football/scripts/fix-swtpm-permissions.sh

#!/bin/bash
# Fix swtpm permissions for libvirt TPM emulation
#
# PROBLEM: libvirtd (running as root) creates per-VM swtpm state directories
# as root:root, but swtpm runs as libvirt-qemu and can't write to them.
# This causes TPM initialization to fail with "CMD_INIT: 0x9 operation failed".
#
# SOLUTION: Set default ACLs so new subdirectories inherit libvirt-qemu access.
#
# Run this script ONCE with sudo:
#   sudo bash scripts/fix-swtpm-permissions.sh

set -euo pipefail

SWTPM_DIR="/var/lib/libvirt/swtpm"

if [[ "$(id -u)" -ne 0 ]]; then
    echo "ERROR: This script must be run as root (use sudo)"
    exit 1
fi

echo "Fixing swtpm permissions for libvirt TPM emulation..."

# Ensure directory exists with correct ownership
mkdir -p "$SWTPM_DIR"
chown libvirt-qemu:libvirt-qemu "$SWTPM_DIR"

# Set default ACLs so new subdirectories inherit libvirt-qemu read/write/execute
# This is the permanent fix - new per-VM dirs created by libvirtd will be
# accessible by libvirt-qemu even though libvirtd creates them as root:root
setfacl -R -d -m u:libvirt-qemu:rwx "$SWTPM_DIR"
setfacl -R -m u:libvirt-qemu:rwx "$SWTPM_DIR"

# Fix any existing subdirectories
if [[ -d "$SWTPM_DIR" ]]; then
    find "$SWTPM_DIR" -type d -exec setfacl -d -m u:libvirt-qemu:rwx {} \; 2>/dev/null || true
    find "$SWTPM_DIR" -type d -exec setfacl -m u:libvirt-qemu:rwx {} \; 2>/dev/null || true
    find "$SWTPM_DIR" -type f -exec setfacl -m u:libvirt-qemu:rw {} \; 2>/dev/null || true
fi

echo ""
echo "Done. Default ACLs set on $SWTPM_DIR"
echo "New VMs with TPM will now work correctly."
echo ""
echo "Verify with: getfacl $SWTPM_DIR"