[SOLVED] virt-manager: swtpm problem. CRB TPM 2.0
Hey, I'm using virt-manager via rpm-ostree.
I just layered virt-manager and used ujust to add my user to Libvirt.
Now every time I want to create a VM (Windows or Linux) and add TPM (CRB and 2.0) I get this error:
and this is the log:
I read that swtpm needs at least version 0.7 and mine is:
I tried this on Bazzite 41 & 42
70 Replies
Tried on both
couldn't u use hw tpm passthru?
how long ago did you use the ujust for setting up virtualization?
this is a very old issue
i think it was fixed
I never tried that and always used emulated. I know it worked before.
But yea.. I could try that.
the fix i think was to set SELinux to permissive while making the swtpm
try that
then put it back on enforced
I know that the old way was ujust setup virtualization and it installed the whole qemu suite then.
But
My qemu came preinstalled, I just used ujust setup-virtualization to put myself into the libvirt group, not to install qemu
this is a fresh install
you didn't actually enable virtualization?
for the kargs
I tried that a couple minutes ago but it said something with kargs and flatpak, but nothing happened
i would still try the selinux thing, maybe the old bug is back for some reason
the weird part about the bug was that selinux didn't even complain at all it just wouldn't work with enforced
so there was no way to use audit2allow to fix it
lmao
Sorry, I'm a bit lost... I didn't get what I should do now
But before qemu was included in the image - it always worked.
When qemu got included into the image - it also worked.
Just 9 days ago I did a fresh install and now I get this error ... on 41 and 42
setenforce 0
then try to create VM again
if that works we got the old bug back
Okay I will try that, but I'm on 41 now, because of Gsconnect.
when did they fix the bug? roughly?
i can't use tpm passthrough because lenovo doesn't want to update AGESA that fixes the interrupt issue with the tpm
causing huge stutter every time the TPM is probed
I mean I could also try to passthrough, I was just scared that there is any security risk. Just in case I do some dumb stuff xd
nah tpm passthrough actually safer technically lmao
wtf
swtpm is just a file on your filesystem
but for VM it really doesn't matter that much since you're isolated
I want to share a dir soon :clueless:
but thanks for the info, didn't know that
and to turn it back on again it's probably 1?
ye but it won't survive a reboot
. . .
i mean
the whole setting
is temporary
so it goes back to enforced automatically
when you reboot
Ah okay. I mean I want to keep nice RedHat and NSA security on tbh
and if it's just temp anyway...
it's just for creating the swtpm file
once it's made it doesn't break anymore
so back to enforced is fine
thx. got you.
so turn off.
create vm.
and after a reboot everything is normal but my swtpm is there
right?
yep
you can just setenforce 1 too if you want
but it doesn't matter if you forget
good
but now that you said this
well i mean technically since for a VM it doesn't really matter that much
alright
i mean i guess if you make passkeys for your accounts in the VM?
and tbh idk if my mobo (msi) and cpu (amd) support this
i have a 5800H laptop that has this issue, zen 4+ doesn't have this issue
Oh okay, I'm on 5800x3d
yeah make sure your bios is up to date then
they fixed this bug ages ago
should be
And no.. no passkeys, I just use some niche windows software in VMs and I want to create a shared dir. Other than that I just use VMs to try Linux Distros and just for fun. Some bash.. so I don't F up my main machine
yeah matters little if you use swtpm or passthrough then
Thanks
Do you think I should close this issue then?
But I mean I still can't create swtpm vms without turning selinux off
but I will just try passthrough
and I don't even need tpm
wtf... I'm just weird
When you create VM just go to the big hardware screen
Somewhere there u can change the TPM or disable it even
If pass thru doesn't work try layering virt manager
Oh wait you already have it layered

I tried that, but I got this now ...
With Passthrough
You'll need to fix swtpm
Pass through won't work

weird
i guess setting selinux permissive no longer works on current version
42
It worked on 41 now.
I set it to 0 just for the vm creation
and did it work?
yes
thanks again
@HikariKnight The problem with swtpm is back on 42
but this time it can't be worked around
because setting permissive selinux no longer works
there's nothing in sealert about swtpm right?
i will do some testing
@CheckYourFax And since yesterday I'm trying to get VirtioFS to work.
I did everything clean again. rpm-ostree reset
And then I used the ujust command to enable virtualization (now with the virtmanager flatpak) I can passthrough drives via USB yeaaah!!
But... every time I try to setup virtiofs, it doesn't work. Linux and Windows can't see the shared folder. Even with virtio drivers on Windows and afaik on linux guests it should work ootb.
I mean I'm more than happy, that usb storage works, but a virtiofs would be so much easier. and faster. Sorry, I'm completely new to this and I'm just not sure if the virtiofs problem is on my end, or an issue in general
or maybe flatpak related. idk...
the swtpm is not made inside the flatpak
it uses qemu for that
only some virt manager related things could have some sandbox related issues
and qemu should have permission for that right?
but I mean the virtiofs
shared dir
that's a classic bug that cannot be fixed easily
the tpm passthrough
not sure if its fixable at all
sorry for being a help vampire, ik this is a different problem
I'm just a bit frustrated
it's that your tpm expects a buffer of exactly 4096 bytes but the host (the os inside the VM) asks for a smaller buffer
question: did you type your sudo password another time after enabling virtualization?
it asks for it twice
the second time it does some relabeling to fix issues
because i don't have this swtpm issue at all and my spawn time is about the same as yours
I'm not 100% sure... I don't want to lie.
But I remember the ujust script saying something like: "Making sure ... will work"
And I also ran the script again, just to be on the safe side. Followed by a reboot.
But I'm happy atm! Because I can use the virt-manager Flatpak, I don't need to layer something and I even managed to do VirtioFS shared folders from my host and I can passthrough USB Sticks now
But yeah.. I still can't create emulated tpm or vms with tpm in general.
On 41 I just set selinux to permissive, create the vm and done. But iirc you said that won't work on 42 anymore...........
try running the ujust again
and enabling virtualization
i can't reproduce your issue
with the swtpm
i know hikari fixed it a whiiiiile ago

typed my passwd 2x
I will reboot and report back. brb
ok try now
yes
reboot and try again with swtpm
It works now.... I'm so sorry
:/
it works
thanks for your time. Sorry..I wasn't sure with the double passwd
@HikariKnight is there a way we can make the ujust only require password once?
when you enable virtualization it asks for root password twice, leading to users not finishing the entire script. Cause you don't expect that to happen.
Once in a window, and once in the terminal
no not really
it essentially times out the token i guess because things take time
and people don't read
i think it's because the password/token is not bound to the terminal the first time because it's rpm-ostree kargs directly asking for it in a window
IIRC
because rpm-ostree uses pkexec in the background because it has rules for it
yeah pkexec doesn't create a sudo timestamp
that's it
rip
!fixed !closed
User Error, you don't need to layer anything, just use the ujust command, it will take care of everything. If you set up virtualization with ujust setup-virtualization make sure to read and type your sudo password twice.