2152188 – VMs requiring vTPM fails to create

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2152188 - VMs requiring vTPM fails to create

Summary: VMs requiring vTPM fails to create

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	8.7
Hardware:	All
OS:	All
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Privoznik
QA Contact:	Yanqiu Zhang
Docs Contact:
URL:
Whiteboard:
Depends On:	2150004
Blocks:	2149227 2150730 2150731 2154412 2154413
TreeView+	depends on / blocked

Reported:	2022-12-09 16:25 UTC by Jaroslav Suchanek
Modified:	2023-05-16 09:01 UTC (History)
CC List:	14 users (show)
Fixed In Version:	libvirt-8.0.0-12.module+el8.8.0+17545+95582d4e
Doc Type:	Bug Fix
Doc Text:	Cause: when starting or stopping swtpm emulator or vhost-user-gpu helper libvirt would read their pidfile and then check against /proc/[pid]/exe whether the PID is still valid. This works, but also requires CAP_SYS_PTRACE capability which might not be available in restricted containers. Fortunately, there is a way for libvirt to check the PID without accessing /proc and validating the pidfile. Consequence: The CAP_SYS_PTRACE capability was needed, which did not play nicely with rootless containers. Fix: The code was changed so that the pidfile is locked when swtpm or vhost-user-gpu is started. Now, whenever libvirt wants to read the PID it also tries to lock the pidfile. If the pidfile can be locked successfully, it means that the swtpm process which held the file locked is gone and the PID is invalid. And vice verca - if the file can't be locked then the process is still running and the PID is valid. Result: The swtpm PID and/or vhost-user-gpu PID can be read without the CAP_SYS_PTRACE capability.
Clone Of:	2150004
Clones:	2154412 2154413 (view as bug list)
Environment:
Last Closed:	2023-05-16 08:18:36 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-141793	0	None	None	None	2022-12-09 16:30:07 UTC
Red Hat Product Errata	RHSA-2023:2757	0	None	None	None	2023-05-16 08:19:53 UTC

Description Jaroslav Suchanek 2022-12-09 16:25:05 UTC

+++ This bug was initially created as a clone of Bug #2150004 +++

+++ This bug was initially created as a clone of Bug #2149227 +++

Description of problem:
Recent upstream changes in Kubevirt removed ptrace capability. This means downstream builds need to remove the capability too, causing the Libvirt to fail when vTPM is requested.

This is impacting Windows VMs (as they require vTPM) but not exclusively.

Andrea Bolognani made a preliminary list of commits,

The libvirt change is

  commit a9c500d2b50c5c041a1bb6ae9724402cf1cec8fe
  Author: Vasiliy Ulyanov <vulyanov>
  Date:   Wed Feb 2 17:28:16 2022 +0100

    qemu: tpm: Get swtpm pid without binary validation

plus I guess

  commit 4d7bb0177a33c4e90fd001edfe27bc030354d875
  Author: Michal Prívozník <mprivozn>
  Date:   Mon Mar 21 13:33:06 2022 +0100

    qemu_tpm: Do async IO when starting swtpm emulator

Comment 2 John Ferlan 2022-12-12 14:26:36 UTC

Can we get the qa_ack+ so that release+ can occur?  tks!

Strange when this bug was copied that the release bot didn't request the various flags

Comment 3 Yanqiu Zhang 2022-12-13 09:47:07 UTC

Test on rhel8.8 with:
libvirt-8.0.0-12.el8_rc.1fec897c86.x86_64
swtpm-0.7.0-4.20211109gitb79fd91.module+el8.8.0+16781+9f4724c2.x86_64
qemu-kvm-6.2.0-27.module+el8.8.0+17473+3286524b.x86_64
libtpms-0.9.1-1.20211126git1ff6fe1f43.module+el8.8.0+16781+9f4724c2.x86_64

# virsh dumpxml vm-ovmf --inactive|grep /tpm -B7
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
        <encryption secret='a2a3e901-72ad-469b-b6fa-8fc8cc3b1d02'/>
        <active_pcr_banks>
          <sha256/>
        </active_pcr_banks>
      </backend>
    </tpm>

# strace -o output.txt -T -tt -e trace=all -f -p `pidof libvirtd`

# virsh start vm-ovmf 
Domain 'vm-ovmf' started

# cat output.txt|grep -nE 'swtpm.pid|"/usr/bin/swtpm", "socket"|capset|execve'
...
16238:185337 04:40:26.483589 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/0a74f"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2", "--key", "pwdfd=40,mode=aes-256-cbc", "--migration-key", "pwdfd=43,mode=aes-256-cbc"], 0x7ffcb468a9d8 /* 7 vars */ <unfinished ...>
16244:185163 04:40:26.483910 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-vm-ovmf-swtpm.pid", O_RDONLY) = 40 <0.000012>
16253:185337 04:40:26.484985 <... execve resumed>) = 0 <0.001362>
...

Comment 6 Yanqiu Zhang 2022-12-14 09:13:47 UTC

Verify on rhel8.8 with downstream pkg:
libvirt-8.0.0-12.module+el8.8.0+17545+95582d4e.x86_64

On env of comment3, upgrade libvirt and restart libvirtd. Then do same test steps for vtpm, get log as below:

11426:212927 04:08:29.845142 execve("/usr/bin/swtpm", ["/usr/bin/swtpm", "socket", "--ctrl", "type=unixio,path=/run/libvirt/qe"..., "--tpmstate", "dir=/var/lib/libvirt/swtpm/0a74f"..., "--log", "file=/var/log/swtpm/libvirt/qemu"..., "--terminate", "--tpm2", "--key", "pwdfd=40,mode=aes-256-cbc", "--migration-key", "pwdfd=43,mode=aes-256-cbc"], 0x7fff0549c958 /* 7 vars */ <unfinished ...>
11432:212712 04:08:29.845463 openat(AT_FDCWD, "/run/libvirt/qemu/swtpm/1-vm-ovmf-swtpm.pid", O_RDONLY) = 40 <0.000012>
11441:212927 04:08:29.846585 <... execve resumed>) = 0 <0.001419>

Comment 15 errata-xmlrpc 2023-05-16 08:18:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2757

Note You need to log in before you can comment on or make changes to this bug.