
SELinux: Starting swtpm with encrypted state fails #964

Closed
stefanberger opened this issue Dec 24, 2024 · 0 comments · Fixed by #966

Comments

Owner

stefanberger commented Dec 24, 2024

Describe the bug

When a VM is started with libvirt and its state is encrypted, then swtpm fails to start with an error like the following:

error: Failed to start domain 'PLAIN-TPM-VM'
error: internal error: process exited while connecting to monitor: 2024-12-24T22:27:32.024764Z qemu-system-x86_64: tpm-emulator: TPM result for CMD_INIT: 0x101 operation failed

The underlying reason is a missing SELinux policy rule, due to an entry like this in audit.log:

type=AVC msg=audit(1735079251.599:81009): avc:  denied  { read } for  pid=1566858 comm="swtpm" path="pipe:[16515287]" dev="pipefs" ino=16515287 scontext=system_u:system_r:svirt_t:s0:c484,c858 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0

Running swtpm_setup worked -- see the log.

Required: To Reproduce (without these steps your issue may be deleted)

  1. Define a VM with this type of TPM definition:

     <tpm model='tpm-crb'>
       <backend type='emulator' version='2.0'>
         <encryption secret='715ff528-5784-4506-918d-f2f30bc48d93'/>
         <profile name='default-v1'/>
       </backend>
     </tpm>

  2. Define a TPM secret with this XML and set its value to whatever you want:

     <secret ephemeral='no' private='yes'>
       <uuid>715ff528-5784-4506-918d-f2f30bc48d93</uuid>
       <description>My vTPM secret</description>
       <usage type='vtpm'>
         <name>My vTPM secret</name>
       </usage>
     </secret>

     virsh secret-set-value 715ff528-5784-4506-918d-f2f30bc48d93 123456

  3. virsh start PLAIN-TPM-VM

The logfile /var/log/swtpm/libvirt/qemu/PLAIN-TPM-VM-swtpm.log looks like this then:

Starting vTPM manufacturing as tss:tss @ Tue 24 Dec 2024 05:27:30 PM EST
Apply profile: {"Name": "default-v1"}
Warning: Profile-enabled algorithms contain disabled 'RSA-1024-sign(SHA1, pkcs1-pss)'
Warning: Setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
[...]
Successfully authored TPM state.
Ending vTPM manufacturing @ Tue 24 Dec 2024 05:27:31 PM EST
Verification of HMAC failed. Data integrity is compromised
SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33
Verification of HMAC failed. Data integrity is compromised
SWTPM_NVRAM_LoadData: Error from SWTPM_NVRAM_GetDecryptedData rc = 33
libtpms/tpm2: Entering failure mode; code: 8, location: NvPowerOn line 175
Error: Could not initialize libtpms.
Error: Could not initialize the TPM
Data client disconnected

Expected behavior

The VM should start

Desktop (please complete the following information):

  • OS: Fedora 41
  • Versions of relevant components:
    • swtpm: 0.9.0
    • libtpms: 0.9.0
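As an added illustration (not code from the issue or from the swtpm project), the following Python parser pulls the source and target types out of an AVC record such as the one quoted in the report and derives the type-enforcement allow rule a policy fix would need, the same derivation audit2allow performs. The sample record is the audit.log line from the report, embedded inline; the helper names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC denial quoted in the issue report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1735079251.599:81009): avc:  denied  { read } for  '
    'pid=1566858 comm="swtpm" path="pipe:[16515287]" dev="pipefs" ino=16515287 '
    'scontext=system_u:system_r:svirt_t:s0:c484,c858 '
    'tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0'
)

# "avc: denied { perm perm } for key=value ..."  (perms may be several)
_AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm, path, dev) or bare
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    verdict: str          # "denied" or "granted"
    perms: tuple          # permissions named inside the braces
    fields: dict          # pid, comm, scontext, tcontext, tclass, permissive, ...


def parse_avc(line):
    """Parse one audit.log AVC line into its verdict, permissions and fields."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return AvcRecord(m.group('verdict'), tuple(m.group('perms').split()), fields)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def allow_rule(rec):
    """Derive the TE rule that would permit the recorded access.

    Review the result before installing it: the rule grants the domain
    (here svirt_t) access to every object of the target type, not just
    the one pipe that was denied, so check that the scope is intended.
    """
    src = context_type(rec.fields['scontext'])
    tgt = context_type(rec.fields['tcontext'])
    perms = rec.perms[0] if len(rec.perms) == 1 else '{ ' + ' '.join(rec.perms) + ' }'
    return f"allow {src} {tgt}:{rec.fields['tclass']} {perms};"
```

With the sample record, `allow_rule(parse_avc(SAMPLE_AVC))` yields `allow svirt_t virtd_t:fifo_file read;`, i.e. the swtpm domain reading a pipe inherited from libvirtd; `permissive=0` confirms the denial was enforced, which matches the failed start.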