From 76d1910e9d054c39e6be36faf49dee93a822238d Mon Sep 17 00:00:00 2001
From: reachableceo <charles@turnsys.com>
Date: Thu, 7 May 2026 13:57:15 -0500
Subject: [PATCH] fix: add permanent swtpm ACL fix script for libvirt TPM
 permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added scripts/fix-swtpm-permissions.sh that sets default ACLs on
/var/lib/libvirt/swtpm/ so new per-VM state directories inherit
libvirt-qemu access. This permanently fixes the "CMD_INIT: 0x9" error
caused by libvirtd creating swtpm dirs as root:root.

The user runs this ONCE with sudo. ACLs persist across reboots and
apply to all new VMs automatically.

Updated vm_create error message to reference the fix script.
Updated AGENTS.md with corrected swtpm setup instructions.

All 523 tests pass, 0 lint warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
---
 AGENTS.md                        | 14 +++++++---
 run.sh                           |  8 +++---
 scripts/fix-swtpm-permissions.sh | 45 ++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 8 deletions(-)
 create mode 100755 scripts/fix-swtpm-permissions.sh

diff --git a/AGENTS.md b/AGENTS.md
index ead2b01..2c37928 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -534,14 +534,20 @@ The `vm_create()` function in `run.sh` handles TPM gracefully:
 - If not accessible: VM is created WITHOUT TPM with clear warnings
 - TPM is required for Secure Boot and disk encryption testing, but NOT required for live ISO boot testing
 
-### One-Time swtpm Setup (if needed for full security testing)
+### One-Time swtpm Setup (required for TPM/disk encryption)
+
+Libvirt's swtpm helper creates per-VM state dirs as root:root, but swtpm
+runs as libvirt-qemu and can't write to them. A **permanent** fix using
+default ACLs is provided:
 
 ```bash
-sudo mkdir -p /var/lib/libvirt/swtpm
-sudo chown libvirt-qemu:libvirt-qemu /var/lib/libvirt/swtpm
+sudo bash scripts/fix-swtpm-permissions.sh
 ```
 
-After this, `./run.sh test:iso create` will automatically enable TPM.
+This sets default ACLs on `/var/lib/libvirt/swtpm/` so new subdirectories
+inherit libvirt-qemu access. Run **once** - survives reboots and new VMs.
+
+After this, `./run.sh test:iso create` will work with TPM enabled.
 
 ### VM Lifecycle
 
diff --git a/run.sh b/run.sh
index 20c7982..909f502 100755
--- a/run.sh
+++ b/run.sh
@@ -307,10 +307,10 @@ vm_create() {
             vm_uuid=$(virsh -c "$LIBVIRT_URI" dominfo "$VM_NAME" 2>/dev/null | grep "UUID:" | awk '{print $2}')
             local swtpm_vm_dir="/var/lib/libvirt/swtpm/${vm_uuid}"
             if [[ -d "$swtpm_vm_dir" ]]; then
-                log_error "TPM initialization failed - likely a swtpm permission issue"
-                log_error "Libvirt created swtpm state dir as root: $swtpm_vm_dir"
-                log_error "Fix by running:"
-                log_error "  sudo chown -R libvirt-qemu:libvirt-qemu /var/lib/libvirt/swtpm/"
+                log_error "TPM initialization failed - swtpm permission issue"
+                log_error "Libvirt creates per-VM swtpm state dirs as root:root."
+                log_error "Permanent fix (run once with sudo):"
+                log_error "  sudo bash ${SCRIPT_DIR}/scripts/fix-swtpm-permissions.sh"
                 log_error "Then retry: ./run.sh test:iso destroy && ./run.sh test:iso create"
                 # Undefine so user can retry after fixing
                 virsh -c "$LIBVIRT_URI" undefine "$VM_NAME" --nvram 2>/dev/null || true
diff --git a/scripts/fix-swtpm-permissions.sh b/scripts/fix-swtpm-permissions.sh
new file mode 100755
index 0000000..7269e98
--- /dev/null
+++ b/scripts/fix-swtpm-permissions.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# Fix swtpm permissions for libvirt TPM emulation
+#
+# PROBLEM: libvirtd (running as root) creates per-VM swtpm state directories
+# as root:root, but swtpm runs as libvirt-qemu and can't write to them.
+# This causes TPM initialization to fail with "CMD_INIT: 0x9 operation failed".
+#
+# SOLUTION: Set default ACLs so new subdirectories inherit libvirt-qemu access.
+#
+# Run this script ONCE with sudo:
+#   sudo bash scripts/fix-swtpm-permissions.sh
+
+set -euo pipefail
+
+SWTPM_DIR="/var/lib/libvirt/swtpm"
+
+if [[ "$(id -u)" -ne 0 ]]; then
+    echo "ERROR: This script must be run as root (use sudo)"
+    exit 1
+fi
+
+echo "Fixing swtpm permissions for libvirt TPM emulation..."
+
+# Ensure directory exists with correct ownership
+mkdir -p "$SWTPM_DIR"
+chown libvirt-qemu:libvirt-qemu "$SWTPM_DIR"
+
+# Set default ACLs so new subdirectories inherit libvirt-qemu read/write/execute
+# This is the permanent fix - new per-VM dirs created by libvirtd will be
+# accessible by libvirt-qemu even though libvirtd creates them as root:root
+setfacl -R -d -m u:libvirt-qemu:rwx "$SWTPM_DIR"
+setfacl -R -m u:libvirt-qemu:rwx "$SWTPM_DIR"
+
+# Fix any existing subdirectories
+if [[ -d "$SWTPM_DIR" ]]; then
+    find "$SWTPM_DIR" -type d -exec setfacl -d -m u:libvirt-qemu:rwx {} \; 2>/dev/null || true
+    find "$SWTPM_DIR" -type d -exec setfacl -m u:libvirt-qemu:rwx {} \; 2>/dev/null || true
+    find "$SWTPM_DIR" -type f -exec setfacl -m u:libvirt-qemu:rw {} \; 2>/dev/null || true
+fi
+
+echo ""
+echo "Done. Default ACLs set on $SWTPM_DIR"
+echo "New VMs with TPM will now work correctly."
+echo ""
+echo "Verify with: getfacl $SWTPM_DIR"