[Bug 1968131] Re: Starting VM with UEFI firmware fails with swtpm
Christian Ehrhardt
1968131 at bugs.launchpad.net
Thu Apr 7 15:03:22 UTC 2022
Install fine:
ubuntu@swtpm-jammy:/var/lib/swtpm$ sudo apt update; sudo apt upgrade
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://security.ubuntu.com/ubuntu jammy-security InRelease
Hit:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:5 https://ppa.launchpadcontent.net/paelzer/lp-1968131-swtpm-rndfile/ubuntu jammy InRelease [18.1 kB]
Get:6 https://ppa.launchpadcontent.net/paelzer/lp-1968131-swtpm-rndfile/ubuntu jammy/main amd64 Packages [768 B]
Get:7 https://ppa.launchpadcontent.net/paelzer/lp-1968131-swtpm-rndfile/ubuntu jammy/main Translation-en [472 B]
Fetched 19.3 kB in 2s (10.4 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
swtpm swtpm-tools
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 138 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://ppa.launchpadcontent.net/paelzer/lp-1968131-swtpm-rndfile/ubuntu jammy/main amd64 swtpm-tools amd64 0.6.3-0ubuntu2~jammyppa1 [90.4 kB]
Get:2 https://ppa.launchpadcontent.net/paelzer/lp-1968131-swtpm-rndfile/ubuntu jammy/main amd64 swtpm amd64 0.6.3-0ubuntu2~jammyppa1 [47.4 kB]
Fetched 138 kB in 2s (85.7 kB/s)
(Reading database ... 113960 files and directories currently installed.)
Preparing to unpack .../swtpm-tools_0.6.3-0ubuntu2~jammyppa1_amd64.deb ...
Unpacking swtpm-tools (0.6.3-0ubuntu2~jammyppa1) over (0.6.3-0ubuntu1) ...
Preparing to unpack .../swtpm_0.6.3-0ubuntu2~jammyppa1_amd64.deb ...
Unpacking swtpm (0.6.3-0ubuntu2~jammyppa1) over (0.6.3-0ubuntu1) ...
Setting up swtpm (0.6.3-0ubuntu2~jammyppa1) ...
Setting up swtpm-tools (0.6.3-0ubuntu2~jammyppa1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.35-0ubuntu3) ...
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
Now it works:
ubuntu@swtpm-jammy:/var/lib/swtpm$ virsh start testguest
Domain 'testguest' started
P.S. It also made me find that the modified swtpm now triggers a non-fatal AppArmor issue, which we want to fix in another bug:
Apr 07 15:02:26 swtpm-jammy kernel: audit: type=1400 audit(1649343746.681:87): apparmor="DENIED" operation="open" profile="libvirt-202a34a9-2ee2-4826-b206-c249f535be90" name="/etc/ssl/openssl.cnf" pid=15149 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
https://bugs.launchpad.net/bugs/1968131
Title:
Starting VM with UEFI firmware fails with swtpm
Status in libvirt package in Ubuntu:
Invalid
Status in swtpm package in Ubuntu:
In Progress
Status in virt-manager package in Ubuntu:
Invalid
Status in libvirt source package in Jammy:
Invalid
Status in swtpm source package in Jammy:
In Progress
Status in virt-manager source package in Jammy:
Invalid
Bug description:
https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu6 introduced
a recommendation to "swtpm", so this package now gets installed by
default when installing libvirt. But this broke UEFI:
touch /var/lib/libvirt/empty.iso
virt-install --name t1 --os-variant fedora28 --memory 128 --wait -1 --noautoconsole --disk 'size=0.25,format=qcow2' --cdrom /var/lib/libvirt/empty.iso --boot uefi
This fails:
WARNING Requested memory 128 MiB is less than the recommended 1024 MiB for OS fedora28
Starting install...
Allocating 't1.qcow2' | 0 B 00:00:00 ...
Removing disk 't1.qcow2' | 0 B 00:00:00
ERROR internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/t1-swtpm.log' for details.
Domain installation does not appear to have been successful.
# cat /var/log/swtpm/libvirt/qemu/t1-swtpm.log
Starting vTPM manufacturing as swtpm:swtpm @ Thu 07 Apr 2022 07:11:55 AM UTC
Successfully created RSA 2048 EK with handle 0x81010001.
Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek ... --dir /var/lib/libvirt/swtpm/ade6145c-3d22-46d8-8bbc-29792e4cfa0c/tpm2 --logfile /var/log/swtpm/libvirt/qemu/t1-swtpm.log --vmid t1:ade6145c-3d22-46d8-8bbc-29792e4cfa0c --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Creating root CA and a local CA's signing key and issuer cert.
Could not create root-CA:Can't load ./.rnd into RNG
40D7AD231A7F0000:error:12000079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:106:Filename=./.rnd
Cannot write random bytes:
40D7AD231A7F0000:error:12000079:random number generator:RAND_write_file:Cannot open file:../crypto/rand/randfile.c:240:Filename=./.rnd
Error creating local CA's signing key and cert.
swtpm-localca exit with status 1:
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Thu 07 Apr 2022 07:11:56 AM UTC
When I uninstall swtpm, the domain creation/starting works (of course it does not actually do anything due to the fake empty iso, but it does get past that bug).