[CentOS-virt] virsh doesn't support vtpm using XEN?
Hi again! More TPM + XEN stuff. Have a look at the following:

== "xl list -l centos7.0" ==
[
    {
        "domid": 31,
        "config": {
            "c_info": {
                "type": "hvm",
                "name": "centos7.0",
                "uuid": "feef6cac-8148-4040-a7cb-ad1f82d8d68a",
                "run_hotplug_scripts": "True"
            },
            "b_info": {
                "max_vcpus": 4,
                "avail_vcpus": [ 0, 1, 2, 3 ],
                "max_memkb": 4194304,
                "target_memkb": 4194304,
                "video_memkb": 8192,
                "shadow_memkb": 36864,
                "localtime": "False",
                "sched_params": { },
                "claim_mode": "True",
                "acpi": "True",
                "type.hvm": {
                    "pae": "True",
                    "apic": "True",
                    "viridian": "False",
                    "vga": { },
                    "vnc": {
                        "enable": "True",
                        "listen": "127.0.0.1",
                        "findunused": "True"
                    },
                    "keymap": "en-us",
                    "sdl": { "enable": "False" },
                    "spice": { },
                    "serial": "pty",
                    "boot": "c",
                    "usb": "True",
                    "usbdevice": "tablet",
                    "rdm": { }
                },
                "arch_arm": { }
            },
            "disks": [
                {
                    "pdev_path": "/dev/node_b_vg/testimage",
                    "vdev": "hda",
                    "format": "raw",
                    "readwrite": 1,
                    "colo_restore_enable": "False"
                }
            ],
            "nics": [
                { "devid": 0, "mac": "00:16:3e:7c:04:3a", "bridge": "bc_br0", "script": "vif-bridge", "nictype": "vif_ioemu" },
                { "devid": 1, "mac": "00:16:3e:b4:c1:c6", "bridge": "mgmt_br0", "script": "vif-bridge", "nictype": "vif_ioemu" },
                { "devid": 2, "mac": "00:16:3e:3a:78:01", "bridge": "dsip_int_br0", "script": "vif-bridge", "nictype": "vif_ioemu" },
                { "devid": 3, "mac": "00:16:3e:fd:44:a6", "bridge": "dsip_ext_br0", "script": "vif-bridge", "nictype": "vif_ioemu" }
            ],
            "vtpms": [
                {
                    "backend_domname": "vtpm01",
                    "devid": 0,
                    "uuid": "163088d1-1565-49a0-8e0b-64dfc62460bc"
                }
            ],
            "on_reboot": "restart",
            "on_soft_reset": "soft_reset"
        }
    }
]
===

And then:

== "virsh dumpxml centos7.0" ==
centos7.0 feef6cac-8148-4040-a7cb-ad1f82d8d68a 4194304 4194304 4 hvm /usr/lib64/xen/boot/hvmloader destroy restart destroy /usr/lib64/xen/bin/qemu-system-i386
===

A closer look at this will reveal the correct vtpm specification for the native xl command, but it is completely missing from the XML when running virsh. Do we need a more current version of libvirt?
Best
Dag
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt
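The mismatch shown in the post above (a vtpm in the xl config, nothing in the libvirt XML) can be checked mechanically rather than by eye. The script below is an added example, not part of the thread and not Xen's or libvirt's own tooling: it parses `xl list -l` JSON and libvirt domain XML and reports, per domain, whether the Xen vtpm has a `<tpm>` counterpart on the libvirt side. All inputs are constructed: the JSON mirrors the centos7.0 record above trimmed to the fields used, the second domain `plain-guest` is made up, and the libvirt XML fragments (including the `<tpm>` element used for the positive case) are assumed cut-down domain definitions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed input, not real command output. The first record mirrors the
# thread's `xl list -l centos7.0` output (trimmed); the second is a made-up
# domain with no vtpm, to exercise the "nothing to compare" case.
XL_LIST_JSON = """
[
  { "domid": 31,
    "config": {
      "c_info": { "type": "hvm", "name": "centos7.0",
                  "uuid": "feef6cac-8148-4040-a7cb-ad1f82d8d68a" },
      "vtpms": [ { "backend_domname": "vtpm01", "devid": 0,
                   "uuid": "163088d1-1565-49a0-8e0b-64dfc62460bc" } ] } },
  { "domid": 32,
    "config": {
      "c_info": { "type": "hvm", "name": "plain-guest",
                  "uuid": "00000000-0000-0000-0000-000000000001" } } }
]
"""

# Constructed libvirt domain XML for centos7.0: <devices> carries the disk
# but no <tpm>, which is the situation reported on the list.
VIRSH_XML_NO_TPM = """
<domain type='xen'>
  <name>centos7.0</name>
  <uuid>feef6cac-8148-4040-a7cb-ad1f82d8d68a</uuid>
  <devices>
    <disk type='block' device='disk'>
      <source dev='/dev/node_b_vg/testimage'/>
      <target dev='hda' bus='ide'/>
    </disk>
  </devices>
</domain>
"""

# Constructed positive case: the same domain with a <tpm> device written in
# libvirt's schema, i.e. what a libvirt that understands the vtpm would render.
VIRSH_XML_WITH_TPM = VIRSH_XML_NO_TPM.replace(
    "</devices>",
    "  <tpm model='tpm-tis'>\n"
    "    <backend type='passthrough'>\n"
    "      <device path='/dev/tpm0'/>\n"
    "    </backend>\n"
    "  </tpm>\n  </devices>")

# Constructed XML for the made-up domain without any TPM.
VIRSH_XML_PLAIN = """
<domain type='xen'><name>plain-guest</name><devices/></domain>
"""


def xl_vtpms(xl_json):
    """Map domain name -> list of vtpm records from `xl list -l` JSON."""
    return {dom["config"]["c_info"]["name"]: dom["config"].get("vtpms", [])
            for dom in json.loads(xl_json)}


def libvirt_tpms(domain_xml):
    """(model, backend type) for each <tpm> under <devices> in a libvirt domain XML."""
    root = ET.fromstring(domain_xml)
    tpms = []
    for tpm in root.findall("./devices/tpm"):
        backend = tpm.find("backend")
        tpms.append((tpm.get("model"), None if backend is None else backend.get("type")))
    return tpms


def audit(xl_json, xml_by_name):
    """Compare each xl domain's vtpms with the <tpm> devices in its libvirt XML.

    Returns {domain name: status}, where status is one of:
      'ok'                  vtpm present on both sides
      'missing-in-libvirt'  xl has a vtpm, the libvirt XML has no <tpm>
      'missing-in-xl'       libvirt has a <tpm>, xl has no vtpm
      'no-tpm'              neither side defines one
      'no-libvirt-xml'      no XML was supplied for this domain
    """
    report = {}
    for name, vtpms in xl_vtpms(xl_json).items():
        xml = xml_by_name.get(name)
        if xml is None:
            report[name] = "no-libvirt-xml"
            continue
        tpms = libvirt_tpms(xml)
        if vtpms and not tpms:
            report[name] = "missing-in-libvirt"
        elif tpms and not vtpms:
            report[name] = "missing-in-xl"
        elif vtpms:
            report[name] = "ok"
        else:
            report[name] = "no-tpm"
    return report


if __name__ == "__main__":
    xmls = {"centos7.0": VIRSH_XML_NO_TPM, "plain-guest": VIRSH_XML_PLAIN}
    for name, status in audit(XL_LIST_JSON, xmls).items():
        print(f"{name}: {status}")
```

On a live host one would feed `audit()` the output of `xl list -l` and one `virsh dumpxml <name>` per domain; a `missing-in-libvirt` result is the signal that whatever is managed through libvirt (pacemaker resource agents, migration) will not see the vTPM even though xl will attach it.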
Re: [CentOS-virt] We need a patch in the kernel for tpm
On Thursday 13 September 2018 at 15:50:11 EEST George Dunlap wrote:
> On Thu, Sep 13, 2018 at 1:42 PM Dag Nygren wrote:
> > But I would appreciate it if somebody used to the
> > procedures would pick it up from here.
>
> It's not a mailing list, it's the public git repo for the xen kernel
> packages. :-)
>
> As I said, Anthony or I will probably do it at some point (and I've
> also forwarded your mail to the upstream Linux Xen maintainers). But
> you sending a PR accomplishes a few things:
>
> 1. It gets things there faster
> 2. It gets you more familiar with the CentOS workflow, so that you can
> more easily send improvements / fixes in the future. :-)

Fair enough. But the problem seems to be that I don't have push access to xen-kernel.git to create a new fork and a pull request for my changes. And I am not familiar enough with git to do it in any other way...

Best
Dag
Re: [CentOS-virt] We need a patch in the kernel for tpm
On Thursday 13 September 2018 at 12:58:03 EEST George Dunlap wrote:
> Dag,
> Just verified after a lengthy compilation of the kernel that the patch really works and now I can see a TPM on the virtual side!
> Thanks for tracking this down. Any chance you could send a PR to
> https://github.com/CentOS-virt7/xen-kernel?

I will definitely join that mailing list. Have a feeling this is not the last problem I will see :-)

> Otherwise, Anthony or I will take a look when we get a chance.

But I would appreciate it if somebody used to the procedures would pick it up from here.

The patch was the following:

===
diff --git a/drivers/char/tpm/xen-tpmfront.c b/drivers/char/tpm/xen-tpmfront.c
index 5aaa268..dd83a07 100644
--- a/drivers/char/tpm/xen-tpmfront.c
+++ b/drivers/char/tpm/xen-tpmfront.c
@@ -203,7 +203,7 @@ static int setup_ring(struct xenbus_device *dev, struct tpm_private *priv) return -ENOMEM; } - rv = xenbus_grant_ring(dev, &priv->shr, 1, &gref); + rv = xenbus_grant_ring(dev, priv->shr, 1, &gref); if (rv < 0) return rv;
===

Best
Dag
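Review bot: the one-line change in the setup_ring hunk is the right fix but needs a commit message. Since the corrected call passes `priv->shr` as the ring address, `shr` is the pointer to the shared ring page, so the old argument `&priv->shr` was the address of that pointer member inside `struct tpm_private`; the backend was therefore being granted a page that is not the ring, which is consistent with the guest seeing no TPM until this patch is applied. The submission should say exactly that, reference the upstream patchwork entry the thread cites (https://patchwork.kernel.org/patch/9485637/), and name the observed failure, so the CentOS kernel packagers can drop the local patch once the upstream version lands.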
[CentOS-virt] We need a patch in the kernel for tpm
Hi!

Think I found a reference to the problem(s) I am seeing with xen-tpmfront in my setup on the net:

https://patchwork.kernel.org/patch/9485637/

This patch has not been officially entered and it is not included in the kernel provided in SIG virt either.

Can we please get it in?

Best
Dag
[CentOS-virt] virsh support for TPM?
Hi again!

Succeeded in creating vtpmmgr-stubdom.gz from the source RPM with some shortcuts.

Now the next problem seems to be that the libvirt we have will not support the XEN vtpm:s. For example: virsh dumpxml will not contain any info on the vtpm :-(

Am I really the first one around with a need for TPM support in the VM:s??

Best
Dag
Re: [CentOS-virt] vtpm support in the rpms ?
On Wednesday 5 September 2018 at 11:45:29 EEST Dag Nygren wrote:
> Trying to enable vtpm in a Centos7 XEN installation
> and can find very little of the needed stuff.
>
> Is vtpm enabled in the SIG rpms?

In other words: In which rpm do I find the file:
/usr/lib/xen/boot/vtpmmgr-stubdom.gz

Best
Dag
[CentOS-virt] vtpm support in the rpms ?
Hi!

Trying to enable vtpm in a Centos7 XEN installation and can find very little of the needed stuff.

Is vtpm enabled in the SIG rpms?

Best
Dag
Re: [CentOS-virt] TPM
On Wednesday 29 August 2018 at 15:46:54 EEST Dag Nygren wrote:
> On Wednesday 29 August 2018 at 15:37:47 EEST Alvin Starr wrote:
> > You could try using Xen.
> > A quick search implies that Xen from 4.3 onward will virtualize TPM.
> > I am not sure if the libvirt drivers for xen will support the feature
> > but some work around may be possible.
>
> Thanks! Seems to be exactly what is needed.

Had a look at this and am still full of questions..

1. The XEN TPM virtualization doesn't seem to support TPM 2.0 up to the guest - only down to the HW TPM. Not entirely a showstopper, but 2.0 was a wish from the customer...
2. Still investigating the security implications in going from QEMU to XEN ...

Appreciate the good advice I have been getting so far!

Best
Dag
Re: [CentOS-virt] TPM
On Wednesday 29 August 2018 at 20:19:22 EEST Alvin Starr wrote:
> So in this case do the VM's need to be protected from each other or are
> they all inside a safe controlled network.

No, the environment is quite controlled. What needs to be achieved is that IF someone steals the image for one or several of the VM:s they will not be able to emulate the functionality on any other hardware platform. The VM:s are together making up a functional setup where they are all needed. Isolation between them is not critical.

> Is this to secure one VM from another or is it being used for something
> like software licensing validation?
>
> One has serious security implications the other is just making it
> possible for someone to run a stupid licensing model on a virtual machine.

No licensing :-)

Best
Dag
Re: [CentOS-virt] TPM
On Wednesday 29 August 2018 at 17:39:18 EEST Stephen John Smoogen wrote:
> On Wed, 29 Aug 2018 at 10:25, Dag Nygren wrote:
> > Anyone here with an experience in transitioning QEMU -> XEN ?
>
> http://www.cse.psu.edu/~pdm12/cse544/slides/cse544-schiffman-vTPM.pdf goes
> through some of the problems.

Yes, I had a look at that earlier and it seems XEN has solved most of the problems.

> You need to be aware of the limitations of
> the specific TPM your hardware has, and what you are giving up in the trust
> model with any vTPM [aka your virtual machine can't move from its server,
> your TPM isn't real and can possibly be looked at by other guests, etc etc.]

Couldn't find anything on the issue of migration of the VM, but I thought that Xen has that one also taken care of? (Exporting and importing keys.) Am I completely wrong here?

Best
Dag
Re: [CentOS-virt] TPM
On Wednesday 29 August 2018 at 15:37:47 EEST Alvin Starr wrote:
> You could try using Xen.
> A quick search implies that Xen from 4.3 onward will virtualize TPM.
> I am not sure if the libvirt drivers for xen will support the feature
> but some work around may be possible.

Nice attitude and helpfulness in this list!

Just had a look and it doesn't seem to be that intrusive a change going from QEMU to XEN. pacemaker, corosync and libvirt all seem to isolate the engine and most settings should work as is.

Anyone here with experience in transitioning QEMU -> XEN?

Best
Dag
Re: [CentOS-virt] TPM
On Wednesday 29 August 2018 at 15:37:47 EEST Alvin Starr wrote:
> On 08/29/2018 07:38 AM, Dag Nygren wrote:
> > On Wednesday 29 August 2018 at 10:00:39 EEST Sandro Bonazzola wrote:
> >> 2018-08-28 13:52 GMT+02:00 Dag Nygren :
> >>
> >>> We have a desperate need for TPM support and:
> >>>
> >>> 1. Tried the "standard" distro install. libvirt supports
> >>>    TPM passthrough but kvm-qemu barfs:
> >>>    "unsupported configuration: The QEMU executable /usr/libexec/qemu-kvm
> >>>    does not support TPM backend type passthrough"
> >>>
> >>> 2. Then activated the qemu-ev repo and updated qemu-kvm to version 2.10.0,
> >>>    which for sure should support at least passthrough. No luck - Same error message.
> >>>    Downloaded the source for the rpm and found a line: "--disable-tpm"
> >>>    in build_configure.sh. Guess that the maintainers have some reason
> >>>    to turn tpm off. Can someone confirm this?
> >>>
> >> Not sure about reasons for turning off, but request to enable it has been
> >> closed wontfix: https://bugzilla.redhat.com/show_bug.cgi?id=1327947
> >
> > Thanks for the comments and reactions so far!
> >
> > Well. Changed -disable-tpm to enable-tpm in the rpmbuild and
> > built myself a version with TPM passthrough enabled. Just to find
> > out that it only supports tpm_tis in 2.10.0 and our device
> > only seems to speak tpm_cdr :-(. Bugger.. But we really do need multiple
> > VM:s accessing the hardware TPM anyway and this would only give us
> > one VM ...
> >
> > Also downloaded qemu 2.12.0 and tried to very optimistically just
> > throw it in the rpmbuild. And got a heap of patch fails already
> > at the first patch. Expected of course... So no such luck.
> >
> > Now looking further it also seems like even 2.12.0 will not solve
> > our problem as it only gives multiple VM access to the swtpm emulator.
> > We need access to the hardware TPM...
> >
> > Can you make swtpm use the hardware ?
> >
> > Any advice would/will be valuable!
> >
> You could try using Xen.
> A quick search implies that Xen from 4.3 onward will virtualize TPM.
> I am not sure if the libvirt drivers for xen will support the feature
> but some work around may be possible.

Thanks! Seems to be exactly what is needed. The problem here is that we have invested a lot of work and money in a QEMU solution already and have everything else working smoothly... The client just recently figured out that they will need TPM so nobody looked for it until now.

But I will look into this!

Best
Dag
Re: [CentOS-virt] TPM
On Wednesday 29 August 2018 at 10:00:39 EEST Sandro Bonazzola wrote:
> 2018-08-28 13:52 GMT+02:00 Dag Nygren :
>
> > We have a desperate need for TPM support and:
> >
> > 1. Tried the "standard" distro install. libvirt supports
> >    TPM passthrough but kvm-qemu barfs:
> >    "unsupported configuration: The QEMU executable /usr/libexec/qemu-kvm
> >    does not support TPM backend type passthrough"
> >
> > 2. Then activated the qemu-ev repo and updated qemu-kvm to version 2.10.0,
> >    which for sure should support at least passthrough. No luck - Same error message.
> >    Downloaded the source for the rpm and found a line: "--disable-tpm"
> >    in build_configure.sh. Guess that the maintainers have some reason
> >    to turn tpm off. Can someone confirm this?
> >
> Not sure about reasons for turning off, but request to enable it has been
> closed wontfix: https://bugzilla.redhat.com/show_bug.cgi?id=1327947

Thanks for the comments and reactions so far!

Well. Changed -disable-tpm to enable-tpm in the rpmbuild and built myself a version with TPM passthrough enabled. Just to find out that it only supports tpm_tis in 2.10.0 and our device only seems to speak tpm_cdr :-(. Bugger.. But we really do need multiple VM:s accessing the hardware TPM anyway and this would only give us one VM ...

Also downloaded qemu 2.12.0 and tried to very optimistically just throw it in the rpmbuild. And got a heap of patch fails already at the first patch. Expected of course... So no such luck.

Now looking further it also seems like even 2.12.0 will not solve our problem as it only gives multiple VM access to the swtpm emulator. We need access to the hardware TPM...

Can you make swtpm use the hardware?

Any advice would/will be valuable!

Best
Dag
[CentOS-virt] TPM
Hi all!

Just setting up a cluster using Centos 7. We have a desperate need for TPM support and:

1. Tried the "standard" distro install. libvirt supports TPM passthrough but kvm-qemu barfs:
   "unsupported configuration: The QEMU executable /usr/libexec/qemu-kvm does not support TPM backend type passthrough"

2. Then activated the qemu-ev repo and updated qemu-kvm to version 2.10.0, which for sure should support at least passthrough. No luck - Same error message.
   Downloaded the source for the rpm and found a line: "--disable-tpm" in build_configure.sh. Guess that the maintainers have some reason to turn tpm off. Can someone confirm this?

3. And now what next? The setup would really need swtpm, which should be available in 2.11.0. Can someone confirm that tpm will be enabled here?
   Would also be nice having a libvirt that will accept the swtpm configuration. The current one doesn't like it.

Could of course recompile qemu myself, but really wouldn't like going that route. The sheer number of patches applied is quite scary...

Best
Dag