigure the PCR bank once.

No, leave the user the possibility to reconfigure the PCR banks with the firmware and don't touch it from the libvirt level anymore. 

My suggestion: Do not fix.
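
Since libvirt only re-runs `swtpm_setup --pcr-banks` when the node is present, the active banks of a vTPM whose XML omits `<active_pcr_banks>` are whatever the last configuration left behind, which matters for any attestation policy that assumes the swtpm_setup default of sha256. The following added audit script (not part of this bug report or of libvirt) compares the banks declared in the domain XML with the banks that actually carry values in `tpm2_pcrread` output taken inside the guest. The domain XML and `tpm2_pcrread` samples are constructed from the fragments quoted in the description; the function names and the status strings are this example's own.

```python
"""Audit whether a vTPM's active PCR banks match what the libvirt domain XML
implies (added example; not libvirt's own tooling)."""
import re
import xml.etree.ElementTree as ET

# swtpm_setup's built-in default when --pcr-banks is not passed
# (from the `swtpm_setup --help` output quoted in the report).
SWTPM_SETUP_DEFAULT_BANKS = {"sha256"}

# Constructed sample: the reporter's step-1 XML wrapped in a minimal domain.
SAMPLE_XML_SHA384 = """<domain type='kvm'><name>avocado-vt-vm1</name><devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='e7442270-f813-4e48-a57b-5a5ff9d67ace'/>
        <active_pcr_banks>
          <sha384/>
        </active_pcr_banks>
      </backend>
    </tpm>
</devices></domain>"""

# Constructed sample: the reporter's step-2 XML (node removed).
SAMPLE_XML_NO_NODE = """<domain type='kvm'><name>avocado-vt-vm1</name><devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='e7442270-f813-4e48-a57b-5a5ff9d67ace'/>
      </backend>
    </tpm>
</devices></domain>"""

# Constructed sample of `tpm2_pcrread` output after step 2: only sha384 has values.
SAMPLE_PCRREAD = """sha1:
sha256:
sha384:
  0 : 0x7E3ED52A368A6F622196F2676578005D4DBF957A305190DC6ED9BDCE123A4C259163A247A64DC8F96F01608BE7958DB9
  1 : 0x6C340682CE451190A62A323D3AFA396289725C1BA094A91A32CFBC800486CAD0DC50D88C33C05A15BDAC92F274CB258F
  23: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
sha512:
"""


def xml_active_pcr_banks(domain_xml):
    """Banks libvirt will hand to `swtpm_setup --pcr-banks` on cold start,
    or None when <active_pcr_banks> is absent (libvirt then leaves the
    existing bank configuration untouched)."""
    root = ET.fromstring(domain_xml)
    node = root.find(".//tpm/backend[@type='emulator']/active_pcr_banks")
    if node is None:
        return None
    return {child.tag for child in node}


_BANK_HEADER = re.compile(r"^(sha\d+|sm3_256):\s*$")
_PCR_LINE = re.compile(r"^\s+(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def pcrread_active_banks(output):
    """Banks that report at least one PCR value in `tpm2_pcrread` output.
    A bank heading with no PCR lines beneath it is treated as inactive."""
    counts = {}
    current = None
    for line in output.splitlines():
        header = _BANK_HEADER.match(line)
        if header:
            current = header.group(1)
            counts.setdefault(current, 0)
            continue
        if current is not None and _PCR_LINE.match(line):
            counts[current] += 1
    return {bank for bank, n in counts.items() if n > 0}


def audit(domain_xml, pcrread_output):
    """Return (status, expected_banks, observed_banks).

    'ok'          - observed banks equal what the XML (or the default) implies
    'mismatch'    - XML names banks that differ from the observed ones
    'not-default' - XML omits the node and the vTPM is not on the swtpm_setup
                    default; the banks are left over from an earlier config
    """
    expected = xml_active_pcr_banks(domain_xml)
    observed = pcrread_active_banks(pcrread_output)
    if expected is None:
        status = "ok" if observed == SWTPM_SETUP_DEFAULT_BANKS else "not-default"
        return status, None, observed
    return ("ok" if observed == expected else "mismatch"), expected, observed


if __name__ == "__main__":
    for label, xml in (("step 1", SAMPLE_XML_SHA384), ("step 2", SAMPLE_XML_NO_NODE)):
        print(label, audit(xml, SAMPLE_PCRREAD))
```

Run against live data by feeding `virsh dumpxml <domain>` into `audit()` together with the `tpm2_pcrread` output captured in the guest; a `not-default` result is exactly the situation described in this bug, and a `mismatch` means the bank set the guest sees is not the one the XML requests.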

Comment 2 Michal Privoznik 2022-01-11 14:27:05 UTC
@stefanb.com should libvirt then at least report what PCR banks are configured (assuming we are able to get that info from the host)? Alternatively, we might just document this behavior.

Comment 3 Stefan Berger 2022-01-11 14:32:13 UTC
The current documentation states:

active_pcr_banks

    The active_pcr_banks node is used to define which of the PCR banks of a TPM 2.0 to activate. Valid names are for example sha1, sha256, sha384, and sha512. If this node is provided, the set of PCR banks are activated before every start of a VM and this step is logged in the swtpm's log. This attribute requires that swtpm_setup v0.7 or later is installed and may not have any effect otherwise. The selection of PCR banks only works with the emulator backend. since:Since 7.10.0


We can maybe add the following documentation clarifying what is happening if the XML node is not provided.


[...] If this node is provided, the set of PCR banks are activated before every start of a VM and this step is logged in the swtpm's log. >If this node is missing, the configuration of the PCR banks will not be modified.< This attribute requires ...

Comment 4 Stefan Berger 2022-01-11 14:37:46 UTC
(In reply to Michal Privoznik from comment #2)
> @stefanb.com should libvirt then at least report what PCR banks are
> configured (assuming we are able to get that info from the host)?

It's not easy for libvirt to get to the current configuration information, nor does swtpm or swtpm_setup support retrieving the info other than by users sending proper TPM commands to it.
The user can figure these things out on the UEFI/SeaBIOS/SLOF TPM menu level because it's all displayed there. Under Linux one can figure it out using TSS tools or sysfs. I am not familiar with Windows.

Comment 5 Jiri Denemark 2022-01-13 09:48:09 UTC
Fixed upstream by

commit 7c1757279861759533e77425b4726f0a94448c37
Refs: v8.0.0-rc2-7-g7c17572798
Author:     Stefan Berger <stefanb.com>
AuthorDate: Wed Jan 12 10:49:52 2022 -0500
Commit:     Jiri Denemark <jdenemar>
CommitDate: Thu Jan 13 10:44:15 2022 +0100

    docs: tpm: Clarify omission or removal of active_pcr_banks node

    Add a sentence to the active_pcr_banks node documentation that clarifies
    that when the active_pcr_banks node is removed from the XML or when it
    is omitted that the set of active PCR banks is not changed anymore.

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2039246
    Signed-off-by: Stefan Berger <stefanb.com>
    Reviewed-by: Jiri Denemark <jdenemar>

Comment 6 Yanqiu Zhang 2022-01-14 03:34:22 UTC
Pre-verified on:
v8.0.0-rc2-11-g55a248d354

# grep "If this node is removed"  /usr/share/doc/libvirt-docs/html/formatdomain.html -4
<dd><p>The <span class="docutils literal">active_pcr_banks</span> node is used to define which of the PCR banks
of a TPM 2.0 to activate. Valid names are for example sha1, sha256, sha384,
and sha512. If this node is provided, the set of PCR banks are activated
before every start of a VM and this step is logged in the swtpm's log.
If this node is removed or omitted then libvirt will not modify the
active PCR banks upon VM start but leave them at their last configuration.
This attribute requires that swtpm_setup v0.7 or later is installed
and may not have any effect otherwise. The selection of PCR banks only works
with the <span class="docutils literal">emulator</span> backend. since:<cite>Since 7.10.0</cite></p>

Comment 10 Yanqiu Zhang 2022-01-17 08:10:29 UTC
Verified with:
libvirt-docs-8.0.0-1.el9.x86_64

1. # grep "If this node is removed"  /usr/share/doc/libvirt-docs/html/formatdomain.html -4
<dd><p>The <span class="docutils literal">active_pcr_banks</span> node is used to define which of the PCR banks
of a TPM 2.0 to activate. Valid names are for example sha1, sha256, sha384,
and sha512. If this node is provided, the set of PCR banks are activated
before every start of a VM and this step is logged in the swtpm's log.
If this node is removed or omitted then libvirt will not modify the
active PCR banks upon VM start but leave them at their last configuration.
This attribute requires that swtpm_setup v0.7 or later is installed
and may not have any effect otherwise. The selection of PCR banks only works
with the <span class="docutils literal">emulator</span> backend. since:<cite>Since 7.10.0</cite></p>

2. Check last https://libvirt.org/formatdomain.html#tpm-device
active_pcr_banks
The active_pcr_banks node is used to define which of the PCR banks of a TPM 2.0 to activate. Valid names are for example sha1, sha256, sha384, and sha512. If this node is provided, the set of PCR banks are activated before every start of a VM and this step is logged in the swtpm's log. If this node is removed or omitted then libvirt will not modify the active PCR banks upon VM start but leave them at their last configuration. This attribute requires that swtpm_setup v0.7 or later is installed and may not have any effect otherwise. The selection of PCR banks only works with the emulator backend. since:Since 7.10.0

Comment 12 errata-xmlrpc 2022-05-17 12:46:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: libvirt), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2390

