$ sudo apt install swtpm-tools
# Add to the guest a tpm2 emulation
<tpm model='tpm-tis'>
<backend type='emulator' version='2.0'/>
</tpm>
It is important to realize that the switch of swtpm-tools itself
to swtpm:swtpm broke usage with libvirt (up to this upload).
That is because /var/lib/dpkg/info/swtpm-tools.postinst now sets
$ sudo ls -laFd /var/lib/swtpm-localca
drwxr-x--- 2 swtpm root 4096 Nov 15 13:38 /var/lib/swtpm-localca/
Due to that the default config of libvirt (that was tss:tss) now fails via
$ virsh start f-tpm
error: Failed to start domain 'f-tpm'
error: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1;
Check error log '/var/log/swtpm/libvirt/qemu/f-tpm-swtpm.log' for details.
ubuntu@node-horsea:~$ sudo cat /var/log/swtpm/libvirt/qemu/f-tpm-swtpm.log
Starting vTPM manufacturing as tss:tss @ Mon 15 Nov 2021 01:38:53 PM UTC
Successfully created RSA 2048 EK with handle 0x81010001.
Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek 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 --dir /var/lib/libvirt/swtpm/65113265-34d6-4358-b562-4d7508d6ff17/tpm2 --logfile /var/log/swtpm/libvirt/qemu/f-tpm-swtpm.log --vmid f-tpm:65113265-34d6-4358-b562-4d7508d6ff17 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Need read/write rights on statedir /var/lib/swtpm-localca for user tss.
swtpm-localca exit with status 256:
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon 15 Nov 2021 01:38:53 PM UTC
That is ok for Jammy, but we need to think what we want in backports to Focal.
If people used swtpm from a PPA or snap before then the chmod in the postinst
will break running and starting guests.
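The failure above comes down to a plain permission mismatch: the statedir is swtpm:root 0750 while libvirt runs swtpm_setup as tss:tss. The following script is an added example, not part of this bug report or of swtpm/libvirt, that reproduces swtpm-localca's "Need read/write rights on statedir" decision for a given owner/group/mode and user, and then applies it to the live directory using the swtpm_user key from /etc/libvirt/qemu.conf (defaulting to tss as described above).

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether USER has read+write
# access to a directory owned by OWNER:GROUP with octal MODE, the same
# condition swtpm-localca reports as "Need read/write rights on statedir".
# Usage: statedir_rw_check OWNER GROUP MODE USER "GROUP1 GROUP2 ..."
# Prints "ok" or "denied" and returns 0 or 1 accordingly.
statedir_rw_check() {
    owner=$1; group=$2; mode=$3; user=$4; groups=$5
    # keep only the rwx triplets; drops a leading setgid/sticky digit (e.g. 2750)
    mode=$(printf '%s' "$mode" | tail -c 3)
    if [ "$owner" = "$user" ]; then
        perm=${mode%??}                 # owner digit
    else
        case " $groups " in
            *" $group "*) t=${mode%?}; perm=${t#?} ;;   # group digit
            *)            perm=${mode#??} ;;           # other digit
        esac
    fi
    # read (4) and write (2) both required: only 6 or 7 qualify
    case $perm in
        6|7) echo ok; return 0 ;;
        *)   echo denied; return 1 ;;
    esac
}

# Live check on a Linux host with GNU stat: compares the statedir chmod'ed by
# the swtpm-tools postinst against the user libvirt starts swtpm as.
check_live() {
    dir=${1:-/var/lib/swtpm-localca}
    user=$(sed -n 's/^swtpm_user *= *"\(.*\)".*/\1/p' /etc/libvirt/qemu.conf 2>/dev/null)
    user=${user:-tss}                   # libvirt default, as in the log above
    set -- $(stat -c '%U %G %a' "$dir") || return 2
    statedir_rw_check "$1" "$2" "$3" "$user" "$(id -Gn "$user" 2>/dev/null)"
}
```

Run `check_live` on an affected host: it prints "denied" for the swtpm:root 0750 statedir shown above, and "ok" once the owner, group membership or mode is adjusted so that the libvirt swtpm user can write there.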
Paths if used with libvirt before the upgrade