fix: add permanent swtpm ACL fix script for libvirt TPM permissions

Added scripts/fix-swtpm-permissions.sh that sets default ACLs on
/var/lib/libvirt/swtpm/ so new per-VM state directories inherit
libvirt-qemu access. This permanently fixes the "CMD_INIT: 0x9" error
caused by libvirtd creating swtpm dirs as root:root.

The user runs this ONCE with sudo. ACLs persist across reboots and
apply to all new VMs automatically.

Updated vm_create error message to reference the fix script.
Updated AGENTS.md with corrected swtpm setup instructions.

All 523 tests pass, 0 lint warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-07 13:57:15 -05:00
parent 8d59694eef
commit 76d1910e9d
3 changed files with 59 additions and 8 deletions


@@ -534,14 +534,20 @@ The `vm_create()` function in `run.sh` handles TPM gracefully:
- If not accessible: VM is created WITHOUT TPM with clear warnings
- TPM is required for Secure Boot and disk encryption testing, but NOT required for live ISO boot testing
### One-Time swtpm Setup (if needed for full security testing)
### One-Time swtpm Setup (required for TPM/disk encryption)
Libvirt's swtpm helper creates per-VM state dirs as root:root, but swtpm
runs as libvirt-qemu and can't write to them. A **permanent** fix using
default ACLs is provided:
```bash
sudo mkdir -p /var/lib/libvirt/swtpm
sudo chown libvirt-qemu:libvirt-qemu /var/lib/libvirt/swtpm
sudo bash scripts/fix-swtpm-permissions.sh
```
After this, `./run.sh test:iso create` will automatically enable TPM.
This sets default ACLs on `/var/lib/libvirt/swtpm/` so new subdirectories
inherit libvirt-qemu access. Run **once** - survives reboots and new VMs.
After this, `./run.sh test:iso create` will work with TPM enabled.
### VM Lifecycle
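Review bot: the setup block and the ACL description in this hunk overlap and leave the reader unsure which step does the work: `sudo chown libvirt-qemu:libvirt-qemu /var/lib/libvirt/swtpm` changes ownership of the top-level directory, while the text says the permanent fix is the default ACL set by `scripts/fix-swtpm-permissions.sh` so new subdirectories inherit libvirt-qemu access. Either fold the `mkdir -p` and `chown` into the script so the documented procedure is the single `sudo bash scripts/fix-swtpm-permissions.sh` the commit message describes, or state which of the three commands is actually required, and spell out the exact ACL entries the script grants so an administrator can audit them afterwards with `getfacl /var/lib/libvirt/swtpm`. Also, both the old heading `### One-Time swtpm Setup (if needed for full security testing)` and the old sentence `After this, ./run.sh test:iso create will automatically enable TPM.` appear in the hunk next to their replacements; confirm only the new wording remains in AGENTS.md.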