From 312c5404011f6a80d1467a19abd916fd203dd7d4 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 16 Oct 2024 13:51:28 -0400 Subject: [PATCH 1/3] tpm: Use new ptm_cap_n structure for PTM_GET_CAPABILITY MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use the new ptm_cap_n structure for getting the PTM_GET_CAPABILITY response from swtpm. Previously only 17 bits could possibly have been set in ptm_cap (uint64_t) in big endian order and those bits are now found in the 2nd 32bit word in the response in the caps field. This data structure makes it now clear that the 1st 32bit word carries the tpm_result like all the other response structures of all other commands do. The changes are taken from the swtpm project's tpm_ioctl.h. Reviewed-by: Daniel P. Berrangé Signed-off-by: Stefan Berger --- backends/tpm/tpm_emulator.c | 14 ++++++++------ backends/tpm/tpm_ioctl.h | 13 ++++++++++++- backends/tpm/trace-events | 2 +- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c index 5a8fba9bde..b0e2fb3fc7 100644 --- a/backends/tpm/tpm_emulator.c +++ b/backends/tpm/tpm_emulator.c @@ -72,7 +72,7 @@ struct TPMEmulator { CharBackend ctrl_chr; QIOChannel *data_ioc; TPMVersion tpm_version; - ptm_cap caps; /* capabilities of the TPM */ + uint32_t caps; /* capabilities of the TPM */ uint8_t cur_locty_number; /* last set locality */ Error *migration_blocker; @@ -239,13 +239,15 @@ static void tpm_emulator_handle_request(TPMBackend *tb, TPMBackendCmd *cmd, static int tpm_emulator_probe_caps(TPMEmulator *tpm_emu) { + ptm_cap_n cap_n; + if (tpm_emulator_ctrlcmd(tpm_emu, CMD_GET_CAPABILITY, - &tpm_emu->caps, 0, sizeof(tpm_emu->caps)) < 0) { + &cap_n, 0, sizeof(cap_n)) < 0) { error_report("tpm-emulator: probing failed : %s", strerror(errno)); return -1; } - tpm_emu->caps = be64_to_cpu(tpm_emu->caps); + tpm_emu->caps = be32_to_cpu(cap_n.u.resp.caps); trace_tpm_emulator_probe_caps(tpm_emu->caps); @@ -254,7 +256,7 @@ static int tpm_emulator_probe_caps(TPMEmulator *tpm_emu) static int tpm_emulator_check_caps(TPMEmulator *tpm_emu) { - ptm_cap caps = 0; + uint32_t caps = 0; const char *tpm = NULL; /* check for min. required capabilities */ @@ -527,8 +529,8 @@ static size_t tpm_emulator_get_buffer_size(TPMBackend *tb) static int tpm_emulator_block_migration(TPMEmulator *tpm_emu) { Error *err = NULL; - ptm_cap caps = PTM_CAP_GET_STATEBLOB | PTM_CAP_SET_STATEBLOB | - PTM_CAP_STOP; + uint32_t caps = PTM_CAP_GET_STATEBLOB | PTM_CAP_SET_STATEBLOB | + PTM_CAP_STOP; if (!TPM_EMULATOR_IMPLEMENTS_ALL_CAPS(tpm_emu, caps)) { error_setg(&tpm_emu->migration_blocker, diff --git a/backends/tpm/tpm_ioctl.h b/backends/tpm/tpm_ioctl.h index 1933ab6855..ee2dd15d35 100644 --- a/backends/tpm/tpm_ioctl.h +++ b/backends/tpm/tpm_ioctl.h @@ -29,6 +29,16 @@ typedef uint32_t ptm_res; +/* PTM_GET_CAPABILITY: Get supported capabilities (ioctl's) */ +struct ptm_cap_n { + union { + struct { + ptm_res tpm_result; /* will always be TPM_SUCCESS (0) */ + uint32_t caps; + } resp; /* response */ + } u; +}; + /* PTM_GET_TPMESTABLISHED: get the establishment bit */ struct ptm_est { union { @@ -242,7 +252,8 @@ struct ptm_lockstorage { } u; }; -typedef uint64_t ptm_cap; +typedef uint64_t ptm_cap; /* CUSE-only; use ptm_cap_n otherwise */ +typedef struct ptm_cap_n ptm_cap_n; typedef struct ptm_est ptm_est; typedef struct ptm_reset_est ptm_reset_est; typedef struct ptm_loc ptm_loc; diff --git a/backends/tpm/trace-events b/backends/tpm/trace-events index cb5cfa6510..05e30533ce 100644 --- a/backends/tpm/trace-events +++ b/backends/tpm/trace-events @@ -16,7 +16,7 @@ tpm_util_show_buffer_content(const char *buf) "%s" # tpm_emulator.c tpm_emulator_set_locality(uint8_t locty) "setting locality to %d" tpm_emulator_handle_request(void) "processing TPM command" -tpm_emulator_probe_caps(uint64_t caps) "capabilities: 0x%"PRIx64 +tpm_emulator_probe_caps(uint32_t caps) "capabilities: 0x%x" tpm_emulator_set_buffer_size(uint32_t buffersize, uint32_t minsize, uint32_t maxsize) "buffer size: %u, min: %u, max: %u" tpm_emulator_startup_tpm_resume(bool is_resume, size_t buffersize) "is_resume: %d, buffer size: %zu" tpm_emulator_get_tpm_established_flag(uint8_t flag) "got established flag: %d" From d2bcaacc17c4427bdb2d959cd91a42425fcca3c9 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 16 Oct 2024 13:51:29 -0400 Subject: [PATCH 2/3] tpm_emulator: Read control channel response in 2 passes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Error responses from swtpm are typically only 4 bytes long with the exception of a few commands that return more bytes. Therefore, read the entire response in 2 steps and stop if the first few bytes indicate an error response with no subsequent bytes readable. Read the rest in a 2nd step, if needed. This avoids getting stuck while waiting for too many bytes in case of an error. The 'getting stuck' condition has not been observed in practice so far, though. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2615 Reviewed-by: Daniel P. Berrangé Signed-off-by: Stefan Berger --- backends/tpm/tpm_emulator.c | 62 +++++++++++++++++++++++++++---------- 1 file changed, 46 insertions(+), 16 deletions(-) diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c index b0e2fb3fc7..aa05dab6ae 100644 --- a/backends/tpm/tpm_emulator.c +++ b/backends/tpm/tpm_emulator.c @@ -123,12 +123,14 @@ static const char *tpm_emulator_strerror(uint32_t tpm_result) } static int tpm_emulator_ctrlcmd(TPMEmulator *tpm, unsigned long cmd, void *msg, - size_t msg_len_in, size_t msg_len_out) + size_t msg_len_in, size_t msg_len_out_err, + size_t msg_len_out_total) { CharBackend *dev = &tpm->ctrl_chr; uint32_t cmd_no = cpu_to_be32(cmd); ssize_t n = sizeof(uint32_t) + msg_len_in; uint8_t *buf = NULL; + ptm_res res; WITH_QEMU_LOCK_GUARD(&tpm->mutex) { buf = g_alloca(n); @@ -140,8 +142,25 @@ static int tpm_emulator_ctrlcmd(TPMEmulator *tpm, unsigned long cmd, void *msg, return -1; } - if (msg_len_out != 0) { - n = qemu_chr_fe_read_all(dev, msg, msg_len_out); + if (msg_len_out_total > 0) { + assert(msg_len_out_total >= msg_len_out_err); + + n = qemu_chr_fe_read_all(dev, (uint8_t *)msg, msg_len_out_err); + if (n <= 0) { + return -1; + } + if (msg_len_out_err == msg_len_out_total) { + return 0; + } + /* result error code is always in the first 4 bytes */ + assert(sizeof(res) <= msg_len_out_err); + memcpy(&res, msg, sizeof(res)); + if (res) { + return 0; + } + + n = qemu_chr_fe_read_all(dev, (uint8_t *)msg + msg_len_out_err, + msg_len_out_total - msg_len_out_err); if (n <= 0) { return -1; } @@ -204,7 +223,8 @@ static int tpm_emulator_set_locality(TPMEmulator *tpm_emu, uint8_t locty_number, memset(&loc, 0, sizeof(loc)); loc.u.req.loc = locty_number; if (tpm_emulator_ctrlcmd(tpm_emu, CMD_SET_LOCALITY, &loc, - sizeof(loc), sizeof(loc)) < 0) { + sizeof(loc), sizeof(loc.u.resp.tpm_result), + sizeof(loc)) < 0) { error_setg(errp, "tpm-emulator: could not set locality : %s", strerror(errno)); return -1; @@ -241,8 +261,9 @@ static int tpm_emulator_probe_caps(TPMEmulator *tpm_emu) { ptm_cap_n cap_n; - if (tpm_emulator_ctrlcmd(tpm_emu, CMD_GET_CAPABILITY, - &cap_n, 0, sizeof(cap_n)) < 0) { + if (tpm_emulator_ctrlcmd(tpm_emu, CMD_GET_CAPABILITY, &cap_n, 0, + sizeof(cap_n.u.resp.tpm_result), + sizeof(cap_n)) < 0) { error_report("tpm-emulator: probing failed : %s", strerror(errno)); return -1; } @@ -292,7 +313,8 @@ static int tpm_emulator_stop_tpm(TPMBackend *tb) TPMEmulator *tpm_emu = TPM_EMULATOR(tb); ptm_res res; - if (tpm_emulator_ctrlcmd(tpm_emu, CMD_STOP, &res, 0, sizeof(res)) < 0) { + if (tpm_emulator_ctrlcmd(tpm_emu, CMD_STOP, &res, 0, + sizeof(ptm_res), sizeof(res)) < 0) { error_report("tpm-emulator: Could not stop TPM: %s", strerror(errno)); return -1; @@ -319,8 +341,9 @@ static int tpm_emulator_lock_storage(TPMEmulator *tpm_emu) /* give failing side 300 * 10ms time to release lock */ pls.u.req.retries = cpu_to_be32(300); - if (tpm_emulator_ctrlcmd(tpm_emu, CMD_LOCK_STORAGE, &pls, - sizeof(pls.u.req), sizeof(pls.u.resp)) < 0) { + if (tpm_emulator_ctrlcmd(tpm_emu, CMD_LOCK_STORAGE, &pls, sizeof(pls.u.req), + sizeof(pls.u.resp.tpm_result), + sizeof(pls.u.resp)) < 0) { error_report("tpm-emulator: Could not lock storage within 3 seconds: " "%s", strerror(errno)); return -1; @@ -351,7 +374,8 @@ static int tpm_emulator_set_buffer_size(TPMBackend *tb, psbs.u.req.buffersize = cpu_to_be32(wanted_size); if (tpm_emulator_ctrlcmd(tpm_emu, CMD_SET_BUFFERSIZE, &psbs, - sizeof(psbs.u.req), sizeof(psbs.u.resp)) < 0) { + sizeof(psbs.u.req), sizeof(psbs.u.resp.tpm_result), + sizeof(psbs.u.resp)) < 0) { error_report("tpm-emulator: Could not set buffer size: %s", strerror(errno)); return -1; @@ -398,6 +422,7 @@ static int tpm_emulator_startup_tpm_resume(TPMBackend *tb, size_t buffersize, } if (tpm_emulator_ctrlcmd(tpm_emu, CMD_INIT, &init, sizeof(init), + sizeof(init.u.resp.tpm_result), sizeof(init)) < 0) { error_report("tpm-emulator: could not send INIT: %s", strerror(errno)); @@ -439,8 +464,9 @@ static bool tpm_emulator_get_tpm_established_flag(TPMBackend *tb) return tpm_emu->established_flag; } - if (tpm_emulator_ctrlcmd(tpm_emu, CMD_GET_TPMESTABLISHED, &est, - 0, sizeof(est)) < 0) { + if (tpm_emulator_ctrlcmd(tpm_emu, CMD_GET_TPMESTABLISHED, &est, 0, + sizeof(est) /* always returns resp.bit */, + sizeof(est)) < 0) { error_report("tpm-emulator: Could not get the TPM established flag: %s", strerror(errno)); return false; @@ -468,6 +494,7 @@ static int tpm_emulator_reset_tpm_established_flag(TPMBackend *tb, reset_est.u.req.loc = tpm_emu->cur_locty_number; if (tpm_emulator_ctrlcmd(tpm_emu, CMD_RESET_TPMESTABLISHED, &reset_est, sizeof(reset_est), + sizeof(reset_est.u.resp.tpm_result), sizeof(reset_est)) < 0) { error_report("tpm-emulator: Could not reset the establishment bit: %s", strerror(errno)); @@ -499,7 +526,7 @@ static void tpm_emulator_cancel_cmd(TPMBackend *tb) /* FIXME: make the function non-blocking, or it may block a VCPU */ if (tpm_emulator_ctrlcmd(tpm_emu, CMD_CANCEL_TPM_CMD, &res, 0, - sizeof(res)) < 0) { + sizeof(ptm_res), sizeof(res)) < 0) { error_report("tpm-emulator: Could not cancel command: %s", strerror(errno)); } else if (res != 0) { @@ -559,7 +586,7 @@ static int tpm_emulator_prepare_data_fd(TPMEmulator *tpm_emu) qemu_chr_fe_set_msgfds(&tpm_emu->ctrl_chr, fds + 1, 1); if (tpm_emulator_ctrlcmd(tpm_emu, CMD_SET_DATAFD, &res, 0, - sizeof(res)) < 0 || res != 0) { + sizeof(ptm_res), sizeof(res)) < 0 || res != 0) { error_report("tpm-emulator: Failed to send CMD_SET_DATAFD: %s", strerror(errno)); goto err_exit; @@ -706,6 +733,8 @@ static int tpm_emulator_get_state_blob(TPMEmulator *tpm_emu, if (tpm_emulator_ctrlcmd(tpm_emu, CMD_GET_STATEBLOB, &pgs, sizeof(pgs.u.req), + /* always returns up to resp.data */ + offsetof(ptm_getstate, u.resp.data), offsetof(ptm_getstate, u.resp.data)) < 0) { error_report("tpm-emulator: could not get state blob type %d : %s", type, strerror(errno)); @@ -808,7 +837,7 @@ static int tpm_emulator_set_state_blob(TPMEmulator *tpm_emu, /* write the header only */ if (tpm_emulator_ctrlcmd(tpm_emu, CMD_SET_STATEBLOB, &pss, - offsetof(ptm_setstate, u.req.data), 0) < 0) { + offsetof(ptm_setstate, u.req.data), 0, 0) < 0) { error_report("tpm-emulator: could not set state blob type %d : %s", type, strerror(errno)); return -1; @@ -992,7 +1021,8 @@ static void tpm_emulator_shutdown(TPMEmulator *tpm_emu) return; } - if (tpm_emulator_ctrlcmd(tpm_emu, CMD_SHUTDOWN, &res, 0, sizeof(res)) < 0) { + if (tpm_emulator_ctrlcmd(tpm_emu, CMD_SHUTDOWN, &res, 0, + sizeof(ptm_res), sizeof(res)) < 0) { error_report("tpm-emulator: Could not cleanly shutdown the TPM: %s", strerror(errno)); } else if (res != 0) { From d9280ea3174700170d39c4cdd3f587f260757711 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 16 Oct 2024 11:21:59 -0400 Subject: [PATCH 3/3] tests: Wait for migration completion on destination QEMU to avoid failures MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Rather than waiting for the completion of migration on the source side, wait for it on the destination QEMU side to avoid accessing the TPM TIS memory mapped registers before QEMU could restore their state. This error condition could be triggered on busy systems where the destination QEMU did not have enough time to restore the TIS state while the test case was already reading its registers. The test case was for example reading the STS register and received an unexpected value (0xffffffff), which lead to a segmentation fault later on due to trying to read 0xffff bytes from the TIS into a buffer. Cc: Reported-by: Fabiano Rosas Reviewed-by: Daniel P. Berrangé Signed-off-by: Stefan Berger --- tests/qtest/tpm-tests.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/qtest/tpm-tests.c b/tests/qtest/tpm-tests.c index fb94496bbd..197714f8d9 100644 --- a/tests/qtest/tpm-tests.c +++ b/tests/qtest/tpm-tests.c @@ -114,7 +114,7 @@ void tpm_test_swtpm_migration_test(const char *src_tpm_path, sizeof(tpm_pcrread_resp)); tpm_util_migrate(src_qemu, uri); - tpm_util_wait_for_migration_complete(src_qemu); + tpm_util_wait_for_migration_complete(dst_qemu); tpm_util_pcrread(dst_qemu, tx, tpm_pcrread_resp, sizeof(tpm_pcrread_resp));