
Unable to Run non-root VM with SWTPM

Open kasualkeef opened this issue 3 months ago • 12 comments

I maintain RHEL9 development machines which are configured to allow libvirt/qemu VMs to be run by regular (non-root/sudo) users. We use Unix socket groups to facilitate this non-root access and it works well.

The problem comes in when trying to use SWTPM. I can configure the swtpm_group setting in /etc/libvirt/qemu.conf and it works to change the group ownership of the swtpm socket in /run/libvirt/qemu/swtpm/. However, the POSIX permissions on the socket are 0600, so the group ownership change is moot; even though the socket is owned by the correct group, users still cannot use the socket.

Steps to reproduce the behavior:

  1. Install swtpm on RHEL9: dnf install swtpm swtpm-tools
  2. Edit /etc/libvirt/qemu.conf, setting swtpm_group to a group of which the standard users are members
  3. Install a VM with a swtpm TPM: virt-install --connect qemu:///system --name vm01 --memory=8192 --vcpus=4 --cdrom /shared-scratch/virtual-machines/standard.user/BOOT_ISO.iso --disk /data/scratch/vms/standard.user/vm01-system.qcow2,cache=writeback,bus=virtio --disk /data/scratch/vms/standard.user/vm01-storage.qcow2,cache=writeback,bus=virtio --graphics=vnc --tpm backend.type=emulator,backend.version=2.0,model=tpm-tis --os-variant=rhel9.3 --console pty,target_type=serial

Expected behavior

I expect the swtpm socket to be accessible by the standard user based on group membership.

Instead, the following error is displayed:

Starting install...
ERROR    internal error: process exited while connecting to monitor: 2024-03-18T15:36:09.123841Z qemu-kvm: -chardev socket,id=chrtpm,path=/run/libvirt/qemu/swtpm/2-vm01-swtpm.sock: Failed to connect to '/run/libvirt/qemu/swtpm/2-vm01-swtpm.sock': Permission denied
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start vm01
otherwise, please restart your installation.

The socket perms look as follows:

[standard.user@dev01 ~]$  ls -l /run/libvirt/qemu/swtpm/
total 4
-rw-r--r--. 1 root root   4 Mar 18 10:29 2-vm01-swtpm.pid
srw-------. 1 tss  users  0 Mar 18 10:29 2-vm01-swtpm.sock

Desktop:

  • OS: Red Hat Enterprise Linux
  • Version: 9.3

Versions of relevant components

  • libvirtd: 9.5.0-7.2
  • qemu: 8.0.0-16
  • swtpm: 0.8.0-1
  • swtpm-libs: 0.8.0-1

kasualkeef, Mar 18 '24 15:03
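The report above hinges on a POSIX detail that is easy to miss when auditing socket access: connecting to a Unix-domain socket requires write permission on the socket inode, and the kernel checks exactly one set of bits (owner, group, or other) depending on who the caller is. So a socket owned by group `users` with mode 0600 grants that group nothing. The following is an added example, not code from the issue author or from the swtpm or libvirt projects; it parses `ls -l` lines like the one in the report, applies the permission rule, and explains why the group setting is moot. The "fixed" 0660 line in the usage section is a constructed illustration of what an effective group grant would look like, not a claim about what swtpm or libvirt actually emit; the function names are hypothetical.

```python
"""Check whether a Unix socket's permission bits actually grant the access
that its group ownership suggests.

connect() on a Unix-domain socket needs write permission on the socket
inode (and search permission on the containing directory). POSIX picks
exactly one class of bits: owner if the caller owns the file, else group
if the caller is in the file's group, else other. Group ownership with
mode 0600 therefore grants group members nothing.
"""
import grp
import os
import pwd
import stat
from dataclasses import dataclass


@dataclass
class SocketPerms:
    path: str
    mode: int        # permission bits only, e.g. 0o600
    owner: str
    group: str
    is_socket: bool


def parse_ls_line(line: str) -> SocketPerms:
    """Parse one `ls -l` line, e.g.
    'srw-------. 1 tss users 0 Mar 18 10:29 2-vm01-swtpm.sock'.
    The trailing '.', '+' or '@' on the mode field is an SELinux/ACL/xattr
    indicator and carries no permission information."""
    fields = line.split()
    perm = fields[0].rstrip(".+@")
    is_socket = perm[0] == "s"
    mode = 0
    for i, ch in enumerate(perm[1:10]):
        # '-' means unset; uppercase 'S'/'T' mean setid/sticky without execute
        if ch not in "-ST":
            mode |= 1 << (8 - i)
    return SocketPerms(path=fields[-1], mode=mode,
                       owner=fields[2], group=fields[3], is_socket=is_socket)


def can_connect(perms: SocketPerms, user: str, user_groups: list) -> bool:
    """Apply the POSIX access rule for connect(): write bit of exactly one class."""
    if not perms.is_socket:
        return False
    if user == "root":                      # CAP_DAC_OVERRIDE bypasses the bits
        return True
    if user == perms.owner:                 # owner class only, even if also in group
        return bool(perms.mode & stat.S_IWUSR)
    if perms.group in user_groups:          # group class only
        return bool(perms.mode & stat.S_IWGRP)
    return bool(perms.mode & stat.S_IWOTH)  # other class


def diagnose(perms: SocketPerms, user: str, user_groups: list) -> str:
    """Human-readable verdict, calling out the group-owned-but-0600 case."""
    if can_connect(perms, user, user_groups):
        return "ok"
    if (perms.group in user_groups and user != perms.owner
            and not perms.mode & stat.S_IWGRP):
        return (f"group '{perms.group}' owns {perms.path} but mode "
                f"{perms.mode:04o} lacks group-write; group ownership is moot")
    return (f"{user} has no write access to {perms.path} "
            f"(mode {perms.mode:04o}, {perms.owner}:{perms.group})")


def inspect_path(path: str) -> SocketPerms:
    """Build SocketPerms from a live filesystem path (for running on a host)."""
    st = os.lstat(path)
    return SocketPerms(path=path, mode=stat.S_IMODE(st.st_mode),
                       owner=pwd.getpwuid(st.st_uid).pw_name,
                       group=grp.getgrgid(st.st_gid).gr_name,
                       is_socket=stat.S_ISSOCK(st.st_mode))


if __name__ == "__main__":
    # Constructed input: the socket line from the report, and a hypothetical
    # 0660 variant showing what an effective group grant would look like.
    reported = "srw-------. 1 tss  users  0 Mar 18 10:29 2-vm01-swtpm.sock"
    hypothetical_fixed = "srw-rw----. 1 tss  users  0 Mar 18 10:29 2-vm01-swtpm.sock"
    for line in (reported, hypothetical_fixed):
        p = parse_ls_line(line)
        print(f"{p.path} {p.mode:04o} -> {diagnose(p, 'standard.user', ['users'])}")
```

Run it on a host as `python3 check.py` after swapping the constructed lines for `inspect_path("/run/libvirt/qemu/swtpm/<name>.sock")`; the same rule also applies to the parent directory, which needs search (execute) permission for the caller's class.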