Description of problem:
I added a TPM to a VM in virt-manager, while connected to the qemu:///session instance, i.e. non-root. The VM fails to boot with the following log in ~/.cache/libvirt/qemu/log/win10-swtpm.log:

Starting vTPM manufacturing as berrange:berrange @ Tue 05 Oct 2021 10:25:18 AM BST
Successfully created RSA 2048 EK with handle 0x81010001.
Invoking /usr/share/swtpm/swtpm-localca --type ek --ek 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 --dir /home/berrange/.config/libvirt/qemu/swtpm/971a57aa-bfd2-4e05-84c8-168ffe77045e/tpm2 --logfile /home/berrange/.cache/libvirt/qemu/log/win10-swtpm.log --vmid win10:971a57aa-bfd2-4e05-84c8-168ffe77045e --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Need read/write rights on statedir /var/lib/swtpm-localca for user berrange.
swtpm-localca exit with status 256: An error occurred.
Authoring the TPM state failed.
Ending vTPM manufacturing @ Tue 05 Oct 2021 10:25:18 AM BST

Obviously it must not try to use /var/lib when running as non-root. It needs to use one of the standard XDG directories (https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html) when running non-root.

Version-Release number of selected component (if applicable):
swtpm-0.6.0-1.20210607gitea627b3.fc34.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Open virt-manager
2. Connect to qemu:///session
3. Add a TPM to a VM
4. Boot the guest

Actual results:
Fails to run swtpm_setup

Expected results:
VM boots with a TPM

Additional info:
Can you try running '/usr/share/swtpm/swtpm-create-user-config-files' before running swtpm_setup as a non-root user. It sets up the config files needed for your user account.
That solves the problem, but it is a poor user experience to require this manual step. If there is some skeleton dir structure that's required, then libvirt needs to be taught to pre-create it.
What swtpm_setup needs is config files, and those should probably be created by a script that comes with the project, which knows what these config files need to look like:

$ cat .config/swtpm-localca.conf
statedir = /home/stefanb/.config/var/lib/swtpm-localca
signingkey = /home/stefanb/.config/var/lib/swtpm-localca/signkey.pem
issuercert = /home/stefanb/.config/var/lib/swtpm-localca/issuercert.pem
certserial = /home/stefanb/.config/var/lib/swtpm-localca/certserial

$ cat .config/swtpm-localca.options
--platform-manufacturer Linux
--platform-version 5.12.17-300.fc34.x86_64
--platform-model Linux

$ cat .config/swtpm_setup.conf
create_certs_tool = /usr/share/swtpm/swtpm-localca
create_certs_tool_config = /home/stefanb/.config/swtpm-localca.conf
create_certs_tool_options = /home/stefanb/.config/swtpm-localca.options

That script is a convenience script so that users don't have to create these files manually.
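The three per-user files listed in the comment above can be generated with a short POSIX shell function. The script below is an added example written for this thread; it is not the swtpm project's own swtpm-create-user-config-files script. It follows the XDG base directory convention the reporter asks for (XDG_CONFIG_HOME, falling back to ~/.config), refuses to overwrite files that already exist (the state dir holds the local CA's signing key and certificate serial, so clobbering it would invalidate certificates already issued to guests), and keeps the state dir and config files private to the user. The path of the certificate tool (/usr/share/swtpm/swtpm-localca, as in the comment) is an assumption and can be overridden via the SWTPM_LOCALCA environment variable.

```shell
#!/bin/sh
# Added example, not the swtpm project's own script: create the per-user
# swtpm_setup config files under XDG_CONFIG_HOME (default ~/.config), laid
# out as shown in the thread, instead of the root-only /var/lib paths.
#
# Assumptions: the certificate tool is /usr/share/swtpm/swtpm-localca
# (override with SWTPM_LOCALCA); existing files are left untouched.

create_swtpm_user_config() {
    cfgdir="${XDG_CONFIG_HOME:-$HOME/.config}"
    statedir="$cfgdir/var/lib/swtpm-localca"
    localca="${SWTPM_LOCALCA:-/usr/share/swtpm/swtpm-localca}"

    # The state dir will hold the local CA's signing key: make it private.
    mkdir -p "$statedir" || return 1
    chmod 0700 "$statedir" || return 1

    # swtpm-localca.conf: where the local CA keeps its key, cert and serial.
    if [ ! -e "$cfgdir/swtpm-localca.conf" ]; then
        cat > "$cfgdir/swtpm-localca.conf" <<EOF
statedir = $statedir
signingkey = $statedir/signkey.pem
issuercert = $statedir/issuercert.pem
certserial = $statedir/certserial
EOF
    fi

    # swtpm-localca.options: extra flags used when certificates are created.
    if [ ! -e "$cfgdir/swtpm-localca.options" ]; then
        cat > "$cfgdir/swtpm-localca.options" <<EOF
--platform-manufacturer Linux
--platform-version $(uname -r)
--platform-model Linux
EOF
    fi

    # swtpm_setup.conf: points swtpm_setup at the tool and the two files above.
    if [ ! -e "$cfgdir/swtpm_setup.conf" ]; then
        cat > "$cfgdir/swtpm_setup.conf" <<EOF
create_certs_tool = $localca
create_certs_tool_config = $cfgdir/swtpm-localca.conf
create_certs_tool_options = $cfgdir/swtpm-localca.options
EOF
    fi

    # The config files name the private key location; keep them user-only.
    chmod 0600 "$cfgdir/swtpm-localca.conf" "$cfgdir/swtpm-localca.options" \
               "$cfgdir/swtpm_setup.conf" || return 1
    echo "swtpm user config written under $cfgdir (state dir: $statedir)"
}

# Returns 0 only if all three files exist, swtpm-localca.conf points at the
# XDG state dir, and that state dir is private (mode 0700) to the user.
check_swtpm_user_config() {
    cfgdir="${XDG_CONFIG_HOME:-$HOME/.config}"
    statedir="$cfgdir/var/lib/swtpm-localca"
    for f in swtpm-localca.conf swtpm-localca.options swtpm_setup.conf; do
        [ -f "$cfgdir/$f" ] || { echo "missing $cfgdir/$f" >&2; return 1; }
    done
    grep -qxF "statedir = $statedir" "$cfgdir/swtpm-localca.conf" || return 1
    [ -n "$(find "$statedir" -prune -perm 0700)" ] \
        || { echo "$statedir is not mode 0700" >&2; return 1; }
}

# Only act when explicitly asked, so sourcing the file never touches ~/.config.
if [ "${1:-}" = "install" ]; then
    create_swtpm_user_config && check_swtpm_user_config
fi
```

Run it as `sh create-swtpm-user-config.sh install` (file name assumed) before starting a session guest with a TPM; once libvirt 7.9.0 or later is installed, as the later comments in this thread show, this step is no longer needed.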
This patch should address this issue (part of libvirt v7.9.0): https://libvirt.org/git/?p=libvirt.git;a=commit;h=c66115b6e81688649da13e00093278ce55c89cb5
Verified with libvirt-7.9.0-1 (swtpm-0.7.0-1):

$ virsh start vm-session
Domain 'vm-session' started

$ ps aux|grep swtpm
yqz 178653 0.1 0.0 11112 5516 ? S 22:48 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/home/yqz/.cache/libvirt/qemu/run/swtpm/1-vm-session-swtpm.sock,mode=0600 --tpmstate dir=/home/yqz/.config/libvirt/qemu/swtpm/80b7a738-0d61-4b5d-ae2f-a8f31fca561f/tpm2,mode=0600 --log file=/home/yqz/.cache/libvirt/qemu/log/vm-session-swtpm.log --terminate --tpm2 --pid file=/home/yqz/.cache/libvirt/qemu/run/swtpm/1-vm-session-swtpm.pid
yqz 178655 31.8 0.3 2783264 115284 ? Sl 22:48 0:02 /usr/libexec/qemu-kvm -name guest=vm-session,debug-threads=on -S ... -tpmdev emulator,id=tpm-tpm0,chardev=chrtpm -chardev socket,id=chrtpm,path=/home/yqz/.cache/libvirt/qemu/run/swtpm/1-vm-session-swtpm.sock -device tpm-crb,tpmdev=tpm-tpm0,id=tpm0 ...

$ cat /home/yqz/.cache/libvirt/qemu/log/vm-session-swtpm.log
Starting vTPM manufacturing as yqz:yqz @ Tue 16 Nov 2021 10:48:34 PM EST
Successfully created RSA 2048 EK with handle 0x81010001.
Invoking /usr/bin/swtpm_localca --type ek --ek 9f884c108ac43aa231f83cd1cba8e75e7cc19fb413a5d02c409cfdc9c22e860465999d7dec9134dc43f140c95db0ddb02318f3ffb19306c61dc287b9070581f19f57f587d6177b202d0ab7172ec5b8303caca5b5b510bbca3ca584b62c5d39dc0167f81c86219c9aa8f522f7261fe3a217dd296b89f3153550a03b87575397b56a364f3d673854012927fe58dea174804ccda9eed214bba966b146a0dd8e615cfd1dc6d0f333ae9139bfec7beae06363fdc64cf2a7f3309d39cc3b308e6f228c22542cc22ec92c88fc2b6e95d0682a84eb21814f5a293edce18fc045921c1fcc7a6a2aaa4be0e0cd45a16dc083b8b859de1028a773ff7166a4e1dc75b99bb07f --dir /tmp/swtpm_setup.certs.RSDVC1 --logfile /home/yqz/.cache/libvirt/qemu/log/vm-session-swtpm.log --vmid vm-session:80b7a738-0d61-4b5d-ae2f-a8f31fca561f --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /home/yqz/.config/swtpm-localca.conf --optsfile /home/yqz/.config/swtpm-localca.options
Creating root CA and a local CA's signing key and issuer cert.
Successfully created EK certificate locally.
Invoking /usr/bin/swtpm_localca --type platform --ek 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 --dir /tmp/swtpm_setup.certs.RSDVC1 --logfile /home/yqz/.cache/libvirt/qemu/log/vm-session-swtpm.log --vmid vm-session:80b7a738-0d61-4b5d-ae2f-a8f31fca561f --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /home/yqz/.config/swtpm-localca.conf --optsfile /home/yqz/.config/swtpm-localca.options
Successfully created platform certificate locally.
Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
Successfully created NVRAM area 0x1c08000 for platform certificate.
Successfully created ECC EK with handle 0x81010016.
Invoking /usr/bin/swtpm_localca --type ek --ek x=e85414d564340c530266ed5dba39bf96b80aa5736da12c5d9170daa884b7234746b058b8bc863a650e3fe822d0057a42,y=a24d6e8adffcb62b2104b1f8589ca032c51519e0b46fe664c74edeb331b78167a1f68b6bffaf7d64d77ace375b3e4808,id=secp384r1 --dir /tmp/swtpm_setup.certs.RSDVC1 --logfile /home/yqz/.cache/libvirt/qemu/log/vm-session-swtpm.log --vmid vm-session:80b7a738-0d61-4b5d-ae2f-a8f31fca561f --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 162 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /home/yqz/.config/swtpm-localca.conf --optsfile /home/yqz/.config/swtpm-localca.options
Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Tue 16 Nov 2021 10:48:35 PM EST

$ cat /home/yqz/.config/swtpm-localca.conf
statedir = /home/yqz/.config/var/lib/swtpm-localca
signingkey = /home/yqz/.config/var/lib/swtpm-localca/signkey.pem
issuercert = /home/yqz/.config/var/lib/swtpm-localca/issuercert.pem
certserial = /home/yqz/.config/var/lib/swtpm-localca/certserial

$ cat /home/yqz/.config/swtpm-localca.options
--platform-manufacturer Linux
--platform-version #1_SMP_Thu_Oct_28_18:29:41_EDT_2021
--platform-model Linux
(In reply to yanqzhan from comment #6)
> Verified with libvirt-7.9.0-1,(swtpm-0.7.0-1):

I suppose the issue is verified/resolved.
This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Recent versions of libvirt have the necessary changes in libvirt and swtpm packages and will / have become available in those versions of Fedora that package these versions.