Merge ~lvoytek/ubuntu/+source/swtpm:swtpm-lp1950631-add-apparmor-jammy into ubuntu/+source/swtpm:ubuntu/devel
| Status | Merged |
|---|---|
| Merged at revision | 6439198961ab4b28acf6a347c3c6fbba4998220c |
| Proposed branch | ~lvoytek/ubuntu/+source/swtpm:swtpm-lp1950631-add-apparmor-jammy |
| Merge into | ubuntu/+source/swtpm:ubuntu/devel |
| Diff against target | 85 lines (+41/-0), 5 files modified: debian/changelog (+10/-0), debian/control (+1/-0), debian/rules (+5/-0), debian/swtpm.install (+1/-0), debian/usr.bin.swtpm (+24/-0) |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Christian Ehrhardt (community) | | | Approve |
| Serge Hallyn (community) | | | Approve |
| Canonical Server | | | Pending |

Review via email: mp+415813@code.launchpad.net
Description of the change
Added an apparmor profile to /usr/bin/swtpm for additional protection. Confirmed it works on its own and with libvirt, QEMU, and virt-manager. Tested with Windows 11 guest.
ppa: ppa:lvoytek/
Manual Tests on Jammy:
Running help and version:
$ swtpm --help
$ swtpm --version
Using QEMU:
$ /usr/share/
$ qemu-img create -f qcow2 win11.img 64G
$ mkdir /tmp/emulated_tpm
$ swtpm socket --tpmstate dir=/tmp/
$ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,
Using virt-manager
> Open virt-manager
> Click New Virtual Machine button
Step 1:
> Select "Local install media (ISO image or CDROM)"
> Click Forward
Step 2:
> Click Browse and find Windows 11 iso
> Select "Automatically detect from the installation media / source"
> Click Forward
Step 3:
> Use >= 4096 MiB for Memory
> Use >= 2 CPUs
> Click Forward
Step 4:
> Select "Enable storage for this virtual machine"
> Use >= 70 GiB for storage size
> Click Forward
Step 5:
> Select "Customize configuration before install"
> Click Finish
Config Screen:
> For Overview > Firmware select UEFI x86_64: /usr/share/
> For Boot Options select "SATA CDROM 1" and move it to top
> Click Add Hardware
> Select TPM with Model "TIS"
> Click "Begin Installation"
Hi,
this looks worthwhile; however, it looks like, as is, the profile would cause me trouble. We have a project making heavy use of swtpm with kvm (not libvirt) with custom profiles. I assume that allowing full access to ${HOME} would make you uncomfortable?
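The merge summary lists debian/usr.bin.swtpm (+24/-0) but this page does not show its contents. The profile below is an added illustration written for this page, not the file from the merge: it follows the shape of an Ubuntu-packaged AppArmor profile, uses the state directory from the manual test above (/tmp/emulated_tpm), and shows how the custom-path need raised in the review comment can be met through a local override rather than by granting @{HOME}. The unix-socket rule and the exact file modes are assumptions.

```apparmor
# Illustrative AppArmor profile for /usr/bin/swtpm (example for this page,
# NOT the debian/usr.bin.swtpm shipped by the merge; rules are assumptions).
#include <tunables/global>

/usr/bin/swtpm {
  #include <abstractions/base>

  # The confined binary itself.
  /usr/bin/swtpm mr,

  # TPM state: only the directory the manual test passes via
  # --tpmstate dir=..., and only files owned by the invoking user.
  # Least privilege: a fault in swtpm cannot reach the rest of $HOME.
  owner /tmp/emulated_tpm/ rw,
  owner /tmp/emulated_tpm/** rwk,

  # Control/data channels for `swtpm socket` over unix sockets (assumed;
  # a socket file created under another path also needs a file rule there).
  unix (bind, listen, accept, receive, send) type=stream,

  # Site-specific state directories (e.g. a kvm-without-libvirt deployment)
  # go in /etc/apparmor.d/local/usr.bin.swtpm, so the packaged profile
  # stays narrow and local additions survive package upgrades.
  #include <local/usr.bin.swtpm>
}
```

After loading a profile like this with apparmor_parser, confinement of a running instance can be confirmed by reading /proc/PID/attr/current for the swtpm process, which should name the profile and the enforce mode.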