[Bug 1913552] Re: using tpm reports "/dev/tpm0: Permission denied"
Just wanted to say thanks to Christian Ehrhardt. A lot of research led me to #1, which worked perfectly. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913552 Title: using tpm reports "/dev/tpm0: Permission denied" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1913552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1913552] Re: using tpm reports "/dev/tpm0: Permission denied"
Hello Christian, basically it is the same what people do here: https://askubuntu.com/questions/1365829/qemu-failed-to-passthrough-a-tpm-device Except that you need to write "/dev/tpm0 rm," into the file, as the colon is missing and starting a VM will give you complaints on an AppArmor rule. In my opinion, the best solution would be either to let libvirt add an exception when starting a VM that needs a TPM passthrough or the exception will be made in an Apparmor file for libvirt users and its spawned processes. Regards, Thomas -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913552 Title: using tpm reports "/dev/tpm0: Permission denied" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1913552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1913552] Re: using tpm reports "/dev/tpm0: Permission denied"
Hi Thomas, in comment #3 Andre said in his case adding of the tpm path in apparmor did not help. Would you mind to share which rule and file exactly you used for "Adding the service to apparmor works" ? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913552 Title: using tpm reports "/dev/tpm0: Permission denied" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1913552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1913552] Re: using tpm reports "/dev/tpm0: Permission denied"
Adding the service to apparmor works. Looks like libvirt needs an apparmor rule or prior start of a VM apparmor needs to receive the instruction to allow access as long as the VM is running. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913552 Title: using tpm reports "/dev/tpm0: Permission denied" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1913552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1913552] Re: using tpm reports "/dev/tpm0: Permission denied"
Ok - on the good side that means it is not an libvirt/apparmor issue as I first assumed. On the bad side, that means a permission issue in a yet to be found place. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913552 Title: using tpm reports "/dev/tpm0: Permission denied" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1913552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1913552] Re: using tpm reports "/dev/tpm0: Permission denied"
Hi Christian, I am running this from the 20.04 USB stick again. Unfortunately, there was nothing on dmesg as I started my guest. And as expected, editing /etc/apparmor.d/local/abstractions/libvirt-qemu changed nothing as well. Another simple test, using tpm-tis also had the same outcome. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913552 Title: using tpm reports "/dev/tpm0: Permission denied" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1913552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1913552] Re: using tpm reports "/dev/tpm0: Permission denied"
The following is mostly a note to myself, I'm still first of all waiting for the logs I asked above. The config used in the example you linked is: Per https://libvirt.org/formatdomain.html#tpm-device about tpm-crb "another available choice is the tpm-crb, which should only be used when the backend device is a TPM 2.0" tpm-tis could be an alternative, but that also might be odd. So far I mostly heard people use emulators [1][2] in libvirt that is something like: Unfortunately my TPM is unhappy with me, also I have none of the further steps in place. So no testing from me atm (IIRC xnox had a setup like this once): $ sudo /usr/sbin/tcsd -f TCSD TDDL ioctl: (25) Inappropriate ioctl for device TCSD TDDL Falling back to Read/Write device support. TCSD TCS ERROR: TCS GetCapability failed with result = 0x1e [1]: https://github.com/stefanberger/swtpm [2]: https://launchpad.net/~stefanberger/+archive/ubuntu/swtpm-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913552 Title: using tpm reports "/dev/tpm0: Permission denied" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1913552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1913552] Re: using tpm reports "/dev/tpm0: Permission denied"
@André, Hi over here as well. The usual suspect that comes to mind is apparmor protection as tpm use isn't common yet. Depening on how it is configured in your guest it might not have got an apparmor allowance yet. Please could you report back the following: 1. run `dmesg -w` while you start your guest are there apparmor DENIED messages? 2. if #1 is true, then please report the following 2.1 xml of your guest `virsh dumpxml ` 2.2 apparmor rules that are generated /etc/apparmor.d/libvirt/libvirt-.files After we have the above you can try to allow all your guests access to that path, I'm guessing a bit until I see the denial, but maybe echo "/dev/tpm* rw," >> /etc/apparmor.d/local/abstractions/libvirt-qemu Afterwards ensure your guests is destroyed and started again (to refresh its profile) Does it now work better? That might be too open to commit it, but good for a try if that resolves your issue. ** Changed in: libvirt (Ubuntu) Status: New => Incomplete ** Changed in: libvirt (Ubuntu) Assignee: (unassigned) => André Abrantes (andreadps) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913552 Title: using tpm reports "/dev/tpm0: Permission denied" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1913552/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs