[Bug 2081995] Re: Cannot start libvirt/qemu VM with TPM device added

Lévai Dániel 2081995 at bugs.launchpad.net
Wed Oct 2 13:57:32 UTC 2024


That actually makes sense, because the swtpm user's home directory is
/var/lib/swtpm. So I guess swtpm_* commands are run as user swtpm, which
then updates that user's config files under $HOME/.config/.

Thanks for the pointers! Fixed this by editing swtpm user's config files
under its $HOME/.config/, like you suggested originally with the config
files under /etc.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2081995

Title:
  Cannot start libvirt/qemu VM with TPM device added

Status in swtpm package in Ubuntu:
  Incomplete

Bug description:
  Description:    Ubuntu 24.04.1 LTS
  Release:        24.04

  I've upgraded from 22.04 a couple of weeks ago.

  swtpm:
    Installed: 0.7.3-0ubuntu5.24.04.1
    Candidate: 0.7.3-0ubuntu5.24.04.1
    Version table:
   *** 0.7.3-0ubuntu5.24.04.1 500
          500 http://openbsd-httpd:56002/ubuntu/ubuntu noble-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       0.7.3-0ubuntu5 500
          500 http://openbsd-httpd:56002/ubuntu/ubuntu noble/main amd64 Packages

  
  swtpm-tools:
    Installed: 0.7.3-0ubuntu5.24.04.1
    Candidate: 0.7.3-0ubuntu5.24.04.1
    Version table:
   *** 0.7.3-0ubuntu5.24.04.1 500
          500 http://openbsd-httpd:56002/ubuntu/ubuntu noble-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       0.7.3-0ubuntu5 500
          500 http://openbsd-httpd:56002/ubuntu/ubuntu noble/main amd64 Packages

  
  I have a working Windows 11 guest VM in qemu/libvirt that has a TPM device (added ages ago, still on 22.04). Even though this existing VM is still working, I'm not sure since when but it seems it's not possible anymore for me to start/create a libvirt/qemu VM with a TPM device.
  If I add a TPM device to a VM (the model (TIS/CRB) or version (1.2/2.0) doesn't matter), or create a new VM in libvirt (virt-manager), it simply won't start, saying:

  ===================8<===================
  Unable to complete install: 'internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/ubuntu24.04-swtpm.log' for details.'

  Traceback (most recent call last):
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
      callback(asyncjob, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
      installer.start_install(guest, meter=meter)
    File "/usr/share/virt-manager/virtinst/install/installer.py", line 695, in start_install
      domain = self._create_guest(
               ^^^^^^^^^^^^^^^^^^^
    File "/usr/share/virt-manager/virtinst/install/installer.py", line 637, in _create_guest
      domain = self.conn.createXML(initial_xml or final_xml, 0)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.12/site-packages/libvirt.py", line 4545, in createXML
      raise libvirtError('virDomainCreateXML() failed')
  libvirt.libvirtError: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/ubuntu24.04-swtpm.log' for details.
  ===================8<===================

  Checking the log file mentioned:
  ===================8<===================
  Starting vTPM manufacturing as swtpm:swtpm @ Wed 25 Sep 2024 05:30:50 PM CEST
  Successfully created RSA 2048 EK with handle 0x81010001.
  Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
  An error occurred. Authoring the TPM state failed.
  Error getting next filename: No child processes
  Ending vTPM manufacturing @ Wed 25 Sep 2024 05:30:50 PM CEST
  ===================8<===================

  @DATAROOTDIR@ is suspicious to me, like something failed to replace a placeholder somewhere (maybe during compile time) but it could just be how it logs, I don't know.
  I presume @DATAROOTDIR@ should've been /usr/share, and there's a wrapper script at /usr/share/swtpm/swtpm-localca, containing:
  ===================8<===================
  #!/usr/bin/env sh

  /usr/bin/swtpm_localca "$@"

  exit $?
  ===================8<===================

  Way back, after OS installation I had to modify my /etc/apparmor.d/usr.bin.swtpm file to add my custom path to my disk that stores VM-stuff:
     owner /mnt/virt/libvirt/swtpm/** rwk,
     /mnt/virt/libvirt/swtpm/** wk,

  
  /var/lib/libvirt is a symlink to /mnt/virt/libvirt:
  # ls -la /var/lib/libvirt
  lrwxrwxrwx 1 root root 18 2022-04-05 13:04:27 /var/lib/libvirt -> /mnt/virt/libvirt//

  But this doesn't seem like an apparmor issue.

  
  What's interesting is that /var/lib/libvirt/swtpm/ has a directory named after the qemu VM UID of the (still working) Windows 11 guest VM:
  /var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68
  ... and this has a tpm2 directory that holds a .lock and a tpm2-00.permall file.

  I thought I'd "prepare" the same directory for my other guest VM that I'm
  trying to add the TPM device to, by creating the same directory
  hierarchy there, using its VM UID and a tpm2 directory underneath
  that:

  # find /var/lib/libvirt/swtpm/
  /var/lib/libvirt/swtpm/
  /var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68
  /var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68/tpm2
  /var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68/tpm2/.lock
  /var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68/tpm2/tpm2-00.permall
  /var/lib/libvirt/swtpm/a6d59ec7-bf07-4836-b897-5c3d8757079b
  /var/lib/libvirt/swtpm/a6d59ec7-bf07-4836-b897-5c3d8757079b/tpm2

  Interestingly enough, the latter directory (a6d59... which I created)
  gets deleted completely every time I try to start the VM (and it
  fails).

  I tried reinstalling the swtpm and swtpm-tools packages to no avail.

  Any hint would be appreciated.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: swtpm 0.7.3-0ubuntu5.24.04.1
  ProcVersionSignature: Ubuntu 6.8.0-45.45-generic 6.8.12
  Uname: Linux 6.8.0-45-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  CasperMD5CheckResult: pass
  Date: Wed Sep 25 17:20:28 2024
  InstallationDate: Installed on 2022-03-10 (930 days ago)
  InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220307)
  SourcePackage: swtpm
  UpgradeStatus: Upgraded to noble on 2024-09-05 (20 days ago)
  mtime.conffile..etc.apparmor.d.usr.bin.swtpm: 2024-09-25T17:22:43.567834
  mtime.conffile..etc.init.d.apport: 2024-07-22T16:59:07
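The log line "Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH" is an unexpanded build-time placeholder that swtpm_setup read from a configuration file, and because libvirt runs swtpm_setup as the swtpm user, a stale per-user file under that user's $HOME/.config wins over the package-maintained copy in /etc. The following shell script is an added diagnostic, not code from this bug report or from the swtpm project: it scans the configuration locations for leftover @NAME@ tokens and checks that the create_certs_tool setting points at an executable. It assumes the file names /etc/swtpm_setup.conf, /etc/swtpm-localca.conf and their $HOME/.config counterparts, and the create_certs_tool key name, as documented in the swtpm_setup.conf man page; the sample config contents in the usage note are constructed.

```shell
#!/bin/sh
# Added diagnostic (not part of the bug thread or of swtpm itself).
# Assumed locations, per swtpm_setup.conf(5): the per-user file
# $HOME/.config/swtpm_setup.conf is consulted before /etc/swtpm_setup.conf,
# and create_certs_tool names the certificate-creation helper to run.

# Print every line of FILE that still carries an unexpanded @NAME@ token.
# Returns 1 if any were found, 2 if the file is unreadable, 0 otherwise.
find_placeholders() {
    file=$1
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    if grep -En '@[A-Z_]+@' "$file"; then
        return 1
    fi
    return 0
}

# Print the value of KEY from a "key = value" style FILE (first match only),
# ignoring surrounding whitespace. Keys that merely share a prefix
# (create_certs_tool_config vs. create_certs_tool) are not confused.
conf_get() {
    key=$1; file=$2
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | sed -E 's/[[:space:]]*$//' | head -n 1
}

# Return 0 if create_certs_tool in FILE names an executable that the
# calling user can run; explain the failure on stderr otherwise.
check_certs_tool() {
    file=$1
    tool=$(conf_get create_certs_tool "$file")
    if [ -z "$tool" ]; then
        echo "$file: create_certs_tool not set" >&2
        return 1
    fi
    case $tool in
        *@*@*)
            echo "$file: create_certs_tool still has a placeholder: $tool" >&2
            return 1 ;;
    esac
    if [ -x "$tool" ]; then
        return 0
    fi
    echo "$file: create_certs_tool is not executable: $tool" >&2
    return 1
}

# Check every config file swtpm_setup could consult when run by the user
# whose home directory is HOME (for the swtpm user, typically
# /var/lib/swtpm, as found via: getent passwd swtpm | cut -d: -f6).
check_user_configs() {
    home=$1
    rc=0
    for f in "$home/.config/swtpm_setup.conf" \
             "$home/.config/swtpm-localca.conf" \
             /etc/swtpm_setup.conf /etc/swtpm-localca.conf; do
        [ -e "$f" ] || continue
        echo "checking $f"
        find_placeholders "$f" || rc=1
        case $f in
            *swtpm_setup.conf) check_certs_tool "$f" || rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as the same user libvirt uses, e.g. `sudo -u swtpm sh -c '. ./check-swtpm.sh; check_user_configs "$(getent passwd swtpm | cut -d: -f6)"'`, so that the `-x` test reflects the swtpm user's permissions rather than root's; a non-zero exit identifies which file carries the stale placeholder.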
