swtpm at /usr/bin/swtpm does not support TPM 2

fabian said:
is your system correctly usr-merged? (is /bin a symlink to /usr/bin)? was this system upgraded or freshly installed? anything else that is peculiar about it?
Click to expand...
Code: 
# ls -laF
total 64
drwxr-xr-x  19 root root  4096 Aug 13 09:32 ./
drwxr-xr-x  19 root root  4096 Aug 13 09:32 ../
lrwxrwxrwx   1 root root     7 May 12 15:25 bin -> usr/bin/

It's a fairly new install, I have a few Linux VMs and a Win7 Pro VM on it.
 
okay. could attach the output of strace -ff swtpm socket --print-capabilities as well as sha256sum /usr/bin/swtpm* /usr/lib/x86_64-linux-gnu/swtpm/*?
 
Code: 
# sha256sum /usr/bin/swtpm* /usr/lib/x86_64-linux-gnu/swtpm/*
26c56c56ec7f362c60f7c86cc50835a61c16eb94f88539a6bdc94e7b250a3d9e  /usr/bin/swtpm
dbda0719f6c9d1db6146dad225b1408f82269bb911a97f7677ce8befad2c3157  /usr/bin/swtpm_bios
b419ed933f83d7e96402a06eec847a99b3055cf537dc866a73b43691573a132a  /usr/bin/swtpm_cert
57be908e90a63115625105e5f270b4da14796b194f6f96d560ec33dd8058d01e  /usr/bin/swtpm_ioctl
40f7108376df8a65ad761b2dfc84a5c8a28a0cd8d6e50b0106449cbdb049e119  /usr/bin/swtpm_localca
1200ab95b592f9963a8f613a2b811007834fb774b0470ef1a569ee3390c8f90c  /usr/bin/swtpm_setup
e5b6df0b3d31983e493d1ae230a0f1c1d4a73ff71ca1e235e63159a6e9577809  /usr/lib/x86_64-linux-gnu/swtpm/libswtpm_libtpms.so.0
e5b6df0b3d31983e493d1ae230a0f1c1d4a73ff71ca1e235e63159a6e9577809  /usr/lib/x86_64-linux-gnu/swtpm/libswtpm_libtpms.so.0.0.0

Wow --- it really didn't like that strace command:

Code: 
# strace -ff swtpm socket --print-capabilities
execve("/usr/bin/swtpm", ["swtpm", "socket", "--print-capabilities"], 0x7fffc3955fb8 /* 17 vars */) = 0
brk(NULL)                               = 0x61ae264c1000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ecac603f000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/swtpm/glibc-hwcaps/x86-64-v3/libswtpm_libtpms.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/swtpm/glibc-hwcaps/x86-64-v3/", 0x7ffc43c12010, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/swtpm/glibc-hwcaps/x86-64-v2/libswtpm_libtpms.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/swtpm/glibc-hwcaps/x86-64-v2/", 0x7ffc43c12010, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/swtpm/libswtpm_libtpms.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=96360, ...}) = 0
mmap(NULL, 98808, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ecac6026000
mmap(0x7ecac602b000, 49152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7ecac602b000
mmap(0x7ecac6037000, 24576, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x7ecac6037000
mmap(0x7ecac603d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7ecac603d000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/swtpm/libtpms.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=27515, ...}) = 0
mmap(NULL, 27515, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ecac601f000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libtpms.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=953080, ...}) = 0
mmap(NULL, 1166080, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ecac5f02000
mmap(0x7ecac5f0c000, 569344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7ecac5f0c000
mmap(0x7ecac5f97000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x95000) = 0x7ecac5f97000
mmap(0x7ecac5fe5000, 28672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe2000) = 0x7ecac5fe5000
mmap(0x7ecac5fec000, 207616, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ecac5fec000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/swtpm/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\236\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 840, 64) = 840
fstat(3, {st_mode=S_IFREG|0755, st_size=2003408, ...}) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 840, 64) = 840
mmap(NULL, 2055800, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ecac5d0c000
mmap(0x7ecac5d34000, 1462272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28000) = 0x7ecac5d34000
mmap(0x7ecac5e99000, 352256, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18d000) = 0x7ecac5e99000
mmap(0x7ecac5eef000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e2000) = 0x7ecac5eef000
mmap(0x7ecac5ef5000, 52856, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ecac5ef5000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libseccomp.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=182560, ...}) = 0
mmap(NULL, 184672, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ecac5cde000
mmap(0x7ecac5ce1000, 61440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ecac5ce1000
mmap(0x7ecac5cf0000, 106496, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12000) = 0x7ecac5cf0000
mmap(0x7ecac5d0a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2b000) = 0x7ecac5d0a000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcrypto.so.3", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=6505024, ...}) = 0
mmap(NULL, 6519848, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ecac5600000
mmap(0x7ecac56f7000, 3674112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf7000) = 0x7ecac56f7000
mmap(0x7ecac5a78000, 1273856, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x478000) = 0x7ecac5a78000
mmap(0x7ecac5baf000, 548864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5ae000) = 0x7ecac5baf000
mmap(0x7ecac5c35000, 11304, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ecac5c35000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=125376, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ecac5cdc000
mmap(NULL, 127376, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ecac5cbc000
mmap(0x7ecac5cbf000, 81920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ecac5cbf000
mmap(0x7ecac5cd3000, 28672, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7ecac5cd3000
mmap(0x7ecac5cda000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d000) = 0x7ecac5cda000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libzstd.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=825336, ...}) = 0
mmap(NULL, 823352, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ecac5536000
mmap(0x7ecac553b000, 716800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7ecac553b000
mmap(0x7ecac55ea000, 81920, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb4000) = 0x7ecac55ea000
mmap(0x7ecac55fe000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc8000) = 0x7ecac55fe000
close(3)                                = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ecac5cb9000
arch_prctl(ARCH_SET_FS, 0x7ecac5cb9740) = 0
set_tid_address(0x7ecac5cb9a10)         = 1270565
set_robust_list(0x7ecac5cb9a20, 24)     = 0
rseq(0x7ecac5cb9680, 0x20, 0, 0x53053053) = 0
mprotect(0x7ecac5eef000, 16384, PROT_READ) = 0
mprotect(0x7ecac55fe000, 4096, PROT_READ) = 0
mprotect(0x7ecac5cda000, 4096, PROT_READ) = 0
mprotect(0x7ecac5baf000, 536576, PROT_READ) = 0
mprotect(0x7ecac5d0a000, 4096, PROT_READ) = 0
mprotect(0x7ecac5fe5000, 16384, PROT_READ) = 0
mprotect(0x7ecac603d000, 4096, PROT_READ) = 0
mprotect(0x61ae05668000, 4096, PROT_READ) = 0
mprotect(0x7ecac607b000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7ecac601f000, 27515)           = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
 
elder said:
26c56c56ec7f362c60f7c86cc50835a61c16eb94f88539a6bdc94e7b250a3d9e /usr/bin/swtpm
Click to expand...

that checksum doesn't match the one from the trixie package.. it's also not the one from our bookworm package..

elder said:
Wow --- it really didn't like that strace command:
Click to expand...

and that also looks rather strange..

could you save that binary somewhere and then reinstall swtpm and see if the problem goes away? if it does, could you maybe post the binary somewhere so we can see if this was some outdated version/build, memory or disk corruption or something malicious going on?
 
fabian said:
that checksum doesn't match the one from the trixie package.. it's also not the one from our bookworm package..



and that also looks rather strange..

could you save that binary somewhere and then reinstall swtpm and see if the problem goes away? if it does, could you maybe post the binary somewhere so we can see if this was some outdated version/build, memory or disk corruption or something malicious going on?
Click to expand...

Sure -- if you would kindly give me the steps to do so, please.

I didn't install swtpm from anywhere by itself, it's whatever came with the Proxmox VE (unless it got pulled in with another apt install and I didn't notice).
 
Last edited:
elder said:
Sure -- if you would kindly give me the steps to do so, please.
Click to expand...
I am not @fabian ;-) but I can show you this:

My system is using non-subscription, everything updated.
Code: 
~# pveversion 
pve-manager/9.0.6/49c767b70aeb6648 (running kernel: 6.14.11-1-pve)

The swtpm binary comes from the corresponding package:
Code: 
~# dpkg -S /usr/bin/swtpm 
swtpm: /usr/bin/swtpm

~# apt policy swtpm
swtpm:
  Installed: 0.8.0+pve2
  Candidate: 0.8.0+pve2
  Version table:
 *** 0.8.0+pve2 500
        500 http://download.proxmox.com/debian/pve trixie/pve-no-subscription amd64 Packages

To check the integrity of the package I utilize "debsums":
Code: 
~# apt install debsums

~# debsums swtpm
/usr/bin/swtpm                                                                OK
/usr/share/doc/swtpm/changelog.gz                                             OK
/usr/share/doc/swtpm/copyright                                                OK
/usr/share/man/man8/swtpm.8.gz                                                OK

The specific "swtpm" file has this sha256 sum:
Code: 
~# sha256sum /usr/bin/swtpm* /usr/lib/x86_64-linux-gnu/swtpm/*
10650d421a11ddd6461164d25edcf30d914413ccdec6b81308b4876e04912854  /usr/bin/swtpm

Please compare...
 
  • Like
Reactions: fabian
You must log in or register to reply here.
Top Bottom