Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH in libvirt on Ubuntu 22.04

[jptrmn]

Describe the bug
Hi, I am unable to launch a libvirt user session with a tpm-tis TPM-2 Module.
When I launch the VM, I get the error: Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.

To Reproduce
Steps to reproduce the behavior:

1. Install swtpm
2. add a tpm-tis model TPMv2.0 to a user session in virt manager
3. create an AppArmor Profile with aa-complain for swtpm
4. Start VM

Expected behavior
I would expect libvirt to find and execute the swtpm-localca binary (located in /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca ) and create the appropriate files; Launch the VM.

Desktop (please complete the following information):

• OS: Ubuntu
• Version 22.04 LTS

Versions of relevant components

• swtpm: 0.6.3-0ubuntu3
• libtpms: 0.9.3-0ubuntu1
• openssl: 3.0.2-0ubuntu1.6
• libgnutls: 3.7.3-4ubuntu1.1
• libvirt-daemon: 8.0.0-1ubuntu7.1
• qemu-utils: 1:6.2+dfsg-2ubuntu6.3

Log files
Please attach any log files. If using a VM and it was started with libvirt, attach the logfile found in /var/log/swtpm/libvirt/qemu/VM-NAME-swtpm.log.

Virt Manager Output:

Fehler beim Starten der Domain: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/home/josef/.cache/libvirt/qemu/log/win10-swtpm.log' for details.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/domain.py", line 1384, in startup
    self._backend.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 1353, in create
    raise libvirtError('virDomainCreate() failed')
libvirt.libvirtError: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/home/josef/.cache/libvirt/qemu/log/win10-swtpm.log' for details.

The win10-swtpm.log:

Starting vTPM manufacturing as josef:josef @ Wed 14 Sep 2022 03:36:06 PM CEST
Successfully created RSA 2048 EK with handle 0x81010001.
Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Wed 14 Sep 2022 03:36:06 PM CEST

Additional context
I had to enable an AppArmor profile because initially the swtpm.log error was:

Starting vTPM manufacturing as josef:josef @ Wed 14 Sep 2022 12:44:47 PM CEST
swtpm process terminated unexpectedly.
Could not start the TPM 2.
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Wed 14 Sep 2022 12:44:47 PM CEST

kern.log:Sep 14 12:44:47 josef-T460s kernel: [23521.549692] audit: type=1400 audit(1663152287.776:649): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/josef/.config/libvirt/qemu/swtpm/ffdcb282-04d3-4fdd-a006-c435bde80529/tpm2/.swtpm_setup.pidfile" pid=31032 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Any Input would be greatly appreciated.

Thanks,
Josef

[stefanberger]

When I launch the VM, I get the error: Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.

You did not build swtpm on this system, did you?

Otherwise, this looks like a packaging error.

Can you dump the /etc/swtpm_setup.conf config file. It should only have concrete paths like I have on my 22.04 system with swtpm-tools installed from the Ubuntu repo:

# cat /etc/swtpm_setup.conf
# Program invoked for creating certificates
create_certs_tool= /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca
create_certs_tool_config = /etc/swtpm-localca.conf
create_certs_tool_options = /etc/swtpm-localca.options

# dpkg --list | grep swtpm
ii  swtpm                    0.6.3-0ubuntu3                          amd64        Libtpms-based TPM emulator
ii  swtpm-tools              0.6.3-0ubuntu3                          amd64        Tools for the TPM emulator

[stefanberger]

I think I know where it may come from. Are you starting the VM as root or as a non-root user? You may have a non-root config file that was created by a tool that has an issue.

There seems to be a packaging error:

# grep DATAROOT /usr/share/swtpm/swtpm-create-user-config-files
create_certs_tool = @DATAROOTDIR@/swtpm/swtpm-localca

The @DATAROOTDIR@ shouldn't be there but should look like this after the configure step during build:

create_certs_tool = /usr/share/swtpm/swtpm-localca

At least when I build the package locally and install the package (swtpm-tools_0.6.4_amd64.deb) then the file /usr/share/swtpm/swtpm-create-user-config-files looks like this:

        cat <<_EOF_ > "${SWTPM_SETUP_CONF}"
create_certs_tool = /usr/share/swtpm/swtpm-localca
create_certs_tool_config = ${SWTPM_LOCALCA_CONF}

[jptrmn]

Hi Stefan,
thanks for the pointer. I indeed use ubuntu's packaged swtpm. I actually upgraded to Ubuntu 22.04 to get it from the official repos ;)

dpkg -l | grep swtpm
ii  libtss2-tcti-swtpm0:amd64                   3.2.0-1ubuntu1                          amd64        TPM2 Software stack library - TSS and TCTI libraries
ii  swtpm                                       0.6.3-0ubuntu3                          amd64        Libtpms-based TPM emulator
ii  swtpm-tools                                 0.6.3-0ubuntu3                          amd64        Tools for the TPM emulator

The global /etc/swtpm_setup.conf looks good:

# Program invoked for creating certificates
create_certs_tool= /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca
create_certs_tool_config = /etc/swtpm-localca.conf
create_certs_tool_options = /etc/swtpm-localca.options

The user's swtpm_setup.conf (/home/josef/.config/swtpm_setup.conf ) looks broken though, explaining the error:

create_certs_tool = @DATAROOTDIR@/swtpm/swtpm-localca
create_certs_tool_config = /home/josef/.config/swtpm-localca.conf
create_certs_tool_options = /home/josef/.config/swtpm-localca.options

When I fix the user's config to reflect the global one, I can boot the system and see the TPM inside the guest (and use "Windows Hello").

Thanks a lot!

[jptrmn]

Where could I report this issue to the ubuntu packaging maintainers?

[stefanberger]

@jptrmn You would have to file it here I think: https://bugs.launchpad.net/ubuntu

You can reference what I said above. This must be a packaging error of some sort...

Thanks a lot!

[stefanberger]

@jptrmn If you have a link to the Bugreport on Launchpad, can you post it here as well, please.

[jptrmn]

@jptrmn If you have a link to the Bugreport on Launchpad, can you post it here as well, please.

@stefanberger Sure, here is the link to Launchpad: https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/1989598

Best,
Josef