Comment 11 for bug 1948880

Christian Ehrhardt  (paelzer) wrote :

#3 Fresh install of the new version

This now has /var/lib/swtpm-localca set to swtpm.

$ sudo ls -laF /var/lib/swtpm-localca
total 8
drwxr-x--- 2 swtpm root 4096 Nov 15 14:05 ./
drwxr-xr-x 49 root root 4096 Nov 15 14:05 ../

Starting the guest works and ownership is correct:

$ sudo ls -laFR /var/log/swtpm/libvirt/qemu /run/libvirt/qemu/swtpm /var/lib/libvirt/swtpm /var/lib/swtpm-localca
/run/libvirt/qemu/swtpm:
total 4
drwxrwx--- 2 libvirt-qemu swtpm 80 Nov 15 14:06 ./
drwxr-xr-x 5 root root 180 Nov 15 14:06 ../
-rw-r--r-- 1 swtpm swtpm 5 Nov 15 14:06 6-f-tpm-swtpm.pid
srw------- 1 libvirt-qemu kvm 0 Nov 15 14:06 6-f-tpm-swtpm.sock=

/var/lib/libvirt/swtpm:
total 12
drwx--x--x 3 root root 4096 Nov 15 13:43 ./
drwxr-xr-x 8 root root 4096 Nov 15 13:38 ../
drwx--x--x 3 root root 4096 Nov 15 13:43 65113265-34d6-4358-b562-4d7508d6ff17/

/var/lib/libvirt/swtpm/65113265-34d6-4358-b562-4d7508d6ff17:
total 12
drwx--x--x 3 root root 4096 Nov 15 13:43 ./
drwx--x--x 3 root root 4096 Nov 15 13:43 ../
drwx------ 2 swtpm swtpm 4096 Nov 15 14:06 tpm2/

/var/lib/libvirt/swtpm/65113265-34d6-4358-b562-4d7508d6ff17/tpm2:
total 16
drwx------ 2 swtpm swtpm 4096 Nov 15 14:06 ./
drwx--x--x 3 root root 4096 Nov 15 13:43 ../
-rw-r----- 1 swtpm swtpm 0 Nov 15 14:06 .lock
-rw------- 1 swtpm swtpm 6098 Nov 15 14:06 tpm2-00.permall

/var/lib/swtpm-localca:
total 8
drwxr-x--- 2 swtpm root 4096 Nov 15 14:05 ./
drwxr-xr-x 49 root root 4096 Nov 15 14:05 ../

/var/log/swtpm/libvirt/qemu:
total 16
drwx-wx--- 2 swtpm swtpm 4096 Nov 15 13:38 ./
drwx--x--x 3 root root 4096 Nov 15 13:38 ../
-rw-r--r-- 1 swtpm swtpm 4744 Nov 15 13:43 f-tpm-swtpm.log

Process as well:

1 116 16253 1 20 0 7492 3776 - Ss ? 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/6-f-tpm-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/65113265-34d6-4358-b562-4d7508d6ff17/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/f-tpm-swtpm.log --tpm2 --pid file=/run/libvirt/qemu/swtpm/6-f-tpm-swtpm.pid

What slightly puzzles me is the empty /var/lib/swtpm-localca dir.

I created a new guest to see if that behaves differently from the one used before.
Indeed it behaves differently.

swtpm log on guest that existed before:

Starting vTPM manufacturing as tss:tss @ Mon 15 Nov 2021 01:38:53 PM UTC
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek df06f941e4c58e2c043407c1eb2a5afa6825ee93362ebe33e8ada87986bd04bb356ee64d02625f9cb234bf13afbd4d5e93456ad24dccd1b3083b063d4098573045dd1f8c73ee1ca8860f2f5f211ccd6336774388202099dd6117e38ebe162a34e7af024f6eac15c9683979ef4f4fbe5bda39284d209bfe32897ad87df062382e3ce6a070cfbc325223d6e12f366bb115fbadf78e66790d6e04f5d8f27f6e8ca431bb779fe8b67e6707ceb36de8540838f2acab6535fcf1739e7b51f22d4d774c17c1e56d86d64e52319d5303ab7c8e47303c359858ace7b282d6ff696930a595db20202884417fe19b00d2272966979bedc7c36e678fbaf26be84fdfa7059ddf --dir /var/lib/libvirt/swtpm/65113265-34d6-4358-b562-4d7508d6ff17/tpm2 --logfile /var/log/swtpm/libvirt/qemu/f-tpm-swtpm.log --vmid f-tpm:65113265-34d6-4358-b562-4d7508d6ff17 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Need read/write rights on statedir /var/lib/swtpm-localca for user tss.
swtpm-localca exit with status 256:
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon 15 Nov 2021 01:38:53 PM UTC

New guest:

$ sudo tail -f /var/log/swtpm/libvirt/qemu/f-tpm2-swtpm.log
Successfully created platform certificate locally.
Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
Successfully created NVRAM area 0x1c08000 for platform certificate.
Successfully created ECC EK with handle 0x81010016.
  Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek x=58624b50e848bbf1f3797c4ef32343a7ddea7535a7b845276b0810e46e713b671fab5179d3c2a5ef9eb135f18384358b,y=f82f41b8299442346ffe62a9d7b2ea61768aeb9fba3427f7566978ce66618797a9a42ec14451555b1838a820d1e9cbae,id=secp384r1 --dir /var/lib/libvirt/swtpm/87cdb40d-cc2d-4389-b998-95f5e9084954/tpm2 --logfile /var/log/swtpm/libvirt/qemu/f-tpm2-swtpm.log --vmid f-tpm2:87cdb40d-cc2d-4389-b998-95f5e9084954 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Mon 15 Nov 2021 02:12:48 PM UTC

And with the new guest, localca is now also populated and all owned by swtpm.

/var/lib/swtpm-localca:
total 56
drwxr-x--- 2 swtpm root 4096 Nov 15 14:12 ./
drwxr-xr-x 49 root root 4096 Nov 15 14:05 ../
-rwxr-xr-x 1 swtpm swtpm 0 Nov 15 14:12 .lock.swtpm-localca*
-rw-r--r-- 1 swtpm swtpm 5531 Nov 15 14:12 01.pem
-rw-r--r-- 1 swtpm swtpm 1 Nov 15 14:12 certserial
-rw-r--r-- 1 swtpm swtpm 48 Nov 15 14:12 index.txt
-rw-r--r-- 1 swtpm swtpm 21 Nov 15 14:12 index.txt.attr
-rw-r--r-- 1 swtpm swtpm 0 Nov 15 14:12 index.txt.old
-rw-r--r-- 1 swtpm swtpm 5531 Nov 15 14:12 issuercert.pem
-rw-r--r-- 1 swtpm swtpm 3 Nov 15 14:12 serial
-rw-r--r-- 1 swtpm swtpm 3 Nov 15 14:12 serial.old
-rw-r----- 1 swtpm swtpm 2459 Nov 15 14:12 signkey.pem
-rw-r--r-- 1 swtpm swtpm 1468 Nov 15 14:12 swtpm-localca-rootca-cert.pem
-rw-r----- 1 swtpm swtpm 2459 Nov 15 14:12 swtpm-localca-rootca-privkey.pem

Again, for 22.04 that all seems fine: swtpm didn't exist before, and we release it
with swtpm as the default.
But for potential SRUs we need to be careful not to break things.
That said, the old guest still worked; just the log entries and
/var/lib/swtpm-localca were odd.
And the former content would have been from an unsupported source, where we have
no guarantees how it worked anyway.
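The failure in the old guest's log (swtpm-localca needing read/write rights on its statedir for the user doing the manufacturing) and the ownership listings above can be checked mechanically. The following is an added example, not code from the bug report or from swtpm: it parses `ls -laF` lines (the sample is constructed from the listing in this comment) and flags both a statedir the given user cannot read and write and any CA private key that is world-readable.

```python
import re
from collections import namedtuple
# One `ls -laF` line: type, 9 permission chars, links, owner, group, size,
# month, day, time, name (a trailing -F indicator such as / or * is dropped).
LS_LINE = re.compile(
    r"^[dl-]([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\w+\s+\d+\s+[\d:]+\s+(.+?)[/*=@|]?$"
)
Entry = namedtuple("Entry", "perms owner group name")

def parse_ls_line(line):
    """Return an Entry, or None for 'total N', directory headers and blanks."""
    m = LS_LINE.match(line.strip())
    return Entry(*m.groups()) if m else None

def can_read_write(e, user, groups=()):
    """Check the owner, group or other bits, whichever apply to `user`."""
    if e.owner == user:
        bits = e.perms[0:3]
    elif e.group in groups:
        bits = e.perms[3:6]
    else:
        bits = e.perms[6:9]
    return bits[0] == "r" and bits[1] == "w"

def audit_statedir(listing, user, groups=()):
    """Findings for a swtpm-localca statedir listing as seen by `user`."""
    findings = []
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e is None:
            continue
        if e.name == ".":
            # Same condition swtpm-localca logs as "Need read/write rights
            # on statedir ... for user ..." before aborting manufacturing.
            if not can_read_write(e, user, groups):
                findings.append(f"statedir not read/write for {user} "
                                f"(owner {e.owner}, group {e.group}, {e.perms})")
        elif e.name.endswith(("signkey.pem", "privkey.pem")):
            if e.perms[6] == "r":   # "other" read bit set on a CA key
                findings.append(f"CA private key {e.name} is world-readable")
    return findings

# Constructed sample: the populated statedir from the report, abbreviated.
SAMPLE_LISTING = """\
/var/lib/swtpm-localca:
drwxr-x--- 2 swtpm root 4096 Nov 15 14:12 ./
-rw-r----- 1 swtpm swtpm 2459 Nov 15 14:12 signkey.pem
-rw-r----- 1 swtpm swtpm 2459 Nov 15 14:12 swtpm-localca-rootca-privkey.pem
"""
```

Run against the sample, `audit_statedir(SAMPLE_LISTING, "swtpm")` is clean while `audit_statedir(SAMPLE_LISTING, "tss")` reports the statedir as unwritable, matching the two log outcomes above.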