using tpm reports "/dev/tpm0: Permission denied"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Incomplete | Undecided | André Abrantes |
Bug Description
Split from a different bug at
https:/
--- quote ---
Hey,
I was able to reboot my machine and run some tests tonight. From my side, I am following the template in the following link: https:/
First, your command looks good:
ubuntu@ubuntu:~$ sudo qemu-system-x86_64 -nodefaults -S -display none -monitor stdio -tpmdev passthrough,
QEMU 5.2.0 monitor - type 'help' for more information
(qemu)
For my VM, I do get past tpm (yey!), but I am stuck on this other issue. I am attaching the results of the commands below with LIBVIRT_DEBUG=1. Sorry, I am really just guessing that this is the debugging info needed.
ubuntu@ubuntu:~$ virsh start win10.2
error: Failed to start domain win10.2
error: Could not open TPM device /dev/tpm0: Permission denied
ubuntu@ubuntu:~$ sudo virsh start win10.2
error: failed to get domain 'win10.2'
--- end quote ---
@André,
Hi over here as well.
The usual suspect that comes to mind is apparmor protection as tpm use isn't common yet.
Depending on how it is configured in your guest it might not have got an apparmor allowance yet.
Please could you report back the following:
1. Run `dmesg -w` while you start your guest; are there apparmor DENIED messages?
2. If #1 is true, then please report the following:
2.1 xml of your guest `virsh dumpxml <guestname>`
2.2 apparmor rules that are generated /etc/apparmor.d/libvirt/libvirt-<guestuuid>.files
After we have the above you can try to allow all your guests access to that path, I'm guessing a bit until I see the denial, but maybe
echo "/dev/tpm* rw," >> /etc/apparmor.d/local/abstractions/libvirt-qemu
Afterwards ensure your guest is destroyed and started again (to refresh its profile).
Does it now work better?
That might be too open to commit it, but good for a try if that resolves your issue.
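
The denial check requested in step 1, as an added example that is not part of the original bug report: it filters kernel log lines for AppArmor DENIED records where a per-guest `libvirt-<guestuuid>` profile was refused access to `/dev/tpm*`. The function names, the sample log lines and the all-zero UUID are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the bug report). Function names are hypothetical.

# Print "<profile> <path> <operation> <denied_mask>" for every AppArmor
# denial where a libvirt guest profile was refused access to /dev/tpm*.
# Reads kernel log lines (dmesg format) on stdin.
apparmor_tpm_denials() {
    awk '
        # Return the value of key="value" from the current audit record.
        function field(key,    s) {
            if (!match($0, " " key "=\"[^\"]*\"")) return ""
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)
            sub(/"$/, "", s)
            return s
        }
        /apparmor="DENIED"/ {
            profile = field("profile")
            name = field("name")
            # Keep only per-guest libvirt profiles touching a TPM device node.
            if (profile ~ /^libvirt-/ && name ~ /^\/dev\/tpm/)
                print profile, name, field("operation"), field("denied_mask")
        }
    '
}

# Constructed sample log: UUID, PIDs, paths and timestamps are placeholders.
sample_log() {
    cat <<'EOF'
[  101.000001] audit: type=1400 audit(1700000000.001:101): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-00000000-0000-0000-0000-000000000001" pid=2001 comm="apparmor_parser"
[  101.000002] audit: type=1400 audit(1700000000.002:102): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000001" name="/dev/tpm0" pid=2002 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
[  101.000003] audit: type=1400 audit(1700000000.003:103): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000001" name="/srv/example/disk.img" pid=2002 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[  101.000004] audit: type=1400 audit(1700000000.004:104): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/dev/tpm0" pid=2003 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.000005] usb 1-1: new high-speed USB device number 2 using xhci_hcd
EOF
}

# Stand-alone run over the constructed sample.
sample_log | apparmor_tpm_denials
```

On a live host the same function can be fed from `sudo dmesg | apparmor_tpm_denials` after a failed guest start; a matching line names the guest profile whose generated rules are worth attaching.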