
Automate enabling vTPM support in one-6.10 #7422

@OpenNebulaSupport

Description

TPM-enabled VM deployment on one-6.10 fails with the following error:

Thu Dec 18 20:16:35 2025 [Z0][VMM][I]: error: internal error: process exited while connecting to monitor: 2025-12-18T20:16:34.821241Z qemu-kvm-one: -chardev socket,id=chrtpm,path=/run/libvirt/qemu/swtpm/1-one-0-swtpm.sock: Failed to connect to '/run/libvirt/qemu/swtpm/1-one-0-swtpm.sock': Permission denied

To make it work on one-6.10, one needs to perform the steps below.

AlmaLinux9

  1. Add the following lines to the /etc/libvirt/qemu.conf file:
swtpm_user = "oneadmin"
swtpm_group = "oneadmin"

and restart libvirtd.service:

systemctl restart libvirtd.service
  2. Change the ownership of the /run/libvirt/qemu/swtpm/ and /var/lib/swtpm-localca directories:
chown oneadmin:oneadmin -R /run/libvirt/qemu/swtpm/ /var/lib/swtpm-localca

Ubuntu 24.04
Ubuntu 24.04 requires one additional step, related to the expected OVMF firmware paths:

cd /usr/share/OVMF/

ln -s OVMF_CODE_4M.secboot.fd OVMF_CODE.secboot.fd
ln -s OVMF_VARS_4M.fd OVMF_VARS.fd
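The steps above amount to three host-side preconditions: the qemu.conf swtpm account settings, the ownership of the swtpm directories, and (on Ubuntu 24.04) the OVMF symlinks. The script below is an added example, not code from this issue or from OpenNebula, that audits those three conditions so a hypervisor host can be checked before a TPM-enabled VM is deployed rather than diagnosed from the "Permission denied" error afterwards. The function names, the account passed as an argument, and the constructed sample files in the demo are this example's own assumptions; the demo works only inside a temporary directory and touches no host files.

```sh
#!/bin/sh
# Added verification script (not part of the issue or of OpenNebula).
# Function names and the demo sample data are assumptions of this example.

# 1. qemu.conf must set swtpm_user and swtpm_group to the expected account.
#    Lines commented out with a leading '#' are ignored; the last assignment wins.
check_swtpm_conf() {
    conf="$1"
    want="${2:-oneadmin}"
    user=$(sed -n 's/^[[:space:]]*swtpm_user[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    group=$(sed -n 's/^[[:space:]]*swtpm_group[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    [ "$user" = "$want" ] && [ "$group" = "$want" ]
}

# 2. Every path given must exist and be owned by "user:group"
#    (GNU stat first, BSD stat as a fallback).
check_owner() {
    want="$1"
    shift
    for p in "$@"; do
        [ -e "$p" ] || return 1
        owner=$(stat -c '%U:%G' "$p" 2>/dev/null || stat -f '%Su:%Sg' "$p")
        [ "$owner" = "$want" ] || return 1
    done
    return 0
}

# 3. A firmware path must be a symlink pointing at the expected file name,
#    as with OVMF_CODE.secboot.fd and OVMF_VARS.fd on Ubuntu 24.04.
check_link() {
    link="$1"
    target="$2"
    [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]
}

# Demo on constructed sample data in a temporary directory (no host files touched).
demo() {
    d=$(mktemp -d)
    printf '#swtpm_user = "tss"\nswtpm_user = "oneadmin"\nswtpm_group = "oneadmin"\n' > "$d/qemu.conf"
    mkdir -p "$d/swtpm"
    touch "$d/OVMF_CODE_4M.secboot.fd"
    ln -s OVMF_CODE_4M.secboot.fd "$d/OVMF_CODE.secboot.fd"
    me="$(id -un):$(id -gn)"   # the demo dirs are owned by whoever runs it
    check_swtpm_conf "$d/qemu.conf" && echo "qemu.conf: ok" || echo "qemu.conf: swtpm_user/swtpm_group not set"
    check_owner "$me" "$d/swtpm" && echo "ownership: ok" || echo "ownership: wrong owner or missing path"
    check_link "$d/OVMF_CODE.secboot.fd" OVMF_CODE_4M.secboot.fd && echo "ovmf link: ok" || echo "ovmf link: missing or wrong target"
    rm -rf "$d"
}

demo
```

On a real host the same functions would be called as `check_swtpm_conf /etc/libvirt/qemu.conf`, `check_owner oneadmin:oneadmin /run/libvirt/qemu/swtpm/ /var/lib/swtpm-localca` and `check_link /usr/share/OVMF/OVMF_CODE.secboot.fd OVMF_CODE_4M.secboot.fd`; each returns a non-zero status on failure so the checks can be chained in a deployment hook.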

Interface Changes
No interface changes are required.

Additional Context
The current implementation of vTPM support in OpenNebula 6.10.5 has the following critical limitation: a power off -> on cycle, as well as backup operations, triggers TPM state loss. This means, for example, that if the VM disk was encrypted with a key protected by the TPM, the VM will typically no longer be able to unseal the disk key and thus cannot access the disk data. VM migration does work, however, since the corresponding vTPM operations are implemented at the libvirt level.

Progress Status

  • Code committed
  • Testing - QA
  • Documentation (Release notes - resolved issues, compatibility, known issues)
