Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2150731

Summary: VMs requiring vTPM fails to create [rhel-9.0.0.z]
Product: Red Hat Enterprise Linux 9 Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: libvirtAssignee: Michal Privoznik <mprivozn>
libvirt sub component: General QA Contact: Yanqiu Zhang <yanqzhan>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: acardace, fdeutsch, jdenemar, kbidarka, lmen, lpivarc, mprivozn, sgott, virt-maint, yafu, yanqzhan, ymankad
Version: 9.2Keywords: Triaged, ZStream
Target Milestone: rcFlags: yanqzhan: needinfo-
pm-rhel: mirror+
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: libvirt-8.0.0-8.3.el9_0 Doc Type: Bug Fix
Doc Text:
Cause: when starting or stopping swtpm emulator or vhost-user-gpu helper libvirt would read their pidfile and then check against /proc/[pid]/exe whether the PID is still valid. This works, but also requires CAP_SYS_PTRACE capability which might not be available in restricted containers. Fortunately, there is a way for libvirt to check the PID without accessing /proc and validating the pidfile. Consequence: The CAP_SYS_PTRACE capability was needed, which did not play nicely with rootless containers. Fix: The code was changed so that the pidfile is locked when swtpm or vhost-user-gpu is started. Now, whenever libvirt wants to read the PID it also tries to lock the pidfile. If the pidfile can be locked successfully, it means that the swtpm process which held the file locked is gone and the PID is invalid. And vice verca - if the file can't be locked then the process is still running and the PID is valid. Result: The swtpm PID and/or vhost-user-gpu PID can be read without the CAP_SYS_PTRACE capability.
 Story Points: ---
Clone Of: 2150004 Environment:
Last Closed: 2023-01-30 15:46:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2150004, 2152188    
Bug Blocks:    

Comment 8 Yanqiu Zhang 2022-12-07 08:42:02 UTC 
Tried the strace way:
1. On libvirt-8.0.0-8.2.el9_0.x86_64:
# strace -o output.txt -T -tt -e trace=all -f -p `pidof virtqemud`
[terminal2]# virsh start avocado-vt-vm1 
Domain 'avocado-vt-vm1' started

# cat output_oldpkg.txt |grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve'
3144:91348 22:47:09.488201 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=91348}, {effective=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, inheritable=0}) = 0 <0.000016>
3149:91348 22:47:09.488474 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=91348}, {effective=0, permitted=0, inheritable=0}) = 0 <0.000016>
3150:91348 22:47:09.488529 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--daemon", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/e3c55"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2", "--pid", "file=/run/libvirt/qemu/swtpm/3-a"...], 0x7ffd2f93efa8 /* 8 vars */) = 0 <0.001495>
3321:91350 22:47:09.501746 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/3-avocado-vt-vm1-swtpm.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0644) = 7 <0.000042>
3365:89737 22:47:09.505475 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/3-avocado-vt-vm1-swtpm.pid", O_RDONLY) = 24 <0.000057>
...

2. Update to libvirt-8.0.0-8.3.el9_0_rc.d5baff84c2.x86_64 and do the operations again:
# cat output_newpkg.txt |grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve' 
...
3874:97514 02:03:50.438054 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=97514}, {effective=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, inheritable=0}) = 0 <0.000014>
3881:97514 02:03:50.438285 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=97514}, {effective=0, permitted=0, inheritable=0} <unfinished ...>
3883:97514 02:03:50.438322 <... capset resumed>) = 0 <0.000022>
3884:97514 02:03:50.438359 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/e3c55"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2"], 0x7ffce104ebc8 /* 8 vars */ <unfinished ...>
3885:97416 02:03:50.438410 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY) = 24 <0.000029>
3891:97514 02:03:50.439748 <... execve resumed>) = 0 <0.001346>


Hi Michal, please help check:
So with the new pkg, only openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY), does it require ptrace capability? Will this change be enough to fix the 'permission deny' issue? Thank you!
Comment 13 Michal Privoznik 2022-12-07 14:24:14 UTC 
(In reply to yanqzhan from comment #8)
> 
> Hi Michal, please help check:
> So with the new pkg, only openat(AT_FDCWD,
> "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY), does it
> require ptrace capability? Will this change be enough to fix the 'permission
> deny' issue? Thank you!

That definitely does not require ptrace capability. I think we can consider this fixed.
Comment 14 Yanqiu Zhang 2022-12-08 03:29:35 UTC 
Thanks Michal. Then mark pre-verification pass. 

And we can wait for Kedar's or Stu's reply of layered products test results before moving to verified.
Comment 21 Yanqiu Zhang 2022-12-14 08:59:23 UTC 
Verify on rhel9.0 with:
libvirt-8.0.0-8.3.el9_0.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
qemu-kvm-6.2.0-11.el9_0.6.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64

# strace -o output.txt -T -tt -e trace=all -f -p `pidof virtqemud`

# virsh start avocado-vt-vm1 
Domain 'avocado-vt-vm1' started

# virsh dumpxml avocado-vt-vm1 |grep /tpm -B8
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='ba1dfbf5-d0b0-4f27-b278-113731beb2b9'/>
        <active_pcr_banks>
          <sha256/>
        </active_pcr_banks>
      </backend>
      <alias name='tpm0'/>
    </tpm>

# cat output.txt |grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve' 
...
12999:99434 03:53:05.197775 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/b424d"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2", "--key", "pwdfd=27,mode=aes-256-cbc", "--migration-key", "pwdfd=29,mode=aes-256-cbc"], 0x7ffd031bb098 /* 8 vars */ <unfinished ...>
13003:99201 03:53:05.197973 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY) = 24 <0.000016>
13008:99434 03:53:05.198860 <... execve resumed>) = 0 <0.001043>
...
Comment 29 errata-xmlrpc 2023-01-30 15:46:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libvirt bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0521