Bug 1359862 - TPM passthru uses wrong cancel-path: should be /sys/class/tpm/tpm0/device/cancel
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Libvirt Maintainers
QA Contact: Fangge Jin
Depends On: 1519013 1519016 1654486 1654490 1668199 1327947 1595018
 
Reported: 2016-07-25 14:51 UTC by emahoney
Modified: 2019-01-22 08:03 UTC (History)

Fixed In Version: libvirt-1.3.1-1.el7
Last Closed: 2017-05-26 11:04:36 UTC



Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1182709 None None None 2019-01-16 09:31:46 UTC
Red Hat Bugzilla 1244895 None CLOSED TPM passthru uses wrong cancel-path: should be /sys/class/tpm/tpm0/device/cancel 2019-01-16 09:31:46 UTC

Description emahoney 2016-07-25 14:51:21 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
map a physical TPM as passthrough to a virtual machine

Steps to Reproduce:
1.
2.
3.

Actual results:
Error starting domain: internal error: early end of file from monitor: possible problem:
2015-07-20T17:32:36.870094Z qemu-system-x86_64: -tpmdev passthrough,id=tpm-tpm0,path=/dev/tpm0,cancel-path=/sys/class/misc/tpm0/device/cancel: Cannot access TPM device using '/dev/tpm0': Device or resource busy

When tpm dev is added through virtManager it displays the below error upon domain start.

Error starting domain: unable to set security context 'system_u:object_r:svirt_image_t:s0:c121,c372' on '/sys/class/misc/tpm0/device/cancel': No such file or directory

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 89, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 125, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1423, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1007, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c121,c372' on '/sys/class/misc/tpm0/device/cancel': No such file or directory


Expected results:
cancel path for kernel >= 4.0 should be /sys/class/tpm/tpm0/device/cancel

Additional info:
qemu-system-x86_64 supports passing the TPM cancel path on the command line with -tpmdev passthrough,cancel-path=<path>, but it doesn't look like libvirt will recognize this when using virt-install.  It might be worth supporting the cancel-path parameter.

Comment 2 Peter Krempa 2016-07-26 07:39:14 UTC
Upstream fixed this by commit:

commit 5ed7afa9de4e8d2b7e83fee334a0c3f2bddc6a48
Author: Stefan Berger <stefanb@us.ibm.com>
Date:   Tue Nov 17 19:44:13 2015 -0500

    tpm: adapt sysfs cancel path for new TPM driver
    
    This patch addresses BZ 1244895.
    
    Adapt the sysfs TPM command cancel path for the TPM driver that
    does not use a miscdevice anymore since Linux 4.0. Support old
    and new paths and check their availability.
    
    Add a mockup for the test cases to avoid the testing for
    availability of the cancel path.

$ git describe 5ed7afa9de4e8d2b7e83fee334a0c3f2bddc6a48
v1.2.21-67-g5ed7afa
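
The lookup the upstream commit message describes (support both paths and check which one exists), as an added shell example that is not libvirt's own code. It probes rather than comparing kernel versions, since comment 10 shows a 3.10.0-493 RHEL kernel already using the new location; the function name and the overridable sysfs root are assumptions of this example.

```shell
#!/bin/sh
# Added example, not libvirt code: resolve the sysfs cancel file for a
# passthrough TPM by probing both known locations.

# tpm_cancel_path DEVICE [SYSFS_ROOT]
#   DEVICE      host TPM node from the domain XML, e.g. /dev/tpm0
#   SYSFS_ROOT  sysfs mount point (default /sys); overridable so the
#               lookup can be run against a constructed tree
# Prints the first existing candidate and returns 0. Returns 1 when
# DEVICE is not a tpmN node or neither location exists.
tpm_cancel_path() {
    dev_name=${1##*/}          # /dev/tpm0 -> tpm0
    sysfs_root=${2:-/sys}

    # Accept only "tpm" followed by digits; anything else is rejected
    # before it is used to build a sysfs path.
    case $dev_name in
        tpm | tpm*[!0-9]*) return 1 ;;
        tpm[0-9]*) ;;
        *) return 1 ;;
    esac

    # New TPM class directory first, then the older miscdevice one.
    for class in tpm misc; do
        candidate=$sysfs_root/class/$class/$dev_name/device/cancel
        if [ -e "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Stand-alone run: report what this host exposes for /dev/tpm0.
tpm_cancel_path /dev/tpm0 ||
    echo "no cancel file found for /dev/tpm0" >&2
```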

Comment 3 Fangge Jin 2016-08-08 07:38:16 UTC
1. On RHEL7, guest can't start successfully with tpm device, qemu version is qemu-kvm-rhev-2.6.0-17.el7.x86_64
# virsh start rhel7.2
error: Failed to start domain rhel7.2
error: unsupported configuration: The QEMU executable /usr/libexec/qemu-kvm does not support TPM backend type passthrough


2. On fedora, guest can start successfully with tpm device
1) The versions I used on fedora are:
# /usr/bin/qemu-system-x86_64 --version
QEMU emulator version 2.4.1 (qemu-2.4.1-5.fc23), Copyright (c) 2003-2008 Fabrice Bellard

# libvirtd --version
libvirtd (libvirt) 1.3.2

2) Guest can start successfully and qemu cml is:
-tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/2,cancel-path=/dev/fdset/3
-add-fd set=2,fd=29
-add-fd set=3,fd=30
-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0



More info about guest xml and qemu command line:
1) The guest xml libvirt uses is:
    <tpm model='tpm-tis'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>

2) The complete qemu command line is as below in case I miss something above:
 /usr/bin/qemu-system-x86_64 -name rhel7 -S -machine pc-i440fx-2.4,accel=kvm,usb=off -cpu Opteron_G2,+popcnt,+monitor,+ht,+vme,-svm -m size=512000k,slots=16,maxmem=1524736k -realtime mlock=off -smp 4,sockets=4,cores=1,threads=1 -numa node,nodeid=0,cpus=0-3,mem=500 -uuid 7cae86d2-88a2-4c94-95ee-5fdf08e07370 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/usr/local/var/lib/libvirt/qemu/domain-rhel7/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x9.0x7 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/90121/fjin/rhel7.2.qcow2,format=qcow2,if=none,id=drive-virtio-disk0,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=28 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:f1:2c:ed,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/usr/local/var/lib/libvirt/qemu/channel/target/domain-rhel7/org.qemu.guest_agent.0,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -chardev spicevmc,id=charchannel1,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 -tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/2,cancel-path=/dev/fdset/3 -add-fd set=2,fd=29 -add-fd set=3,fd=30 -device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 -vnc 127.0.0.1:0 -device qxl-vga,id=video0,ram_size=67108864,vram_size=16777216,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x8 -device pvpanic,ioport=1285 -msg timestamp=on

Comment 9 Fangge Jin 2016-09-14 06:17:21 UTC
Reproduce this bug with libvirt-1.2.17-13.el7.x86_64, kernel-3.10.0-493.el7.x86_64 and upstream qemu(v2.7.0-217-g7263da7)

Steps:
1. Prepare a guest with tpm device:
# virsh dumpxml rhel7.3-0817
...
    <tpm model='tpm-tis'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
    </tpm>

2. Start guest
# virsh start rhel7.3-0817
error: Failed to start domain rhel7.3-0817
error: Could not open TPM device's cancel path /sys/class/misc/tpm0/device/cancel: No such file or directory

Comment 10 Fangge Jin 2016-09-14 06:32:45 UTC
Verify this bug with libvirt-2.0.0-8.el7.x86_64 and upstream qemu(v2.7.0-217-g7263da7) 

And also test on two different kernel versions: 
For kernel-3.10.0-493.el7.x86_64, the tpm device cancel path is: /sys/class/tpm/tpm0/device/cancel
For kernel-3.10.0-229.el7.x86_64, the tpm device cancel path is: /sys/class/misc/tpm0/device/cancel

Steps:
1.Prepare a guest with tpm device:

# virsh dumpxml rhel7.3-0817

    <tpm model='tpm-tis'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
      <alias name='tpm0'/>
    </tpm>

2. Start guest

# virsh start rhel7.3-0817

3. Check qemu command line:

...-tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/3,cancel-path=/dev/fdset/4 -add-fd set=3,fd=30 -add-fd set=4,fd=32 -device tpm-tis,tpmdev=tpm-tpm0,id=tpm0...

4. Check the opened file descriptors:

For kernel-3.10.0-493.el7.x86_64:
# lsof /sys/class/tpm/tpm0/device/cancel
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
qemu-syst 15117 qemu   11w   REG   0,16     4096 10212 /sys/class/tpm/../../devices/pnp0/00:09/tpm/tpm0/../../../00:09/cancel
qemu-syst 15117 qemu   24w   REG   0,16     4096 10212 /sys/class/tpm/../../devices/pnp0/00:09/tpm/tpm0/../../../00:09/cancel


# lsof /dev/tpm0
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
qemu-syst 15117 qemu   10u   CHR 10,224      0t0 1143 /dev/tpm0
qemu-syst 15117 qemu   23u   CHR 10,224      0t0 1143 /dev/tpm0


For kernel-3.10.0-229.el7.x86_64:
# lsof /sys/class/misc/tpm0/device/cancel
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
qemu-syst 31727 qemu   10w   REG   0,16     4096 10111 /sys/class/misc/../../devices/pnp0/00:0d/misc/tpm0/../../../00:0d/cancel
qemu-syst 31727 qemu   23w   REG   0,16     4096 10111 /sys/class/misc/../../devices/pnp0/00:0d/misc/tpm0/../../../00:0d/cancel

# lsof /dev/tpm0
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
qemu-syst 31727 qemu    9u   CHR 10,224      0t0 1144 /dev/tpm0
qemu-syst 31727 qemu   22u   CHR 10,224      0t0 1144 /dev/tpm0

Comment 11 Fangge Jin 2016-09-20 08:49:49 UTC
Test with builds qemu-kvm-1.5.3-125.el7.x86_64 and libvirt-2.0.0-9.el7.x86_64.

# virsh start mig1
error: Failed to start domain mig1
error: unsupported configuration: The QEMU executable /usr/libexec/qemu-kvm does not support TPM backend type passthrough

So it seems that qemu-kvm also doesn't support TPM passthrough device.

Comment 12 Xuesong Zhang 2016-09-20 09:17:46 UTC
Hi, Evan,

As you can see from comments 9 to 11 above, the libvirt component implements this feature support in RHEL7.3, but qemu does not implement this feature in the current RHEL7.3; qemu implements it upstream now.


I have 2 concerns that I need to confirm with you:
1. From comments 4 to 7, it seems we should test and verify this bug with qemu-kvm in RHEL OS, not with qemu-kvm-rhev in RHEL OS, right?

2. Can we move this libvirt bug to RHEL7.4 and add the Testonly keyword, since qemu-kvm does not support this feature in RHEL7.3 now? Since this bug is from the Customer Portal, we'd like to double confirm with you whether it is OK to deal with this bug per the current support status of libvirt and qemu.
And can we file one corresponding qemu bug for RHEL7.4 for better tracking?

Comment 14 Xuesong Zhang 2016-09-22 03:10:24 UTC
Move this bug to RHEL7.4 with the Testonly keyword for better tracking, since qemu does not implement this feature downstream in RHEL7.3.

Comment 17 Fangge Jin 2017-05-26 10:53:58 UTC
TPM is not supported in RHEL7.4 by either qemu-kvm-rhev or qemu-kvm. So move this bug to RHEL7.5

Comment 24 Marina 2017-06-06 21:11:39 UTC
Thank you!
Here is the qemu-kvm-rhev rfe: https://bugzilla.redhat.com/show_bug.cgi?id=1327947

And here is the kcs documenting current support status:
https://access.redhat.com/solutions/2623641

