| 2024-07-08 23:00:18 |
Lena Voytek |
bug |
|
|
added bug |
| 2024-07-08 23:00:28 |
Lena Voytek |
nominated for series |
|
Ubuntu Mantic |
|
| 2024-07-08 23:00:28 |
Lena Voytek |
bug task added |
|
swtpm (Ubuntu Mantic) |
|
| 2024-07-08 23:00:28 |
Lena Voytek |
nominated for series |
|
Ubuntu Noble |
|
| 2024-07-08 23:00:28 |
Lena Voytek |
bug task added |
|
swtpm (Ubuntu Noble) |
|
| 2024-07-08 23:00:28 |
Lena Voytek |
nominated for series |
|
Ubuntu Oracular |
|
| 2024-07-08 23:00:28 |
Lena Voytek |
bug task added |
|
swtpm (Ubuntu Oracular) |
|
| 2024-07-08 23:00:28 |
Lena Voytek |
nominated for series |
|
Ubuntu Jammy |
|
| 2024-07-08 23:00:28 |
Lena Voytek |
bug task added |
|
swtpm (Ubuntu Jammy) |
|
| 2024-07-08 23:00:32 |
Lena Voytek |
swtpm (Ubuntu Jammy): assignee |
|
Lena Voytek (lvoytek) |
|
| 2024-07-08 23:00:34 |
Lena Voytek |
swtpm (Ubuntu Mantic): assignee |
|
Lena Voytek (lvoytek) |
|
| 2024-07-08 23:00:36 |
Lena Voytek |
swtpm (Ubuntu Noble): assignee |
|
Lena Voytek (lvoytek) |
|
| 2024-07-08 23:00:37 |
Lena Voytek |
swtpm (Ubuntu Oracular): assignee |
|
Lena Voytek (lvoytek) |
|
| 2024-07-08 23:00:41 |
Lena Voytek |
swtpm (Ubuntu Oracular): status |
New |
In Progress |
|
| 2024-07-09 00:46:22 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/468957 |
|
| 2024-07-09 17:56:30 |
Launchpad Janitor |
swtpm (Ubuntu Oracular): status |
In Progress |
Fix Released |
|
| 2024-07-09 17:58:10 |
Lena Voytek |
swtpm (Ubuntu Jammy): status |
New |
In Progress |
|
| 2024-07-09 17:58:12 |
Lena Voytek |
swtpm (Ubuntu Mantic): status |
New |
In Progress |
|
| 2024-07-09 17:58:14 |
Lena Voytek |
swtpm (Ubuntu Noble): status |
New |
In Progress |
|
| 2024-07-17 14:59:03 |
Lena Voytek |
swtpm (Ubuntu Mantic): status |
In Progress |
Won't Fix |
|
| 2024-07-30 22:08:49 |
Lena Voytek |
description |
Based on the upstream comment here - https://github.com/stefanberger/swtpm/issues/852#issuecomment-2156039973 - users are having issues with apparmor denials when attempting to use TPM2 NVRAM state lockfiles. This is due to the file not being owned by the swtpm user. The issue is fixed by allowing write access to non-owned lock files in /var/lib/libvirt/swtpm/. This was fixed upstream in my pr here - https://github.com/stefanberger/swtpm/pull/868 |
[Impact]
The default apparmor profile for swtpm blocks access to libvirt TPM2 NVRAM state lockfiles. This causes denials for users who want to view TPM states via swtpm's socket API.
The fix for this should be backported so print-states for libvirt TPM works for users by default.
The issue is fixed by adding non-owner write permissions to the /var/lib/libvirt/swtpm/ directory.
[Test Plan]
$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm virt-manager apparmor -y
# Create a vm with virt-manager that uses a TPM2 device and start it
# A directory will show up in /var/lib/libvirt/swtpm/ using the vm's ID, such as:
# /var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5
# Before fix
$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
swtpm: SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied
# After fix
$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
{ "type": "swtpm", "states": [] }
[Where problems could occur]
This change will provide swtpm greater access to /var/lib/libvirt/swtpm/. So if malicious code were to exist within swtpm, it would be able to modify and write to files in the directory created by other processes.
Likewise, with a change to the apparmor profile, a conflict will occur on update for users that modified their profile directly.
[Other Info]
The issue was fixed in oracular in 0.7.3-0ubuntu7.
[Original Description]
Based on the upstream comment here - https://github.com/stefanberger/swtpm/issues/852#issuecomment-2156039973 - users are having issues with apparmor denials when attempting to use TPM2 NVRAM state lockfiles. This is due to the file not being owned by the swtpm user. The issue is fixed by allowing write access to non-owned lock files in /var/lib/libvirt/swtpm/. This was fixed upstream in my pr here - https://github.com/stefanberger/swtpm/pull/868 |
|
| 2024-07-30 22:30:59 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/470383 |
|
| 2024-07-30 22:33:18 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/470384 |
|
| 2024-08-09 05:24:36 |
Timo Aaltonen |
swtpm (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
| 2024-08-09 05:24:38 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2024-08-09 05:24:39 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
| 2024-08-09 05:24:43 |
Timo Aaltonen |
tags |
|
verification-needed verification-needed-jammy |
|
| 2024-08-09 05:25:40 |
Timo Aaltonen |
swtpm (Ubuntu Noble): status |
In Progress |
Fix Committed |
|
| 2024-08-09 05:25:44 |
Timo Aaltonen |
tags |
verification-needed verification-needed-jammy |
verification-needed verification-needed-jammy verification-needed-noble |
|
| 2024-08-09 14:42:29 |
Lena Voytek |
tags |
verification-needed verification-needed-jammy verification-needed-noble |
verification-done verification-done-jammy verification-done-noble |
|
