Bug 2325901 - swtpm 0.9.0 not working with qemu/libvirt, swtpm_setup exit status 1
Summary: swtpm 0.9.0 not working with qemu/libvirt, swtpm_setup exit status 1
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: swtpm
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Stefan Berger
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-11-13 14:02 UTC by Katerina Koukiou
Modified: 2024-11-13 17:49 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-11-13 17:49:05 UTC
Type: ---
Embargoed:



Description Katerina Koukiou 2024-11-13 14:02:33 UTC
Here is the VM log:

kkoukiou@easy:~/repos/anaconda-webui$ cat /home/kkoukiou/.cache/libvirt/qemu/log/fedora-rawhide-boot-127.0.0.2-2201-swtpm.log
Starting vTPM manufacturing as kkoukiou:kkoukiou @ Wed 13 Nov 2024 02:51:23 PM CET
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/bin/swtpm_localca --type ek --ek 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 --dir /tmp/swtpm_setup.certs.OKI0W2 --logfile /home/kkoukiou/.cache/libvirt/qemu/log/fedora-rawhide-boot-127.0.0.2-2201-swtpm.log --vmid fedora-rawhide-boot-127.0.0.2-2201:70fee0b8-cf97-41e6-8e53-0bc3f77ea70f --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /home/kkoukiou/.config/swtpm-localca.conf --optsfile /home/kkoukiou/.config/swtpm-localca.options
Could not create EK certificate locally
Could not import signing key : The requested data were not available.

swtpm_localca exit with status 1: 
An error occurred. Authoring the TPM state failed.
Error getting next filename: No child processes
Ending vTPM manufacturing @ Wed 13 Nov 2024 02:51:23 PM CET
Could not create EK certificate locally
Got an odd number of hex digits (137).
    hex digits: eebb8a7689035f7d0927fd5b14a947f5ee23de6c2860a5cab98c4cfccf8491915c951a9a3057205c9dc0051337f3f044bbadf4733bbbdec19c0cec572b1928693b772a322

swtpm-0.9.0-4.fc42.x86_64
selinux-policy-41.24-1.fc42.noarch

Reproducible: Always

Steps to Reproduce:
It always happens when I try to boot a UEFI VM with the following command:

virt-install --wait --connect qemu:///session --quiet --boot uefi --name fedora-rawhide-boot-127.0.0.2-2201 --os-variant=detect=on --memory 4096 --noautoconsole --graphics vnc,listen=127.0.0.2 --extra-args inst.sshd inst.webui.remote inst.updates=http://10.0.2.2:8001/fedora-rawhide-boot-127.0.0.2-2201-updates.img --network none --qemu-commandline=-netdev user,id=hostnet0,hostfwd=tcp:127.0.0.2:2201-:22,hostfwd=tcp:127.0.0.2:9091-:80 -device virtio-net-pci,netdev=hostnet0,id=net0,addr=0x16 --extra-args  --disk=none --location /home/kkoukiou/repos/anaconda-webui/bots/images/fedora-rawhide-boot
Actual Results:  
ERROR    internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/home/kkoukiou/.cache/libvirt/qemu/log/fedora-rawhide-boot-127.0.0.2-2201-swtpm.log' for details.

Comment 1 Katerina Koukiou 2024-11-13 14:03:25 UTC
Some extra information, I have selinux set to Permissive mode, so this is *not* a selinux issue.
The journal does not contain any other useful info.

Comment 2 Stefan Berger 2024-11-13 15:30:01 UTC
> Could not create EK certificate locally
> Could not import signing key : The requested data were not available.

The signing key for signing the certificate is not readable or missing. It could be a permission problem accessing the key.

You need to check ~/.config/swtpm_setup.conf if this file exists, /etc/swtpm_setup.conf otherwise.


My ~/.config/swtpm_setup.conf looks like this:

create_certs_tool = /usr/bin/swtpm_localca
create_certs_tool_config = /home/stefanb/.config/swtpm-localca.conf
create_certs_tool_options = /home/stefanb/.config/swtpm-localca.options
[...]

Now you have to look into what create_certs_tool_config points to -- my '/home/stefanb/.config/swtpm-localca.conf' looks like this:

statedir = /home/stefanb/.config/var/lib/swtpm-localca
signingkey = /home/stefanb/.config/var/lib/swtpm-localca/signkey.pem
issuercert = /home/stefanb/.config/var/lib/swtpm-localca/issuercert.pem
certserial = /home/stefanb/.config/var/lib/swtpm-localca/certserial


The signing key and all the other files must be available:

$ ls -lZ /home/stefanb/.config/var/lib/swtpm-localca/*
-rw-r--r--. 1 stefanb stefanb unconfined_u:object_r:config_home_t:s0    3 Oct 14 17:22 /home/stefanb/.config/var/lib/swtpm-localca/certserial
-rw-rw-r--. 1 stefanb stefanb unconfined_u:object_r:config_home_t:s0 1505 May 25  2022 /home/stefanb/.config/var/lib/swtpm-localca/issuercert.pem
-rw-r-----. 1 stefanb stefanb unconfined_u:object_r:config_home_t:s0 8170 May 25  2022 /home/stefanb/.config/var/lib/swtpm-localca/signkey.pem
-rw-rw-r--. 1 stefanb stefanb unconfined_u:object_r:config_home_t:s0 1468 May 25  2022 /home/stefanb/.config/var/lib/swtpm-localca/swtpm-localca-rootca-cert.pem
-rw-r-----. 1 stefanb stefanb unconfined_u:object_r:config_home_t:s0 8177 May 25  2022 /home/stefanb/.config/var/lib/swtpm-localca/swtpm-localca-rootca-privkey.pem


The path for /etc/swtpm_setup.conf leads to these files here:

$ sudo ls -l /var/lib/swtpm-localca/
[sudo] password for stefanb:
total 36
-rw-r--r--. 1 tss root 2973 Oct 15  2023 bundle.pem
-rw-r--r--. 1 tss root   27 Nov 12 15:20 certserial
-rw-r--r--. 1 tss root 1505 May 28  2021 issuercert.pem
-rw-r-----. 1 tss root 8170 May 28  2021 signkey.pem
-rw-r--r--. 1 tss root 1468 May 28  2021 swtpm-localca-rootca-cert.pem
-rw-r-----. 1 tss root 8170 May 28  2021 swtpm-localca-rootca-privkey.pem

If all these files are available and have their permissions set properly (as they should be by default), the certificate should be created.

Another configuration that may play a role is that of libvirt's /etc/libvirt/qemu.conf:

It shows this here by default:
# User for the swtpm TPM Emulator
#
# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
# and uses; alternative is 'root'
#
#swtpm_user = "tss"
#swtpm_group = "tss"

Comment 3 Stefan Berger 2024-11-13 16:29:31 UTC
> Could not create EK certificate locally
> Could not import signing key : The requested data were not available.

Actually the above is not correct. The signing key can be read but something is wrong with the format of the key that does not allow gnutls to read it:

        if (sigkeypass) {
            err = gnutls_x509_privkey_import2(sigkey, &datum, GNUTLS_X509_FMT_PEM,
                                              sigkeypass, 0);
        } else {
            err = gnutls_x509_privkey_import(sigkey, &datum, GNUTLS_X509_FMT_PEM);
        }
    }
    gnutls_free(datum.data);
    datum.data = NULL;
    CHECK_GNUTLS_ERROR(err, "Could not import signing key : %s\n",
                       gnutls_strerror(err));


So this here should work for the private key:

certtool --infile ~/.config/var/lib/swtpm-localca/signkey.pem  -k
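
The checks from comment 2 (follow swtpm_setup.conf to swtpm-localca.conf, then make sure every file it names is usable by the user swtpm_localca runs as) and comment 3 (parse the signing key with certtool) can be scripted. The script below is an added example, not code from the swtpm project or from the commenters. It assumes the "key = value" layout of swtpm_setup.conf and swtpm-localca.conf shown in this thread, and it assumes that statedir and certserial also need to be writable (swtpm_localca updates the serial and uses the state directory), which the thread does not state; the openssl fallback for the parse check is likewise an addition.

```shell
#!/bin/sh
# swtpm-localca-doctor.sh: walk the swtpm_setup -> swtpm_localca config chain
# described in comment 2 and report which file breaks EK certificate creation.
# Added example, not part of swtpm. Assumes the "key = value" layout of
# swtpm_setup.conf / swtpm-localca.conf shown in the thread.

# Print the value of the first "key = value" line in an swtpm config file,
# ignoring "#" comment lines and surrounding whitespace.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if $2 exists and the current user can read it (and, with $3 = w,
# also write it); otherwise print why, with the ls -l line, and return 1.
check_access() {
    label=$1 path=$2 mode=${3:-r}
    if [ -z "$path" ]; then
        echo "$label: not set in config"; return 1
    fi
    if [ ! -e "$path" ]; then
        echo "$label: $path: missing"; return 1
    fi
    if [ ! -r "$path" ] || { [ "$mode" = w ] && [ ! -w "$path" ]; }; then
        echo "$label: $path: not $mode-accessible by $(id -un): $(ls -ld "$path")"
        return 1
    fi
    echo "$label: $path: ok"
}

# Parse the signing key with certtool -k as comment 3 suggests (openssl as an
# assumed fallback); a signingkey_password, if configured, is passed through.
check_private_key() {
    key=$1 pw=$2
    if command -v certtool >/dev/null 2>&1; then
        certtool --infile "$key" -k ${pw:+"--password=$pw"} >/dev/null 2>&1
    elif command -v openssl >/dev/null 2>&1; then
        if [ -n "$pw" ]; then set -- -passin "pass:$pw"; else set --; fi
        openssl pkey -in "$key" -noout "$@" >/dev/null 2>&1
    else
        echo "neither certtool nor openssl available to parse-check $key" >&2
        return 2
    fi
}

# Resolve the chain: swtpm_setup.conf (~/.config first, /etc otherwise) ->
# create_certs_tool_config -> statedir / certserial / issuercert / signingkey.
# Returns 0 only if every file is usable by the invoking user.
swtpm_localca_doctor() {
    setup_conf=${1:-"$HOME/.config/swtpm_setup.conf"}
    [ -r "$setup_conf" ] || setup_conf=/etc/swtpm_setup.conf
    check_access swtpm_setup.conf "$setup_conf" || return 1

    localca_conf=$(conf_get "$setup_conf" create_certs_tool_config)
    check_access create_certs_tool_config "$localca_conf" || return 1

    rc=0
    # Assumption: statedir and certserial get written (serial bump, lock
    # file), so they are checked for write access; the rest only needs read.
    check_access statedir   "$(conf_get "$localca_conf" statedir)"   w || rc=1
    check_access certserial "$(conf_get "$localca_conf" certserial)" w || rc=1
    check_access issuercert "$(conf_get "$localca_conf" issuercert)"   || rc=1

    signkey=$(conf_get "$localca_conf" signingkey)
    check_access signingkey "$signkey" || return 1
    if check_private_key "$signkey" "$(conf_get "$localca_conf" signingkey_password)"; then
        echo "signingkey: $signkey: parses as a PEM private key"
    else
        echo "signingkey: $signkey: readable but does not parse as a PEM private key"
        rc=1
    fi
    return $rc
}

# Run directly as: ./swtpm-localca-doctor.sh [path/to/swtpm_setup.conf]
case $0 in *swtpm-localca-doctor.sh) swtpm_localca_doctor "$@" ;; esac
```

Run it as the same user libvirt starts swtpm_setup as (the session user for qemu:///session, or the swtpm_user from qemu.conf for the system instance), since "readable by me" and "readable by tss" are different questions; a state directory copied from another machine, as in this report, typically fails the ownership check before the key is ever parsed.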

Comment 4 Katerina Koukiou 2024-11-13 17:49:05 UTC
Looks like it was some incorrect permissions I had on the swtpm files in the ~/.config directory.
I recently copied the ~/.config folder from another system and I probably messed up the permissions in that directory. Anyway, I did a `sudo chown -R kkoukiou:kkoukiou ~/.config/` and now it works.

Sorry for the noise.

