F42: Error: Profile could not be applied to an existing TPM 2 instance.

[jmarrero]

On Fedora 42 (pre-release) I can't start a VM, I get:

Successfully created NVRAM area 0x1c08000 for platform certificate.
Successfully created ECC EK with handle 0x81010016.
  Invoking /usr/bin/swtpm_localca --type ek --ek x=eb49b30f5e8efd4462d4bab9ab066758255df982cdb97f534cdc8c9519521360f74c46cd99930abbdd15d34aca5cf377,y=f6b4db87c96b71662c84798eba0825cab31bf229f6a27e12ad3d9f09ee9d3a399428e6a4faaf8e1cc45a5e1eb771858e,id=secp384r1 --dir /tmp/swtpm_setup.certs.GLAD32 --logfile /var/home/jmarrero/.cache/libvirt/qemu/log/podman-bootc-e26ef6887d95-swtpm.log --vmid podman-bootc-e26ef6887d95:d5ffba6f-0dc0-4096-9268-c9f93c7dc2d3 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 183 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20240125 --tpm2 --configfile /var/home/jmarrero/.config/swtpm-localca.conf --optsfile /var/home/jmarrero/.config/swtpm-localca.options
Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Mon 17 Mar 2025 08:27:37 AM EDT
Starting vTPM reconfiguration as jmarrero:jmarrero @ Mon 17 Mar 2025 08:27:37 AM EDT
Apply profile: {"Name":"default-v1"}
Error: Profile could not be applied to an existing TPM 2 instance.
swtpm process terminated unexpectedly.
Could not start the TPM 2.
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon 17 Mar 2025 08:27:37 AM EDT

Was working before the upgrade, not sure if I need to do something different on F42.

[cgwalters]

(copying from internal chat) One theory is this relates to SHA1 signatures being rejected.

Offhand AFAIK we aren't doing anything special here with swtpm in this project; we're just doing this https://github.com/containers/podman-bootc/blob/0125ec1a059eae132b3a526f5910abe8a58df8eb/pkg/vm/domain-template.xml#L28 which calls into libvirt.

[cgwalters]

Digging through layers of abstraction I think we could get an error message from here if we enabled the right logging? https://github.com/stefanberger/libtpms/blob/ecb769cdb8ddbef6e3d91c062d9d2105acff5802/src/tpm_tpm2_interface.c#L140
Or maybe the forked swtpm process is actually just printing to stderr but we're not seeing it?

[elmarco]

@cgwalters no idea, I couldn't reproduce on fc42 with virt-manager tis/2.0 TPM device. @stefanberger any idea?

[stefanberger]

> Starting vTPM reconfiguration as jmarrero:jmarrero @ Mon 17 Mar 2025 08:27:37 AM EDT

So there's a problem in swtpm_setup in this sequence here:

swtpm_setup --tpmstate . --tpm2 --overwrite
swtpm_setup --tpmstate . --tpm2 --reconfigure

The 2nd command fails since it treats the TPM as if it was new trying to set a profile on it. I will fix it asap.

Though it's not clear why libvirt would start reconfiguring. It typically should do this if active PCR banks were to be changed and not if <tpm model='tpm-tis'/> is all there is.

[stefanberger]

PR stefanberger/swtpm#987 should fix this issue (it fixes the above sequence when --reconfigure'ing). If you someone give it a try, that would be good.

[cgwalters]

Thanks for replying here both of you!

I forgot to update here that after more debugging of this at least one problem was we were missing /var/lib/swtpm-localca because of a missing systemd-tmpfiles unit for that (I will file a different bug to get that added upstream).

But even after fixing that IIRC @jmarrero still had issues, so hopefully he can try the above. (I may try to make the leap to f42 at some point soon too)

[stefanberger]

I merge my PR now because it does solve an issue. Once I know that it also resolves your issue I will patch the Fedora package and rebuild it...

[stefanberger]

Fedora 42 package with fix now available here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-41a4b1cbee