2150731 – VMs requiring vTPM fails to create [rhel-9.0.0.z]

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2150731 - VMs requiring vTPM fails to create [rhel-9.0.0.z]

Summary: VMs requiring vTPM fails to create [rhel-9.0.0.z]

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	9.2
Hardware:	All
OS:	All
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Privoznik
QA Contact:	Yanqiu Zhang
Docs Contact:
URL:
Whiteboard:
Depends On:	2150004 2152188
Blocks:
TreeView+	depends on / blocked

Reported:	2022-12-05 08:04 UTC by RHEL Program Management Team
Modified:	2023-03-22 08:10 UTC (History)
CC List:	12 users (show)
Fixed In Version:	libvirt-8.0.0-8.3.el9_0
Doc Type:	Bug Fix
Doc Text:	Cause: when starting or stopping swtpm emulator or vhost-user-gpu helper libvirt would read their pidfile and then check against /proc/[pid]/exe whether the PID is still valid. This works, but also requires CAP_SYS_PTRACE capability which might not be available in restricted containers. Fortunately, there is a way for libvirt to check the PID without accessing /proc and validating the pidfile. Consequence: The CAP_SYS_PTRACE capability was needed, which did not play nicely with rootless containers. Fix: The code was changed so that the pidfile is locked when swtpm or vhost-user-gpu is started. Now, whenever libvirt wants to read the PID it also tries to lock the pidfile. If the pidfile can be locked successfully, it means that the swtpm process which held the file locked is gone and the PID is invalid. And vice verca - if the file can't be locked then the process is still running and the PID is valid. Result: The swtpm PID and/or vhost-user-gpu PID can be read without the CAP_SYS_PTRACE capability.
Clone Of:	2150004
Environment:
Last Closed:	2023-01-30 15:46:01 UTC
Type:	---
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	yanqzhan: needinfo-

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-141275	0	None	None	None	2022-12-05 08:07:57 UTC

Comment 8 Yanqiu Zhang 2022-12-07 08:42:02 UTC

Tried the strace way:
1. On libvirt-8.0.0-8.2.el9_0.x86_64:
# strace -o output.txt -T -tt -e trace=all -f -p `pidof virtqemud`
[terminal2]# virsh start avocado-vt-vm1 
Domain 'avocado-vt-vm1' started

# cat output_oldpkg.txt |grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve'
3144:91348 22:47:09.488201 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=91348}, {effective=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, inheritable=0}) = 0 <0.000016>
3149:91348 22:47:09.488474 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=91348}, {effective=0, permitted=0, inheritable=0}) = 0 <0.000016>
3150:91348 22:47:09.488529 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--daemon", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/e3c55"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2", "--pid", "file=/run/libvirt/qemu/swtpm/3-a"...], 0x7ffd2f93efa8 /* 8 vars */) = 0 <0.001495>
3321:91350 22:47:09.501746 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/3-avocado-vt-vm1-swtpm.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0644) = 7 <0.000042>
3365:89737 22:47:09.505475 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/3-avocado-vt-vm1-swtpm.pid", O_RDONLY) = 24 <0.000057>
...

2. Update to libvirt-8.0.0-8.3.el9_0_rc.d5baff84c2.x86_64 and do the operations again:
# cat output_newpkg.txt |grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve' 
...
3874:97514 02:03:50.438054 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=97514}, {effective=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, inheritable=0}) = 0 <0.000014>
3881:97514 02:03:50.438285 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=97514}, {effective=0, permitted=0, inheritable=0} <unfinished ...>
3883:97514 02:03:50.438322 <... capset resumed>) = 0 <0.000022>
3884:97514 02:03:50.438359 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/e3c55"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2"], 0x7ffce104ebc8 /* 8 vars */ <unfinished ...>
3885:97416 02:03:50.438410 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY) = 24 <0.000029>
3891:97514 02:03:50.439748 <... execve resumed>) = 0 <0.001346>


Hi Michal, please help check:
So with the new pkg, only openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY), does it require ptrace capability? Will this change be enough to fix the 'permission deny' issue? Thank you!

Comment 13 Michal Privoznik 2022-12-07 14:24:14 UTC

(In reply to yanqzhan from comment #8)
> 
> Hi Michal, please help check:
> So with the new pkg, only openat(AT_FDCWD,
> "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY), does it
> require ptrace capability? Will this change be enough to fix the 'permission
> deny' issue? Thank you!

That definitely does not require ptrace capability. I think we can consider this fixed.

Comment 14 Yanqiu Zhang 2022-12-08 03:29:35 UTC

Thanks Michal. Then mark pre-verification pass. 

And we can wait for Kedar's or Stu's reply of layered products test results before moving to verified.

Comment 21 Yanqiu Zhang 2022-12-14 08:59:23 UTC

Verify on rhel9.0 with:
libvirt-8.0.0-8.3.el9_0.x86_64
swtpm-0.7.0-1.20211109gitb79fd91.el9.x86_64
qemu-kvm-6.2.0-11.el9_0.6.x86_64
libtpms-0.9.1-0.20211126git1ff6fe1f43.el9.x86_64

# strace -o output.txt -T -tt -e trace=all -f -p `pidof virtqemud`

# virsh start avocado-vt-vm1 
Domain 'avocado-vt-vm1' started

# virsh dumpxml avocado-vt-vm1 |grep /tpm -B8
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='ba1dfbf5-d0b0-4f27-b278-113731beb2b9'/>
        <active_pcr_banks>
          <sha256/>
        </active_pcr_banks>
      </backend>
      <alias name='tpm0'/>
    </tpm>

# cat output.txt |grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve' 
...
12999:99434 03:53:05.197775 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/b424d"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2", "--key", "pwdfd=27,mode=aes-256-cbc", "--migration-key", "pwdfd=29,mode=aes-256-cbc"], 0x7ffd031bb098 /* 8 vars */ <unfinished ...>
13003:99201 03:53:05.197973 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid", O_RDONLY) = 24 <0.000016>
13008:99434 03:53:05.198860 <... execve resumed>) = 0 <0.001043>
...

Comment 29 errata-xmlrpc 2023-01-30 15:46:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libvirt bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0521

Note You need to log in before you can comment on or make changes to this bug.