swtpm at /usr/bin/swtpm does not support TPM 2

Vividly2997

New Member
Nov 18, 2022
Running 7.2-11. I recently updated and rebooted the server. Now, any VM with a TPM will not start and shows an exit code of 1. When running the command in question (swtpm_setup --tpmstate file:///dev/HDD-500GB-thin/vm-104-disk-2 --createek --create-ek-cert --create-platform-cert --lock-nvram --config /etc/swtpm_setup.conf --runas 0 --not-overwrite --tpm2 --ecc) from the terminal, I get "swtpm at /usr/bin/swtpm does not support TPM 2". Any troubleshooting tips are greatly appreciated.

I have also discovered that when running swtpm I get the following: "swtpm: error while loading shared libraries: libtpms.so.0: failed to map segment from shared object"

Also seeing this in the syslog: apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/local/lib/libtpms.so.0.10.0" pid=46073 comm="swtpm" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
 

Vividly2997

New Member
Nov 18, 2022
I wish I had a good explanation, but I noticed there were several obsolete packages/kernels so I ran "apt-get autoremove". Rebooted and everything is working now. :confused:
 

joerskate

Member
Jun 15, 2017
I am getting the same syslog messages as well. Update and package cleanup/reboot did not resolve the issue for me.
 

joerskate

Member
Jun 15, 2017
Not a great fix but a workaround until this is resolved is to set the apparmor policy to complain for the swtpm.

apt install apparmor-utils
aa-complain /usr/bin/swtpm
 

fiona

Proxmox Staff Member
Staff member
Aug 1, 2019
Hi,
> I am getting the same syslog messages as well. Update and package cleanup/reboot did not resolve the issue for me.

please post the output of pveversion -v and qm config <ID>, replacing <ID> with the ID of an affected VM.
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
/usr/local/lib/libtpms.so.0.10.0 is not part of any Debian Bullseye or PVE package.. you must have installed third party software and/or packages?
 

joerskate

Member
Jun 15, 2017
Syslog Error: (I allowed this in apparmor with aa-complain)
kernel: audit: type=1400 audit(1669043584.431:72): apparmor="ALLOWED" operation="file_mmap" profile="swtpm" name="/usr/local/lib/libtpms.so.0.8.0" pid=1042371 comm="swtpm" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Packages:
Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.74-1-pve)
pve-manager: 7.2-15 (running version: 7.2-15/963997e8)
pve-kernel-5.15: 7.2-14
pve-kernel-helper: 7.2-14
pve-kernel-5.15.74-1-pve: 5.15.74-1
pve-kernel-5.15.64-1-pve: 5.15.64-1
ceph-fuse: 14.2.21-1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: 0.8.36+pve2
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-5
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-8
libpve-guest-common-perl: 4.2-3
libpve-http-server-perl: 4.1-5
libpve-storage-perl: 7.2-12
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
openvswitch-switch: 2.15.0+ds1-2+deb11u1
proxmox-backup-client: 2.2.7-1
proxmox-backup-file-restore: 2.2.7-1
proxmox-mini-journalreader: 1.3-1
proxmox-offline-mirror-helper: 0.5.0-1
proxmox-widget-toolkit: 3.5.2
pve-cluster: 7.2-3
pve-container: 4.4-1
pve-docs: 7.2-5
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-7
pve-firmware: 3.5-6
pve-ha-manager: 3.4.0
pve-i18n: 2.7-3
pve-qemu-kvm: 7.1.0-3
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-12
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+2
vncterm: 1.7-1
zfsutils-linux: 2.1.6-pve1

VM Config:
Code:
agent: 1
audio0: device=ich9-intel-hda,driver=spice
balloon: 2046
bios: ovmf
boot: order=ide0;net0;scsi0
cores: 4
cpu: host,flags=+spec-ctrl;+ssbd
efidisk0: local-lvm:vm-521-disk-1,efitype=4m,pre-enrolled-keys=1,size=4M
ide0: local-lvm:vm-521-disk-0,size=110G
machine: pc-q35-7.1
memory: 8192
name: dmz-win11
net0: e1000=A2:B3:7D:D2:B7:60,bridge=vmbr0,firewall=1,tag=101
numa: 0
ostype: win11
smbios1: uuid=4b53ff24-e0d6-4fc1-a988-32fdef30cf70,manufacturer=UUVNVQ==,serial=UUVNVS00YjUzZmYyNC1lMGQ2LTRmYzEtYTk4OC0zMmZkZWYzMGNmNzA=,base64=1
sockets: 1
spice_enhancements: videostreaming=all
tpmstate0: local-lvm:vm-521-disk-2,size=4M,version=v2.0
vga: qxl,memory=64
vmgenid: 0e5f10de-80d4-4bb4-923c-62814bf351b7
 

cooma

New Member
Oct 6, 2021
I'm also having the exact same issue. Seems to be related to this bug: https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/1989100

I tried adding /run/libvirt/qemu/swtpm/*.pid rwk, to /etc/apparmor.d/local/usr.bin.swtpm as mentioned in the bug report but that didn't seem to fix the issue for me. Not sure if the /run/libvirt/qemu directory is the correct path.

Setting the apparmor policy to complain fixed the issue for me.

There's also this submitted issue: https://github.com/stefanberger/swtpm/issues/770
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
the apparmor messages are totally different though ;) could you provide the following:

Code:
dpkg --list | grep tpm
ls -lha /usr/local/lib/libtpm*
ldd /usr/bin/swtpm

thanks!
 

joerskate

Member
Jun 15, 2017
Code:
ii  libtpms                              0.8.0-1                        amd64        libtpms
ii  libtpms0:amd64                       0.9.5~bpo11+1                  amd64        TPM emulation library
ii  swtpm                                0.8.0~bpo11+2                  amd64        Libtpms-based TPM emulator
ii  swtpm-libs:amd64                     0.8.0~bpo11+2                  amd64        Common libraries for TPM emulators
ii  swtpm-tools                          0.8.0~bpo11+2                  amd64        Tools for the TPM emulator
rc  tpm2-abrmd                           2.3.3-1+b2                     amd64        TPM2 Access Broker & Resource Management Daemon

Code:
-rw-r--r-- 1 root root 9.6M Dec 19  2019 /usr/local/lib/libtpms.a
-rwxr-xr-x 1 root root  941 Dec 19  2019 /usr/local/lib/libtpms.la
lrwxrwxrwx 1 root root   16 Dec 19  2019 /usr/local/lib/libtpms.so -> libtpms.so.0.8.0
lrwxrwxrwx 1 root root   16 Dec 19  2019 /usr/local/lib/libtpms.so.0 -> libtpms.so.0.8.0
-rwxr-xr-x 1 root root 903K Dec 19  2019 /usr/local/lib/libtpms.so.0.8.0

Code:
        linux-vdso.so.1 (0x00007ffe2ecc9000)
        libswtpm_libtpms.so.0 => /usr/lib/x86_64-linux-gnu/swtpm/libswtpm_libtpms.so.0 (0x00007fd28e8c6000)
        libtpms.so.0 => /usr/local/lib/libtpms.so.0 (0x00007fd28e7b1000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd28e5dc000)
        libseccomp.so.2 => /lib/x86_64-linux-gnu/libseccomp.so.2 (0x00007fd28e5b9000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fd28e2c5000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd28e8eb000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd28e2bf000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd28e29b000)
 

michaelsage

Member
Jul 10, 2020
> Not a great fix but a workaround until this is resolved is to set the apparmor policy to complain for the swtpm.
>
> apt install apparmor-utils
> aa-complain /usr/bin/swtpm

This worked for me. Having the same issue after upgrading to 7.3.3
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
> Code:
> ii  libtpms                              0.8.0-1                        amd64        libtpms
> ii  libtpms0:amd64                       0.9.5~bpo11+1                  amd64        TPM emulation library
> ii  swtpm                                0.8.0~bpo11+2                  amd64        Libtpms-based TPM emulator
> ii  swtpm-libs:amd64                     0.8.0~bpo11+2                  amd64        Common libraries for TPM emulators
> ii  swtpm-tools                          0.8.0~bpo11+2                  amd64        Tools for the TPM emulator
> rc  tpm2-abrmd                           2.3.3-1+b2                     amd64        TPM2 Access Broker & Resource Management Daemon
>
> Code:
> -rw-r--r-- 1 root root 9.6M Dec 19  2019 /usr/local/lib/libtpms.a
> -rwxr-xr-x 1 root root  941 Dec 19  2019 /usr/local/lib/libtpms.la
> lrwxrwxrwx 1 root root   16 Dec 19  2019 /usr/local/lib/libtpms.so -> libtpms.so.0.8.0
> lrwxrwxrwx 1 root root   16 Dec 19  2019 /usr/local/lib/libtpms.so.0 -> libtpms.so.0.8.0
> -rwxr-xr-x 1 root root 903K Dec 19  2019 /usr/local/lib/libtpms.so.0.8.0
>
> Code:
>         linux-vdso.so.1 (0x00007ffe2ecc9000)
>         libswtpm_libtpms.so.0 => /usr/lib/x86_64-linux-gnu/swtpm/libswtpm_libtpms.so.0 (0x00007fd28e8c6000)
>         libtpms.so.0 => /usr/local/lib/libtpms.so.0 (0x00007fd28e7b1000)
>         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd28e5dc000)
>         libseccomp.so.2 => /lib/x86_64-linux-gnu/libseccomp.so.2 (0x00007fd28e5b9000)
>         libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fd28e2c5000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007fd28e8eb000)
>         libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd28e2bf000)
>         libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd28e29b000)

could you also run dpkg -S /usr/local/lib/libtpm*?
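
The two checks requested in this thread (which libtpms.so.0 the loader picks for swtpm, and which paths the swtpm AppArmor profile refuses or merely logs for mmap) can be scripted. This is an added example, not part of the thread: the function names and the third log line are constructed, the other sample lines are copied from the posts above, and the sed pattern assumes the audit field order shown in those lines.

```shell
#!/bin/sh
# Added example. Sample input: the ldd lines and the first two audit lines are
# copied from the posts above; the third audit line is constructed.
SAMPLE_LDD='        linux-vdso.so.1 (0x00007ffe2ecc9000)
        libswtpm_libtpms.so.0 => /usr/lib/x86_64-linux-gnu/swtpm/libswtpm_libtpms.so.0 (0x00007fd28e8c6000)
        libtpms.so.0 => /usr/local/lib/libtpms.so.0 (0x00007fd28e7b1000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd28e5dc000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd28e8eb000)'
SAMPLE_LOG='apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/local/lib/libtpms.so.0.10.0" pid=46073 comm="swtpm" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1669043584.431:72): apparmor="ALLOWED" operation="file_mmap" profile="swtpm" name="/usr/local/lib/libtpms.so.0.8.0" pid=1042371 comm="swtpm" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="example-profile" name="/etc/example.conf" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Read `ldd` output on stdin; print "soname path" for every library the
# loader resolves outside /lib, /lib64 and /usr/lib (e.g. /usr/local/lib),
# i.e. outside the directories distribution packages install into.
nonsystem_libs() {
    awk '$2 == "=>" && $3 ~ /^\// && $3 !~ /^\/(usr\/)?lib(64)?\// { print $1, $3 }'
}

# Read kernel log lines on stdin; print "VERDICT path" for each file_mmap
# event of AppArmor profile $1. ALLOWED lines come from complain mode and
# name what the profile would block once it is enforcing again.
apparmor_mmap_events() {
    sed -nE 's/.*apparmor="(DENIED|ALLOWED)" operation="file_mmap" profile="'"$1"'" name="([^"]*)".*/\1 \2/p' | sort -u
}

# Offline demo on the sample input. On a live host, feed real data instead:
#   ldd /usr/bin/swtpm | nonsystem_libs
#   journalctl -k | apparmor_mmap_events swtpm
printf '%s\n' "$SAMPLE_LDD" | nonsystem_libs
printf '%s\n' "$SAMPLE_LOG" | apparmor_mmap_events swtpm
```

A library reported by the first function whose directory also shows up in the second function's output is the mismatch discussed in the thread; running `dpkg -S` on that path then shows whether any package owns it.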
 
