[Bug 2027635] Re: Libvirt 8.0.0 Error When Starting Windows 11 VM "'/var/lib/libvirt/qemu/nvram/win11_VARS.fd': Permission denied"

Jesse Lopez 2027635 at bugs.launchpad.net
Thu Jul 13 00:04:30 UTC 2023 

** Description changed:

  - Windows 11 guest OS
  - swtpm TPM emulator version 0.6.1
  - TPM with Model "TIS" and version 2.0
  - Libvirt 8.0.0
  
  I am unable to start a Windows 11 VM with libvirt/QEMU and see the
  following error message. This happens after I add firmware="efi" in the
  VM's XML configuration and attempt to start the VM. This is caused by
  AppArmor.
  
  <os firmware="efi">
      <type arch="x86_64" machine="pc-q35-6.1">hvm</type>
      <boot dev="hd"/>
  </os>
  
  Here is the error:
  
  Traceback (most recent call last):
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
      callback(asyncjob, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb
      callback(*args, **kwargs)
    File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
      ret = fn(self, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/object/domain.py", line 1329, in startup
      self._backend.create()
    File "/usr/local/lib/python3.8/dist-packages/libvirt.py", line 1353, in create
      raise libvirtError('virDomainCreate() failed')
  libvirt.libvirtError: internal error: process exited while connecting to monitor: 2023-07-12T23:10:04.929455Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/win11_x64_1_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/libvirt/qemu/nvram/win11_x64_1_VARS.fd': Permission denied
  
  Here are the AppArmor logs for qemu:
  
  apparmor="DENIED" operation="open"
  profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
  name="/var/lib/libvirt/qemu/nvram/win11_VARS.fd" pid=27563 comm="qemu-
  system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  
  apparmor="DENIED" operation="file_lock"
  profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
  name="/var/lib/libvirt/qemu/nvram/win11_VARS.fd" pid=26033 comm="qemu-
  system-x86" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
  
  apparmor="DENIED" operation="file_lock"
  profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
  name="/usr/share/OVMF/OVMF_CODE_4M.secboot.fd" pid=24034 comm="qemu-
  system-x86" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
  
  apparmor="DENIED" operation="open"
  profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
  name="/sys/kernel/mm/transparent_hugepage/enabled" pid=23369 comm="qemu-
  system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  
+ apparmor="DENIED" operation="mknod"
+ profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
+ name="/run/libvirt/qemu/swtpm/3-win11-swtpm.sock" pid=33103 comm="swtpm"
+ requested_mask="c" denied_mask="c" fsuid=106 ouid=106
+ 
  ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
  
- Found partial solution -
+ Found solution -
  
  1. Add the following lines to the end of
  /etc/apparmor.d/abstractions/libvirt-qemu
  
  /var/lib/libvirt/qemu/nvram/* rwk,
  /sys/kernel/mm/transparent_hugepage/enabled r,
  /usr/share/OVMF/OVMF_CODE_4M.secboot.fd rk,
+ /run/libvirt/qemu/swtpm/* rwk,
  
  2. Reload apparmor, restart libvirtd:
  
  sudo systemctl reload apparmor.service
  sudo systemctl restart libvirtd
- 
- 
- This results in the following errors for swtpm:
- 
- 
- libvirt.libvirtError: internal error: Could not start 'swtpm'. exitstatus: 1, error: swtpm: Could not open UnixIO socket: Permission denied
- 
- apparmor="DENIED" operation="mknod"
- profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
- name="/run/libvirt/qemu/swtpm/3-win11-swtpm.sock" pid=33103 comm="swtpm"
- requested_mask="c" denied_mask="c" fsuid=106 ouid=106

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2027635

Title:
  Libvirt 8.0.0 Error When Starting Windows 11 VM
  "'/var/lib/libvirt/qemu/nvram/win11_VARS.fd': Permission denied"

Status in libvirt package in Ubuntu:
  New
Status in swtpm package in Ubuntu:
  New

Bug description:
  - Windows 11 guest OS
  - swtpm TPM emulator version 0.6.1
  - TPM with Model "TIS" and version 2.0
  - Libvirt 8.0.0

  I am unable to start a Windows 11 VM with libvirt/QEMU and see the
  following error message. This happens after I add firmware="efi" in
  the VM's XML configuration and attempt to start the VM. This is caused
  by AppArmor.

  <os firmware="efi">
      <type arch="x86_64" machine="pc-q35-6.1">hvm</type>
      <boot dev="hd"/>
  </os>

  Here is the error:

  Traceback (most recent call last):
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
      callback(asyncjob, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb
      callback(*args, **kwargs)
    File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
      ret = fn(self, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/object/domain.py", line 1329, in startup
      self._backend.create()
    File "/usr/local/lib/python3.8/dist-packages/libvirt.py", line 1353, in create
      raise libvirtError('virDomainCreate() failed')
  libvirt.libvirtError: internal error: process exited while connecting to monitor: 2023-07-12T23:10:04.929455Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/win11_x64_1_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/libvirt/qemu/nvram/win11_x64_1_VARS.fd': Permission denied

  Here are the AppArmor logs for qemu:

  apparmor="DENIED" operation="open"
  profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
  name="/var/lib/libvirt/qemu/nvram/win11_VARS.fd" pid=27563 comm="qemu-
  system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  apparmor="DENIED" operation="file_lock"
  profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
  name="/var/lib/libvirt/qemu/nvram/win11_VARS.fd" pid=26033 comm="qemu-
  system-x86" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

  apparmor="DENIED" operation="file_lock"
  profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
  name="/usr/share/OVMF/OVMF_CODE_4M.secboot.fd" pid=24034 comm="qemu-
  system-x86" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

  apparmor="DENIED" operation="open"
  profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
  name="/sys/kernel/mm/transparent_hugepage/enabled" pid=23369
  comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0
  ouid=0

  apparmor="DENIED" operation="mknod"
  profile="libvirt-8ac25d83-8270-4f50-a201-18264ff41652"
  name="/run/libvirt/qemu/swtpm/3-win11-swtpm.sock" pid=33103
  comm="swtpm" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

  ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

  Found solution -

  1. Add the following lines to the end of
  /etc/apparmor.d/abstractions/libvirt-qemu

  /var/lib/libvirt/qemu/nvram/* rwk,
  /sys/kernel/mm/transparent_hugepage/enabled r,
  /usr/share/OVMF/OVMF_CODE_4M.secboot.fd rk,
  /run/libvirt/qemu/swtpm/* rwk,

  2. Reload apparmor, restart libvirtd:

  sudo systemctl reload apparmor.service
  sudo systemctl restart libvirtd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2027635/+subscriptions

More information about the foundations-bugs mailing list