This bug was fixed in the package swtpm - 0.6.3-0ubuntu2
---
swtpm (0.6.3-0ubuntu2) jammy; urgency=medium
* d/p/openssl-not-certtool.patch: do not use rnd file (LP: #1968131)
RANDFILE isn't needed anymore in openssl and furthermore breaks many
use cases here as HOME isn't
Apparmor follow up filed as:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1968187
Uploaded the tested fix for swtpm:
Uploading swtpm_0.6.3-0ubuntu2.dsc
Uploading swtpm_0.6.3-0ubuntu2.debian.tar.xz
Uploading swtpm_0.6.3-0ubuntu2_source.buildinfo
Uploading
Install fine:
ubuntu@swtpm-jammy:/var/lib/swtpm$ sudo apt update; sudo apt upgrade
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://security.ubuntu.com/ubuntu jammy-security
I tested the PPA, and it works like a charm now. Thanks Christian and
Simon!
For once, kicking some{thing,one} out of their $HOME does something
good..
** Changed in: swtpm (Ubuntu Jammy)
Status: Confirmed => In Progress
--
You received this bug notification because you are a member
Your comment #13 is what hinted me. I've been messing with openssl
lately and noticed an annoying message about .rnd but only on Bionic
machines ;)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
The fix needed some polishing, but was a great hint.
Test PPA started to build at:
https://launchpad.net/~paelzer/+archive/ubuntu/lp-1968131-swtpm-rndfile
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Yes Simon,
that is much better than me trying to fetch home and insert it into the string
:-)
Thanks for the reference.
It feels a bit odd seeing myself coming by between meetings all day and
make debug progress to then see such a simple solution. Please tell me
that my debug helped to make that
@paelzer, upstream OpenSSL stopped using RANDFILE a while ago, I've
linked a MR to drop that directive from swtpm's patch.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968131
Title:
Starting VM
A new interim summary
Problem:
- debian/patches/openssl-not-certtool.patch adds "RANDFILE =
$ENV::HOME/.rnd\n"
- this is not picked up correctly at the time this file is evaluated
- Due to that swtpm-localca tries to access $CWD/.rnd and fails in most cases
- The upstreaming of this
** Merge proposal linked:
https://code.launchpad.net/~sdeziel/ubuntu/+source/swtpm/+git/swtpm/+merge/418865
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968131
Title:
Starting VM with UEFI
In a set of cross checks I ran it as
#1 root, but this time in /home/ubuntu instead of in /root.
I got:
lrwxrwxrwx 1 root root 0 Apr 7 13:40 /proc/11805/cwd -> /home/ubuntu/
And afterwards
-rw--- 1 root root 1024 Apr 7 13:40 /home/ubuntu/.rnd
So it fully ignores $HOME
So root cause
Ok, it has
HOME=/var/lib/swtpm
So due to the config being
"RANDFILE = $ENV::HOME/.rnd\n"
one might expect `/var/lib/swtpm/.rnd`
But that isn't what it will resolve to, instead we see in strace that it uses:
"./.rnd"
And surprise :-P, it does not set CWD, I checked a running
The swtpm user is created as:
swtpm:x:113:121:virtual TPM software stack,,,:/var/lib/swtpm:/bin/false
But
$ ls -laF /var/lib/swtpm
ls: cannot access '/var/lib/swtpm': No such file or directory
I guess we need to give him a better home dir?
For example drop `--no-create-home` from the postinst
I think I got it, it is around that .rnd file as mentioned in the log.
Indeed after running this as root I have:
$ sudo ls -laF /root/.rnd
-rw--- 1 root root 1024 Apr 7 08:16 /root/.rnd
But running as swtpm I get this with strace:
This is the initial failure:
[pid 3049] 13:10:20 (+
# clean
$ sudo apt remove --purge swtpm swtpm-tools
$ sudo rm -rf /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm
# re-create a clean env by re-installing swtpm
$ sudo apt install swtpm swtpm-tools
# Status after install
$ sudo ls -laF /var/lib/libvirt/swtpm
Summary of initial triage:
- It is reproducible for me as reported => confirmed
- Other than hoped it is not "just" an apparmor denial (it is in the setup
stage,
not the later swtpm that talks with the guest) :-/
- running the failing command as root locally works
- seems to be associated to
I found it in ps
4 1131814 758 20 0 13772 5784 - S? 0:00 \_
/usr/bin/swtpm_setup --tpm2 --tpm-state
/var/lib/libvirt/swtpm/202a34a9-2ee2-4826-b206-c249f535be90/tpm2 --vmid
testguest:202a34a9-2ee2-4826-b206-c249f535be90 --logfile
I wanted to check if this is more virt-manager or libvirt to call it
badly (or call it in a bad environment).
I spawned a default libvirt based guest with uvtool.
In there I then added the most common pattern of
This is showing kind of the same behavior.
So while most tests before were
As invoked by the virt-stack we see:
Starting vTPM manufacturing as swtpm:swtpm @ Thu 07 Apr 2022 08:14:26 AM UTC
Successfully created RSA 2048 EK with handle 0x81010001.
Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek
I agree that worst-case dropping the recommends is an option.
But only to mitigate - it is meant to be available and working.
It worked for me in the (far) past, but it might have been one of the
extra updates/features landing in the meantime. Although I have not used
it with virt-install yet
Our CI uses a Jammy Ubuntu cloud image, but with quite a large list of
extra installed packages. To make sure it's not something specific to
that environment, I tried this:
autopkgtest-buildvm-ubuntu-cloud
qemu-system-x86_64 -enable-kvm -nographic -m 2048 -device virtio-rng-pci
-drive
Right, I understand -- but introducing the dependency was an explicit
decision (#1948748), and it seems it is broken for its main use case. So
in the simplest case the recommends: could be reverted, and reintroduced
once this is understood?
--
You received this bug notification because you are a
Understanding what happens is critical, then - once we know what it is -
it might be tuned down in priority.
Also tagged/subscribed for foundations (fow swtpm) and server (for the
virt bits) attention.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Thanks Martin,
IIRC the new virt-manager tries to provide swtpm if present and due tot he
dependency change it now it present. Since we do not yet know where the
root-cause or fix will land I've added a few more affected packages for now.
But I must admit I'm super busy and this makes me feel
24 matches
Mail list logo
