KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: add permanent swtpm ACL fix script for libvirt TPM permissions

Browse Source 
Added scripts/fix-swtpm-permissions.sh that sets default ACLs on
/var/lib/libvirt/swtpm/ so new per-VM state directories inherit
libvirt-qemu access. This permanently fixes the "CMD_INIT: 0x9" error
caused by libvirtd creating swtpm dirs as root:root.

The user runs this ONCE with sudo. ACLs persist across reboots and
apply to all new VMs automatically.

Updated vm_create error message to reference the fix script.
Updated AGENTS.md with corrected swtpm setup instructions.

All 523 tests pass, 0 lint warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble - admin
2026-05-07 13:57:15 -05:00
parent 8d59694eef
commit 76d1910e9d
3 changed files with 59 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
AGENTS.md
View File

@@ -534,14 +534,20 @@ The `vm_create()` function in `run.sh` handles TPM gracefully:
- If not accessible: VM is created WITHOUT TPM with clear warnings - If not accessible: VM is created WITHOUT TPM with clear warnings
- TPM is required for Secure Boot and disk encryption testing, but NOT required for live ISO boot testing - TPM is required for Secure Boot and disk encryption testing, but NOT required for live ISO boot testing
### One-Time swtpm Setup (if needed for full security testing) ### One-Time swtpm Setup (required for TPM/disk encryption)
Libvirt's swtpm helper creates per-VM state dirs as root:root, but swtpm
runs as libvirt-qemu and can't write to them. A **permanent** fix using
default ACLs is provided:
```bash ```bash
sudo mkdir -p /var/lib/libvirt/swtpm sudo bash scripts/fix-swtpm-permissions.sh
sudo chown libvirt-qemu:libvirt-qemu /var/lib/libvirt/swtpm
``` ```
After this, `./run.sh test:iso create` will automatically enable TPM. This sets default ACLs on `/var/lib/libvirt/swtpm/` so new subdirectories
inherit libvirt-qemu access. Run **once** - survives reboots and new VMs.
After this, `./run.sh test:iso create` will work with TPM enabled.
### VM Lifecycle ### VM Lifecycle

8
run.sh
View File

@@ -307,10 +307,10 @@ vm_create() {
vm_uuid=$(virsh -c "$LIBVIRT_URI" dominfo "$VM_NAME" 2>/dev/null | grep "UUID:" | awk '{print $2}') vm_uuid=$(virsh -c "$LIBVIRT_URI" dominfo "$VM_NAME" 2>/dev/null | grep "UUID:" | awk '{print $2}')
local swtpm_vm_dir="/var/lib/libvirt/swtpm/${vm_uuid}" local swtpm_vm_dir="/var/lib/libvirt/swtpm/${vm_uuid}"
if [[ -d "$swtpm_vm_dir" ]]; then if [[ -d "$swtpm_vm_dir" ]]; then
log_error "TPM initialization failed - likely a swtpm permission issue" log_error "TPM initialization failed - swtpm permission issue"
log_error "Libvirt created swtpm state dir as root: $swtpm_vm_dir" log_error "Libvirt creates per-VM swtpm state dirs as root:root."
log_error "Fix by running:" log_error "Permanent fix (run once with sudo):"
log_error " sudo chown -R libvirt-qemu:libvirt-qemu /var/lib/libvirt/swtpm/" log_error " sudo bash ${SCRIPT_DIR}/scripts/fix-swtpm-permissions.sh"
log_error "Then retry: ./run.sh test:iso destroy && ./run.sh test:iso create" log_error "Then retry: ./run.sh test:iso destroy && ./run.sh test:iso create"
# Undefine so user can retry after fixing # Undefine so user can retry after fixing
virsh -c "$LIBVIRT_URI" undefine "$VM_NAME" --nvram 2>/dev/null || true virsh -c "$LIBVIRT_URI" undefine "$VM_NAME" --nvram 2>/dev/null || true

45
scripts/fix-swtpm-permissions.sh Executable file
View File

@@ -0,0 +1,45 @@
#!/bin/bash
# Fix swtpm permissions for libvirt TPM emulation
#
# PROBLEM: libvirtd (running as root) creates per-VM swtpm state directories
# as root:root, but swtpm runs as libvirt-qemu and can't write to them.
# This causes TPM initialization to fail with "CMD_INIT: 0x9 operation failed".
#
# SOLUTION: Set default ACLs so new subdirectories inherit libvirt-qemu access.
#
# Run this script ONCE with sudo:
# sudo bash scripts/fix-swtpm-permissions.sh
set -euo pipefail
SWTPM_DIR="/var/lib/libvirt/swtpm"
if [[ "$(id -u)" -ne 0 ]]; then
echo "ERROR: This script must be run as root (use sudo)"
exit 1
fi
echo "Fixing swtpm permissions for libvirt TPM emulation..."
# Ensure directory exists with correct ownership
mkdir -p "$SWTPM_DIR"
chown libvirt-qemu:libvirt-qemu "$SWTPM_DIR"
# Set default ACLs so new subdirectories inherit libvirt-qemu read/write/execute
# This is the permanent fix - new per-VM dirs created by libvirtd will be
# accessible by libvirt-qemu even though libvirtd creates them as root:root
setfacl -R -d -m u:libvirt-qemu:rwx "$SWTPM_DIR"
setfacl -R -m u:libvirt-qemu:rwx "$SWTPM_DIR"
# Fix any existing subdirectories
if [[ -d "$SWTPM_DIR" ]]; then
find "$SWTPM_DIR" -type d -exec setfacl -d -m u:libvirt-qemu:rwx {} \; 2>/dev/null || true
find "$SWTPM_DIR" -type d -exec setfacl -m u:libvirt-qemu:rwx {} \; 2>/dev/null || true
find "$SWTPM_DIR" -type f -exec setfacl -m u:libvirt-qemu:rw {} \; 2>/dev/null || true
fi
echo ""
echo "Done. Default ACLs set on $SWTPM_DIR"
echo "New VMs with TPM will now work correctly."
echo ""
echo "Verify with: getfacl $SWTPM_DIR"