Allow non-owned lockfile writes in /var/lib/libvirt/swtpm/

Bug #2072524 reported by Lena Voytek
Affects          Status                      Importance   Assigned to    Milestone
swtpm (Ubuntu)   Status tracked in Oracular
  Jammy          Fix Committed               Undecided    Lena Voytek
  Mantic         Won't Fix                   Undecided    Lena Voytek
  Noble          Fix Committed               Undecided    Lena Voytek
  Oracular       Fix Released                Undecided    Lena Voytek

Bug Description

[Impact]

The default apparmor profile for swtpm blocks access to libvirt TPM2 NVRAM state lockfiles. This causes denials for users who want to view TPM states via swtpm's socket API.

The fix for this should be backported so print-states for libvirt TPM works for users by default.

The issue is fixed by adding non-owner write permissions to the /var/lib/libvirt/swtpm/ directory.

[Test Plan]

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm virt-manager apparmor -y

# Create a VM with virt-manager that uses a TPM2 device and start it.
# A directory named after the VM's UUID will show up in /var/lib/libvirt/swtpm/, such as:
# /var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5

# Before fix
$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
swtpm: SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied

# After fix
$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
{ "type": "swtpm", "states": [] }

[Where problems could occur]

This change gives swtpm broader access to /var/lib/libvirt/swtpm/. If malicious code were to run within swtpm, it would be able to modify and write to files in that directory that were created by other processes.

Likewise, because the apparmor profile changes, users who modified the profile directly will see a conflict on update.

[Other Info]

The issue was fixed in oracular in 0.7.3-0ubuntu7.

[Original Description]

Based on the upstream comment here - https://github.com/stefanberger/swtpm/issues/852#issuecomment-2156039973 - users are having issues with apparmor denials when attempting to use TPM2 NVRAM state lockfiles. This is due to the file not being owned by the swtpm user. The issue is fixed by allowing write access to non-owned lock files in /var/lib/libvirt/swtpm/. This was fixed upstream in my PR here - https://github.com/stefanberger/swtpm/pull/868
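The denial in the Test Plan above is an AppArmor denial on a lockfile owned by a different uid than the swtpm process. The script below is an added example, not part of the bug report or of the swtpm project: it classifies constructed AppArmor audit lines so that the owner-mismatch lockfile case can be told apart from other denials. It assumes swtpm's lockfile is named .lock inside the tpmstate directory and that denials appear in the standard AppArmor audit format; the uuid, pids and uids in the sample lines are made up.

```shell
# Added example, not from the bug report or the swtpm project: classify AppArmor
# audit denials for swtpm lockfiles under /var/lib/libvirt/swtpm/. Assumes the
# lockfile is named .lock in the tpmstate directory (assumption, not from the page).
# Constructed sample audit lines (uuid, pids and uids are made up).
LINE_MISMATCH='audit: type=1400 audit(1720500000.123:45): apparmor="DENIED" operation="open" profile="swtpm" name="/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2/.lock" pid=4242 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=64055'
LINE_PERMALL='audit: type=1400 audit(1720500001.456:46): apparmor="DENIED" operation="open" profile="swtpm" name="/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2/tpm2-00.permall" pid=4242 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=64055'
LINE_OWNED='audit: type=1400 audit(1720500002.789:47): apparmor="DENIED" operation="open" profile="swtpm" name="/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2/.lock" pid=4243 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=64055 ouid=64055'
SAMPLE_LOG="$LINE_MISMATCH
$LINE_PERMALL
$LINE_OWNED"

# field KEY LINE: print the value of KEY=value or KEY="value" from an audit line.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# classify_denial LINE: prints not-denied, other, lockfile-owned or
# lockfile-owner-mismatch (a write to a .lock file owned by a different uid).
classify_denial() {
    case $1 in
        *'apparmor="DENIED"'*) ;;
        *) echo not-denied; return ;;
    esac
    case $(field name "$1") in
        /var/lib/libvirt/swtpm/*/.lock) ;;
        *) echo other; return ;;
    esac
    case $(field denied_mask "$1") in
        *w*) ;;
        *) echo other; return ;;
    esac
    if [ "$(field fsuid "$1")" = "$(field ouid "$1")" ]; then
        echo lockfile-owned
    else
        echo lockfile-owner-mismatch
    fi
}

# count_owner_mismatch: number of owner-mismatch lockfile denials in SAMPLE_LOG.
count_owner_mismatch() {
    n=0
    while IFS= read -r l; do
        if [ "$(classify_denial "$l")" = lockfile-owner-mismatch ]; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$n"
}

echo "owner-mismatch lockfile denials: $(count_owner_mismatch)"
```

On a real host the same functions can be fed the output of `journalctl -k` or `dmesg` instead of SAMPLE_LOG.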

Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Jammy):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Mantic):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Noble):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Oracular):
assignee: nobody → Lena Voytek (lvoytek)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package swtpm - 0.7.3-0ubuntu7

---------------
swtpm (0.7.3-0ubuntu7) oracular; urgency=medium

  * d/usr.bin.swtpm:
    - Add sys_admin capability to apparmor profile to allow access to kernel
      modules such as tpm_vtpm_proxy (LP: #2071478)
    - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
      apparmor denials when working with TPM2 locks (LP: #2072524)

 -- Lena Voytek <email address hidden> Tue, 09 Jul 2024 06:06:00 -0700

Changed in swtpm (Ubuntu Oracular):
status: In Progress → Fix Released
Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Jammy):
status: New → In Progress
Changed in swtpm (Ubuntu Mantic):
status: New → In Progress
Changed in swtpm (Ubuntu Noble):
status: New → In Progress
Lena Voytek (lvoytek) wrote :

Removing mantic - eol

Changed in swtpm (Ubuntu Mantic):
status: In Progress → Won't Fix
Lena Voytek (lvoytek)
description: updated
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Lena, or anyone else affected,

Accepted swtpm into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/swtpm/0.6.3-0ubuntu3.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in swtpm (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Changed in swtpm (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed-noble
Timo Aaltonen (tjaalton) wrote :

Hello Lena, or anyone else affected,

Accepted swtpm into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/swtpm/0.7.3-0ubuntu5.24.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (swtpm/0.6.3-0ubuntu3.3)

All autopkgtests for the newly accepted swtpm (0.6.3-0ubuntu3.3) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

swtpm/0.6.3-0ubuntu3.3 (armhf)
swtpm/unknown (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#swtpm

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Lena Voytek (lvoytek) wrote :

Verified for noble and jammy:

Enabled proposed then created a windows 11 vm with virt-manager using the TPM v2.0 addition.
Started the vm, then ran:

$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/aa5b37e8-6edf-4f2e-8550-7316cab991c6/tpm2,mode=0600
{ "type": "swtpm", "states": [] }

tags: added: verification-done verification-done-jammy verification-done-noble
removed: verification-needed verification-needed-jammy verification-needed-noble
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (swtpm/0.7.3-0ubuntu5.24.04.1)

All autopkgtests for the newly accepted swtpm (0.7.3-0ubuntu5.24.04.1) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

swtpm/unknown (s390x)
tpm2-pytss/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#swtpm

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!
