[Bug 2081995] [NEW] Cannot start libvirt/qemu VM with TPM device added

Lévai Dániel 2081995 at bugs.launchpad.net
Wed Sep 25 15:49:25 UTC 2024


Public bug reported:

Description:    Ubuntu 24.04.1 LTS
Release:        24.04

I've upgraded from 22.04 a couple of weeks ago.

swtpm:
  Installed: 0.7.3-0ubuntu5.24.04.1
  Candidate: 0.7.3-0ubuntu5.24.04.1
  Version table:
 *** 0.7.3-0ubuntu5.24.04.1 500
        500 http://openbsd-httpd:56002/ubuntu/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.7.3-0ubuntu5 500
        500 http://openbsd-httpd:56002/ubuntu/ubuntu noble/main amd64 Packages


swtpm-tools:
  Installed: 0.7.3-0ubuntu5.24.04.1
  Candidate: 0.7.3-0ubuntu5.24.04.1
  Version table:
 *** 0.7.3-0ubuntu5.24.04.1 500
        500 http://openbsd-httpd:56002/ubuntu/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.7.3-0ubuntu5 500
        500 http://openbsd-httpd:56002/ubuntu/ubuntu noble/main amd64 Packages


I have a working Windows 11 guest VM in qemu/libvirt that has a TPM device (added ages ago, still on 22.04). Even though this existing VM is still working, I'm not sure since when but it seems it's not possible anymore for me to start/create a libvirt/qemu VM with a TPM device.
If I add a TPM device to a VM - the model (TIS/CRB) or version (1.2/2.0) doesn't matter - or create a new VM in libvirt (virt-manager), it simply won't start, saying:

===================8<===================
Unable to complete install: 'internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/ubuntu24.04-swtpm.log' for details.'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
    installer.start_install(guest, meter=meter)
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 695, in start_install
    domain = self._create_guest(
             ^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 637, in _create_guest
    domain = self.conn.createXML(initial_xml or final_xml, 0)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/libvirt.py", line 4545, in createXML
    raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/ubuntu24.04-swtpm.log' for details.
===================8<===================

Checking the log file mentioned:
===================8<===================
Starting vTPM manufacturing as swtpm:swtpm @ Wed 25 Sep 2024 05:30:50 PM CEST
Successfully created RSA 2048 EK with handle 0x81010001.
Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
An error occurred. Authoring the TPM state failed.
Error getting next filename: No child processes
Ending vTPM manufacturing @ Wed 25 Sep 2024 05:30:50 PM CEST
===================8<===================

@DATAROOTDIR@ is suspicious to me, like something failed to replace a placeholder somewhere (maybe during compile time) but it could just be how it logs, I don't know.
I presume @DATAROOTDIR@ should've been /usr/share, and there's a wrapper script at /usr/share/swtpm/swtpm-localca, containing:
===================8<===================
#!/usr/bin/env sh

/usr/bin/swtpm_localca "$@"

exit $?
===================8<===================

Way back, after OS installation I had to modify my /etc/apparmor.d/usr.bin.swtpm file to add my custom path to my disk that stores VM-stuff:
   owner /mnt/virt/libvirt/swtpm/** rwk,
   /mnt/virt/libvirt/swtpm/** wk,


/var/lib/libvirt is a symlink to /mnt/virt/libvirt:
# ls -la /var/lib/libvirt
lrwxrwxrwx 1 root root 18 2022-04-05 13:04:27 /var/lib/libvirt -> /mnt/virt/libvirt//

But this doesn't seem like an apparmor issue.


What's interesting is that /var/lib/libvirt/swtpm/ has a directory named after the qemu VM UID of the (still working) Windows 11 guest VM:
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68
... and this has a tpm2 directory that holds a .lock and a tpm2-00.permall file.

I thought I'd "prepare" the same directory for my other guest VM that I'm
trying to add the TPM device to, by creating the same directory
hierarchy there, using its VM UID and a tpm2 directory underneath that:

# find /var/lib/libvirt/swtpm/
/var/lib/libvirt/swtpm/
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68/tpm2
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68/tpm2/.lock
/var/lib/libvirt/swtpm/cdf3de04-31c9-459d-8bb2-39214d737c68/tpm2/tpm2-00.permall
/var/lib/libvirt/swtpm/a6d59ec7-bf07-4836-b897-5c3d8757079b
/var/lib/libvirt/swtpm/a6d59ec7-bf07-4836-b897-5c3d8757079b/tpm2

Interestingly enough, the latter directory (a6d59... which I created)
gets deleted completely every time I try to start the VM (and it fails).

I tried reinstalling the swtpm and swtpm-tools packages to no avail.

Any hint would be appreciated.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: swtpm 0.7.3-0ubuntu5.24.04.1
ProcVersionSignature: Ubuntu 6.8.0-45.45-generic 6.8.12
Uname: Linux 6.8.0-45-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.1
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed Sep 25 17:20:28 2024
InstallationDate: Installed on 2022-03-10 (930 days ago)
InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220307)
SourcePackage: swtpm
UpgradeStatus: Upgraded to noble on 2024-09-05 (20 days ago)
mtime.conffile..etc.apparmor.d.usr.bin.swtpm: 2024-09-25T17:22:43.567834
mtime.conffile..etc.init.d.apport: 2024-07-22T16:59:07

** Affects: swtpm (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug noble
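A diagnostic for the failure in the report above, added here as an example (it is not part of the bug report or of swtpm). It assumes swtpm_setup reads the certificate tool path from a `create_certs_tool = ...` line in /etc/swtpm_setup.conf, and takes the reporter's presumption that @DATAROOTDIR@ should have become /usr/share at build time; the sample config it checks is constructed inline.

```shell
#!/bin/sh
# Added diagnostic; not from the bug report or from swtpm itself.
# Assumption: swtpm_setup takes the certificate tool from a "create_certs_tool"
# key in /etc/swtpm_setup.conf, and @DATAROOTDIR@ is an autoconf placeholder
# that should have been substituted (presumably with /usr/share) at build time.

# Print the configured certificate tool path (first create_certs_tool line).
configured_tool() {
    sed -n -E 's/^[[:space:]]*create_certs_tool[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Classify a tool path: 0 = usable, 2 = unexpanded build placeholder, 1 = missing.
check_tool_path() {
    case "$1" in
        *@*@*)
            printf 'unexpanded build placeholder in path: %s\n' "$1"
            return 2 ;;
    esac
    if [ ! -x "$1" ]; then
        printf 'tool not found or not executable: %s\n' "$1"
        return 1
    fi
    printf 'ok: %s\n' "$1"
    return 0
}

# Substitute @DATAROOTDIR@ with the given data root (e.g. /usr/share).
expand_dataroot() {
    printf '%s\n' "$1" | sed "s|@DATAROOTDIR@|$2|g"
}

# Diagnose one config file: classify the raw value and show the expanded candidate.
diagnose() {
    tool=$(configured_tool "$1")
    [ -n "$tool" ] || { echo "no create_certs_tool in $1"; return 1; }
    check_tool_path "$tool" && return 0
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "expanded candidate: $(expand_dataroot "$tool" /usr/share)"
    fi
    return "$rc"
}

# Constructed sample mirroring the log line from the report; no system file is read
# unless a config path is passed as the first argument.
SAMPLE_CONF=$(mktemp)
printf 'create_certs_tool = @DATAROOTDIR@/swtpm/swtpm-localca\n' > "$SAMPLE_CONF"
diagnose "${1:-$SAMPLE_CONF}" || true
```

Run it with the real config path as the first argument to check an actual system; exit status 2 means the placeholder was never substituted, 1 means the path is simply missing or not executable.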

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2081995

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/2081995/+subscriptions