Merge ~lvoytek/ubuntu/+source/swtpm:swtpm-add-libvirt-apparmor-rules into ubuntu/+source/swtpm:ubuntu/devel

Proposed by Lena Voytek
Status: Merged
Merged at revision: f252cc704186e0c312ce01628f24cced154e8695
Proposed branch: ~lvoytek/ubuntu/+source/swtpm:swtpm-add-libvirt-apparmor-rules
Merge into: ubuntu/+source/swtpm:ubuntu/devel
Diff against target: 38 lines (+16/-1)
2 files modified
debian/changelog (+8/-0)
debian/usr.bin.swtpm (+8/-1)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Core Reviewers Pending
Canonical Server Pending
Review via email: mp+419328@code.launchpad.net

Description of the change

Fixed access to swtpm binary, added libvirt file permissions, and added socket permissions to the swtpm apparmor profile

See also: https://code.launchpad.net/~lvoytek/ubuntu/+source/libvirt/+git/libvirt/+merge/419329

ppa: ppa:lvoytek/swtpm-fix-apparmor-libvirt

Tested by setting up a Windows 11 instance using virt-manager and qemu on its own.

Tested standalone swtpm.

Test details:

Running help and version:

$ swtpm --help
$ swtpm --version

Using QEMU:

$ /usr/share/swtpm/swtpm-create-user-config-files
$ qemu-img create -f qcow2 win11.img 64G
$ mkdir /tmp/emulated_tpm
$ swtpm socket --tpmstate dir=/tmp/emulated_tpm --ctrl type=unixio,path=/tmp/emulated_tpm/swtpm-sock --log level=20 --tpm2 &
$ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/emulated_tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom ~/Downloads/Win11_English_x64v1.iso

Using virt-manager:

> Open virt-manager
> Click New Virtual Machine button

Step 1:
> Select "Local install media (ISO image or CDROM)"
> Click Forward

Step 2:
> Click Browse and find Windows 11 iso
> Select "Automatically detect from the installation media / source"
> Click Forward

Step 3:
> Use >= 4096 MiB for Memory
> Use >= 2 CPUs
> Click Forward

Step 4:
> Select "Enable storage for this virtual machine"
> Use >= 70 GiB for storage size
> Click Forward

Step 5:
> Select "Customize configuration before install"
> Click Finish

Config Screen:
> For Overview > Firmware select UEFI x86_64: /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
> For Boot Options select "SATA CDROM 1" and move it to top

> Click Add Hardware
> Select TPM with Model "TIS" and version 2.0

> Click "Begin Installation"
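As an added example (not part of this merge proposal or the swtpm package), a small Python triage that parses AppArmor DENIED audit lines for the swtpm profile and reports whether each denied path would be allowed by the path rules in the updated debian/usr.bin.swtpm. The sample audit lines, pids and uids are constructed, and the `owner` qualifier is deliberately not modelled.

```python
import re

# Path rules from the updated debian/usr.bin.swtpm profile ('owner' qualifier ignored).
SWTPM_RULES = {
    "/tmp/**": "rwk", "/usr/bin/swtpm": "rm", "/var/lib/libvirt/swtpm/**": "rwk",
    "/run/libvirt/qemu/swtpm/*.sock": "rwk", "/var/log/swtpm/libvirt/qemu/*.log": "rwk",
    "/run/libvirt/qemu/swtpm/*.pid": "rwk", "/dev/vtpmx": "rw",
    "/var/lib/swtpm/**": "rwk", "/run/swtpm/sock": "rw",
}
# Audit-mask letters that a plain 'w' rule satisfies (create, append, delete).
MASK_MAP = {"c": "w", "a": "w", "d": "w"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def aa_glob(glob):
    """AppArmor globbing: '**' spans '/', '*' stays within one path component."""
    parts = re.split(r"(\*\*|\*)", glob)
    pat = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + pat + "$")


def covering_rule(path, denied_mask, rules=SWTPM_RULES):
    """Return the first rule glob granting every denied permission, else None."""
    needed = {MASK_MAP.get(ch, ch) for ch in denied_mask}
    for glob, perms in rules.items():
        if aa_glob(glob).match(path) and needed <= set(perms):
            return glob
    return None


def triage(log_lines, profile="swtpm"):
    """Map each path denied to `profile` onto (denied_mask, covering rule or None)."""
    out = {}
    for line in log_lines:
        f = dict(FIELD_RE.findall(line))
        if f.get("apparmor") == "DENIED" and f.get("profile") == profile and "name" in f:
            out[f["name"]] = (f["denied_mask"], covering_rule(f["name"], f["denied_mask"]))
    return out


# Constructed sample lines in the kernel's AppArmor audit format (not real captures).
SAMPLE_LOG = [
    'audit: type=1400 audit(1649777385.101:301): apparmor="DENIED" operation="open" profile="swtpm" name="/run/libvirt/qemu/swtpm/1-win11-swtpm.sock" pid=4321 comm="swtpm" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0',
    'audit: type=1400 audit(1649777385.102:302): apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/bin/swtpm" pid=4321 comm="swtpm" requested_mask="m" denied_mask="m" fsuid=64055 ouid=0',
    'audit: type=1400 audit(1649777385.103:303): apparmor="DENIED" operation="open" profile="swtpm" name="/var/log/swtpm/libvirt/qemu/win11-swtpm.log" pid=4321 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=64055 ouid=64055',
    'audit: type=1400 audit(1649777385.104:304): apparmor="DENIED" operation="open" profile="swtpm" name="/srv/vms/tpmstate/tpm2-00.permall" pid=4321 comm="swtpm" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055',
    'audit: type=1400 audit(1649777385.105:305): apparmor="DENIED" operation="open" profile="libvirtd" name="/var/lib/libvirt/images/win11.img" pid=99 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for path, (mask, rule) in triage(SAMPLE_LOG).items():
        print(f"{path} ({mask}): {'covered by ' + rule if rule else 'STILL DENIED'}")
```

A denial the rules do not cover, such as a `--tpmstate dir=` outside /tmp or /var/lib/swtpm, points at a path the profile would still need before the standalone case works.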

Christian Ehrhardt (paelzer) wrote:

I tested my prior repro for these bugs using a uvt-kvm testguest with TPM.
Worked fine as well.

Christian Ehrhardt (paelzer) wrote:

I confirm the proposed rules match what was discussed in the two referred bugs.
Changelog ok as well.

+1

Christian Ehrhardt (paelzer):
review: Approve
Christian Ehrhardt (paelzer) wrote:

We are still before final freeze, this is a critical fix for an important new function and many teams/tests depend on it. Uploading now ...

Uploading swtpm_0.6.3-0ubuntu3.dsc
Uploading swtpm_0.6.3-0ubuntu3.debian.tar.xz
Uploading swtpm_0.6.3-0ubuntu3_source.buildinfo
Uploading swtpm_0.6.3-0ubuntu3_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 08d8780..6ccf485 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+swtpm (0.6.3-0ubuntu3) jammy; urgency=medium
7+
8+ * d/usr.bin.swtpm: Add additional apparmor rules
9+ - allow full interaction with libvirt (LP: #1968187)
10+ - add qemu socket rules (LP: #1968335)
11+
12+ -- Lena Voytek <lena.voytek@canonical.com> Tue, 12 Apr 2022 07:49:45 -0700
13+
14 swtpm (0.6.3-0ubuntu2) jammy; urgency=medium
15
16 * d/p/openssl-not-certtool.patch: do not use rnd file (LP: #1968131)
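Review bot: the two bullets `- allow full interaction with libvirt (LP: #1968187)` and `- add qemu socket rules (LP: #1968335)` do not account for everything the profile hunk changes: the switch from `owner /usr/bin/swtpm r,` to `/usr/bin/swtpm rm,` (which the description calls "Fixed access to swtpm binary") and the standalone paths `owner /var/lib/swtpm/** rwk,` and `owner /run/swtpm/sock rw,` have no bullet. A third bullet for the binary-access fix and one for the standalone state/socket paths would make the changelog match the diff, which matters here because the entry is the only record of why each rule was added.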
17diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
18index 3d79c9f..386137b 100644
19--- a/debian/usr.bin.swtpm
20+++ b/debian/usr.bin.swtpm
21@@ -17,9 +17,16 @@ profile swtpm /usr/bin/swtpm {
22 network inet stream,
23 network inet6 stream,
24 unix (send) type=dgram addr=none peer=(addr=none),
25+ unix (send, receive) type=stream addr=none peer=(label=libvirt-*),
26+
27+ /usr/bin/swtpm rm,
28
29 owner /tmp/** rwk,
30- owner /usr/bin/swtpm r,
31 owner /var/lib/libvirt/swtpm/** rwk,
32+ /run/libvirt/qemu/swtpm/*.sock rwk,
33+ owner /var/log/swtpm/libvirt/qemu/*.log rwk,
34+ owner /run/libvirt/qemu/swtpm/*.pid rwk,
35 owner /dev/vtpmx rw,
36+ owner /var/lib/swtpm/** rwk,
37+ owner /run/swtpm/sock rw,
38 }
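Review bot: `/run/libvirt/qemu/swtpm/*.sock rwk,` is the only new path rule without the `owner` qualifier that its neighbours `owner /var/log/swtpm/libvirt/qemu/*.log rwk,` and `owner /run/libvirt/qemu/swtpm/*.pid rwk,` carry. If that is deliberate because the socket file is not owned by the uid swtpm runs under, a short comment above the rule would stop a later cleanup from "re-adding" `owner` and reintroducing the denial; if it is not deliberate, `owner` should be added so the profile stays as narrow as the rest. The same goes for the replacement of `owner /usr/bin/swtpm r,` by `/usr/bin/swtpm rm,`: dropping `owner` and adding `m` is what lets the binary map itself, and a one-line comment saying so would save the next reader the archaeology.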
