libvirt should not use user tss for swtpm
Bug #1948880 reported by Steve Langasek
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | High | Christian Ehrhardt |
Bug Description
libvirt encodes 'tss' as the user (and group) to use when running swtpm.
This overloads the tss user, which is already used by the tpm-udev package for controlling access to the host's *physical* TPM devices, which should not be conflated with virtual TPMs.
I suggest libvirt should instead use a user/group 'swtpm', that would be provided by the swtpm-tools package.
Related branches
~paelzer/ubuntu/+source/libvirt:lp-1927519-corrupted-1948880-swtpm-JAMMY
Merged into ubuntu/+source/libvirt:ubuntu/jammy-devel at revision e7e14293232b18bd68a8610e51590e9dc5312788
- Sergio Durigan Junior (community): Approve
- Canonical Server packageset reviewers: Pending requested
- git-ubuntu import: Pending requested
Diff: 197 lines (+140/-0), 6 files modified
debian/changelog (+13/-0)
debian/control (+1/-0)
debian/libvirt-daemon-system.postinst (+8/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1927519-virt-aa-helper-Purge-profile-if-corrupted.patch (+76/-0)
debian/patches/ubuntu/swtpm-by-swtpm-user.patch (+40/-0)
tags: added: server-next
Changed in libvirt (Ubuntu): assignee: nobody → Utkarsh Gupta (utkarsh)
Changed in libvirt (Ubuntu): assignee: nobody → Christian Ehrhardt (paelzer)
tags: removed: server-next
Hi Steve,
After just "agreeing and tagging" before, I have done an initial check on the case.
Tasks:
Similar to the .spec file, dir ownership needs to be set:
%dir %attr(0730, tss, tss) %{_localstatedir}/log/swtpm/libvirt/qemu/
We might want to look at ALL the swtpm related directories, these being:
swtpmLogDir: /var/log/swtpm/libvirt/qemu
swtpmStateDir: /run/libvirt/qemu/swtpm
swtpmStorageDir: /var/lib/libvirt/swtpm
Log and storage are static, but state is /run and thereby needs to be recreated each time.
The actually used user is encoded in /etc/libvirt/qemu.conf:
# User for the swtpm TPM Emulator
#
# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
# and uses; alternative is 'root'
#
#swtpm_user = "tss"
#swtpm_group = "tss"
And we might want to switch that default by changing the config at PKG build time.
That most likely also needs a change in the build time self tests and augeas usage at src/qemu/test_libvirtd_qemu.aug.in:
{ "swtpm_user" = "tss" }
{ "swtpm_group" = "tss" }
Finally, so far it didn't exist, but right now we should consider adding swtpm as a Suggests.
Once things are more complete and the swtpm MIR is ready (bug 1948748) we can bump this to a Recommends then.
Next steps once I really get to this (after sprint week):
- get a PPA set up with the changes
- run various tests with/without PPA
- upload to Ubuntu
- clarify potential Debian usage
- bump to Recommends once MIR is ready
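The check an admin would want after this change lands is whether swtpm really runs as a dedicated user and whether the three swtpm directories listed in the comment above are owned by that user rather than by tss, the host TPM user from tpm-udev. The script below is an added example written for this page; it is not code from libvirt, swtpm or the Ubuntu packaging. It parses the swtpm_user/swtpm_group settings out of qemu.conf text (the qemu.conf comment block quoted above is reused as a constructed sample), falls back to the compiled-in 'tss' default when both keys stay commented out, and compares owner, group and mode of the directories against that identity. The directory paths are the libvirt defaults quoted in the comment, the 0730 mode is the one from the .spec line quoted there, and the directory records are constructed stat()-style tuples so the check runs offline; collect_dir_records() is the assumed helper for building the same tuples on a live host.

```python
"""Audit the swtpm identity and directory ownership on a libvirt host.
Added example for this bug report, not code from libvirt, swtpm or the Ubuntu
packaging: read swtpm_user/swtpm_group from qemu.conf text, fall back to the
compiled-in 'tss' default, and check the three swtpm directories against it.
"""
import os
import re
import stat

# Directory defaults quoted in the bug comment above.
SWTPM_DIRS = {
    "swtpmLogDir": "/var/log/swtpm/libvirt/qemu",
    "swtpmStateDir": "/run/libvirt/qemu/swtpm",
    "swtpmStorageDir": "/var/lib/libvirt/swtpm",
}
EXPECTED_MODE = 0o730  # from the .spec line quoted above: %attr(0730, tss, tss)
COMPILED_DEFAULT_USER = "tss"  # libvirt's default when both keys stay commented out
_KV = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')  # libvirt's key = "value" lines


def parse_qemu_conf(text):
    """Return the active (uncommented) key = "value" settings as a dict."""
    settings = {}
    for line in text.splitlines():
        code = line.split("#", 1)[0]  # assumption: no '#' inside quoted values
        m = _KV.match(code)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def effective_swtpm_identity(conf_text):
    """(user, group) swtpm will run as, honouring the compiled-in default."""
    s = parse_qemu_conf(conf_text)
    return s.get("swtpm_user", COMPILED_DEFAULT_USER), s.get("swtpm_group", COMPILED_DEFAULT_USER)


def audit_swtpm_dirs(conf_text, dir_records):
    """Return findings as strings; an empty list means the host is consistent.

    dir_records: (path, owner, group, mode) tuples, constructed here for an
    offline run or produced by collect_dir_records() on a live host.
    """
    user, group = effective_swtpm_identity(conf_text)
    findings = []
    if user == "tss":
        findings.append("swtpm runs as 'tss', the user tpm-udev uses for the host's "
                        "physical TPM; set swtpm_user/swtpm_group to a dedicated user")
    by_path = {rec[0]: rec for rec in dir_records}
    for name, path in SWTPM_DIRS.items():
        rec = by_path.get(path)
        if rec is None:
            note = " (under /run, must be recreated at every boot)" if path.startswith("/run/") else ""
            findings.append(f"{name} {path} missing{note}")
            continue
        _, owner, grp, mode = rec
        if (owner, grp) != (user, group):
            findings.append(f"{name} {path} owned by {owner}:{grp}, expected {user}:{group}")
        if stat.S_IMODE(mode) != EXPECTED_MODE:
            findings.append(f"{name} {path} mode {oct(stat.S_IMODE(mode))}, expected {oct(EXPECTED_MODE)}")
    return findings


def collect_dir_records(paths=tuple(SWTPM_DIRS.values())):
    """Live-host helper: stat() each directory and resolve uid/gid to names."""
    import grp as grpdb
    import pwd
    records = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        try:
            owner, group = pwd.getpwuid(st.st_uid).pw_name, grpdb.getgrgid(st.st_gid).gr_name
        except KeyError:  # ids with no passwd/group entry are reported numerically
            owner, group = str(st.st_uid), str(st.st_gid)
        records.append((p, owner, group, st.st_mode))
    return records


# Constructed sample: the stock qemu.conf block, both keys commented out.
STOCK_CONF = """\
# User for the swtpm TPM Emulator
#
# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
# and uses; alternative is 'root'
#
#swtpm_user = "tss"
#swtpm_group = "tss"
"""
# Constructed sample: the change this bug proposes, a dedicated 'swtpm' user.
SWTPM_CONF = STOCK_CONF + 'swtpm_user = "swtpm"\nswtpm_group = "swtpm"\n'

# Constructed stat()-style records. The state dir is deliberately absent from
# the first set, as it would be after a reboot if nothing recreates it in /run.
_DIR = stat.S_IFDIR | 0o730
RECORDS_TSS = [("/var/log/swtpm/libvirt/qemu", "tss", "tss", _DIR),
               ("/var/lib/libvirt/swtpm", "tss", "tss", _DIR)]
RECORDS_SWTPM = [(p, "swtpm", "swtpm", _DIR) for p in SWTPM_DIRS.values()]
```

Run offline as `audit_swtpm_dirs(STOCK_CONF, RECORDS_TSS)`, which reports the tss overlap and the missing /run state directory, while `audit_swtpm_dirs(SWTPM_CONF, RECORDS_SWTPM)` returns no findings; on a real host pass the contents of /etc/libvirt/qemu.conf and `collect_dir_records()` instead. The fallback to 'tss' when the keys are commented out is the point of the check: a stock config with no active setting still lands on the host TPM user, which is why the comment above suggests switching the default at package build time rather than relying on a local edit.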