using tpm reports "/dev/tpm0: Permission denied"

@André,
Hi over here as well.
The usual suspect that comes to mind is apparmor protection as tpm use isn't common yet.
Depening on how it is configured in your guest it might not have got an apparmor allowance yet.

Please could you report back the following:
1. run `dmesg -w` while you start your guest are there apparmor DENIED messages?
2. if #1 is true, then please report the following
  2.1 xml of your guest `virsh dumpxml <guestname>`
  2.2 apparmor rules that are generated /etc/apparmor.d/libvirt/libvirt-<guestuuid>.files

After we have the above you can try to allow all your guests access to that path, I'm guessing a bit until I see the denial, but maybe

echo "/dev/tpm* rw," >> /etc/apparmor.d/local/abstractions/libvirt-qemu

Afterwards ensure your guests is destroyed and started again (to refresh its profile)
Does it now work better?

That might be too open to commit it, but good for a try if that resolves your issue.

The following is mostly a note to myself, I'm still first of all waiting for the logs I asked above.

The config used in the example you linked is:

    <tpm model='tpm-crb'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
    </tpm>

Per https://libvirt.org/formatdomain.html#tpm-device about tpm-crb
"another available choice is the tpm-crb, which should only be used when the backend device is a TPM 2.0"

tpm-tis could be an alternative, but that also might be odd.
So far I mostly heard people use emulators [1][2]

in libvirt that is something like:
<tpm model="tpm-crb">
  <backend type="emulator" version="2.0"/>
</tpm>

Unfortunately my TPM is unhappy with me, also I have none of the further steps in place. So no testing from me atm (IIRC xnox had a setup like this once):
$ sudo /usr/sbin/tcsd -f
TCSD TDDL ioctl: (25) Inappropriate ioctl for device
TCSD TDDL Falling back to Read/Write device support.
TCSD TCS ERROR: TCS GetCapability failed with result = 0x1e

[1]: https://github.com/stefanberger/swtpm
[2]: https://launchpad.net/~stefanberger/+archive/ubuntu/swtpm-focal

Hi Christian,

I am running this from the 20.04 USB stick again.

Unfortunately, there was nothing on dmesg as I started my guest. And as expected, editing /etc/apparmor.d/local/abstractions/libvirt-qemu changed nothing as well.

Another simple test, using tpm-tis also had the same outcome.

Ok - on the good side that means it is not an libvirt/apparmor issue as I first assumed.
On the bad side, that means a permission issue in a yet to be found place.

Adding the service to apparmor works. Looks like libvirt needs an apparmor rule or prior start of a VM apparmor needs to receive the instruction to allow access as long as the VM is running.

Hi Thomas, in comment #3 Andre said in his case adding of the tpm path in apparmor did not help.
Would you mind to share which rule and file exactly you used for "Adding the service to apparmor works" ?

Hello Christian,

basically it is the same what people do here:
https://askubuntu.com/questions/1365829/qemu-failed-to-passthrough-a-tpm-device

Except that you need to write "/dev/tpm0 rm," into the file, as the colon is missing and starting a VM will give you complaints on an AppArmor rule.

In my opinion, the best solution would be either to let libvirt add an exception when starting a VM that needs a TPM passthrough or the exception will be made in an Apparmor file for libvirt users and its spawned processes.

Regards,
Thomas

Just wanted to say thanks to Christian Ehrhardt. A lot of research led me to #1, which worked perfectly.