[Bug 2016744] Re: swtpm_setup cannot be run as user (AppArmor profile)
Lena Voytek
2016744 at bugs.launchpad.net
Tue Apr 25 16:31:21 UTC 2023
Confirmed this is an issue for kinetic and jammy-proposed
$ lxc launch ubuntu:jammy --vm test-swtpm
$ lxc exec test-swtpm bash
# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
# apt update && apt dist-upgrade -y
# apt install swtpm swtpm-tools -y
# su ubuntu
$ cd
$ /usr/share/swtpm/swtpm-create-user-config-files --overwrite
Environment variable XDG_CONFIG_HOME is not set. Using ${HOME}/.config.
Writing /home/ubuntu/.config/swtpm_setup.conf.
Writing /home/ubuntu/.config/swtpm-localca.conf.
Writing /home/ubuntu/.config/swtpm-localca.options.
$ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
Starting vTPM manufacturing as ubuntu:ubuntu @ Tue 25 Apr 2023 04:15:36 PM UTC
TPM is listening on Unix socket.
Successfully created RSA 2048 EK with handle 0x81010001.
Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Tue 25 Apr 2023 04:15:36 PM UTC
$ lxc launch ubuntu:kinetic --vm test-swtpm
$ lxc exec test-swtpm bash
# apt update && apt dist-upgrade -y
# apt install swtpm swtpm-tools -y
# su ubuntu
$ cd
$ /usr/share/swtpm/swtpm-create-user-config-files --overwrite
Environment variable XDG_CONFIG_HOME is not set. Using ${HOME}/.config.
Writing /home/ubuntu/.config/swtpm_setup.conf.
Writing /home/ubuntu/.config/swtpm-localca.conf.
Writing /home/ubuntu/.config/swtpm-localca.options.
$ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
Starting vTPM manufacturing as ubuntu:ubuntu @ Tue 25 Apr 2023 04:07:27 PM UTC
TPM is listening on Unix socket.
Successfully created RSA 2048 EK with handle 0x81010001.
Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Tue 25 Apr 2023 04:07:28 PM UTC
Lunar, however, is working properly:
$ lxc launch ubuntu:lunar --vm test-swtpm
$ lxc exec test-swtpm bash
# apt update && apt dist-upgrade -y
# apt install swtpm swtpm-tools -y
# su ubuntu
$ cd
$ /usr/share/swtpm/swtpm-create-user-config-files --overwrite
Environment variable XDG_CONFIG_HOME is not set. Using ${HOME}/.config.
Writing /home/ubuntu/.config/swtpm_setup.conf.
Writing /home/ubuntu/.config/swtpm-localca.conf.
Writing /home/ubuntu/.config/swtpm-localca.options.
$ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
Starting vTPM manufacturing as ubuntu:ubuntu @ Tue 25 Apr 2023 04:29:45 PM UTC
TPM is listening on Unix socket.
Successfully created RSA 2048 EK with handle 0x81010001.
Invoking /usr/bin/swtpm_localca --type ek --ek ... --dir /tmp/swtpm_setup.certs.CBV031 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /home/ubuntu/.config/swtpm-localca.conf --optsfile /home/ubuntu/.config/swtpm-localca.options
swtpm_localca: Creating root CA and a local CA's signing key and issuer cert.
swtpm_localca: Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
Successfully created ECC EK with handle 0x81010016.
Invoking /usr/bin/swtpm_localca --type ek --ek x=d0021840ce6fb63cffc1dea32aca965b2d6fd188ca41b204b8a4eb0a7177854b6b21f8e4f69a5fce21093cac74be4ae3,y=5ec8b20819c0e9f2890a9e408d46ceb3645b7691942efb36c0bc5206d492676e061556371d8a37db33f86e6da21c8f11,id=secp384r1 --dir /tmp/swtpm_setup.certs.CBV031 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /home/ubuntu/.config/swtpm-localca.conf --optsfile /home/ubuntu/.config/swtpm-localca.options
swtpm_localca: Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Tue 25 Apr 2023 04:29:47 PM UTC
I'll update the bug accordingly and get started on a fix for this.
** Also affects: swtpm (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: swtpm (Ubuntu Kinetic)
Importance: Undecided
Status: New
** Changed in: swtpm (Ubuntu)
Status: New => Fix Released
** Changed in: swtpm (Ubuntu Jammy)
Assignee: (unassigned) => Lena Voytek (lvoytek)
** Changed in: swtpm (Ubuntu Kinetic)
Assignee: (unassigned) => Lena Voytek (lvoytek)
** Changed in: swtpm (Ubuntu Jammy)
Status: New => In Progress
** Changed in: swtpm (Ubuntu Kinetic)
Status: New => In Progress
--
https://bugs.launchpad.net/bugs/2016744
Title:
swtpm_setup cannot be run as user (AppArmor profile)
Status in swtpm package in Ubuntu:
Fix Released
Status in swtpm source package in Jammy:
In Progress
Status in swtpm source package in Kinetic:
In Progress
Bug description:
It looks like the AppArmor profile that Ubuntu added to swtpm 0.6.3
(before it was contributed to the upstream project;
https://github.com/stefanberger/swtpm/commits/master/debian/usr.bin.swtpm)
is insufficient for running swtpm_setup as user. Can you sync the
AppArmor profile in the package with what is in this repo and/or
upgrade to a more recent version of swtpm (v0.8 is available)?
In particular, the following doesn't work for me:
$ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
Starting vTPM manufacturing as stefanb:stefanb @ Mon 17 Apr 2023 05:12:05 PM EDT
swtpm process terminated unexpectedly.
Could not start the TPM 2.
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon 17 Apr 2023 05:12:05 PM EDT
Also, once I copied the AppArmor profile from this project over onto
the 22.04 machine I ran into this issue here:
$ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
Starting vTPM manufacturing as stefanb:stefanb @ Mon 17 Apr 2023 05:14:04 PM EDT
TPM is listening on Unix socket.
Successfully created RSA 2048 EK with handle 0x81010001.
Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon 17 Apr 2023 05:14:04 PM EDT
[ The script requiring @DATAROOTDIR@ has been rewritten in a more recent
version of swtpm. ]
This has been previously reported here
https://github.com/stefanberger/swtpm/issues/749 but then also per the
user from issue 749 on Launchpad here (getting a timeout on this
page): https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/1989598
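A small diagnostic for the two failure modes in this report, added here as an example; it is not code from swtpm or from the Ubuntu swtpm package. It scans the per-user config written by swtpm-create-user-config-files (and the localca helper) for autoconf placeholders that were never expanded, such as the @DATAROOTDIR@ from the error above, and filters kernel audit lines for AppArmor denials charged to the swtpm profile, which is what would make swtpm "terminate unexpectedly" when the state directory is under $HOME. Assumptions not confirmed by the bug: that the placeholder lands in ~/.config/swtpm_setup.conf under the key create_certs_tool, the exact layout of the audit lines, and the sample config and audit lines, which are constructed.

```shell
#!/usr/bin/env sh
# Example diagnostic for this bug (written for this page, not part of swtpm or Ubuntu's package).
#
# Assumptions not confirmed by the bug report:
#   - the unexpanded placeholder ends up in the config written by
#     swtpm-create-user-config-files (~/.config/swtpm_setup.conf, key create_certs_tool),
#     which is the path swtpm_setup then fails to locate in PATH;
#   - AppArmor denials appear in the kernel log in the usual audit layout
#     (apparmor="DENIED" ... profile="swtpm" name="..." requested_mask="...").

# Print every line of the given files that still carries an unexpanded autoconf placeholder
# such as @DATAROOTDIR@. Exit status 0 = at least one found (install is broken), 1 = clean.
find_unexpanded_placeholders() {
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -n -E '@[A-Z_]+@' "$f"; then
            found=0
        fi
    done
    return "$found"
}

# Read kernel audit lines on stdin and print "<name> <requested_mask>" for every AppArmor
# DENIED event charged to the given profile. Lines without a name= field (e.g. capability
# denials) are printed unchanged. Exit status 0 = at least one denial seen, 1 = none.
apparmor_denials_for() {
    profile="$1"
    hits=$(grep -E "apparmor=\"DENIED\".*profile=\"$profile\"" |
           sed -E 's/.*name="([^"]*)".*requested_mask="([^"]*)".*/\1 \2/')
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Live check (not run automatically): regenerate the user config, run swtpm_setup in a
# scratch directory as in the report, then scan the config for placeholders and the kernel
# log for swtpm denials. dmesg may need root when kernel.dmesg_restrict=1.
live_check() {
    d=$(mktemp -d)
    /usr/share/swtpm/swtpm-create-user-config-files --overwrite
    find_unexpanded_placeholders "${XDG_CONFIG_HOME:-$HOME/.config}/swtpm_setup.conf" \
        /usr/share/swtpm/swtpm-localca /usr/bin/swtpm_localca
    swtpm_setup --tpm2 --tpmstate "$d" --overwrite --create-ek-cert || echo "swtpm_setup failed"
    dmesg 2>/dev/null | apparmor_denials_for swtpm || echo "no AppArmor denials for profile swtpm"
    rm -rf "$d"
}

# --- constructed sample inputs (shaped after the report, not real output from it) ---
BROKEN_CONF=$(mktemp)
cat >"$BROKEN_CONF" <<'EOF'
# Program invoked for creating certificates
create_certs_tool = @DATAROOTDIR@/swtpm/swtpm-localca
create_certs_tool_config = /home/ubuntu/.config/swtpm-localca.conf
create_certs_tool_options = /home/ubuntu/.config/swtpm-localca.options
EOF

CLEAN_CONF=$(mktemp)
printf 'create_certs_tool = /usr/bin/swtpm_localca\n' >"$CLEAN_CONF"

# Two constructed audit lines: a denial of swtpm writing its state file under the user's
# home directory, and an unrelated allowed open that must be ignored.
SAMPLE_AUDIT='audit: type=1400 audit(1681765925.123:45): apparmor="DENIED" operation="open" profile="swtpm" name="/home/stefanb/tpm2-00.permall" pid=4242 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1681765925.124:46): apparmor="ALLOWED" operation="open" profile="swtpm" name="/etc/ld.so.cache" pid=4242 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

find_unexpanded_placeholders "$BROKEN_CONF"                  # prints the create_certs_tool line
printf '%s\n' "$SAMPLE_AUDIT" | apparmor_denials_for swtpm   # prints: /home/stefanb/tpm2-00.permall wc
```

Call live_check on a machine with the affected package to run the real thing; on a fixed package the placeholder scan prints nothing and the config points at an absolute path such as /usr/bin/swtpm_localca, as in the Lunar transcript above.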