Created attachment 1882372 [details]
vm and dv yamls

Description of problem:
Even with tpm: {} in VM spec, Windows 11 installer still gives error "This PC can't run Windows 11"

Version-Release number of selected component (if applicable):
cnv 4.11

How reproducible:
100%

Steps to Reproduce: (VM and DV yamls attached)
1. Create VM with attached dv with windows installer iso as cd-rom
2. Start VM and go through windows installer process

Actual results:
Windows installer will be at minimum sys req verifier

Expected results:
Windows OS is installed

Additional info:
Installer fails specifically on TPM device validation, since if this check is disabled in installer registry, the installation continues without issues
This is very odd, I'll deploy a 4.11 cluster and try to reproduce. Thanks!
I wasn't able to reproduce this issue, using the latest 4.11 nightlies of OCP and CNV. Any chance I could get access to your cluster? Thank you.
Thank you @vsibirsk for giving me access to your cluster. I was able to find the error in the swtpm logs:

libtpms/tpm2: Entering failure mode; code: 6, location: TestSymmetricAlgorithm line 230
libtpms/tpm2: TPM2_Process: Entered failure mode through command: 80 01 00 00 00 0b 00 00 01 43 00

The last 3 bytes indicate a partial self test command (TPM2_SelfTest(fullTest=NO)). After that, the TPM chip is non-functional. This is the code for the portion of the test that fails: https://github.com/stefanberger/libtpms/blob/721f6c2e3319dbd65ac420350de878f5660a38d4/src/tpm2/AlgorithmTests.c#L285

The issue unfortunately does not reproduce in upstream KubeVirt, making it really hard to debug. It might be a missing component in virt-launcher, like a library, or something preventing the test, like maybe crypto-policies? I will keep searching.
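To make the decoding of that logged command reproducible, here is a small TPM 2.0 command-header parser (added example, not code from the thread or from swtpm/libtpms); it applies the header layout from the TPM 2.0 Library spec (tag, commandSize, commandCode) and treats the bytes quoted in the swtpm log as constructed sample input.

```python
import struct

# TPM 2.0 command header constants (TPM 2.0 Library spec, Part 2)
TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
TPM_CC_SELFTEST = 0x00000143

# Sample input: the command bytes quoted from the swtpm log in this thread
SWTPM_LOG_COMMAND = "80 01 00 00 00 0b 00 00 01 43 00"


def hexlog_to_bytes(text: str) -> bytes:
    """Turn a space-separated hex dump (as swtpm logs it) into raw bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def parse_tpm2_command(raw: bytes) -> dict:
    """Parse the 10-byte TPM 2.0 command header (big-endian UINT16 tag,
    UINT32 commandSize, UINT32 commandCode) and, for TPM2_SelfTest, its
    single TPMI_YES_NO fullTest parameter (1 = YES, 0 = NO)."""
    if len(raw) < 10:
        raise ValueError("command shorter than the 10-byte TPM2 header")
    tag, size, cc = struct.unpack(">HII", raw[:10])
    if tag not in (TPM_ST_NO_SESSIONS, TPM_ST_SESSIONS):
        raise ValueError(f"unexpected tag 0x{tag:04x}")
    # commandSize must cover the whole buffer, otherwise the dump is truncated
    if size != len(raw):
        raise ValueError(f"commandSize {size} != captured length {len(raw)}")
    cmd = {"tag": tag, "size": size, "command_code": cc, "params": raw[10:]}
    if cc == TPM_CC_SELFTEST:
        if len(cmd["params"]) != 1:
            raise ValueError("TPM2_SelfTest carries exactly one TPMI_YES_NO byte")
        cmd["full_test"] = cmd["params"][0] == 1
    return cmd


def describe(raw: bytes) -> str:
    """Human-readable name for the command, in the form used in this thread."""
    cmd = parse_tpm2_command(raw)
    if cmd["command_code"] == TPM_CC_SELFTEST:
        return "TPM2_SelfTest(fullTest=%s)" % ("YES" if cmd["full_test"] else "NO")
    return "TPM command 0x%08x" % cmd["command_code"]


if __name__ == "__main__":
    print(describe(hexlog_to_bytes(SWTPM_LOG_COMMAND)))
```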
Hi Jed, short question: As the issue only reproduces downstream, can you also check that plain RHEL is working (same VM setup but on RHEL, not RHCOS/OCP Virt)? Just to ensure it really is KubeVirt related and not a generic RHEL issue. Thanks! Martin
Thanks Martin for the great suggestion! I just created a session-mode VM in RHEL 8.6 with EFI and emulated TPM-TIS 2.0. There is no error in the swtpm logs and the VM is able to access the chip. So the good news is that the issue is CNV(/RHCOS?) related, the bad news is that I have no idea what could be causing it... My best lead was crypto-policies, but RHEL 8 has them, and even when switched to the stricter "FUTURE" system-wide policy swtpm still works fine.
We found the source of the issue. The cluster used by the reporter was FIPS-enabled, and swtpm is not compatible with FIPS.
Deferring this to 4.12 because the layered product fix isn't ready yet.
We are blocked on an external dependency (swtpm) and hence deferring it to 4.13.
The swtpm version in KubeVirt 1.0 should include the necessary fixes. Moving to ON_QA.
Tested on:
Openshift version: 4.14.0-ec.3
CNV version: 4.14.0
HCO image: brew.registry.redhat.io/rh-osbs/iib:531794

Tested with Windows11 and Windows2k22 with tpm: {} in VM spec.
Create, start, migrate VM all works OK.
TPM check passes during OS install.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.14.0 Images security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:6817