[Bug 1968131] Re: Starting VM with UEFI firmware fails with swtpm

Christian Ehrhardt  1968131 at bugs.launchpad.net
Thu Apr 7 13:47:54 UTC 2022


In a set of cross checks I ran it as

#1 root, but this time in /home/ubuntu instead of in /root.

I got:
  lrwxrwxrwx 1 root root 0 Apr  7 13:40 /proc/11805/cwd -> /home/ubuntu/
And afterwards
  -rw------- 1 root root 1024 Apr  7 13:40 /home/ubuntu/.rnd

So it fully ignores $HOME.

So the root cause of the problem is that it wants to access some
"$CWD/.rnd", but not where it is supposed to do so.


#2 user swtpm being in /var/lib/swtpm

This showed that this user works fine if it uses the right paths.

ubuntu@swtpm-jammy:/var/lib/swtpm$ sudo -u swtpm -E HOME=/var/lib/swtpm /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek 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 --dir /tmp/test --vmid testguest:202a34a9-2ee2-4826-b206-c249f535be90 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
ubuntu@swtpm-jammy:/var/lib/swtpm$ ll /tmp/test
total 20
drwxrwxr-x  2 swtpm swtpm 4096 Apr  7 13:44 ./
drwxrwxrwt 14 root  root  4096 Apr  7 13:44 ../
-rw-------  1 swtpm swtpm 1053 Apr  7 13:44 ek.cert
ubuntu@swtpm-jammy:/var/lib/swtpm$ sudo ls -laF /var/lib/swtpm-localca/
total 56
drwxr-x---  2 swtpm root  4096 Apr  7 13:44 ./
drwxr-xr-x 44 root  root  4096 Apr  7 13:17 ../
-rwxr-xr-x  1 swtpm swtpm    0 Apr  7 10:50 .lock.swtpm-localca*
-rw-rw-r--  1 swtpm swtpm 5519 Apr  7 13:44 01.pem
-rw-rw-r--  1 swtpm swtpm    1 Apr  7 13:44 certserial
-rw-rw-r--  1 swtpm swtpm   48 Apr  7 13:44 index.txt
-rw-rw-r--  1 swtpm swtpm   21 Apr  7 13:44 index.txt.attr
-rw-rw-r--  1 swtpm swtpm    0 Apr  7 13:44 index.txt.old
-rw-rw-r--  1 swtpm swtpm 5519 Apr  7 13:44 issuercert.pem
-rw-rw-r--  1 swtpm swtpm    3 Apr  7 13:44 serial
-rw-rw-r--  1 swtpm swtpm    3 Apr  7 13:44 serial.old
-rw-r-----  1 swtpm swtpm 2459 Apr  7 13:44 signkey.pem
-rw-rw-r--  1 swtpm swtpm 1468 Apr  7 13:44 swtpm-localca-rootca-cert.pem
-rw-r-----  1 swtpm swtpm 2455 Apr  7 13:44 swtpm-localca-rootca-privkey.pem

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1968131

Title:
  Starting VM with UEFI firmware fails with swtpm

Status in libvirt package in Ubuntu:
  Invalid
Status in swtpm package in Ubuntu:
  Confirmed
Status in virt-manager package in Ubuntu:
  Invalid
Status in libvirt source package in Jammy:
  Invalid
Status in swtpm source package in Jammy:
  Confirmed
Status in virt-manager source package in Jammy:
  Invalid

Bug description:
  https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu6 introduced
  a recommendation to "swtpm", so this package now gets installed by
  default when installing libvirt. But this broke UEFI:

    touch /var/lib/libvirt/empty.iso
    virt-install --name t1 --os-variant fedora28 --memory 128 --wait -1 --noautoconsole --disk 'size=0.25,format=qcow2' --cdrom /var/lib/libvirt/empty.iso --boot uefi

  This fails:

  WARNING  Requested memory 128 MiB is less than the recommended 1024
  MiB for OS fedora28

  Starting install...
  Allocating 't1.qcow2'   |    0 B  00:00:00 ...
  Removing disk 't1.qcow2'   |    0 B  00:00:00
  ERROR    internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/t1-swtpm.log' for details.
  Domain installation does not appear to have been successful.

  
  # cat /var/log/swtpm/libvirt/qemu/t1-swtpm.log
  Starting vTPM manufacturing as swtpm:swtpm @ Thu 07 Apr 2022 07:11:55 AM UTC
  Successfully created RSA 2048 EK with handle 0x81010001.
    Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek 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 --dir /var/lib/libvirt/swtpm/ade6145c-3d22-46d8-8bbc-29792e4cfa0c/tpm2 --logfile /var/log/swtpm/libvirt/qemu/t1-swtpm.log --vmid t1:ade6145c-3d22-46d8-8bbc-29792e4cfa0c --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
  Creating root CA and a local CA's signing key and issuer cert.
  Could not create root-CA:Can't load ./.rnd into RNG
  40D7AD231A7F0000:error:12000079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:106:Filename=./.rnd
  Cannot write random bytes:
  40D7AD231A7F0000:error:12000079:random number generator:RAND_write_file:Cannot open file:../crypto/rand/randfile.c:240:Filename=./.rnd

  Error creating local CA's signing key and cert.
  swtpm-localca exit with status 1: 
  An error occurred. Authoring the TPM state failed.
  Ending vTPM manufacturing @ Thu 07 Apr 2022 07:11:56 AM UTC

  When I uninstall swtpm, the domain creation/starting works (of course
  it does not actually do anything due to the fake empty iso, but it
  does get past that bug).
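A preflight check for the failure diagnosed in this thread, added here as an example and not code from swtpm or from the people in the thread: it takes the working directory a process like swtpm-localca will run in (or a PID, whose cwd is read from /proc, so a Linux system is assumed) and reports whether ./.rnd can be opened and rewritten there by the current user, including the case of a stale root-owned 0600 .rnd left behind by an earlier run, as seen in the cross check above.

```shell
#!/bin/sh
# Added preflight check (not part of swtpm): mirrors the two failures in the
# log, RAND_load_file opening ./.rnd (only if it already exists) and
# RAND_write_file creating or rewriting it in the process's cwd.

# Print the current working directory of a running process (Linux /proc).
proc_cwd() {
    readlink "/proc/$1/cwd" 2>/dev/null
}

# Return 0 if ./.rnd can be read and (re)written in directory $1 by the
# current user. Other codes: 1 not a directory, 2 a stale .rnd exists but is
# not readable+writable, 3 no .rnd yet and the directory is not writable.
check_rnd_writable() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "check: $dir is not a directory" >&2
        return 1
    fi
    if [ -e "$dir/.rnd" ]; then
        # e.g. a root-owned 0600 .rnd left by a run as a different user
        if [ ! -r "$dir/.rnd" ] || [ ! -w "$dir/.rnd" ]; then
            echo "check: stale $dir/.rnd not readable+writable by $(id -un)" >&2
            return 2
        fi
    elif [ ! -w "$dir" ]; then
        echo "check: $(id -un) cannot create .rnd in $dir" >&2
        return 3
    fi
    return 0
}

# Check the cwd of a live process by PID (the /proc/<pid>/cwd step above).
check_process_rnd() {
    cwd=$(proc_cwd "$1")
    [ -n "$cwd" ] || { echo "check: no cwd for pid $1" >&2; return 1; }
    echo "pid $1 cwd: $cwd"
    check_rnd_writable "$cwd"
}

# Demo on constructed temp dirs: a fresh dir passes, a missing dir fails.
demo() {
    tmp=$(mktemp -d)
    check_rnd_writable "$tmp" && echo "ok: $tmp"
    check_rnd_writable "$tmp/missing" || echo "expected failure: $tmp/missing"
    rm -rf "$tmp"
}
demo
```

Run it as the service user (for example with sudo -u swtpm) against the directory swtpm-localca will be started in; a non-zero result predicts the RAND_load_file/RAND_write_file error before any VM is started.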
