vTPM on KVM does not persist data (ACS 4.20.1.0, Ubuntu 24.04)

[jgotteswinter]

problem

after a shutdown, the /var/lib/libvirt/swtpm/ which holds the tpm data is gone. When starting the vm again, the folder is re-created with empty tpm files.

I am using a similar tpm definition in manually configured kvm guests, if those vm are powered off the folder remains.

versions

4.20.1.0
Ubuntu 24.04

The steps to reproduce the bug

root@VM-647bf7bc-bdca-48fa-8329-8b7a103f9ab6:~# echo "Hello, TPM!" > datafile
root@VM-647bf7bc-bdca-48fa-8329-8b7a103f9ab6:~# tpm2_nvwrite -C o -i datafile 0x1500016
root@VM-647bf7bc-bdca-48fa-8329-8b7a103f9ab6:~# tpm2_nvread -C o 0x1500016
WARN: Reading full size of the NV index
Hello, TPM!

Instance power cycle, and tryi to read our value again from the tpm

root@VM-647bf7bc-bdca-48fa-8329-8b7a103f9ab6:~# tpm2_nvread -C o 0x1500016
WARN: Reading full size of the NV index
WARNING:esys:src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:243:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x0000018b)
ERROR:esys:src/tss2-esys/esys_tr.c:398:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b)
ERROR: Esys_TR_FromTPMPublic(0x18B) - tpm:handle(1):the handle is not correct for the use
ERROR: Unable to run tpm2_nvread
root@VM-647bf7bc-bdca-48fa-8329-8b7a103f9ab6:

What to do about it?

No response

[weizhouapache]

@jgotteswinter
added to 4.20.3.0 milestone

[weizhouapache]

if vm runs on local storage, this might work

@@ -123,7 +123,7 @@
       <alias name='input2'/>
     </input>
     <tpm model='tpm-tis'>
-      <backend type='emulator' version='2.0'/>
+      <backend type='emulator' version='2.0' persistent_state='yes'/>
       <alias name='tpm0'/>
     </tpm>

however, if vm runs on shared storage, when vm is migrated, or started on another host, it will not work, as the tpm file is saved on the original host, for example /var/lib/libvirt/swtpm/<vm uuid>/tpm2/tpm2-00.permall

we could save the tpm file on the same primary pool as ROOT disk, for example <path of ROOT disk>.tpm2, add then create a vm with tpm device (it is supported since libivrt v10.10.0, so it does not work on RHEL 8/9 and ubuntu 22/24, it only works with RHEL 10)

       <alias name='input2'/>
     </input>
     <tpm model='tpm-tis'>
-      <backend type='emulator' version='2.0'/>
+      <backend type='emulator' version='2.0' persistent_state='yes'>
+          <source type='file' path='<path of ROOT disk>.tpm2'/>
+      </backend>
       <alias name='tpm0'/>
     </tpm>

then we need to handle the migration of the tpm2 file when migrate ROOT disk to another storage pool.

[jgotteswinter]

i am using the swtpm together with manually deployed vms, using this tpm definition

    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
      <alias name='tpm0'/>
    </tpm>

the files remain, even after the vm has been powered off

[weizhouapache]

i am using the swtpm together with manually deployed vms, using this tpm definition

    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
      <alias name='tpm0'/>
    </tpm>

the files remain, even after the vm has been powered off

it may be because the vms you created are defined and persistent on the kvm host.
when you stop them, you can still find them by virsh list --all

but the vms created by ACS, are not persistent on the kvm host.

[jgotteswinter]

yes, you are absolutely right

[jgotteswinter]

i did not yet test moving the tpm files to a different host, but it might be also needed to handle /var/lib/swtpm-localca to get migration working

[jgotteswinter]

Is there currently any warning or hint in the docs somewhere that the current implementation is non-persisting? I think this should mentioned.

[weizhouapache]

Is there currently any warning or hint in the docs somewhere that the current implementation is non-persisting? I think this should mentioned.

created a doc PR: apache/cloudstack-documentation#598