Bug 1197104

Summary: measured boot is broken in VMs in Tumbleweed
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Alberto Planas Dominguez <aplanas>
Component: Security
Assignee: Joey Lee <jlee>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Critical
Priority: P5 - None
CC: fvogt, guillaume.gardet, kukuk, richard.fan
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1197267, 1197324

Description Alberto Planas Dominguez 2022-03-14 17:06:33 UTC
I am executing VMs with TPM2 virtualized using swtpm with ovmf with secure boot. Once booted I do not see the event log in securityfs, and /sys/kernel/security/tpm0 is missing.

There is some component in the virtualization stack, or in the kernel, that is breaking the measured boot log in VMs. I tested:

- Use different versions of swtpm with the --tpm2 option (from 6.0.0 to git). With logs activated, I would expect to see communication from the UEFI firmware inside the VM doing measurements and PCR expansions, but the log that I see, I think, does not represent this information. The command used is some variation of:

rm -fr tpm; mkdir tpm
swtpm socket --tpmstate dir=tpm \
  --ctrl type=unixio,path=tpm/swtpm-sock \
  --log level=20 --tpm2 &


- Use different OVMF firmwares. I am using the one deployed with Tumbleweed, and some OVMF packages from Fedora, with and without secure boot.

- Use different QEMU. I tested 6.1.1, 6.2.0 and git, using the expected cli. Always variations of:

qemu-system-x86_64 \
 -enable-kvm \
 -smp 1 \
 -m 2048 \
 -machine q35 \
 -cpu host \
 -global ICH9-LPC.disable_s3=1 \
 -net nic,model=virtio \
 -net user,hostfwd=tcp::8022-:22,hostfwd=tcp::8090-:80  \
 -drive file=/usr/share/qemu/ovmf-x86_64-opensuse-code.bin,if=pflash,format=raw,unit=0,readonly=on \
 -drive file=./ovmf-x86_64-ms-vars-tw.bin,if=pflash,format=raw,unit=1 \
 -chardev socket,id=chrtpm,path=./tpm/swtpm-sock \
 -tpmdev emulator,id=tpm0,chardev=chrtpm \
 -device tpm-tis,tpmdev=tpm0 \
 -boot menu=on \
 -hda hda.qcow2

Some of the variations change the device from tpm-tis to tpm-crb, or point to different versions of QEMU or OVMF.

- Using different distributions in the VM, including ubuntu 21, ubuntu core, and tumbleweed.

In all cases the /sys/kernel/security/tpm0 directory is missing, and I can see the PCR registers (tpm2_pcrread), mostly at 0x00.

The only fixed point that still remains is that the two machines that I used (my desktop and a remote server) have the same kernel version (5.16.11-1-default #1 SMP PREEMPT Thu Feb 24 05:07:05 UTC 2022 (90630c5) x86_64 x86_64 x86_64 GNU/Linux), but I do not see how this can be relevant (the TPM used is emulated without root). A check in /var/log/audit or journalctl does not show anything related.
Comment 1 Alberto Planas Dominguez 2022-03-15 12:37:24 UTC
@jlee, it seems that it can be OVMF. Fabian realized that in TW we are not building Tcg2ConfigPei, but we did in older versions.
Comment 2 Alberto Planas Dominguez 2022-03-15 13:00:41 UTC
Seems that TPM_ENABLE / CONFIG is now separated in two: TPM1_ENABLE and TPM2_ENABLE, to be aligned with the Arm configuration. Seems that the CONFIG option is still in use in some arm code, but that can be a bug, as there is a patch to remove the CONFIG option.
Comment 3 Alberto Planas Dominguez 2022-03-15 13:07:55 UTC
Fabian just sent: https://build.opensuse.org/request/show/961877

After some more digging, TPM1 is by default TRUE, and TPM2 is FALSE. So this PR should do.
Comment 4 Fabian Vogt 2022-03-15 14:16:53 UTC
(In reply to Alberto Planas Dominguez from comment #2)
> Seems that TPM_ENABLE / CONFIG is now separated in two: TPM1_ENABLE and
> TPM2_ENABLE, to be aligned with the Arm configuration. Seems that the CONFIG
> option is still in use in some arm code, but that can be a bug, as there is
> a patch to remove the CONFIG option.

Yep. Would be nice if that could be clarified with upstream. TPM_CONFIG_ENABLE was removed with https://github.com/tianocore/edk2/commit/5711ff4d0b56ff4c58dc7a780e706bc58aed2253, but Arm kept TPM2_CONFIG_ENABLE: https://github.com/tianocore/edk2/commit/e521b3c54edf6f6251c71da44086a1022ad90c94
Comment 5 Joey Lee 2022-03-16 05:16:05 UTC
(In reply to Alberto Planas Dominguez from comment #3)
> Fabian just sent: https://build.opensuse.org/request/show/961877
> 
> After some more digging, TPM1 is by default TRUE, and TPM2 is FALSE. So this
> PR should do.

I have pushed Fabian's fix to the Virtualization project and am also pushing it to Factory.
It works for me: /sys/kernel/security/tpm0 is created in the guest.
Comment 6 Joey Lee 2022-03-16 06:03:21 UTC
(In reply to Fabian Vogt from comment #4)
> (In reply to Alberto Planas Dominguez from comment #2)
> > Seems that TPM_ENABLE / CONFIG is now separated in two: TPM1_ENABLE and
> > TPM2_ENABLE, to be aligned with the Arm configuration. Seems that the CONFIG
> > option is still in use in some arm code, but that can be a bug, as there is
> > a patch to remove the CONFIG option.
> 
> Yep. Would be nice if that could be clarified with upstream.
> TPM_CONFIG_ENABLE was removed with
> https://github.com/tianocore/edk2/commit/5711ff4d0b56ff4c58dc7a780e706bc58aed2253,
> but Arm kept TPM2_CONFIG_ENABLE:
> https://github.com/tianocore/edk2/commit/e521b3c54edf6f6251c71da44086a1022ad90c94

Yes, it looks like TPM2_CONFIG_ENABLE can also be removed from ArmVirtPkg.
Comment 9 Joey Lee 2022-03-31 04:12:37 UTC
*** Bug 1197324 has been marked as a duplicate of this bug. ***
Comment 10 Joey Lee 2022-03-31 04:14:26 UTC
*** Bug 1197267 has been marked as a duplicate of this bug. ***
Comment 11 Fabian Vogt 2022-06-22 14:10:25 UTC
Fixes got released some time ago.
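
A guest-side check for the symptom in this report (TPM device present, no /sys/kernel/security/tpm0, PCRs at zero) and for the confirmation in comment 5, as an added example that is not part of the bug thread. The function name, the state strings and the use of the `pcr-sha256` sysfs files (assumed available, kernel 5.12 or later) are assumptions of this example.

```sh
#!/bin/sh
# Classify the measured-boot state of a guest from sysfs and securityfs.
# $1 = filesystem root to inspect (default "/"); it is a parameter so the
# check can also be run against a copied or constructed tree.
# Inside the guest: measured_boot_state      (no argument inspects /)
measured_boot_state() {
    root="${1:-/}"
    tpm="$root/sys/class/tpm/tpm0"
    log="$root/sys/kernel/security/tpm0/binary_bios_measurements"

    [ -d "$tpm" ] || { echo "no-tpm"; return 0; }

    # Firmware built without TPM2 support hands no event log to the kernel,
    # so securityfs has no tpm0 directory: the symptom described in this bug.
    # Existence is tested, not size: securityfs files report a size of 0.
    if [ ! -e "$log" ]; then
        echo "tpm-present-no-event-log"; return 0
    fi

    # PCRs 0-7 are the firmware-owned registers. Count those still holding
    # an all-zero digest, i.e. never extended during boot.
    seen=0; zero=0
    for i in 0 1 2 3 4 5 6 7; do
        f="$tpm/pcr-sha256/$i"          # assumed sysfs export (kernel >= 5.12)
        [ -r "$f" ] || continue
        seen=$((seen + 1))
        v=$(tr -d ' \n' < "$f")
        case "$v" in
            *[!0]*) ;;                  # at least one non-zero hex digit
            *) zero=$((zero + 1)) ;;
        esac
    done

    if [ "$seen" -eq 0 ]; then echo "event-log-pcrs-not-readable"
    elif [ "$zero" -gt 0 ]; then echo "event-log-with-$zero-zero-pcrs"
    else echo "measured"
    fi
}
```

Where the `pcr-sha256` files are not available, the function reports `event-log-pcrs-not-readable` and the PCR values can be read with tpm2_pcrread, as in the description.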