Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
Start encrypted tpm guest failed
Version-Release number of selected component (if applicable):
libvirt-8.1.0-1.el9.x86_64
qemu-kvm-6.2.0-11.el9.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64
edk2-ovmf-20220126gitbb1bba3d77-3.el9.noarch
kernel-5.14.0-70.1.1.el9.x86_64
openssl-3.0.1-17.el9.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Prepare a tpm secret.
# cat secret.xml
<secret ephemeral="no" private="yes">
<description>sample vTPM secret</description>
<usage type="vtpm">
<name>VTPM_example</name>
</usage>
</secret>
# virsh secret-define secret.xml
Secret fe7c5949-528a-404b-9a63-2be66113796b created
# MYSECRET=`printf %s "open sesame" | base64`
# virsh secret-set-value --secret fe7c5949-528a-404b-9a63-2be66113796b $MYSECRET
error: Passing secret value as command-line argument is insecure!
Secret value set
# virsh secret-list
UUID Usage
-----------------------------------------------------------
fe7c5949-528a-404b-9a63-2be66113796b vtpm VTPM_example
2. Define a tpm guest with tpm device.
# vim lmn.xml
......
<tpm model='tpm-crb'>
<backend type='emulator' version='2.0'>
<encryption secret='fe7c5949-528a-404b-9a63-2be66113796b'/>
</backend>
</tpm>
......
# virsh define lmn.xml
Domain 'lmn' defined from lmn.xml
3.Start the guest.
# ls /var/lib/libvirt/swtpm/ --no tpm file
# virsh start lmn
error: Failed to start domain 'lmn'
error: internal error: qemu unexpectedly closed the monitor: 2022-03-15T05:28:05.862730Z qemu-kvm: tpm-emulator: TPM result for CMD_INIT: 0x101 operation failed
Actual results:
Start the guest failed
Expected results:
Can start guest
Additional info:
1) Swtpm.log:
Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Tue 15 Mar 2022 06:28:05 AM CET
Verification of HMAC failed. Data integrity is compromised
SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33
Verification of HMAC failed. Data integrity is compromised
SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33
libtpms/tpm2: Entering failure mode; code: 8, location: NvPowerOn line 126
Error: Could not initialize libtpms.
Error: Could not initialize the TPM
Data client disconnected
2) After step 3, if we remove the tpm file and start again, the guest will start.
# rm -rf /var/lib/libvirt/swtpm/2108a219-bdf5-46b3-9ff2-acef47b48d23/tpm2/tpm2-00.permall
# virsh start lmn
Domain 'lmn' started
Comment 6Jaroslav Suchanek
2022-03-21 11:01:12 UTC
Issue is not reproduced on rhel9.1 with:
qemu-kvm-6.2.0-12.el9.x86_64
libvirt-8.2.0-1.el9.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64
edk2-ovmf-20220126gitbb1bba3d77-4.el9.noarch
openssl-3.0.1-21.el9.x86_64
Steps:
# virsh start vm-ovmf
Domain 'vm-ovmf' started
# virsh dumpxml vm-ovmf |grep /tpm -B5
<tpm model='tpm-crb'>
<backend type='emulator' version='2.0'>
<encryption secret='40f4e01e-02d9-48e3-8b1d-b5985238d1e2'/>
</backend>
<alias name='tpm0'/>
</tpm>
In guest os:
[root@localhost ~]# ls /dev/|grep tpm
tpm0
tpmrm0
[root@localhost ~]# tpm2_getrandom --hex 16
d6837351b53a77315daee10a1414c784
Comment 13Michal Privoznik
2022-04-04 06:56:01 UTC
Merged upstream as:
commit 4d7bb0177a33c4e90fd001edfe27bc030354d875
Author: Michal Prívozník <mprivozn>
AuthorDate: Mon Mar 21 13:33:06 2022 +0100
Commit: Michal Prívozník <mprivozn>
CommitDate: Mon Mar 28 10:00:18 2022 +0200
qemu_tpm: Do async IO when starting swtpm emulator
When vTPM is secured via virSecret libvirt passes the secret
value via an FD when swtpm is started (arguments --key and
--migration-key). The writing of the secret into the FDs is
handled via virCommand, specifically qemu_tpm calls
virCommandSetSendBuffer()) and then virCommandRunAsync() spawns a
thread to handle writing into the FD via
virCommandDoAsyncIOHelper. But the thread is not created unless
VIR_EXEC_ASYNC_IO flag is set, which it isn't. In order to fix
it, virCommandDoAsyncIO() must be called.
The credit goes to Marc-André Lureau
<marcandre.lureau> who has done all the debugging and
proposed fix in the bugzilla.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2064115
Fixes: a9c500d2b50c5c041a1bb6ae9724402cf1cec8fe
Signed-off-by: Michal Privoznik <mprivozn>
Reviewed-by: Jiri Denemark <jdenemar>
v8.1.0-229-g4d7bb0177a
While there are more fixes in the patchset, those are more cleanup of an internal code than bugfixes:
https://listman.redhat.com/archives/libvir-list/2022-March/229480.html
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Low: libvirt security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2022:8003
Description of problem: Start encrypted tpm guest failed Version-Release number of selected component (if applicable): libvirt-8.1.0-1.el9.x86_64 qemu-kvm-6.2.0-11.el9.x86_64 swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64 libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64 edk2-ovmf-20220126gitbb1bba3d77-3.el9.noarch kernel-5.14.0-70.1.1.el9.x86_64 openssl-3.0.1-17.el9.x86_64 How reproducible: 100% Steps to Reproduce: 1. Prepare a tpm secret. # cat secret.xml <secret ephemeral="no" private="yes"> <description>sample vTPM secret</description> <usage type="vtpm"> <name>VTPM_example</name> </usage> </secret> # virsh secret-define secret.xml Secret fe7c5949-528a-404b-9a63-2be66113796b created # MYSECRET=`printf %s "open sesame" | base64` # virsh secret-set-value --secret fe7c5949-528a-404b-9a63-2be66113796b $MYSECRET error: Passing secret value as command-line argument is insecure! Secret value set # virsh secret-list UUID Usage ----------------------------------------------------------- fe7c5949-528a-404b-9a63-2be66113796b vtpm VTPM_example 2. Define a tpm guest with tpm device. # vim lmn.xml ...... <tpm model='tpm-crb'> <backend type='emulator' version='2.0'> <encryption secret='fe7c5949-528a-404b-9a63-2be66113796b'/> </backend> </tpm> ...... # virsh define lmn.xml Domain 'lmn' defined from lmn.xml 3.Start the guest. # ls /var/lib/libvirt/swtpm/ --no tpm file # virsh start lmn error: Failed to start domain 'lmn' error: internal error: qemu unexpectedly closed the monitor: 2022-03-15T05:28:05.862730Z qemu-kvm: tpm-emulator: TPM result for CMD_INIT: 0x101 operation failed Actual results: Start the guest failed Expected results: Can start guest Additional info: 1) Swtpm.log: Successfully created EK certificate locally. Successfully created NVRAM area 0x1c00016 for ECC EK certificate. Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512. Successfully authored TPM state. Ending vTPM manufacturing @ Tue 15 Mar 2022 06:28:05 AM CET Verification of HMAC failed. Data integrity is compromised SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33 Verification of HMAC failed. Data integrity is compromised SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33 libtpms/tpm2: Entering failure mode; code: 8, location: NvPowerOn line 126 Error: Could not initialize libtpms. Error: Could not initialize the TPM Data client disconnected 2) After step 3, if we remove the tpm file and start again, the guest will start. # rm -rf /var/lib/libvirt/swtpm/2108a219-bdf5-46b3-9ff2-acef47b48d23/tpm2/tpm2-00.permall # virsh start lmn Domain 'lmn' started