[Bug 2081995] Re: Cannot start libvirt/qemu VM with TPM device added
Lévai Dániel
2081995 at bugs.launchpad.net
Wed Oct 2 06:22:05 UTC 2024
Config files seem to be in order, no placeholders:
===== /etc/swtpm_setup.conf =====
# Program invoked for creating certificates
create_certs_tool= /usr/bin/swtpm_localca
create_certs_tool_config = /etc/swtpm-localca.conf
create_certs_tool_options = /etc/swtpm-localca.options
# Comma-separated list (no spaces) of PCR banks to activate by default
active_pcr_banks = sha256
===== /etc/swtpm-localca.conf =====
statedir = /var/lib/swtpm-localca
signingkey = /var/lib/swtpm-localca/signkey.pem
issuercert = /var/lib/swtpm-localca/issuercert.pem
certserial = /var/lib/swtpm-localca/certserial
However, while I was there, I started grep(1)ing through /etc, /usr/share
and /var for 'DATAROOTDIR' and this came up:
===== /var/lib/swtpm/.config/swtpm_setup.conf =====
create_certs_tool = @DATAROOTDIR@/swtpm/swtpm-localca
create_certs_tool_config = /var/lib/swtpm/.config/swtpm-localca.conf
create_certs_tool_options = /var/lib/swtpm/.config/swtpm-localca.options
===== /var/lib/swtpm/.config/swtpm-localca.conf =====
statedir = /var/lib/swtpm/.config/var/lib/swtpm-localca
signingkey = /var/lib/swtpm/.config/var/lib/swtpm-localca/signkey.pem
issuercert = /var/lib/swtpm/.config/var/lib/swtpm-localca/issuercert.pem
certserial = /var/lib/swtpm/.config/var/lib/swtpm-localca/certserial
# find /var/lib/swtpm/
/var/lib/swtpm/
/var/lib/swtpm/.config
/var/lib/swtpm/.config/var
/var/lib/swtpm/.config/var/lib
/var/lib/swtpm/.config/var/lib/swtpm-localca
/var/lib/swtpm/.config/swtpm-localca.conf
/var/lib/swtpm/.config/swtpm-localca.options
/var/lib/swtpm/.config/swtpm_setup.conf
Seemingly, there's another set of config files under
/var/lib/swtpm/.config, containing different paths than the files in
/etc/.
The ones in /var/lib/swtpm are somewhat older than the ones in /etc/:
# ls -l /etc/swtpm_setup.conf /var/lib/swtpm/.config/swtpm_setup.conf
-rw-r--r-- 1 root root 289 2024-07-31 00:16:43 /etc/swtpm_setup.conf
-rw-rw-r-- 1 swtpm swtpm 196 2023-02-15 19:23:27 /var/lib/swtpm/.config/swtpm_setup.conf
# ls -l /etc/swtpm-localca.conf /var/lib/swtpm/.config/swtpm-localca.conf
-rw-r--r-- 1 root root 180 2022-04-12 16:49:45 /etc/swtpm-localca.conf
-rw-rw-r-- 1 swtpm swtpm 268 2023-02-15 19:23:27 /var/lib/swtpm/.config/swtpm-localca.conf
Are files under /etc/ only some kind of templates and swtpm copies them over to /var/lib/swtpm/.config when it starts being used?
What should be the end game here? Are these files in /var/lib/swtpm some
remnants of an old way of configuring swtpm? Or is maybe swtpm being
chrooted somewhere there so I need to sync the config files from /etc/
after swtpm package upgrades?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2081995
Title:
Cannot start libvirt/qemu VM with TPM device added
Status in swtpm package in Ubuntu:
Incomplete
Bug description:
Description: Ubuntu 24.04.1 LTS
Release: 24.04
I've upgraded from 22.04 a couple of weeks ago.
swtpm:
Installed: 0.7.3-0ubuntu5.24.04.1
Candidate: 0.7.3-0ubuntu5.24.04.1
Version table:
*** 0.7.3-0ubuntu5.24.04.1 500
500 http://openbsd-httpd:56002/ubuntu/ubuntu noble-updates/main amd64 Packages
100 /var/lib/dpkg/status
0.7.3-0ubuntu5 500
500 http://openbsd-httpd:56002/ubuntu/ubuntu noble/main amd64 Packages
swtpm-tools:
Installed: 0.7.3-0ubuntu5.24.04.1
Candidate: 0.7.3-0ubuntu5.24.04.1
Version table:
*** 0.7.3-0ubuntu5.24.04.1 500
500 http://openbsd-httpd:56002/ubuntu/ubuntu noble-updates/main amd64 Packages
100 /var/lib/dpkg/status
0.7.3-0ubuntu5 500
500 http://openbsd-httpd:56002/ubuntu/ubuntu noble/main amd64 Packages
I have a working Windows 11 guest VM in qemu/libvirt that has a TPM device (added ages ago, still on 22.04). Even though this existing VM is still working, I'm not sure since when but it seems it's not possible anymore for me to start/create a libvirt/qemu VM with a TPM device.
If I add a TPM device to a VM - the model (TIS/CRB) or version (1.2/2.0) doesn't matter -, or create a new VM in libvirt (virt-manager), it simply won't start, saying:
===================8<===================
Unable to complete install: 'internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/ubuntu24.04-swtpm.log' for details.'
Traceback (most recent call last):
File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
callback(asyncjob, *args, **kwargs)
File "/usr/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
installer.start_install(guest, meter=meter)
File "/usr/share/virt-manager/virtinst/install/installer.py", line 695, in start_install
domain = self._create_guest(
^^^^^^^^^^^^^^^^^^^
File "/usr/share/virt-manager/virtinst/install/installer.py", line 637, in _create_guest
domain = self.conn.createXML(initial_xml or final_xml, 0)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/libvirt.py", line 4545, in createXML
raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/ubuntu24.04-swtpm.log' for details.
===================8<===================
Checking the log file mentioned:
===================8<===================
Starting vTPM manufacturing as swtpm:swtpm @ Wed 25 Sep 2024 05:30:50 PM CEST
Successfully created RSA 2048 EK with handle 0x81010001.
Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
An error occurred. Authoring the TPM state failed.
Error getting next filename: No child processes
Ending vTPM manufacturing @ Wed 25 Sep 2024 05:30:50 PM CEST
===================8<===================
@DATAROOTDIR@ is suspicious to me, like something failed to replace a placeholder somewhere (maybe during compile time) but it could just be how it logs, I don't know.
I presume @DATAROOTDIR@ should've been /usr/share, and there's a wrapper script at /usr/share/swtpm/swtpm-localca, containing:
===================8<===================
#!/usr/bin/env sh
/usr/bin/swtpm_localca "$@"
exit $?
===================8<===================
Way back, after OS installation I had to modify my /etc/apparmor.d/usr.bin.swtpm file to add my custom path to my disk that stores VM-stuff:
owner /mnt/virt/libvirt/swtpm/** rwk,
/mnt/virt/libvirt/swtpm/** wk,
/var/lib/libvirt is a symlink to /mnt/virt/libvirt:
# ls -la /var/lib/libvirt
lrwxrwxrwx 1 root root 18 2022-04-05 13:04:27 /var/lib/libvirt -> /mnt/virt/libvirt//
But this doesn't seem like an apparmor issue.
What's interesting is that /var/lib/libvirt/swtpm/ has a directory named after the qemu VM UID of the (still working) Windows 11 guest VM:
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68
... and this has a tpm2 directory that holds a .lock and a tpm2-00.permall file.
I thought I'd "prepare" the same directory for my other guest VM that I'm
trying to add the TPM device to, by creating the same directory
hierarchy there, using its VM UID and a tpm2 directory underneath
that:
# find /var/lib/libvirt/swtpm/
/var/lib/libvirt/swtpm/
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68/tpm2
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68/tpm2/.lock
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68/tpm2/tpm2-00.permall
/var/lib/libvirt/swtpm/a6d59ec7-bf07-4836-b897-5c3d8757079b
/var/lib/libvirt/swtpm/a6d59ec7-bf07-4836-b897-5c3d8757079b/tpm2
Interestingly enough, the latter directory (a6d59... which I created)
gets deleted completely every time I try to start the VM (and it
fails).
I tried reinstalling the swtpm and swtpm-tools packages to no avail.
Any hint would be appreciated.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: swtpm 0.7.3-0ubuntu5.24.04.1
ProcVersionSignature: Ubuntu 6.8.0-45.45-generic 6.8.12
Uname: Linux 6.8.0-45-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.1
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed Sep 25 17:20:28 2024
InstallationDate: Installed on 2022-03-10 (930 days ago)
InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220307)
SourcePackage: swtpm
UpgradeStatus: Upgraded to noble on 2024-09-05 (20 days ago)
mtime.conffile..etc.apparmor.d.usr.bin.swtpm: 2024-09-25T17:22:43.567834
mtime.conffile..etc.init.d.apport: 2024-07-22T16:59:07
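A small checker for the situation the reply above describes: a stale per-user swtpm_setup.conf under the swtpm user's home that shadows /etc/swtpm_setup.conf and still carries an unexpanded @DATAROOTDIR@ token. This is an added example, not swtpm's own code; it assumes the per-user-before-/etc lookup order and that the swtpm user's home is /var/lib/swtpm, and the two sample file bodies are constructed from the reply, not read from that system.

```python
import re
from pathlib import Path

# Constructed samples modelled on the two files quoted in the reply.
STALE_SAMPLE = """\
create_certs_tool = @DATAROOTDIR@/swtpm/swtpm-localca
create_certs_tool_config = /var/lib/swtpm/.config/swtpm-localca.conf
create_certs_tool_options = /var/lib/swtpm/.config/swtpm-localca.options
"""
GOOD_SAMPLE = """\
# Program invoked for creating certificates
create_certs_tool= /usr/bin/swtpm_localca
create_certs_tool_config = /etc/swtpm-localca.conf
active_pcr_banks = sha256
"""

# A build-time token such as @DATAROOTDIR@ that was never substituted.
PLACEHOLDER = re.compile(r"@[A-Z_]+@")

def parse_conf(text):
    """Parse swtpm's 'key = value' format; tolerate 'key= value' and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def unexpanded_placeholders(conf):
    """Return the entries whose value still contains an @NAME@ token."""
    return {k: v for k, v in conf.items() if PLACEHOLDER.search(v)}

def config_search_order(home, xdg_config_home=None, sysconfdir="/etc"):
    """Candidate swtpm_setup.conf locations, most specific first (assumed order)."""
    paths = []
    if xdg_config_home:
        paths.append(Path(xdg_config_home) / "swtpm_setup.conf")
    paths.append(Path(home) / ".config" / "swtpm_setup.conf")
    paths.append(Path(sysconfdir) / "swtpm_setup.conf")
    return paths

def effective_config(paths):
    """First existing candidate wins; returns (path, parsed) or (None, {})."""
    for p in paths:
        if p.is_file():
            return p, parse_conf(p.read_text())
    return None, {}

if __name__ == "__main__":
    # swtpm_setup runs as swtpm:swtpm; its home is assumed to be /var/lib/swtpm.
    path, conf = effective_config(config_search_order("/var/lib/swtpm"))
    print("effective swtpm_setup.conf:", path)
    for key, value in unexpanded_placeholders(conf).items():
        print(f"  {key} still has an unexpanded placeholder: {value}")
```

Run it as root on the affected host; if the effective file is the one under /var/lib/swtpm/.config and it reports create_certs_tool, that matches the "Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH" line in the swtpm log.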
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/2081995/+subscriptions