Bug 2064115 - Start encrypted tpm guest failed
Summary: Start encrypted tpm guest failed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Michal Privoznik
QA Contact: Yanqiu Zhang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-15 05:44 UTC by Meina Li
Modified: 2022-11-15 10:39 UTC (History)
CC: 12 users

Fixed In Version: libvirt-8.2.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-15 10:03:40 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker RHELPLAN-115577 | 0 | None | None | None | 2022-03-15 05:49:55 UTC
Red Hat Product Errata RHSA-2022:8003 | 0 | None | None | None | 2022-11-15 10:04:28 UTC

Description Meina Li 2022-03-15 05:44:53 UTC
Description of problem:
Start encrypted tpm guest failed

Version-Release number of selected component (if applicable):
libvirt-8.1.0-1.el9.x86_64
qemu-kvm-6.2.0-11.el9.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64
edk2-ovmf-20220126gitbb1bba3d77-3.el9.noarch
kernel-5.14.0-70.1.1.el9.x86_64
openssl-3.0.1-17.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare a tpm secret.
# cat secret.xml 
<secret ephemeral="no" private="yes">
<description>sample vTPM secret</description>
<usage type="vtpm">
<name>VTPM_example</name>
</usage>
</secret>
# virsh secret-define secret.xml 
Secret fe7c5949-528a-404b-9a63-2be66113796b created
# MYSECRET=`printf %s "open sesame" | base64`
# virsh secret-set-value --secret fe7c5949-528a-404b-9a63-2be66113796b $MYSECRET
error: Passing secret value as command-line argument is insecure!
Secret value set
# virsh secret-list
 UUID                                   Usage
-----------------------------------------------------------
 fe7c5949-528a-404b-9a63-2be66113796b   vtpm VTPM_example

2. Define a tpm guest with tpm device.
# vim lmn.xml
......
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='fe7c5949-528a-404b-9a63-2be66113796b'/>
      </backend>
    </tpm>
......
# virsh define lmn.xml 
Domain 'lmn' defined from lmn.xml

3. Start the guest.
# ls /var/lib/libvirt/swtpm/    (no tpm file yet)
# virsh start lmn
error: Failed to start domain 'lmn'
error: internal error: qemu unexpectedly closed the monitor: 2022-03-15T05:28:05.862730Z qemu-kvm: tpm-emulator: TPM result for CMD_INIT: 0x101 operation failed

Actual results:
Start the guest failed

Expected results:
Can start guest

Additional info:
1) Swtpm.log:
Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Tue 15 Mar 2022 06:28:05 AM CET
Verification of HMAC failed. Data integrity is compromised
SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33
Verification of HMAC failed. Data integrity is compromised
SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33
libtpms/tpm2: Entering failure mode; code: 8, location: NvPowerOn line 126
Error: Could not initialize libtpms.
Error: Could not initialize the TPM
Data client disconnected
2) After step 3, if we remove the tpm file and start again, the guest will start.
# rm -rf /var/lib/libvirt/swtpm/2108a219-bdf5-46b3-9ff2-acef47b48d23/tpm2/tpm2-00.permall 
# virsh start lmn
Domain 'lmn' started

Comment 6 Jaroslav Suchanek 2022-03-21 11:01:12 UTC
Michal, pls, have a look. Thanks.

Comment 9 Michal Privoznik 2022-03-21 15:03:05 UTC
Patch proposed on the list:

https://listman.redhat.com/archives/libvir-list/2022-March/229433.html

Comment 11 Yanqiu Zhang 2022-04-02 08:08:57 UTC
Issue is not reproduced on rhel9.1 with:
qemu-kvm-6.2.0-12.el9.x86_64
libvirt-8.2.0-1.el9.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64
edk2-ovmf-20220126gitbb1bba3d77-4.el9.noarch
openssl-3.0.1-21.el9.x86_64

Steps:
# virsh start vm-ovmf 
Domain 'vm-ovmf' started

# virsh dumpxml vm-ovmf |grep /tpm -B5
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='40f4e01e-02d9-48e3-8b1d-b5985238d1e2'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>

In guest os:
[root@localhost ~]# ls /dev/|grep tpm
tpm0
tpmrm0
[root@localhost ~]# tpm2_getrandom  --hex 16
d6837351b53a77315daee10a1414c784

Comment 13 Michal Privoznik 2022-04-04 06:56:01 UTC
Merged upstream as:

commit 4d7bb0177a33c4e90fd001edfe27bc030354d875
Author:     Michal Prívozník <mprivozn>
AuthorDate: Mon Mar 21 13:33:06 2022 +0100
Commit:     Michal Prívozník <mprivozn>
CommitDate: Mon Mar 28 10:00:18 2022 +0200

    qemu_tpm: Do async IO when starting swtpm emulator
    
    When vTPM is secured via virSecret libvirt passes the secret
    value via an FD when swtpm is started (arguments --key and
    --migration-key). The writing of the secret into the FDs is
    handled via virCommand, specifically qemu_tpm calls
    virCommandSetSendBuffer()) and then virCommandRunAsync() spawns a
    thread to handle writing into the FD via
    virCommandDoAsyncIOHelper. But the thread is not created unless
    VIR_EXEC_ASYNC_IO flag is set, which it isn't. In order to fix
    it, virCommandDoAsyncIO() must be called.
    
    The credit goes to Marc-André Lureau
    <marcandre.lureau> who has done all the debugging and
    proposed fix in the bugzilla.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2064115
    Fixes: a9c500d2b50c5c041a1bb6ae9724402cf1cec8fe
    Signed-off-by: Michal Privoznik <mprivozn>
    Reviewed-by: Jiri Denemark <jdenemar>

v8.1.0-229-g4d7bb0177a

While there are more fixes in the patchset, those are more cleanup of an internal code than bugfixes:

https://listman.redhat.com/archives/libvir-list/2022-March/229480.html
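The commit message above describes the mechanism in one sentence: the secret was registered as a send buffer for the fd passed to swtpm, but the writer thread that would actually push it into the fd was never started, so swtpm opened a state that had been manufactured under the real key with whatever it could read from an empty pipe. The following Python model is an added illustration, not libvirt or swtpm code: the parent stands in for libvirt's virCommand (register a buffer, spawn the child with the read end of a pipe, and either run or skip the writer thread), the child stands in for swtpm reading its key from an inherited fd until EOF, and an HMAC over a constructed blob stands in for swtpm's integrity check on its state file. The function names, the child script, the sample secret and the state bytes are all constructed for the example; that the parent simply closes its write end in the buggy path is a modelling assumption, chosen so the child sees EOF rather than hanging.

```python
import hashlib
import hmac
import os
import subprocess
import sys
import threading

# Constructed sample inputs (not taken from the bug report's environment).
SECRET = b"open sesame"                  # the vTPM secret libvirt hands to swtpm
STATE = b"constructed vTPM NVRAM blob"   # stand-in for tpm2-00.permall contents

# The child plays swtpm: read the key from an inherited fd until EOF and echo
# it on stdout so the parent can observe what the child actually received.
CHILD_SRC = r"""
import os, sys
fd = int(sys.argv[1])
data = b""
while True:
    chunk = os.read(fd, 4096)
    if not chunk:
        break
    data += chunk
os.close(fd)
sys.stdout.buffer.write(data)
sys.stdout.flush()
"""


def spawn_with_send_buffer(secret: bytes, async_io: bool) -> bytes:
    """Spawn the child with the read end of a pipe; return the key it saw.

    async_io=True mirrors the fixed path: a writer thread pushes the registered
    buffer into the fd and closes it. async_io=False mirrors the buggy path: the
    buffer is registered but no thread ever writes it (modelled here by closing
    the write end untouched), so the child reads EOF and ends up with no key.
    """
    rfd, wfd = os.pipe()
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD_SRC, str(rfd)],
        pass_fds=(rfd,),          # inherit only the read end, like --key fd=N
        stdout=subprocess.PIPE,
    )
    os.close(rfd)                 # parent no longer needs the read end

    if async_io:
        def writer() -> None:
            view = memoryview(secret)
            while view:           # handle short writes
                n = os.write(wfd, view)
                view = view[n:]
            os.close(wfd)         # EOF tells the child the key is complete
        t = threading.Thread(target=writer)
        t.start()
        t.join()
    else:
        os.close(wfd)             # nobody wrote the buffer (the bug)

    out, _ = proc.communicate()
    return out


def seal_state(key: bytes, state: bytes) -> bytes:
    """Integrity tag over the state; a stand-in for swtpm's per-blob HMAC."""
    return hmac.new(key, state, hashlib.sha256).digest()


def verify_state(key: bytes, state: bytes, tag: bytes) -> bool:
    """Constant-time check; False corresponds to 'Verification of HMAC failed'."""
    return hmac.compare_digest(seal_state(key, state), tag)


def simulate_start(async_io: bool) -> bool:
    """Manufacture state under SECRET, then 'start' with the key the child got."""
    tag = seal_state(SECRET, STATE)                  # swtpm_setup had the real key
    key_seen = spawn_with_send_buffer(SECRET, async_io)
    return verify_state(key_seen, STATE, tag)        # mismatch -> guest fails to start


if __name__ == "__main__":
    print("fixed path:", "started" if simulate_start(True) else "HMAC failed")
    print("buggy path:", "started" if simulate_start(False) else "HMAC failed")
```

The model also shows why the reporter's workaround (deleting tpm2-00.permall) "worked": with no existing state there is nothing to verify, and the empty key silently becomes the key under which the new state is written, so the protection the secret was meant to provide is lost rather than enforced. A practitioner checking a fix of this shape should confirm that a guest whose vTPM state was manufactured with the secret still starts after the update, and that a guest started during the broken window has its state re-manufactured rather than carried forward.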

Comment 17 Yanqiu Zhang 2022-04-14 02:33:53 UTC
Auto regression test passed:
Pkgs info:
    libvirt	libvirt-8.2.0-1.el9.x86_64
    qemu-kvm	qemu-kvm-6.2.0-12.el9.x86_64
    kernel	kernel-5.14.0-75.el9.x86_64
    swtpm       0.7.0-1.20211109gitb79fd91.el9
    libtpms     0.9.1-0.20211126git1ff6fe1f43.el9
    edk2-ovmf   20220221gitb24306f15d-1.el9
Job url:
    https://libvirt-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/libvirt/view/RHEL-9.1%20x86_64/job/libvirt-RHEL-9.1-runtest-x86_64-function-tpm_emulator/6/testReport/
    All cases passed except 2 skipped by existing bz2025520.

Comment 19 errata-xmlrpc 2022-11-15 10:03:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: libvirt security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8003
