On Ubuntu 22.04, SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: Permission denied #763

Closed
ncalad opened this issue Oct 8, 2022 · 14 comments
Labels
AppArmor AppArmor related issue Distro issue Issue to be resolved by distro Ubuntu 22.04 Issue related to Ubuntu 22.04

Comments

@ncalad

ncalad commented Oct 8, 2022

I installed swtpm using apt-get install swtpm.

swtpm runs but dies with these errors when qemu connects:

swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=./tmpstatedir
swtpm: SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: No such file or directory
swtpm: Error: Could not initialize libtpms.
swtpm: Error: Could not initialize the TPM
swtpm: Data client disconnected

@stefanberger
Owner

Does the directory ./tmpstatedir exist?

@ncalad
Author

ncalad commented Oct 8, 2022

Yes, that directory exists and contains this file:

-rw-rw-r-- 1 xxx xxxx 0 oct 8 09:09 TMP2-00.permall, although the file is not recreated if I delete it and re-run swtpm.

@stefanberger
Owner

I think you should describe every step that you do to start swtpm, like starting with the creation of the so-far-non-existing directory for the TPM state and so on, so that someone else can just copy and paste the commands into a terminal and recreate the issue.

@ncalad
Author

ncalad commented Oct 10, 2022

These are the steps that I followed before the error occurred:
sudo apt-get install update
sudo apt-get install swtpm
mkdir ./tpmstatedir
swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=./tpmstatedir
qemu-system-x86_64 -enable-kvm ... to run the VM

Output from swtpm:
swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=./tpmstatedir
swtpm: SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: Permission denied
swtpm: Error: Could not initialize libtpms.
swtpm: Error: Could not initialize the TPM
swtpm: Data client disconnected

No files were created in the tpmstate dir. syslog contains ...

Dev-Workstation kernel: [ 1929.671401] audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/andy/tpmstatedir/.lock" pid=6156 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

@ncalad ncalad closed this as completed Oct 10, 2022
@ncalad ncalad reopened this Oct 10, 2022
@stefanberger
Owner

@lvoytek Is this due to the update AppArmor profile?

@ncalad
Author

ncalad commented Oct 10, 2022

I tried disabling apparmor but I still have the same problem.
sudo systemctl stop apparmor

I also tried building from source. That gives me version 0.8.0 of swtpm, but I have the same issue.

@ncalad
Author

ncalad commented Oct 10, 2022

If I run it under gdb, then it works.

@stefanberger
Owner

After sudo aa-teardown swtpm works for non-root users, otherwise there's something wrong with the AppArmor profile that prevents swtpm from running as a non-root user with the given paths. When the tpmstate path is set to /tmp then it works with AppArmor enabled. @lvoytek can you have a look, please?

@lvoytek
Contributor

lvoytek commented Oct 10, 2022

Alright, I'll look into it.

@lvoytek
Contributor

lvoytek commented Oct 10, 2022

Figured out the issue. The profile here works properly, but Ubuntu 22.04 still hasn't included some of the changes made in the process of getting the apparmor profile added upstream, specifically:

owner @{HOME}/** rwk,

I'll work on getting this fixed asap, downstream bug here:
https://bugs.launchpad.net/swtpm/+bug/1992377

@lvoytek
Contributor

lvoytek commented Oct 10, 2022

In the meantime @ncalad you can add the line to /etc/apparmor.d/local/usr.bin.swtpm as a local change then run

$ sudo service apparmor restart

to get the fix now.

@ncalad
Author

ncalad commented Oct 10, 2022

Yes, adding that line to /etc/apparmor.d/local/usr.bin.swtpm which was an empty file, and restarting apparmor fixed the problem for me. Thank you.

@stefanberger stefanberger added AppArmor AppArmor related issue Ubuntu 22.04 Issue related to Ubuntu 22.04 Distro issue Issue to be resolved by distro labels Oct 11, 2022
@stefanberger stefanberger changed the title On Ubuntu 22.04, SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: No such file or directory with qemu On Ubuntu 22.04, SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: Permission denied Oct 11, 2022
@stefanberger
Owner

Closing this issue now since it's a distro/package issue.

@ekrekeler

ekrekeler commented Sep 17, 2023

For any GNS3 users that come across this error:
If the GNS3 projects directory on the server is located on a different partition than the partition for the root directory (/), additional permissions need to be configured for swtpm in AppArmor. On my installation the projects directory is located under /opt/gns3/projects. I was able to get this working by adding the following configuration to /etc/apparmor.d/local/usr.bin.swtpm and then restarting the apparmor service:

owner /opt/gns3/** rwk,
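An added example (not from this issue thread or the swtpm project) that ties lvoytek's diagnosis and ekrekeler's GNS3 variant together: it parses swtpm AppArmor denials out of audit/syslog lines, derives the local-override rule each denied path needs, and checks whether /etc/apparmor.d/local/usr.bin.swtpm already carries it. The first sample log line is the one quoted above; the second is constructed here, and the `owner <top-two-components>/** rwk,` mapping for paths outside a home directory is this example's generalisation of the /opt/gns3 fix, not something the thread states.

```shell
#!/bin/sh
# Constructed sample: line 1 is the audit line quoted in this issue,
# line 2 is made up to mimic a GNS3 state directory on a separate partition.
SAMPLE_LOG='kernel: [ 1929.671401] audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/andy/tpmstatedir/.lock" pid=6156 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: [ 2001.000000] audit: type=1400 audit(1665412200.000:171): apparmor="DENIED" operation="open" profile="swtpm" name="/opt/gns3/projects/x/tpm/.lock" pid=6200 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000'

# aa_field LINE KEY: print the value of KEY="..." from one audit line.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\([^\"]*\)\".*/\1/p"
}

# Print "operation path denied_mask" for every DENIED line of the swtpm profile.
swtpm_denials() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*'profile="swtpm"'*) ;;
            *) continue ;;
        esac
        printf '%s %s %s\n' "$(aa_field "$line" operation)" \
            "$(aa_field "$line" name)" "$(aa_field "$line" denied_mask)"
    done
}

# suggest_rule PATH: the override rule for a denied path. A path under a home
# directory gets the upstream rule quoted in this thread; any other path gets an
# owner rule on its first two components (example's generalisation of /opt/gns3).
suggest_rule() {
    case "$1" in
        /home/*/*) echo 'owner @{HOME}/** rwk,' ;;
        /*/*/*) echo "owner $(printf '%s\n' "$1" | cut -d/ -f1-3)/** rwk," ;;
        *) echo "# no rule suggested for $1" ;;
    esac
}

# has_local_rule FILE RULE: succeed if FILE already contains RULE (whitespace-trimmed).
# FILE defaults to the local override path named in the thread.
has_local_rule() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "${1:-/etc/apparmor.d/local/usr.bin.swtpm}" \
        2>/dev/null | grep -Fxq "$2"
}

# Walk the sample log and report what each denial needs.
swtpm_denials | while read -r op path mask; do
    rule=$(suggest_rule "$path")
    if has_local_rule "" "$rule"; then state=present; else state=missing; fi
    printf '%s denied on %s (mask %s): needs "%s" [%s]\n' "$op" "$path" "$mask" "$rule" "$state"
done
echo 'after editing the local override: sudo service apparmor restart'
```

On a real host, replace SAMPLE_LOG with `journalctl -k` or /var/log/syslog output; the `[present|missing]` tag tells you whether the override file already has the rule before you restart AppArmor.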
