Profile could not be applied to an existing TPM 2 instance

[nlgranger]

I cannot start VMs with a preset TPM in libvirt anymore.

The log file mentions the following error: Profile could not be applied to an existing TPM 2 instance. AFAIK, I did recreate the VM and secrets from scratch.

• swtpm 0.10.0
• libvirt 10.10.0
• qemu 9.1.2

The VM TPM device is defined like so:

    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0' debug='5'>
        <encryption secret='{{ hostvars[item].tpm_secret }}'/>
        <active_pcr_banks>
            <sha256/>
        </active_pcr_banks>
      </backend>
    </tpm>

The TPM secret was defined like so:

<secret ephemeral='no' private='yes'>
   <uuid>{{ hostvars[item].tpm_secret }}</uuid>
   <description>{{ item }} vTPM secret</description>
   <usage type='vtpm'>
      <name>{{ item }} vTPM secret</name>
   </usage>
</secret>

And the preset value was set with:

echo "blabla" | base64 | virsh -c qemu:///system secret-set-value {{ hostvars[item].tpm_secret }} --file /dev/stdin

The log from starting the VM:

  The TPM's state will be encrypted using a key derived from a passphrase (fd).
Starting vTPM manufacturing as tss:tss @ Sun 22 Dec 2024 11:52:15 AM CET
Apply profile: {"Name": "default-v1"}
Active profile: {"Name":"default-v1","StateFormatLevel":7,"Commands":"0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197,0x199-0x19c","Algorithms":"rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,ecc-sm2-p256,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb","Description":"This profile enables all libtpms v0.10-supported commands and algorithms. This profile is compatible with libtpms >= v0.10."}
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/bin/swtpm_localca --type ek --ek a9ecc5c95e6d81d268ae207cb009407d3fa73698c7d83e13ce8332fa46f96dd47cb292062af2fdf7198ae7ed2064881dbc1aaace4534c8f28c9b357df5260fe018d0c972a3d14f088a1b164ecfb0f45589c42ab88ff22641e5df439cd3bba925b5892ddcc547f71f2f9abff33598a01b6cfa92745c7b5d29072d013c9e86ba49407fa6250507ac15266ffd5b2228afa4a18dface3ac01672228155c26a8d6324aa9b4fe181381072fb8944214c41471876449a04ffdea936513c058e31052ff67121a664e94970cbfaf068350a375e2949a00cf4b6ca6d78091f1ce95a7b4283518c9e2f6cc761fbe96fd74c817b3a01341755d0cd4c65caaf61dc05dcaa10a3 --dir /tmp/swtpm_setup.certs.MJJ2Y2 --logfile /var/log/swtpm/libvirt/qemu/ctrl1-swtpm.log --vmid ctrl1:44723784-6a8d-4905-9fa3-208addbd673d --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 183 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20240125 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
  Invoking /usr/bin/swtpm_localca --type platform --ek a9ecc5c95e6d81d268ae207cb009407d3fa73698c7d83e13ce8332fa46f96dd47cb292062af2fdf7198ae7ed2064881dbc1aaace4534c8f28c9b357df5260fe018d0c972a3d14f088a1b164ecfb0f45589c42ab88ff22641e5df439cd3bba925b5892ddcc547f71f2f9abff33598a01b6cfa92745c7b5d29072d013c9e86ba49407fa6250507ac15266ffd5b2228afa4a18dface3ac01672228155c26a8d6324aa9b4fe181381072fb8944214c41471876449a04ffdea936513c058e31052ff67121a664e94970cbfaf068350a375e2949a00cf4b6ca6d78091f1ce95a7b4283518c9e2f6cc761fbe96fd74c817b3a01341755d0cd4c65caaf61dc05dcaa10a3 --dir /tmp/swtpm_setup.certs.MJJ2Y2 --logfile /var/log/swtpm/libvirt/qemu/ctrl1-swtpm.log --vmid ctrl1:44723784-6a8d-4905-9fa3-208addbd673d --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 183 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20240125 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created platform certificate locally.
Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
Successfully created NVRAM area 0x1c08000 for platform certificate.
Successfully created ECC EK with handle 0x81010016.
  Invoking /usr/bin/swtpm_localca --type ek --ek x=e866f137f21707cf7ec13b46ff8a70f076bb930a2193dbc4d760d7f26b68e3ac8022fb0f00a81359a854e71957622764,y=4bfeac60c16e100b84df8c444b5d42629f48ff540670effd1129d456ad61781a54e7fefbb67d6a2ed87172d5f3054386,id=secp384r1 --dir /tmp/swtpm_setup.certs.MJJ2Y2 --logfile /var/log/swtpm/libvirt/qemu/ctrl1-swtpm.log --vmid ctrl1:44723784-6a8d-4905-9fa3-208addbd673d --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 183 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20240125 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Sun 22 Dec 2024 11:52:15 AM CET
  The TPM's state will be encrypted using a key derived from a passphrase (fd).
Starting vTPM reconfiguration as tss:tss @ Sun 22 Dec 2024 11:52:15 AM CET
Apply profile: {"Name": "default-v1"}
Error: Profile could not be applied to an existing TPM 2 instance.
  The TPM's state will be encrypted using a key derived from a passphrase (fd).

[nlgranger]

Looks like the libvirt vm xml format changed, it work without secret and using a storage directory:

    <tpm model="tpm-tis">
      <backend type="emulator" version="2.0" debug="5" persistent_state="yes">
        <source type="dir" path="/var/lib/libvirt/swtpm/{{ hostvars[item].uuid }}/tpm2" />
      </backend>
    </tpm>

[stefanberger]

I suppose you are on Fedora >= 40? There's a missing SELinux rule that prevents swtpm from reading the secret/password from a pipe that libvirt uses to pass the password. I filed this issue here: #964

The XML markup has not changed.