Comments

19 Comments
BZ#2271074 SELinux is preventing swtpm from 'open' accesses on the arquivo /var/log/swtpm/libvirt/qemu/fedora-swtpm.log.
BZ#2277041 SELinux is preventing swtpm from 'open' accesses on the file /var/log/swtpm/libvirt/qemu/win10-swtpm.log.
BZ#2278123 libvirt virtual machines cannot be created with SWTPM when SELinux is enabled: SELinux denials logged. No issues without SWTPM. Multiple user reports
BZ#1939665 CVE-2021-3446 libtpms: return of wrong initialization vector when certain symmetric ciphers are used [fedora-all]

I am not sure why this still hasn't made it to stable.

I just tried this package and get this result on F31:

# tpm2_ptool init
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/tpm2_pkcs11/commandlets_store.py", line 95, in __call__
    ctx = tpm2.createprimary(ownerauth, pobjauth)
  File "/usr/lib/python3.7/site-packages/tpm2_pkcs11/tpm2.py", line 30, in createprimary
    stderr)
RuntimeError: Could not execute tpm2_createprimary: b"tpm2_createprimary: invalid option -- 'p'\n"
Could not execute tpm2_createprimary: b"tpm2_createprimary: invalid option -- 'p'\n"

I am on F30. It looks like it's due to an outdated tpm2-tools package because the tpm2_createprimary from the git repo master tip does understand the -p option, while the one in F30 does not understand it.

Properly formatted:

$ tpm2_ptool init --pobj-pin pin
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/tpm2_pkcs11/commandlets_store.py", line 96, in __call__
    ctx = tpm2.createprimary(ownerauth, pobjauth)
  File "/usr/lib/python3.7/site-packages/tpm2_pkcs11/tpm2.py", line 32, in createprimary
    stderr)
RuntimeError: Could not execute tpm2_createprimary: b"tpm2_createprimary: invalid option -- 'p'\n"
Could not execute tpm2_createprimary: b"tpm2_createprimary: invalid option -- 'p'\n"

Unfortunately the pkcs11 git repo you took this from wasn't in sync with the tpm2-tools project it seems (it looks like they changed the command line parameters for the tpm2_createprimary tool):

tpm2_ptool init --pobj-pin pin

Traceback (most recent call last): File "/usr/lib/python3.7/site-packages/tpm2_pkcs11/commandlets_store.py", line 96, in call ctx = tpm2.createprimary(ownerauth, pobjauth) File "/usr/lib/python3.7/site-packages/tpm2_pkcs11/tpm2.py", line 32, in createprimary stderr) RuntimeError: Could not execute tpm2_createprimary: b"tpm2_createprimary: invalid option -- 'p'\n" Could not execute tpm2_createprimary: b"tpm2_createprimary: invalid option -- 'p'\n"

I just had done some test with this stuff yesterday (https://github.com/tpm2-software/tpm2-pkcs11/issues/44) but took everything from the git repos master branches' tips.

The F30 build of just the pkcs11 package isn't very useful without this tool...

I know this module from the git repo. There is also a python tool to setup tokens. Did you maybe forget to package it or how can one setup a token without it?

This is a build of libtpms-0.6.0 with a patches beyond the release. Due to changes in the code, this update doesn't allow downgrading to a previous version.

I uploaded a new version of the package addressing the lint concerns, particularly those of ownership of swtpm_setup.sh.

karma

Downloaded from below link and tested. Fixes the problem.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1134340