
On Ubuntu 22.04, SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: Permission denied

Open ncalad opened this issue 1 year ago • 12 comments

I installed swtpm using apt-get install swtpm.

swtpm runs but dies with these errors when qemu connects:

swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=./tmpstatedir
swtpm: SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: No such file or directory
swtpm: Error: Could not initialize libtpms.
swtpm: Error: Could not initialize the TPM
swtpm: Data client disconnected

ncalad avatar Oct 08 '22 15:10 ncalad

Does the directory ./tmpstatedir exist?

stefanberger avatar Oct 08 '22 21:10 stefanberger

Yes, that directory exists and contains this file:

-rw-rw-r-- 1 xxx xxxx 0 oct 8 09:09 TMP2-00.permall

although the file is not recreated if I delete it and re-run swtpm.

ncalad avatar Oct 08 '22 23:10 ncalad

I think you should describe every step that you do to start swtpm, like starting with the creation of the so-far-non-existing directory for the TPM state and so on, so that someone else can just copy and paste the commands into a terminal and recreate the issue.

stefanberger avatar Oct 09 '22 23:10 stefanberger

These are the steps that I followed before the error occurred:

sudo apt-get install update
sudo apt-get install swtpm
mkdir ./tpmstatedir
swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=./tpmstatedir
qemu-system-x86_64 -enable-kvm ... to run the VM

Output from swtpm:

swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=./tpmstatedir
swtpm: SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: Permission denied
swtpm: Error: Could not initialize libtpms.
swtpm: Error: Could not initialize the TPM
swtpm: Data client disconnected

No files were created in the tpmstate dir. syslog contains ...

Dev-Workstation kernel: [ 1929.671401] audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/andy/tpmstatedir/.lock" pid=6156 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

ncalad avatar Oct 10 '22 14:10 ncalad

@lvoytek Is this due to the updated AppArmor profile?

stefanberger avatar Oct 10 '22 14:10 stefanberger

I tried disabling apparmor but I still have the same problem.

sudo systemctl stop apparmor

I also tried building from source. That gives me version 0.8.0 of swtpm, but I have the same issue.

ncalad avatar Oct 10 '22 17:10 ncalad

If I run it under gdb, then it works.

ncalad avatar Oct 10 '22 17:10 ncalad

After sudo aa-teardown swtpm works for non-root users, otherwise there's something wrong with the AppArmor profile that prevents swtpm from running as a non-root user with the given paths. When the tpmstate path is set to /tmp then it works with AppArmor enabled. @lvoytek can you have a look, please.

stefanberger avatar Oct 10 '22 20:10 stefanberger

Alright, I'll look into it.

lvoytek avatar Oct 10 '22 20:10 lvoytek

Figured out the issue. The profile here works properly, but Ubuntu 22.04 still hasn't included some of the changes made in the process of getting the apparmor profile added upstream, specifically:

owner @{HOME}/** rwk,

I'll work on getting this fixed asap, downstream bug here: https://bugs.launchpad.net/swtpm/+bug/1992377

lvoytek avatar Oct 10 '22 21:10 lvoytek

In the meantime @ncalad you can add the line to /etc/apparmor.d/local/usr.bin.swtpm as a local change, then run

$ sudo service apparmor restart

to get the fix now.

lvoytek avatar Oct 10 '22 22:10 lvoytek
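The triage in this thread boils down to two steps: read the AppArmor DENIED line from syslog to see which profile blocked which operation on which path, then add the missing `owner @{HOME}/** rwk,` rule to the local override file and reload. The script below is an added example, not code from the swtpm project or from anyone in this thread. It parses audit lines of the form quoted above, reports the denials, checks whether the denied path is one the home-directory rule would cover, and appends the rule to a local profile file only if it is not already there. The sample log text is constructed for the example (the first line is the one quoted in the thread, the second is an invented ALLOWED line that must be ignored), and the override file path is a parameter so it can be exercised against a temporary file.

```shell
#!/bin/sh
# Added example: parse AppArmor audit lines and apply the local-profile fix
# discussed in the thread. Not part of swtpm.

# Constructed sample input: the DENIED line quoted in the thread plus an
# unrelated ALLOWED line that the parser must skip.
SAMPLE_LOG='Dev-Workstation kernel: [ 1929.671401] audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/andy/tpmstatedir/.lock" pid=6156 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Dev-Workstation kernel: [ 1929.671402] audit: type=1400 audit(1665412130.136:171): apparmor="ALLOWED" operation="open" profile="swtpm" name="/tmp/x" pid=6156 comm="swtpm" requested_mask="r" denied_mask="r"'

# The rule lvoytek identified as missing from the Ubuntu 22.04 package.
HOME_RULE='owner @{HOME}/** rwk,'

# aa_field KEY: print the value of KEY="value" from the audit line on stdin.
# The leading whitespace anchor keeps "name" from matching inside "comm"
# and "denied_mask" from matching "requested_mask".
aa_field() {
    sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# aa_denials: for every apparmor="DENIED" line on stdin print
# "profile operation name denied_mask" on one line.
aa_denials() {
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        printf '%s %s %s %s\n' \
            "$(printf '%s\n' "$line" | aa_field profile)" \
            "$(printf '%s\n' "$line" | aa_field operation)" \
            "$(printf '%s\n' "$line" | aa_field name)" \
            "$(printf '%s\n' "$line" | aa_field denied_mask)"
    done
}

# covered_by_home_rule PATH HOME: succeed if the denied path lives under
# HOME, i.e. if "owner @{HOME}/** rwk," would have permitted it. Paths in
# /tmp (which the thread notes already work) are not covered.
covered_by_home_rule() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# add_home_rule [FILE]: append the rule to the local override file unless it
# is already present. FILE defaults to the Ubuntu path from the thread; after
# changing the real file, reload with: sudo service apparmor restart
add_home_rule() {
    f=${1:-/etc/apparmor.d/local/usr.bin.swtpm}
    if [ -f "$f" ] && grep -qF "$HOME_RULE" "$f"; then
        return 0
    fi
    printf '%s\n' "$HOME_RULE" >> "$f"
}

# Typical use on a live system (not run here):
#   journalctl -k | aa_denials
#   sudo sh -c '. ./this_script.sh; add_home_rule' && sudo service apparmor restart
```

Running `aa_denials` over the sample prints `swtpm mknod /home/andy/tpmstatedir/.lock c`, which is exactly the information needed to decide that the state directory under `$HOME` is the problem rather than swtpm itself; the idempotent `add_home_rule` avoids stacking duplicate rules in the local override when the script is run more than once.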

Yes, adding that line to /etc/apparmor.d/local/usr.bin.swtpm, which was an empty file, and restarting apparmor fixed the problem for me. Thank you.

ncalad avatar Oct 10 '22 22:10 ncalad

Closing this issue now since it's a distro/package issue.

stefanberger avatar Nov 08 '22 17:11 stefanberger