OpenStack Compute (nova)

libvirt: swtpm_ioctl is required for vTPM support

Bug #2052761 reported by Takashi Kajinami on 2024-02-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Undecided	Takashi Kajinami

Bug Description

Description
===========
Libvirt uses swtpm_ioctl to shutdown the swtpm process at VM termination, because QEMU does not send shutdown command.
However the binary is not included in the required binaries (swtpm and swtpm_setup, at the time of writing) checked by libvirt driver. So users can use vTPM support without binaries, which leaves swtpm processes kept running.

Steps to reproduce
==================
* Deploy nova-compute with vTPM support
* Move swtpm_ioctl from PATH
* Restart nova-compute

Expected result
===============
nova-compute fails to start because swtpm_ioctl is missing

Actual result
=============
nova-compute starts without error and reports TPM traits.

Environment
===========
This issue was initially found in master, but would be present in stable branches.

Logs & Configs
==============
N/A

See original description

Takashi Kajinami (kajinamit) on 2024-02-09

Changed in nova:
assignee:	nobody → Takashi Kajinami (kajinamit)
description:	updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-02-09: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/nova/+/908546

Changed in nova:
status:	New → In Progress

Takashi Kajinami (kajinamit) on 2024-02-13

description:

updated

Revision history for this message

Takashi Kajinami (kajinamit) wrote on 2024-02-13:

The relevant commit in libvirt is https://github.com/libvirt/libvirt/commit/69122bc2f1a4f33a019e4e939bb12687a0f527d3 .

Currently libvirt reports availability of emulated vTPM only when swtpm_ioctl exists, but the logic in nova is not aligned with it.

Revision history for this message

Takashi Kajinami (kajinamit) wrote on 2024-02-13:

Ignore my previous comment...

Usage of swtpm_ioctl was addedx when support for external TPM, run by swtpm, was added in https://github.com/libvirt/libvirt/commit/2a606b863ebdc0a74e87c453bb9b76278a72d13b .

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-08-09: Fix merged to nova (master)

Reviewed: https://review.opendev.org/c/openstack/nova/+/908546
Committed: https://opendev.org/openstack/nova/commit/9a11bb25238288139c4473d9d91bf365ed88f435
Submitter: "Zuul (22348)"
Branch: master

commit 9a11bb25238288139c4473d9d91bf365ed88f435
Author: Takashi Kajinami <email address hidden>
Date: Fri Feb 9 12:16:45 2024 +0900

libvirt: Ensure swtpm_ioctl is available for vTPM support

    Libvirt uses swtpm_ioctl to terminate swtpm processes. If the binary
    does not exist, swtpm processes are kept running after the associated
    VM terminates, because QEMU does not send shutdown to swtpm.

Closes-Bug: #2052761
Change-Id: I682f71512fc33a49b8dfe93894f144e48f33abe6

Changed in nova:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-09-20: Fix included in openstack/nova 30.0.0.0rc1

This issue was fixed in the openstack/nova 30.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.