[FFe] secure boot: TPM version '2.0' is not supported
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Invalid | Critical | Lena Voytek |
Lunar | Invalid | Critical | Lena Voytek |
swtpm (Ubuntu) | Fix Released | Critical | Lena Voytek |
Lunar | Fix Released | Critical | Lena Voytek |

Bug Description
Dear Release Team,
Please accept this update to swtpm to version 0.7.3 as a Lunar FFe.
PPA: https:/
[Rationale]
Virtual machines with secure boot capabilities currently cannot be created in Lunar. This includes Windows 11 and other VMs secured with TPM. This is caused by the current version of swtpm not reporting that it has TPM 1.0 and TPM 2.0 capabilities. The best way to fix this alongside Lunar's version of libvirt is to update swtpm to the supported upstream version 0.7.3 from 0.6.3.
[Regression Potential]
Since this is a version update, issues can be caused by upstream changes. These would most likely be related to changes in swtpm_setup and swtpm_localca, which have seen a decent amount of updates and fixes between versions. swtpm itself has also had various bug fixes between versions that may change behavior.
[Proposed upload]
Code: https:/
Build: https:/
[Tests]
autopkgtest output:
=======
Testsuite summary for swtpm 0.7.3
=======
# TOTAL: 68
# PASS: 57
# SKIP: 11
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
=======
make[3]: Leaving directory '/tmp/autopkgte
make[2]: Leaving directory '/tmp/autopkgte
make[1]: Leaving directory '/tmp/autopkgte
make[1]: Entering directory '/tmp/autopkgte
make[1]: Leaving directory '/tmp/autopkgte
autopkgtest [10:05:55]: test run-tests: -------
run-tests PASS
autopkgtest [10:05:56]: test run-tests: - - - - - - - - - - results - - - - - - - - - -
autopkgtest [10:05:57]: @@@@@@@
run-tests PASS
[Original Description]
[Impact]
Trying to create a VM with secure boot enabled in lunar always returns the following error:
ERROR unsupported configuration: TPM version '2.0' is not supported
This is quite critical, because it makes it impossible to test secure boot inside VMs using lunar as host.
[Test case]
$ virt-install --name lunar_secure --arch x86_64 --feature smm=on --boot loader=
Starting install...
ERROR unsupported configuration: TPM version '2.0' is not supported
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///system start lunar_secure
otherwise, please restart your installation.
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: libvirt-daemon 9.0.0-2ubuntu1
ProcVersionSign
Uname: Linux 6.2.0-17-generic x86_64
ApportVersion: 2.26.0-0ubuntu2
Architecture: amd64
CasperMD5CheckR
Date: Fri Mar 17 07:31:37 2023
InstallationDate: Installed on 2022-07-25 (234 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220724)
SourcePackage: libvirt
UpgradeStatus: Upgraded to lunar on 2023-02-11 (33 days ago)
modified.
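An added example (not from the bug report, swtpm, or libvirt): it checks a `--print-capabilities` JSON document for the `tpm-1.2` and `tpm-2.0` feature strings, the capability reporting that the rationale above says the older swtpm lacks. The two sample documents are constructed, and it is an assumption here that these feature strings are what the management layer looks for before accepting a TPM version.

```python
import json
import shutil
import subprocess

# Feature strings that swtpm 0.7+ lists in its --print-capabilities JSON
# (assumption: these are what the management layer checks for).
VERSION_FEATURES = {"1.2": "tpm-1.2", "2.0": "tpm-2.0"}

# Constructed sample documents, not captured from a real host.
SAMPLE_OLD = ('{"type": "swtpm_setup", '
              '"features": ["cmdarg-keyfile-fd", "cmdarg-pwdfile-fd"]}')
SAMPLE_NEW = ('{"type": "swtpm_setup", "features": ["cmdarg-keyfile-fd", '
              '"tpm-1.2", "tpm-2.0"], "version": "0.7.3"}')


def advertised_tpm_versions(caps_json):
    """Return the set of TPM versions a capabilities document advertises."""
    try:
        features = json.loads(caps_json).get("features", [])
    except (ValueError, AttributeError, TypeError):
        return set()  # unparsable or non-object output advertises nothing
    if not isinstance(features, list):
        return set()
    return {ver for ver, feat in VERSION_FEATURES.items() if feat in features}


def check_host(wanted="2.0", binary="swtpm_setup"):
    """Query the installed binary; None means it is not installed."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--print-capabilities"],
                         capture_output=True, text=True, timeout=10).stdout
    return wanted in advertised_tpm_versions(out)


if __name__ == "__main__":
    for name, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, sorted(advertised_tpm_versions(sample)))
    print("this host advertises TPM 2.0:", check_host())
```

A `False` from `check_host()` on a host that shows the error above points at the installed swtpm package rather than at the domain configuration.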
Related branches
- git-ubuntu bot: Approve
- Robie Basak: Approve
- Canonical Server Reporter: Pending requested
Diff: 12000 lines (+5652/-1392), 191 files modified
.github/ISSUE_TEMPLATE/bug_report.md (+3/-0)
.gitignore (+5/-4)
.travis.yml (+0/-1)
CHANGES (+41/-18)
INSTALL (+4/-3)
Makefile.am (+0/-1)
configure.ac (+60/-29)
debian/changelog (+19/-0)
debian/clean (+3/-0)
debian/control (+0/-2)
debian/patches/no-autoconf-in-debian.patch (+5/-7)
debian/patches/openssl-not-certtool.patch (+23/-23)
debian/patches/series (+0/-1)
debian/rules (+6/-0)
debian/swtpm-tools.install (+5/-2)
dev/null (+0/-51)
include/Makefile.am (+2/-0)
include/compiler_dependencies.h (+17/-0)
include/swtpm/tpm_ioctl.h (+4/-0)
include/sys_dependencies.h (+8/-0)
man/man8/Makefile.am (+14/-8)
man/man8/swtpm-create-tpmca.pod (+6/-6)
man/man8/swtpm-localca.8 (+1/-0)
man/man8/swtpm-localca.conf.pod (+3/-3)
man/man8/swtpm-localca.options.pod (+2/-2)
man/man8/swtpm.pod (+75/-10)
man/man8/swtpm_cert.pod (+4/-1)
man/man8/swtpm_cuse.pod (+4/-1)
man/man8/swtpm_localca.pod (+4/-4)
man/man8/swtpm_setup.conf.pod (+6/-0)
man/man8/swtpm_setup.pod (+98/-12)
samples/Makefile.am (+6/-32)
samples/swtpm-create-user-config-files.in (+7/-60)
samples/swtpm-localca.in (+5/-0)
samples/swtpm_setup.conf.in (+3/-1)
src/Makefile.am (+1/-0)
src/selinux/Makefile.am (+1/-1)
src/swtpm/Makefile.am (+13/-6)
src/swtpm/capabilities.c (+21/-4)
src/swtpm/common.c (+65/-16)
src/swtpm/common.h (+4/-2)
src/swtpm/ctrlchannel.c (+3/-3)
src/swtpm/cuse_tpm.c (+74/-41)
src/swtpm/daemonize.c (+302/-0)
src/swtpm/daemonize.h (+6/-5)
src/swtpm/mainloop.c (+12/-6)
src/swtpm/seccomp_profile.c (+3/-1)
src/swtpm/swtpm.c (+61/-32)
src/swtpm/swtpm_aes.c (+84/-44)
src/swtpm/swtpm_chardev.c (+62/-33)
src/swtpm/swtpm_nvstore.c (+174/-317)
src/swtpm/swtpm_nvstore.h (+40/-16)
src/swtpm/swtpm_nvstore_dir.c (+527/-0)
src/swtpm/swtpm_nvstore_linear.c (+480/-0)
src/swtpm/swtpm_nvstore_linear.h (+83/-0)
src/swtpm/swtpm_nvstore_linear_file.c (+295/-0)
src/swtpm/tlv.c (+10/-4)
src/swtpm/tpmlib.c (+11/-9)
src/swtpm/tpmstate.c (+39/-16)
src/swtpm/tpmstate.h (+7/-2)
src/swtpm/utils.c (+1/-1)
src/swtpm/utils.h (+10/-2)
src/swtpm_bios/tpm_bios.c (+2/-2)
src/swtpm_cert/ek-cert.c (+17/-15)
src/swtpm_ioctl/tpm_ioctl.c (+3/-6)
src/swtpm_localca/Makefile.am (+38/-0)
src/swtpm_localca/swtpm_localca.c (+31/-42)
src/swtpm_localca/swtpm_localca_utils.c (+21/-0)
src/swtpm_localca/swtpm_localca_utils.h (+2/-0)
src/swtpm_setup/Makefile.am (+4/-3)
src/swtpm_setup/swtpm.c (+120/-58)
src/swtpm_setup/swtpm.h (+13/-3)
src/swtpm_setup/swtpm_backend_dir.c (+118/-0)
src/swtpm_setup/swtpm_backend_file.c (+108/-0)
src/swtpm_setup/swtpm_setup.c (+415/-208)
src/swtpm_setup/swtpm_setup_conf.h.in (+3/-0)
src/swtpm_setup/swtpm_setup_utils.c (+151/-2)
src/swtpm_setup/swtpm_setup_utils.h (+2/-0)
src/utils/swtpm_utils.c (+23/-0)
src/utils/swtpm_utils.h (+6/-1)
swtpm.spec (+15/-10)
swtpm.spec.in (+14/-9)
tests/Makefile.am (+27/-12)
tests/_test_encrypted_state (+1/-1)
tests/_test_getcap (+1/-1)
tests/_test_hashing (+1/-1)
tests/_test_hashing2 (+1/-1)
tests/_test_init (+1/-1)
tests/_test_locality (+1/-1)
tests/_test_migration_key (+3/-3)
tests/_test_print_capabilities (+6/-6)
tests/_test_print_states (+70/-0)
tests/_test_save_load_encrypted_state (+3/-3)
tests/_test_save_load_state (+60/-8)
tests/_test_setbuffersize (+1/-1)
tests/_test_swtpm_bios (+1/-1)
tests/_test_tpm2_encrypted_state (+1/-1)
tests/_test_tpm2_file_permissions (+255/-0)
tests/_test_tpm2_getcap (+1/-1)
tests/_test_tpm2_hashing (+1/-1)
tests/_test_tpm2_hashing2 (+1/-1)
tests/_test_tpm2_hashing3 (+1/-1)
tests/_test_tpm2_init (+1/-1)
tests/_test_tpm2_locality (+1/-1)
tests/_test_tpm2_migration_key (+4/-4)
tests/_test_tpm2_print_capabilities (+5/-5)
tests/_test_tpm2_print_states (+70/-0)
tests/_test_tpm2_probe (+1/-1)
tests/_test_tpm2_resume_volatile (+1/-1)
tests/_test_tpm2_save_load_encrypted_state (+3/-3)
tests/_test_tpm2_save_load_state (+2/-2)
tests/_test_tpm2_save_load_state_da_timeout (+19/-7)
tests/_test_tpm2_savestate (+1/-1)
tests/_test_tpm2_setbuffersize (+1/-1)
tests/_test_tpm2_swtpm_bios (+1/-1)
tests/_test_tpm2_volatilestate (+1/-1)
tests/_test_tpm2_wrongorder (+1/-1)
tests/_test_tpm_probe (+1/-1)
tests/_test_volatilestate (+1/-1)
tests/_test_wrongorder (+1/-1)
tests/common (+91/-10)
tests/test_commandline (+67/-3)
tests/test_ctrlchannel (+7/-5)
tests/test_ctrlchannel2 (+7/-5)
tests/test_ctrlchannel3 (+2/-1)
tests/test_ctrlchannel4 (+3/-1)
tests/test_encrypted_state (+5/-0)
tests/test_getcap (+5/-0)
tests/test_hashing (+5/-0)
tests/test_hashing2 (+5/-0)
tests/test_init (+5/-0)
tests/test_locality (+5/-0)
tests/test_migration_key (+5/-0)
tests/test_parameters (+3/-2)
tests/test_print_capabilities (+5/-0)
tests/test_print_states (+20/-0)
tests/test_resume_volatile (+5/-0)
tests/test_samples_create_tpmca (+3/-2)
tests/test_save_load_encrypted_state (+5/-0)
tests/test_save_load_state (+16/-0)
tests/test_setbuffersize (+5/-0)
tests/test_setdatafd.py (+0/-3)
tests/test_swtpm_bios (+5/-0)
tests/test_swtpm_cert (+3/-4)
tests/test_swtpm_setup_create_cert (+33/-8)
tests/test_swtpm_setup_file_backend (+112/-0)
tests/test_swtpm_setup_misc (+79/-0)
tests/test_swtpm_setup_overwrite (+114/-0)
tests/test_tpm12 (+3/-2)
tests/test_tpm2_ctrlchannel2 (+3/-1)
tests/test_tpm2_derived_keys (+5/-0)
tests/test_tpm2_encrypted_state (+5/-0)
tests/test_tpm2_file_permissions (+41/-0)
tests/test_tpm2_getcap (+5/-0)
tests/test_tpm2_hashing (+5/-0)
tests/test_tpm2_hashing2 (+5/-0)
tests/test_tpm2_hashing3 (+5/-0)
tests/test_tpm2_ibmtss2 (+14/-2)
tests/test_tpm2_init (+5/-0)
tests/test_tpm2_locality (+5/-0)
tests/test_tpm2_migration_key (+5/-0)
tests/test_tpm2_parameters (+15/-9)
tests/test_tpm2_partial_reads (+2/-1)
tests/test_tpm2_print_capabilities (+5/-0)
tests/test_tpm2_print_states (+29/-0)
tests/test_tpm2_probe (+5/-0)
tests/test_tpm2_resume_volatile (+5/-0)
tests/test_tpm2_samples_create_tpmca.test (+2/-2)
tests/test_tpm2_save_load_encrypted_state (+5/-0)
tests/test_tpm2_save_load_state (+5/-0)
tests/test_tpm2_save_load_state_2 (+19/-5)
tests/test_tpm2_save_load_state_2_block (+36/-0)
tests/test_tpm2_save_load_state_2_linear (+5/-0)
tests/test_tpm2_save_load_state_3 (+3/-1)
tests/test_tpm2_save_load_state_da_timeout (+5/-0)
tests/test_tpm2_savestate (+5/-0)
tests/test_tpm2_setbuffersize (+5/-0)
tests/test_tpm2_swtpm_bios (+5/-0)
tests/test_tpm2_swtpm_cert (+1/-1)
tests/test_tpm2_swtpm_cert_ecc (+1/-1)
tests/test_tpm2_swtpm_localca (+2/-2)
tests/test_tpm2_swtpm_localca_pkcs11.test (+4/-2)
tests/test_tpm2_swtpm_setup_create_cert (+124/-37)
tests/test_tpm2_swtpm_setup_overwrite (+117/-0)
tests/test_tpm2_volatilestate (+5/-0)
tests/test_tpm2_vtpm_proxy (+3/-1)
tests/test_tpm2_wrongorder (+5/-0)
tests/test_tpm_probe (+5/-0)
tests/test_volatilestate (+5/-0)
tests/test_vtpm_proxy (+3/-1)
tests/test_wrongorder (+5/-0)
Changed in libvirt (Ubuntu Lunar):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Lunar):
assignee: nobody → Lena Voytek (lvoytek)
status: Confirmed → In Progress
description: updated
summary:
- secure boot: TPM version '2.0' is not supported
+ [FFe] secure boot: TPM version '2.0' is not supported
Changed in libvirt (Ubuntu Lunar):
status: Confirmed → Invalid
Changed in swtpm (Ubuntu Lunar):
importance: Undecided → Critical
status: In Progress → New
Changed in swtpm (Ubuntu Lunar):
status: Triaged → Fix Committed
Status changed to 'Confirmed' because the bug affects multiple users.