Message-ID: <9350fad8-f0e6-44b4-8e69-a281ed0e849b@linux.ibm.com>
Date: Wed, 4 Dec 2024 16:50:24 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: Yuvaraj Ranganathan <quic_yrangana@...cinc.com>, peterhuewe@....de,
jarkko@...nel.org, jgg@...pe.ca, linux-integrity@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: QEMU launch failure with TPM passthrough

On 12/3/24 2:58 AM, Yuvaraj Ranganathan wrote:
> Hi Everyone,
>
> We are trying to launch VMs using QEMU with TPM passthrough
> (https://www.qemu.org/docs/master/specs/tpm.html), and
> we are finding that the QEMU launch fails in the experiments below:
>
> Problem 1:
> qemu-system-aarch64 \
> -M virt -m 2G \
> -tpmdev passthrough,id=tpm0,path=/dev/tpmrm0 -device tpm-tis,tpmdev=tpm0 \
> -kernel /mnt/overlay/Image \
> -drive file=/mnt/overlay/qcom-guestvm-image-qcs9100-ride-sx-20241118050754.rootfs.ext4,if=virtio,format=raw \
> -append "root=/dev/vda" \
> -cpu host --enable-kvm -smp 4 -nographic
>
>
> qemu-system-aarch64: -tpmdev passthrough,id=tpm0,path=/dev/tpmrm0:
> tpm_passthrough: Could not guess TPM cancel path
>
>
> Problem 2: (experimented based on open source discussions)
> qemu-system-aarch64 \
> -M virt -m 2G \
> -tpmdev passthrough,id=tpm0,path=/dev/tpmrm0,cancel-path=/sys/class/tpm/tpm0/device/cancel -device tpm-tis,tpmdev=tpm0 \
> -kernel /mnt/overlay/Image \
> -drive
> file=/mnt/overlay/qcom-guestvm-image-qcs9100-ride-sx-20241118050754.rootfs.ext4,if=virtio,format=raw
> \
> -append "root=/dev/vda" \
> -cpu host --enable-kvm -smp 4 -nographic
>
> qemu-system-aarch64: -tpmdev passthrough,id=tpm0,path=/dev/tpmrm0,cancel-path=/sys/class/tpm/tpm0/device/cancel:
> tpm_passthrough: Could not open TPM cancel path: No such file or directory

A possibility is to pass /dev/null in this case. When we start VMs
with passthrough in libvirt, we also pass /dev/null if the cancel
sysfs file cannot be found (anymore):
https://github.com/libvirt/libvirt/blob/dba710374d92688f797bf64642cc0d640c301239/src/util/virtpm.c#L67-L93

>
> On further checking, this is because the /sys/class/tpm/tpm0/device/cancel
> attribute is not created by the TPM driver.
>
> Temporary Solution explored:
>
> We made the change in TPM driver to use tpm1_dev_group irrespective of
> TPM version.
> tpm2_dev_group is creating only tpm_version_major attribute while
> tpm1_dev_group is creating multiple attributes including cancel + tpm2
> attributes.
> With this change, we are able to launch VMs successfully using the QEMU
> command.
>
> TPM HW version: 2.0
> QEMU emulator version: 6.2.0
>
> This seems to be a basic issue with QEMU + TPM 2.0 HW.
> Could you please let us know whether we are missing any procedure in the
> QEMU steps?
>
> If the procedure is good, I shall go ahead to post an upstream patch
> with the fix. Need your comments here!!!
>
> Thanks,
> Yuvaraj.
>
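
Added example, not part of the original thread and not libvirt's or QEMU's own code: a shell helper that applies the fallback described in the reply, using the sysfs cancel attribute when it exists and /dev/null otherwise. The function names, the SYSFS_CLASS override and the tpmrmN-to-tpmN mapping (taken from the commands quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pick a cancel-path for QEMU's TPM passthrough backend.
# SYSFS_CLASS is overridable (assumption of this example) so the logic
# can be exercised on a machine without a TPM.
SYSFS_CLASS="${SYSFS_CLASS:-/sys/class}"

# tpm_cancel_path DEV
# Prints the sysfs cancel attribute for DEV, or /dev/null when the
# driver did not create one (the TPM 2.0 case reported in the thread).
tpm_cancel_path() {
    name=${1##*/}                                # /dev/tpmrm0 -> tpmrm0
    case "$name" in
        tpmrm[0-9]*) chip="tpm${name#tpmrm}" ;;  # resource-manager node -> tpm0
        tpm[0-9]*)   chip="$name" ;;
        *) echo "unsupported TPM device: $1" >&2; return 1 ;;
    esac
    candidate="$SYSFS_CLASS/tpm/$chip/device/cancel"
    if [ -e "$candidate" ]; then
        printf '%s\n' "$candidate"
    else
        # Writes to /dev/null are discarded, so a cancel request from
        # QEMU becomes a no-op instead of a launch failure.
        printf '%s\n' /dev/null
    fi
}

# tpmdev_arg DEV [ID]
# Prints the value for QEMU's -tpmdev option with an explicit cancel-path.
tpmdev_arg() {
    cancel=$(tpm_cancel_path "$1") || return 1
    printf 'passthrough,id=%s,path=%s,cancel-path=%s\n' \
        "${2:-tpm0}" "$1" "$cancel"
}

# Usage: pass "$(tpmdev_arg /dev/tpmrm0)" as the argument of -tpmdev.
```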