Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2103119

Summary: [RFE] Expose supported TPM version in domCapabilities (via 'swtpm')
Product: Red Hat Enterprise Linux 9 Reporter: Kashyap Chamarthy <kchamart>
Component: libvirtAssignee: Michal Privoznik <mprivozn>
libvirt sub component: CLI & API QA Contact: Yanqiu Zhang <yanqzhan>
Status: CLOSED ERRATA Docs Contact:
Severity: unspecified    
Priority: unspecified CC: chhu, jdenemar, lmen, mprivozn, virt-maint, xuzhang, yanqzhan
Version: 9.0Keywords: AutomationTriaged, FutureFeature, Triaged, Upstream
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: libvirt-8.5.0-2.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-15 10:04:39 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1782128    

Description Kashyap Chamarthy 2022-07-01 13:41:00 UTC 
Description of problem
----------------------

It can be useful to management applications to query for supported TPM (Trusted Platform Module) via libvirt's domCapabilities API.  

Some Linux distributions (e.g. RHEL 9) have deprecated/removed[1] support for TPM 1.2 (as it is tied to SHA-1.)

It looks like libvirt already probes the `swtpm` binary for capabilities, and `swtpm_setup` already exposes the info that can be used by higher-level management tools.  (The below is from Fedora 36.)

    $> swtpm_setup --print-capabilities | jq
    {
      "type": "swtpm_setup",
      "features": [
        "tpm-1.2",
        "tpm-2.0",
        "cmdarg-keyfile-fd",
        "cmdarg-pwdfile-fd",
        "tpm12-not-need-root",
        "cmdarg-write-ek-cert-files",
        "cmdarg-create-config-files",
        "cmdarg-reconfigure-pcr-banks",
        "tpm2-rsa-keysize-2048",
        "tpm2-rsa-keysize-3072"
      ],
      "version": "0.7.3"
    }


Here's the corresponding upstream ticket[2].

(Thanks: Andrea Bolognani for a discussion on this.)


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1990153 — Remove swtpm TPM 1.2 support from RHEL9

[2] https://gitlab.com/libvirt/libvirt/-/issues/340
Comment 2 Michal Privoznik 2022-07-12 14:26:32 UTC 
Patches posted on the list:

https://listman.redhat.com/archives/libvir-list/2022-July/232763.html
Comment 3 Michal Privoznik 2022-07-13 09:58:45 UTC 
Merged upstream as:

430ab88ab1 qemu: Report supported TPM version in domcaps
1277a9c884 domcaps: Introduce TPM backendVersion
7b37763278 virtpm: Introduce TPM-1.2 and TPM-2.0 capabilieis
6a00c565c4 docs: Document TPM portion of domcaps

v8.5.0-85-g430ab88ab1
Comment 4 Jiri Denemark 2022-07-14 13:46:51 UTC 
All patches pushed after 8.5.0 upstream release need to be backported to make
it into RHEL 9.1.0.
Comment 5 Michal Privoznik 2022-07-15 12:56:06 UTC 
To POST:

https://gitlab.com/redhat/rhel/src/libvirt/-/merge_requests/34

https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1293353
Comment 6 Yanqiu Zhang 2022-07-18 04:30:27 UTC 
Tested on:
libvirt-8.5.0-2.el9.x86_64
qemu-kvm-7.0.0-8.el9.x86_64
swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-2.20211126git1ff6fe1f43.el9.x86_64

# /usr/libexec/qemu-kvm -device help|grep tpm
name "tpm-crb"
name "tpm-tis", bus ISA

# /usr/libexec/qemu-kvm -tpmdev help
Supported TPM types (choose only one):
    emulator   TPM emulator backend driver    <== supported backend type

# swtpm_setup --print-capabilities |jq
{
  "type": "swtpm_setup",
  "features": [
    "tpm-2.0",                              <== supported backend version
    "cmdarg-keyfile-fd",
    "cmdarg-pwdfile-fd",
    "tpm12-not-need-root",
    "cmdarg-write-ek-cert-files",
    "cmdarg-create-config-files",
    "cmdarg-reconfigure-pcr-banks",
    "tpm2-rsa-keysize-2048",
    "tpm2-rsa-keysize-3072"
  ],
  "version": "0.7.0"
}

# virsh domcapabilities 
...
    <tpm supported='yes'>
      <enum name='model'>
        <value>tpm-tis</value>
        <value>tpm-crb</value>
      </enum>
      <enum name='backendModel'>
        <value>emulator</value>
      </enum>
      <enum name='backendVersion'>
        <value>2.0</value>
      </enum>
    </tpm>
  </devices>
...

Work as expected.
Comment 7 Yanqiu Zhang 2022-07-18 05:09:31 UTC 
Test with a lower libtpms:
libvirt-8.5.0-2.el9.x86_64
qemu-kvm-7.0.0-8.el9.x86_64
swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64
libtpms-0.8.2-0.20210301git729fc6a4ca.el9.7.x86_64   <== a lower version supports tpm1.2 (before bz1990152)

# swtpm_setup --print-capabilities |jq
{
  "type": "swtpm_setup",
  "features": [
    "tpm-1.2",                    <== supported backend version
    "tpm-2.0",                    <== supported backend version
    "cmdarg-keyfile-fd",
    "cmdarg-pwdfile-fd",
    "tpm12-not-need-root",
    "cmdarg-write-ek-cert-files",
    "cmdarg-create-config-files",
    "cmdarg-reconfigure-pcr-banks",
    "tpm2-rsa-keysize-2048",
    "tpm2-rsa-keysize-3072"
  ],
  "version": "0.7.0"
}

# virsh domcapabilities|grep /tpm -B12
    <tpm supported='yes'>
      <enum name='model'>
        <value>tpm-tis</value>
        <value>tpm-crb</value>
      </enum>
      <enum name='backendModel'>
        <value>emulator</value>
      </enum>
      <enum name='backendVersion'>
        <value>1.2</value>
        <value>2.0</value>
      </enum>
    </tpm>

Work as expected.
Comment 8 Yanqiu Zhang 2022-07-25 03:20:25 UTC 
Hi Kashyap,

The fix is available on brewweb: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2087909.
Verification is pass in comment6 and comment7. Could you check whether it also works for you?
Thanks.
Comment 11 Yanqiu Zhang 2022-07-27 04:15:22 UTC 
Verified with
libvirt-8.5.0-3.el9.x86_64
qemu-kvm-7.0.0-9.el9.x86_64
swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64
libtpms-0.9.1-2.20211126git1ff6fe1f43.el9.x86_64  and libtpms-0.8.2-0.20210301git729fc6a4ca.el9.7.x86_64 

Results are same with comment6 and comment7.
Comment 13 errata-xmlrpc 2022-11-15 10:04:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: libvirt security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8003
Comment 14 Kashyap Chamarthy 2022-11-17 16:11:52 UTC 
(In reply to yanqzhan from comment #8)
> Hi Kashyap,
> 
> The fix is available on brewweb:
> https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2087909.
> Verification is pass in comment6 and comment7. Could you check whether it
> also works for you?
> Thanks.

Hi!

I'm asking our fine Compute QE, James Parker, to test it.  He's on it.