swtpm at /usr/bin/swtpm does not support TPM 2

Vividly2997

Nov 18, 2022
Running 7.2-11. I recently updated and rebooted the server. Now, any VM with a TPM will not start and shows an exit code of 1. When running the command in question (swtpm_setup --tpmstate file:///dev/HDD-500GB-thin/vm-104-disk-2 --createek --create-ek-cert --create-platform-cert --lock-nvram --config /etc/swtpm_setup.conf --runas 0 --not-overwrite --tpm2 --ecc) from the terminal I get "swtpm at /usr/bin/swtpm does not support TPM 2". Any troubleshooting tips are greatly appreciated.

I have also discovered that when running swtpm I get the following: "swtpm: error while loading shared libraries: libtpms.so.0: failed to map segment from shared object"

Also seeing this in the syslog: apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/local/lib/libtpms.so.0.10.0" pid=46073 comm="swtpm" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
 
I wish I had a good explanation, but I noticed there were several obsolete packages/kernels so I ran "apt-get autoremove". Rebooted and everything is working now. :confused:
 
I am getting the same syslog messages as well. Update and package cleanup/reboot did not resolve the issue for me.
 
Not a great fix but a workaround until this is resolved is to set the apparmor policy to complain for the swtpm.

apt install apparmor-utils
aa-complain /usr/bin/swtpm
 
Hi,
please post the output of pveversion -v and qm config <ID>, replacing <ID> with the ID of an affected VM.
 
/usr/local/lib/libtpms.so.0.10.0 is not part of any Debian Bullseye or PVE package.. you must have installed third party software and/or packages?
 
Syslog Error: (I allowed this in apparmor with aa-complain)
kernel: audit: type=1400 audit(1669043584.431:72): apparmor="ALLOWED" operation="file_mmap" profile="swtpm" name="/usr/local/lib/libtpms.so.0.8.0" pid=1042371 comm="swtpm" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Packages:
Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.74-1-pve)
pve-manager: 7.2-15 (running version: 7.2-15/963997e8)
pve-kernel-5.15: 7.2-14
pve-kernel-helper: 7.2-14
pve-kernel-5.15.74-1-pve: 5.15.74-1
pve-kernel-5.15.64-1-pve: 5.15.64-1
ceph-fuse: 14.2.21-1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: 0.8.36+pve2
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-5
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-8
libpve-guest-common-perl: 4.2-3
libpve-http-server-perl: 4.1-5
libpve-storage-perl: 7.2-12
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
openvswitch-switch: 2.15.0+ds1-2+deb11u1
proxmox-backup-client: 2.2.7-1
proxmox-backup-file-restore: 2.2.7-1
proxmox-mini-journalreader: 1.3-1
proxmox-offline-mirror-helper: 0.5.0-1
proxmox-widget-toolkit: 3.5.2
pve-cluster: 7.2-3
pve-container: 4.4-1
pve-docs: 7.2-5
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-7
pve-firmware: 3.5-6
pve-ha-manager: 3.4.0
pve-i18n: 2.7-3
pve-qemu-kvm: 7.1.0-3
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-12
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+2
vncterm: 1.7-1
zfsutils-linux: 2.1.6-pve1

VM Config:
Code:
agent: 1
audio0: device=ich9-intel-hda,driver=spice
balloon: 2046
bios: ovmf
boot: order=ide0;net0;scsi0
cores: 4
cpu: host,flags=+spec-ctrl;+ssbd
efidisk0: local-lvm:vm-521-disk-1,efitype=4m,pre-enrolled-keys=1,size=4M
ide0: local-lvm:vm-521-disk-0,size=110G
machine: pc-q35-7.1
memory: 8192
name: dmz-win11
net0: e1000=A2:B3:7D:D2:B7:60,bridge=vmbr0,firewall=1,tag=101
numa: 0
ostype: win11
smbios1: uuid=4b53ff24-e0d6-4fc1-a988-32fdef30cf70,manufacturer=UUVNVQ==,serial=UUVNVS00YjUzZmYyNC1lMGQ2LTRmYzEtYTk4OC0zMmZkZWYzMGNmNzA=,base64=1
sockets: 1
spice_enhancements: videostreaming=all
tpmstate0: local-lvm:vm-521-disk-2,size=4M,version=v2.0
vga: qxl,memory=64
vmgenid: 0e5f10de-80d4-4bb4-923c-62814bf351b7
 
I'm also having the exact same issue. Seems to be related to this bug: https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/1989100

I tried adding /run/libvirt/qemu/swtpm/*.pid rwk, to /etc/apparmor.d/local/usr.bin.swtpm as mentioned in the bug report but that didn't seem to fix the issue for me. Not sure if the /run/libvirt/qemu directory is the correct path.

Setting the apparmor policy to complain fixed the issue for me.

There's also this submitted issue: https://github.com/stefanberger/swtpm/issues/770
 
the apparmor messages are totally different though ;) could you provide the following:

Code:
dpkg --list | grep tpm
ls -lha /usr/local/lib/libtpm*
ldd /usr/bin/swtpm

thanks!
 
Code:
ii  libtpms                              0.8.0-1                        amd64        libtpms
ii  libtpms0:amd64                       0.9.5~bpo11+1                  amd64        TPM emulation library
ii  swtpm                                0.8.0~bpo11+2                  amd64        Libtpms-based TPM emulator
ii  swtpm-libs:amd64                     0.8.0~bpo11+2                  amd64        Common libraries for TPM emulators
ii  swtpm-tools                          0.8.0~bpo11+2                  amd64        Tools for the TPM emulator
rc  tpm2-abrmd                           2.3.3-1+b2                     amd64        TPM2 Access Broker & Resource Management Daemon

Code:
-rw-r--r-- 1 root root 9.6M Dec 19  2019 /usr/local/lib/libtpms.a
-rwxr-xr-x 1 root root  941 Dec 19  2019 /usr/local/lib/libtpms.la
lrwxrwxrwx 1 root root   16 Dec 19  2019 /usr/local/lib/libtpms.so -> libtpms.so.0.8.0
lrwxrwxrwx 1 root root   16 Dec 19  2019 /usr/local/lib/libtpms.so.0 -> libtpms.so.0.8.0
-rwxr-xr-x 1 root root 903K Dec 19  2019 /usr/local/lib/libtpms.so.0.8.0

Code:
        linux-vdso.so.1 (0x00007ffe2ecc9000)
        libswtpm_libtpms.so.0 => /usr/lib/x86_64-linux-gnu/swtpm/libswtpm_libtpms.so.0 (0x00007fd28e8c6000)
        libtpms.so.0 => /usr/local/lib/libtpms.so.0 (0x00007fd28e7b1000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd28e5dc000)
        libseccomp.so.2 => /lib/x86_64-linux-gnu/libseccomp.so.2 (0x00007fd28e5b9000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fd28e2c5000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd28e8eb000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd28e2bf000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd28e29b000)
 
could you also run dpkg -S /usr/local/lib/libtpm*?
 
please describe your symptoms and include relevant config files/logs/error messages as well as "pveversion -v" output..
 
The error does not seem to happen only on a specific PVE version. I upgraded to the latest release on Saturday.
And found that the package libtpms was only installed on the one of my cluster nodes where starting a VM with a tpm2 state disk didn't work.

The only difference was the libtpms, so I removed this package and voila... the VMs using a tpm2 disk are starting.

So I think the libtpms package causes the problem.

Code:
pve1:~#dpkg --list | grep tpm
ii  libtpms                              0.8.0-1                        amd64        libtpms
ii  libtpms0:amd64                       0.9.5~bpo11+1                  amd64        TPM emulation library
ii  swtpm                                0.8.0~bpo11+2                  amd64        Libtpms-based TPM emulator
ii  swtpm-libs:amd64                     0.8.0~bpo11+2                  amd64        Common libraries for TPM emulators
ii  swtpm-tools                          0.8.0~bpo11+2                  amd64        Tools for the TPM emulator

Code:
pve2:~#dpkg --list | grep tpm
ii  libtpms0:amd64                       0.9.5~bpo11+1                  amd64        TPM emulation library
ii  swtpm                                0.8.0~bpo11+2                  amd64        Libtpms-based TPM emulator
ii  swtpm-libs:amd64                     0.8.0~bpo11+2                  amd64        Common libraries for TPM emulators
ii  swtpm-tools                          0.8.0~bpo11+2                  amd64        Tools for the TPM emulator

Code:
pveversion -v
proxmox-ve: 7.3-1 (running kernel: 5.15.102-1-pve)
pve-manager: 7.4-3 (running version: 7.4-3/9002ab8a)
pve-kernel-helper: 7.3-4
pve-kernel-5.15: 7.3-3
pve-kernel-5.13: 7.1-9
pve-kernel-5.4: 6.4-7
pve-kernel-5.15.102-1-pve: 5.15.102-1
pve-kernel-5.15.85-1-pve: 5.15.85-1
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.4.143-1-pve: 5.4.143-1
pve-kernel-5.4.34-1-pve: 5.4.34-2
ceph-fuse: 15.2.17-pve1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: residual config
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.4
libproxmox-backup-qemu0: 1.3.1-1
libproxmox-rs-perl: 0.2.1
libpve-access-control: 7.4-2
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.3-4
libpve-guest-common-perl: 4.2-4
libpve-http-server-perl: 4.2-1
libpve-rs-perl: 0.7.5
libpve-storage-perl: 7.4-2
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-2
lxcfs: 5.0.3-pve1
novnc-pve: 1.4.0-1
openvswitch-switch: 2.15.0+ds1-2+deb11u2.1
proxmox-backup-client: 2.3.3-1
proxmox-backup-file-restore: 2.3.3-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-offline-mirror-helper: 0.5.1-1
proxmox-widget-toolkit: 3.6.4
pve-cluster: 7.3-3
pve-container: 4.4-3
pve-docs: 7.4-2
pve-edk2-firmware: 3.20230228-1
pve-firewall: 4.3-1
pve-firmware: 3.6-4
pve-ha-manager: 3.6.0
pve-i18n: 2.11-1
pve-qemu-kvm: 7.2.0-8
pve-xtermjs: 4.16.0-1
qemu-server: 7.4-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+3
vncterm: 1.7-1
zfsutils-linux: 2.1.9-pve1
 
I am still not sure where you got that package from.. are you all on some hoster and using their images that come/came with it preinstalled maybe?
 
I think I've tried it when Windows 11 was new and not supported by Proxmox. (I think it was pre 7.0 Proxmox release).
I'm not really sure where I got this from.
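
The pattern in this thread, as an added example that is not from any poster and is not Proxmox or swtpm code: a POSIX shell check that lists libraries `ldd` resolves from unmanaged prefixes and matches them against AppArmor `DENIED` records. The function names, the choice of `/usr/local` and `/opt` as unmanaged prefixes, and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find libraries that ldd resolves from unmanaged prefixes and
# match them against AppArmor DENIED records. All names here are illustrative.

# stdin: `ldd` output. Prints "soname path" for each library resolved under
# /usr/local or /opt (assumed to be prefixes the package manager does not own).
unmanaged_libs() {
    awk '$2 == "=>" && $3 ~ /^\/(usr\/local|opt)\// { print $1, $3 }'
}

# stdin: kernel audit lines. Prints "profile operation name" per DENIED record.
# Assumes the field order seen in this thread (operation, profile, name).
apparmor_denials() {
    sed -n 's/.*apparmor="DENIED" operation="\([^"]*\)" profile="\([^"]*\)" name="\([^"]*\)".*/\2 \1 \3/p'
}

# $1: ldd output, $2: audit text. Reports each unmanaged library whose path
# (or a versioned file sharing that path prefix) appears in a denial.
shadowed_and_denied() {
    printf '%s\n' "$1" | unmanaged_libs | while read -r soname path; do
        printf '%s\n' "$2" | apparmor_denials | while read -r profile op name; do
            case "$name" in
                "$path"*) echo "$soname: $path -> $name denied ($op) by profile $profile" ;;
            esac
        done
    done
}

# Constructed sample input, modelled on the output posted in the thread.
SAMPLE_LDD='        linux-vdso.so.1 (0x00007ffe2ecc9000)
        libtpms.so.0 => /usr/local/lib/libtpms.so.0 (0x00007fd28e7b1000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd28e5dc000)'
SAMPLE_AUDIT='apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/local/lib/libtpms.so.0.10.0" pid=46073 comm="swtpm" requested_mask="m" denied_mask="m" fsuid=0 ouid=0'

shadowed_and_denied "$SAMPLE_LDD" "$SAMPLE_AUDIT"
```

On a live host the inputs would be the output of `ldd /usr/bin/swtpm` and the syslog; `dpkg -S` on a flagged path then shows whether any package owns the file.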