When a VM is started with libvirt and its state is encrypted then swtpm fails to start with an error like the following:

```
error: Failed to start domain 'PLAIN-TPM-VM'
error: internal error: process exited while connecting to monitor: 2024-12-24T22:27:32.024764Z qemu-system-x86_64: tpm-emulator: TPM result for CMD_INIT: 0x101 operation failed
```

The underlying reason is a missing SELinux policy rule due to an entry like this in audit.log

```
type=AVC msg=audit(1735079251.599:81009): avc: denied { read } for pid=1566858 comm="swtpm" path="pipe:[16515287]" dev="pipefs" ino=16515287 scontext=system_u:system_r:svirt_t:s0:c484,c858 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
```

Running swtpm_setup worked -- see the log.

Reproducible: Always

Steps to Reproduce:

1. Define a VM with this type of TPM definition:

```
<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'>
    <encryption secret='715ff528-5784-4506-918d-f2f30bc48d93'/>
    <profile name='default-v1'/>
  </backend>
</tpm>
```

2. Define a TPM secret with this XML and set its value to whatever you want:

```
<secret ephemeral='no' private='yes'>
  <uuid>715ff528-5784-4506-918d-f2f30bc48d93</uuid>
  <description>My vTPM secret</description>
  <usage type='vtpm'>
    <name>My vTPM secret</name>
  </usage>
</secret>
```

```
virsh secret-set-value 715ff528-5784-4506-918d-f2f30bc48d93 123456
```

3. virsh start PLAIN-TPM-VM

Actual Results:

The logfile /var/log/swtpm/libvirt/qemu/PLAIN-TPM-VM-swtpm.log looks like this then:

```
Starting vTPM manufacturing as tss:tss @ Tue 24 Dec 2024 05:27:30 PM EST
Apply profile: {"Name": "default-v1"}
Warning: Profile-enabled algorithms contain disabled 'RSA-1024-sign(SHA1, pkcs1-pss)'
Warning: Setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
[...]
Successfully authored TPM state.
Ending vTPM manufacturing @ Tue 24 Dec 2024 05:27:31 PM EST
Verification of HMAC failed. Data integrity is compromised
SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33
Verification of HMAC failed. Data integrity is compromised
SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33
libtpms/tpm2: Entering failure mode; code: 8, location: NvPowerOn line 175
Error: Could not initialize libtpms.
Error: Could not initialize the TPM
Data client disconnected
```

Expected Results:

VM should start
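The AVC record in the report above is the artifact that actually explains the failure: swtpm running as svirt_t is refused `read` on a fifo_file labelled virtd_t, so the secret passed over the pipe from libvirtd never arrives and the encrypted state cannot be decrypted. As an added example (not code from this report, from swtpm or from libvirt), here is a small Python scanner that parses AVC records out of audit.log text, extracts the source and target types, object class and permissions, and renders the `allow` rule that `audit2allow` would suggest for each distinct denial. The audit text inside it is constructed from the denial quoted above (plus a SYSCALL record and a granted record to show what gets skipped), and `is_swtpm_pipe_denial` is a helper name chosen here, not an existing tool.

```python
import re

# Constructed sample audit.log excerpt, modeled on the AVC denial quoted in the report.
# Line 1 is a SYSCALL record (not an AVC), line 2 is the swtpm -> libvirtd pipe denial,
# line 3 is a granted record; only line 2 should produce a suggested rule.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1735079251.599:81009): arch=c000003e syscall=0 success=no exit=-13 comm="swtpm"
type=AVC msg=audit(1735079251.599:81009): avc: denied { read } for pid=1566858 comm="swtpm" path="pipe:[16515287]" dev="pipefs" ino=16515287 scontext=system_u:system_r:svirt_t:s0:c484,c858 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1735079252.100:81010): avc: granted { read } for pid=1566858 comm="swtpm" path="/var/lib/libvirt/swtpm/example/tpm2" dev="dm-0" ino=123 scontext=system_u:system_r:svirt_t:s0:c484,c858 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=0
"""

# "avc: denied { read write } for <key=value ...>" -- result, permission set, and the rest.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain spaces or brackets (e.g. path="pipe:[16515287]").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Parse one audit line. Return a dict for AVC records, None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=1 means the access was logged but not blocked
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def context_type(context):
    """Return the type component of a context: user:role:type[:range] -> type."""
    return context.split(":")[2]


def suggested_allow_rule(rec):
    """Render the TE allow rule that would permit this access (the form audit2allow emits)."""
    return "allow {} {}:{} {{ {} }};".format(
        context_type(rec["scontext"]),
        context_type(rec["tcontext"]),
        rec["tclass"],
        " ".join(rec["perms"]),
    )


def denials(log_text):
    """Return [(record, rule)] for every denied AVC in the text, one entry per distinct rule."""
    seen = set()
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        rule = suggested_allow_rule(rec)
        if rule in seen:
            continue
        seen.add(rule)
        out.append((rec, rule))
    return out


def is_swtpm_pipe_denial(rec):
    """True for the exact signature in this report: swtpm in svirt_t denied read on a
    fifo_file labelled virtd_t (the pipe libvirtd uses to hand over the state secret)."""
    return (
        rec["result"] == "denied"
        and rec["comm"] == "swtpm"
        and context_type(rec["scontext"]) == "svirt_t"
        and context_type(rec["tcontext"]) == "virtd_t"
        and rec["tclass"] == "fifo_file"
        and "read" in rec["perms"]
    )


if __name__ == "__main__":
    for rec, rule in denials(SAMPLE_AUDIT_LOG):
        tag = "  <-- swtpm/libvirt pipe denial from this report" if is_swtpm_pipe_denial(rec) else ""
        print(rule + tag)
```

On the constructed input the scanner prints `allow svirt_t virtd_t:fifo_file { read };`, which is the rule the packaged policy was missing. The rule belongs in the distribution policy (here delivered by the swtpm updates recorded later in this report) rather than in a hand-built local module left in place indefinitely; also check that the record says `permissive=0` before concluding a denial is what blocked the VM, since in permissive mode the same line is logged but the access succeeds.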
FEDORA-2024-c2c751215d (swtpm-0.9.0-5.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-c2c751215d
FEDORA-2024-23605f77a2 (swtpm-0.9.0-3.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-23605f77a2
FEDORA-2024-c2c751215d has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c2c751215d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c2c751215d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-23605f77a2 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-23605f77a2` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-23605f77a2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-c2c751215d (swtpm-0.9.0-5.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-23605f77a2 (swtpm-0.9.0-3.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.