Comment 8 for bug 1948880

Christian Ehrhardt  (paelzer) wrote :

Paths if used with libvirt before the upgrade

$ sudo apt install swtpm-tools
# Add to the guest a tpm2 emulation
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
    </tpm>

It is important to realize that the switch of swtpm-tools itself
to swtpm:swtpm broke usage with libvirt (up to this upload).

That is because /var/lib/dpkg/info/swtpm-tools.postinst now sets

$ sudo ls -laFd /var/lib/swtpm-localca
drwxr-x--- 2 swtpm root 4096 Nov 15 13:38 /var/lib/swtpm-localca/

Due to that, the default config of libvirt (which was tss:tss) now fails with

$ virsh start f-tpm
error: Failed to start domain 'f-tpm'
error: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1;
Check error log '/var/log/swtpm/libvirt/qemu/f-tpm-swtpm.log' for details.

ubuntu@node-horsea:~$ sudo cat /var/log/swtpm/libvirt/qemu/f-tpm-swtpm.log
Starting vTPM manufacturing as tss:tss @ Mon 15 Nov 2021 01:38:53 PM UTC
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek 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 --dir /var/lib/libvirt/swtpm/65113265-34d6-4358-b562-4d7508d6ff17/tpm2 --logfile /var/log/swtpm/libvirt/qemu/f-tpm-swtpm.log --vmid f-tpm:65113265-34d6-4358-b562-4d7508d6ff17 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Need read/write rights on statedir /var/lib/swtpm-localca for user tss.
swtpm-localca exit with status 256:
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon 15 Nov 2021 01:38:53 PM UTC

That is ok for Jammy, but we need to think about what we want in backports to Focal.
If people used swtpm from a PPA or snap before, then the chmod in the postinst
will break running and starting guests.
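The failure above is swtpm-localca refusing to run because the user libvirt starts swtpm as (tss) has no read/write/search access to the state directory that the postinst now hands to swtpm:swtpm. The helper below is an added example, not code from this comment or from the swtpm or libvirt packages: it reproduces that permission check from the directory's owner, group and mode so an admin can tell before a `virsh start` whether a given user (and its group list) would be refused. `statedir_access` and its arguments are hypothetical names; it assumes GNU `stat`.

```shell
#!/bin/sh
# Hypothetical helper (not part of swtpm or libvirt): decide from owner/group/mode
# whether USER, a member of the listed GROUPS, gets read+write+search on DIR,
# which is what swtpm-localca needs on its statedir (/var/lib/swtpm-localca).
# Usage: statedir_access DIR USER "GROUP1 GROUP2 ..."   -> prints ok|denied
statedir_access() {
    dir=$1; user=$2; groups=$3
    owner=$(stat -c '%U' "$dir") || return 2   # directory missing or unreadable
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")
    mode=${mode#"${mode%???}"}                 # keep the last three octal digits
    # Select the permission triplet that applies to this user: owner, group or other.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c1)
    else
        bits=$(printf '%s' "$mode" | cut -c3)
        for g in $groups; do
            [ "$g" = "$group" ] && bits=$(printf '%s' "$mode" | cut -c2)
        done
    fi
    # swtpm-localca needs rwx (7) on the statedir; anything less reproduces
    # "Need read/write rights on statedir ... for user tss".
    if [ "$bits" = "7" ]; then
        echo ok; return 0
    fi
    echo denied; return 1
}

# Example matching the log in this bug: the directory is swtpm:swtpm 0750,
# while libvirt runs swtpm_setup as tss with primary group tss.
# statedir_access /var/lib/swtpm-localca tss "tss"   -> denied
```

Run it against the real path with the user and groups from libvirt's qemu.conf (swtpm_user/swtpm_group) to see which of the two ownerships a backport would have to reconcile.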