swtpm
Unable to Run non-root VM with SWTPM
I maintain RHEL9 development machines which are configured to allow libvirt/qemu VMs to be run by regular (non-root/sudo) users. We use Unix socket groups to facilitate this non-root access and it works well.
The problem comes in when trying to use SWTPM. I can configure the swtpm_group setting in /etc/libvirt/qemu.conf and it works to change the group ownership of the swtpm socket in /run/libvirt/qemu/swtpm/. However, the POSIX permissions on the socket are 0600, so the group ownership change is moot; even though the socket is owned by the correct group, users still cannot use the socket.
Steps to reproduce the behavior:
- Install swtpm on RHEL9:
  dnf install swtpm swtpm-tools
- Edit /etc/libvirt/qemu.conf, setting swtpm_group to a group of which the standard users are members
- Install a VM with swtpm TPM:
  virt-install --connect qemu:///system --name vm01 --memory=8192 --vcpus=4 --cdrom /shared-scratch/virtual-machines/standard.user/BOOT_ISO.iso --disk /data/scratch/vms/standard.user/vm01-system.qcow2,cache=writeback,bus=virtio --disk /data/scratch/vms/standard.user/vm01-storage.qcow2,cache=writeback,bus=virtio --graphics=vnc --tpm backend.type=emulator,backend.version=2.0,model=tpm-tis --os-variant=rhel9.3 --console pty,target_type=serial
Expected behavior
I expect the swtpm socket to be accessible by the standard user based on group membership.
Instead, the following error is displayed:
Starting install...
ERROR internal error: process exited while connecting to monitor: 2024-03-18T15:36:09.123841Z qemu-kvm: -chardev socket,id=chrtpm,path=/run/libvirt/qemu/swtpm/2-vm01-swtpm.sock: Failed to connect to '/run/libvirt/qemu/swtpm/2-vm01-swtpm.sock': Permission denied
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///system start vm01
otherwise, please restart your installation.
The socket perms look as follows:
[standard.user@dev01 ~]$ ls -l /run/libvirt/qemu/swtpm/
total 4
-rw-r--r--. 1 root root 4 Mar 18 10:29 2-vm01-swtpm.pid
srw-------. 1 tss users 0 Mar 18 10:29 2-vm01-swtpm.sock
Desktop:
- OS: Red Hat Enterprise Linux
- Version: 9.3
Versions of relevant components
- libvirtd: 9.5.0-7.2
- qemu: 8.0.0-16
- swtpm: 0.8.0-1
- swtpm-libs: 0.8.0-1
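A small diagnostic for the situation described in this report, added here as an example and not part of the issue or of the swtpm or libvirt projects. It turns the `ls -l` output above into a yes/no answer: connecting to a Unix socket needs write permission on the socket inode, so a socket that is `tss:users` but mode `0600` (`srw-------`) is unreachable for members of `users` no matter what swtpm_group says. The script assumes GNU `stat -c` and `id -nG` as shipped on RHEL; the function names and the sample modes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue, swtpm or libvirt): decide from a Unix
# socket's permission bits whether members of its owning group can connect.
# connect(2) on a Unix socket requires write permission on the socket inode,
# so a mode of 0600 shuts out group members regardless of swtpm_group.

# group_can_connect OCTAL_MODE
# Exit 0 if the group write bit is set in a 3- or 4-digit octal mode (e.g. 660).
group_can_connect() {
    mode="$1"
    last3=${mode#"${mode%???}"}   # final three digits: owner, group, other
    grp=${last3#?}                # drop the owner digit
    grp=${grp%?}                  # drop the other digit -> group digit
    [ $(( grp & 2 )) -ne 0 ]      # bit 2 of the group digit is "w"
}

# symbolic_group_can_connect LS_MODE
# Same test on the mode string printed by ls -l (e.g. "srw-rw----.").
# Character 6 (type, rwx owner, then r w x group) is the group write bit.
symbolic_group_can_connect() {
    [ "$(printf '%s' "$1" | cut -c6)" = "w" ]
}

# check_swtpm_socket PATH USER
# Report whether USER could reach the swtpm socket at PATH via group membership.
# Exit 0 if yes, 1 if not, 2 if PATH is not a socket. Assumes GNU stat (-c).
check_swtpm_socket() {
    sock="$1"
    user="$2"
    if [ ! -S "$sock" ]; then
        printf '%s: not a Unix socket\n' "$sock"
        return 2
    fi
    mode=$(stat -c '%a' "$sock")
    group=$(stat -c '%G' "$sock")
    # membership check: the group must appear in the user's supplementary groups
    if ! id -nG "$user" | tr ' ' '\n' | grep -qx "$group"; then
        printf '%s: %s is not in group %s (check swtpm_group in qemu.conf)\n' \
            "$sock" "$user" "$group"
        return 1
    fi
    if group_can_connect "$mode"; then
        printf '%s: mode %s, group %s has write access, %s can connect\n' \
            "$sock" "$mode" "$group" "$user"
        return 0
    fi
    printf '%s: mode %s, group %s lacks the write bit, %s cannot connect despite membership\n' \
        "$sock" "$mode" "$group" "$user"
    return 1
}

# Usage: ./check_swtpm_socket.sh /run/libvirt/qemu/swtpm/2-vm01-swtpm.sock standard.user
if [ -n "${1:-}" ]; then
    check_swtpm_socket "$1" "${2:-$(id -un)}"
fi
```

Run it as the affected user against the socket path from the qemu-kvm error; the third branch is the one this report describes: correct group, no group write bit, "Permission denied".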