RHEL-39899

openssl 3.0.7 causing problems with VMs under ovirt that use swtpm

    • Bug
    • Resolution: Duplicate
    • Normal
    • rhel-9.4
    • openssl
    • sst_security_crypto
    • ssg_security
    • x86_64

      What were you trying to do that didn't work?

      Hello, I was trying to use Windows 11 under oVirt w/ swtpm for TPM support. Specifically this was under Rocky Linux 9, but they have requested that I post the issue upstream as they simply inherit. Anyway, upon Windows 11 launching, if you run a PowerShell command to retrieve TPM features, it causes a 'hardware error' in the Windows system log. (If you use SCCM, it does this over and over every few seconds.) While the TPM functions enough for the OS to install, it fails on that command, which breaks a myriad of other things. In tracking it down with the swtpm developer, we discovered that it was openssl that was the culprit, and that upgrading it to what Fedora 37 is using resolves the issue (openssl 3.0.9).

      The swtpm developer asked that I reach out and also recommend upgrading libtpms as there have been a number of CVE fixes.

      You can see the entire conversation and debugging session here: https://github.com/stefanberger/swtpm/issues/852

      Please provide the package NVR for which bug is seen:

      openssl-3.0.7-27

      How reproducible:

      Trivially. I imagine this would work without oVirt installed as well, like just virt-manager or more raw kvm.

      Steps to reproduce

      1. Set up oVirt (4.5.6 is what I am using) or something similar
      2. Launch a VM with TPM enabled to install Windows 11 on
      3. Install Windows 11 (this should work without issue)
      4. After Windows 11 is installed, log in and open an admin PowerShell prompt
      5. Type: Get-TPMSupportedFeature
      6. Notice that it returns nothing (it should return: key attestation)
      7. Check the Event Viewer -> System log and you should see a TPM error
      8. Repeat step 5 and note that every time you run it, it reports a new error

      Expected results

      No error and a return of key attestation

      Actual results

      Empty return and system error log entry

            dbelyavs@redhat.com Dmitry Belyavskiy
            uncga.daniel Daniel Henninger (Inactive)
            Dmitry Belyavskiy
            George Pantelakis