[Bug 2016744] Re: swtpm_setup cannot be run as user (AppArmor profile)

Stefan Berger 2016744 at bugs.launchpad.net
Fri May 12 16:40:15 UTC 2023


I verified that it works correctly now on Jammy. Thanks.

   Stefan

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2016744

Title:
  swtpm_setup cannot be run as user (AppArmor profile)

Status in swtpm package in Ubuntu:
  Fix Released
Status in swtpm source package in Jammy:
  Fix Committed
Status in swtpm source package in Kinetic:
  Fix Committed

Bug description:
  [Impact]

  When running the swtpm_setup or swtpm-create-user-config-files script
  with the option of creating a cert, it fails with the message:

  Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.

  This is due to the patch 0001-Install-swtpm-localca-to-the-correct-
  path.patch changing the location of swtpm-localca without modifying
  the reference in swtpm-create-user-config-files.

  The fix for this issue should be backported to Jammy and Kinetic to
  allow users to easily set up certs with swtpm scripts.

  This is fixed by changing the reference to swtpm-localca to the
  correct location in the swtpm-create-user-config-files script.

  [Test Plan]

  $ lxc launch ubuntu:{kinetic, jammy} --vm test-swtpm
  $ lxc exec test-swtpm bash

  # apt update && apt dist-upgrade -y
  # apt install swtpm swtpm-tools -y

  # su ubuntu

  $ cd
  $ /usr/share/swtpm/swtpm-create-user-config-files --overwrite
  $ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert

  > Before the fix, this will result in
  ...
  Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
  ...

  > After it will provide a success message such as:
  ...
  Successfully created RSA 2048 EK with handle 0x81010001.
  ...

  [Where problems could occur]

  If problems were to occur, they would be related to swtpm-create-user-
  config-files or swtpm_setup using the /usr/libexec directory instead
  of upstream's /usr/share/. Since the original patch, 0001-Install-
  swtpm-localca-to-the-correct-path.patch, changes this directory for
  swtpm-localca, swtpm-create-user-config-files must reference it there
  too.

  [Other Info]
   
  This is not an issue in lunar and later as scripts and paths were updated in 0.7.x.

  [Original Description]

  It looks like the AppArmor profile that Ubuntu added to swtpm 0.6.3
  (before it was contributed to the upstream project;
  https://github.com/stefanberger/swtpm/commits/master/debian/usr.bin.swtpm)
  is insufficient for running swtpm_setup as user. Can you sync the
  AppArmor profile in the package with what is in this repo and/or
  upgrade to a more recent version of swtpm (v0.8 is available)?

  In particular, the following doesn't work for me:

  $ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
  Starting vTPM manufacturing as stefanb:stefanb @ Mon 17 Apr 2023 05:12:05 PM EDT
  swtpm process terminated unexpectedly.
  Could not start the TPM 2.
  An error occurred. Authoring the TPM state failed.
  Ending vTPM manufacturing @ Mon 17 Apr 2023 05:12:05 PM EDT

  Also, once I copied the AppArmor profile from this project over onto
  the 22.04 machine I ran into this issue here:

  $ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
  Starting vTPM manufacturing as stefanb:stefanb @ Mon 17 Apr 2023 05:14:04 PM EDT
  TPM is listening on Unix socket.
  Successfully created RSA 2048 EK with handle 0x81010001.
  Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
  An error occurred. Authoring the TPM state failed.
  Ending vTPM manufacturing @ Mon 17 Apr 2023 05:14:04 PM EDT

  [ The script requiring @DATAROOTDIR@ has been rewritten in more recent
  versions of swtpm. ]

  This has been previously reported here
  https://github.com/stefanberger/swtpm/issues/749 but then also per the
  user from issue 749 on Launchpad here (getting a timeout on this
  page): https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/1989598
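  A small post-install check, added here as an example and not part of the bug report or the swtpm package: it scans shipped scripts for unexpanded autoconf placeholders such as @DATAROOTDIR@, which is exactly what swtpm-create-user-config-files was still carrying on Jammy and Kinetic. The only path assumed is the one from the test plan above; the sample scripts mentioned in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or the swtpm project).
# Detect configure-time placeholders that packaging left unexpanded,
# e.g. "@DATAROOTDIR@/swtpm/swtpm-localca" in a shell script. Any such
# token means the script cannot possibly find the tool it refers to.
set -eu

# find_unexpanded FILE...
#   Prints "file:line:@NAME@" for every autoconf-style token found.
#   Returns 0 if at least one placeholder was found, 1 if none.
find_unexpanded() {
    found=1
    for f in "$@"; do
        # Unreadable or missing files are simply skipped (reported on stderr).
        if [ ! -r "$f" ]; then
            printf 'skipping unreadable file: %s\n' "$f" >&2
            continue
        fi
        # Autoconf substitutes @NAME@ where NAME is upper-case letters,
        # digits and underscores; anything left over is a packaging bug.
        hits=$(grep -n -o -E '@[A-Z_][A-Z0-9_]*@' "$f" || true)
        if [ -n "$hits" ]; then
            found=0
            # Prefix each "line:token" hit with the file name.
            printf '%s\n' "$hits" | while IFS= read -r hit; do
                printf '%s:%s\n' "$f" "$hit"
            done
        fi
    done
    return $found
}

# Usage: ./check-placeholders.sh --scan
# Scans the script from the test plan in place; exit status 0 means a
# placeholder was found (the bug is present), 1 means the script is clean.
if [ "${1:-}" = "--scan" ]; then
    find_unexpanded /usr/share/swtpm/swtpm-create-user-config-files
fi
```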

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/2016744/+subscriptions



