stefanberger / swtpm

Libtpms-based TPM emulator with socket, character device, and Linux CUSE interface.

Unable to build on ubuntu 21.04 #559

Closed odror closed 3 years ago

odror commented 3 years ago

Describe the bug: When building under Ubuntu 21.04 using the command "dpkg-buildpackage -us -uc -j32" I get a fatal error:

make[5]: *** [Makefile:731: test-suite.log] Error 1
make[5]: Leaving directory '/home/dror/work/swtpm/swtpm/tests'
make[4]: *** [Makefile:839: check-TESTS] Error 2
make[4]: Leaving directory '/home/dror/work/swtpm/swtpm/tests'
make[3]: *** [Makefile:1354: check-am] Error 2
make[3]: Leaving directory '/home/dror/work/swtpm/swtpm/tests'
make[2]: *** [Makefile:479: check-recursive] Error 1
make[2]: Leaving directory '/home/dror/work/swtpm/swtpm'
make[1]: *** [debian/rules:11: override_dh_auto_test] Error 2
make[1]: Leaving directory '/home/dror/work/swtpm/swtpm'
make: *** [debian/rules:4: binary] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2

To Reproduce: Steps to reproduce the behavior:

  1. git clone https://github.com/stefanberger/swtpm
  2. cd swtpm
  3. dpkg-buildpackage -us -uc -j32

Expected behavior: I expected to get a Debian *.deb package.

Additional context: Attached tests/test-suite.log.

stefanberger commented 3 years ago

You have to first build libtpms using the instructions here: https://github.com/stefanberger/libtpms/wiki#build-a-package-on-ubuntu

Then follow the instructions for building swtpm for Ubuntu here: https://github.com/stefanberger/swtpm/wiki#build-deb-package-ubuntu-debian

odror commented 3 years ago

I have done it again, removing and following https://github.com/stefanberger/libtpms/wiki#build-a-package-on-ubuntu.
I get the same error. This is the procedure that I followed:

sudo apt-get -y install automake autoconf libtool gcc build-essential libssl-dev dh-exec pkg-config dh-autoreconf
./autogen.sh --with-openssl
make dist
dpkg-buildpackage -us -uc -j32

See attachment test-suite.log

stefanberger commented 3 years ago

When you get these errors then you have to update your libtpms to either master or follow one of the stable branches to its end. v0.8.7 is the latest version.

FAIL: test_tpm2_save_load_state
===============================

Need to be root to run test with CUSE interface.
Need to be root to run test with CUSE interface.
==== Starting swtpm with interfaces socket+socket ====
Error: (1) Did not get expected result from TPM_PCRRead(17)
expected:  80 01 00 00 00 3e 00 00 00 00 00 00 00 18 00 00 00 01 00 0b 03 00 00 02 00 00 00 01 00 20 fc a5 d6 49 bf b0 c9 22 fd 33 0f 79 b2 00 43 28 9d af d6 0d 01 a4 c4 37 3c f2 8a db 56 c9 b4 54
received:  80 01 00 00 00 3e 00 00 00 00 00 00 00 19 00 00 00 01 00 0b 03 00 00 02 00 00 00 01 00 20 fc a5 d6 49 bf b0 c9 22 fd 33 0f 79 b2 00 43 28 9d af d6 0d 01 a4 c4 37 3c f2 8a db 56 c9 b4 54
_test_tpm2_save_load_state: line 23: 482727 Killed                  ${SWTPM_EXE} socket "$@" ${SWTPM_TEST_SECCOMP_OPT} --server type=tcp,port=${SWTPM_SERVER_PORT}${swtpm_server_disconnect} --ctrl type=tcp,port=${SWTPM_CTRL_PORT}
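
The test above compares the whole TPM2_PCR_Read response byte for byte, so it reports a mismatch without saying which field moved. The decoder below is an added example (not swtpm or libtpms code): it parses the expected and received lines quoted above into the response fields defined by the TPM 2.0 command specification and lists the ones that differ. Function names are this example's own; the two byte strings are copied from the log lines.

```python
"""Decode two TPM2_PCR_Read responses and report which fields differ."""
import struct

TPM_ST_NO_SESSIONS = 0x8001
TPM_ALG_SHA256 = 0x000B


def decode_pcr_read_response(data: bytes) -> dict:
    """Parse a TPM2_PCR_Read response.

    Layout (all big-endian): TPM_ST tag, UINT32 responseSize, TPM_RC
    responseCode, UINT32 pcrUpdateCounter, TPML_PCR_SELECTION
    pcrSelectionOut, TPML_DIGEST pcrValues.
    """
    tag, size, rc = struct.unpack_from(">HII", data, 0)
    if size != len(data):
        raise ValueError(f"responseSize {size} != buffer length {len(data)}")
    if rc != 0:
        # Error responses carry only the 10-byte header.
        return {"tag": tag, "rc": rc}
    off = 10
    update_counter, sel_count = struct.unpack_from(">II", data, off)
    off += 8
    selections = []
    for _ in range(sel_count):
        alg, size_of_select = struct.unpack_from(">HB", data, off)
        off += 3
        bitmap = data[off:off + size_of_select]
        off += size_of_select
        # pcrSelect is a bitmap: byte i, bit j selects PCR 8*i + j
        pcrs = [8 * i + j for i, b in enumerate(bitmap)
                for j in range(8) if (b >> j) & 1]
        selections.append({"alg": alg, "pcrs": pcrs})
    (digest_count,) = struct.unpack_from(">I", data, off)
    off += 4
    digests = []
    for _ in range(digest_count):
        (dlen,) = struct.unpack_from(">H", data, off)
        off += 2
        digests.append(data[off:off + dlen])
        off += dlen
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes")
    return {"tag": tag, "rc": rc, "pcr_update_counter": update_counter,
            "selections": selections, "digests": digests}


def diff_fields(a: dict, b: dict) -> list:
    """Top-level field names whose values differ between two decoded responses."""
    return [k for k in a if a[k] != b.get(k)]


# The expected/received lines from the failing test, verbatim.
EXPECTED = bytes.fromhex(
    "80 01 00 00 00 3e 00 00 00 00 00 00 00 18 00 00 00 01 00 0b 03 00 00 02"
    " 00 00 00 01 00 20 fc a5 d6 49 bf b0 c9 22 fd 33 0f 79 b2 00 43 28 9d af"
    " d6 0d 01 a4 c4 37 3c f2 8a db 56 c9 b4 54".replace(" ", ""))
RECEIVED = bytes.fromhex(
    "80 01 00 00 00 3e 00 00 00 00 00 00 00 19 00 00 00 01 00 0b 03 00 00 02"
    " 00 00 00 01 00 20 fc a5 d6 49 bf b0 c9 22 fd 33 0f 79 b2 00 43 28 9d af"
    " d6 0d 01 a4 c4 37 3c f2 8a db 56 c9 b4 54".replace(" ", ""))

if __name__ == "__main__":
    exp, rcv = decode_pcr_read_response(EXPECTED), decode_pcr_read_response(RECEIVED)
    print("selection:", exp["selections"])
    print("digest equal:", exp["digests"] == rcv["digests"])
    print("differing fields:", diff_fields(exp, rcv))
```

Run on the two lines above, the decoder shows a SHA-256 read of PCR 17 whose digest is identical in both responses; the only differing field is pcrUpdateCounter (0x18 vs 0x19), the counter the TPM increments whenever a PCR is modified. That tells you the test is comparing counter state rather than a wrong PCR value, which is the kind of detail to check before concluding that a state save/load round-trip corrupted measurements.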

odror commented 3 years ago

Yes, the Ubuntu default libtpms version is old; it is 0.8.0. I have installed version 0.9 from your git. Then swtpm compiles and creates the deb packages.

There is one issue.

When installing swtpm-tools_0.7.0~dev1_amd64.deb it failed because it needed the package trousers. This particular package could not be configured because of this error:

Sep 26 18:23:47 R9-5950x systemd[1]: Starting LSB: starts tcsd...
Sep 26 18:23:47 R9-5950x trousers[5565]:  * Starting Trusted Computing daemon tcsd
Sep 26 18:23:47 R9-5950x trousers[5565]: /etc/init.d/trousers: 32: [: /dev/tpm0: unexpected operator
Sep 26 18:23:47 R9-5950x tcsd[5591]: TCSD TDDL[5591]: TrouSerS ioctl: (25) Inappropriate ioctl for device
Sep 26 18:23:47 R9-5950x tcsd[5591]: TCSD TDDL[5591]: TrouSerS Falling back to Read/Write device support.
Sep 26 18:23:47 R9-5950x tcsd[5591]: TCSD TCS[5591]: TrouSerS ERROR: TCS GetCapability failed with result = 0x1e
Sep 26 18:23:47 R9-5950x trousers[5565]:    ...fail!

Is this a big issue for swtpm?

odror commented 3 years ago

One more issue. After installing swtpm, I was not able to install W11 on KVM. I do not think that the VM recognized the TPM. Do I need an additional driver inside Windows?

stefanberger commented 3 years ago

I don't know about Windows 11. There was never a driver needed, from what I know, and the TPM was recognized with Win 11 and others. We run various tests with it also: https://github.com/stefanberger/libtpms/wiki/Testing-of-libtpms-Functionality#windows-hardware-lab-kit-tests

stefanberger commented 3 years ago

When installing swtpm-tools_0.7.0~dev1_amd64.deb it failed because it needed the package trousers. This particular package could not be configured because of this error:

Sep 26 18:23:47 R9-5950x systemd[1]: Starting LSB: starts tcsd...
Sep 26 18:23:47 R9-5950x trousers[5565]:  * Starting Trusted Computing daemon tcsd
Sep 26 18:23:47 R9-5950x trousers[5565]: /etc/init.d/trousers: 32: [: /dev/tpm0: unexpected operator
Sep 26 18:23:47 R9-5950x tcsd[5591]: TCSD TDDL[5591]: TrouSerS ioctl: (25) Inappropriate ioctl for device
Sep 26 18:23:47 R9-5950x tcsd[5591]: TCSD TDDL[5591]: TrouSerS Falling back to Read/Write device support.
Sep 26 18:23:47 R9-5950x tcsd[5591]: TCSD TCS[5591]: TrouSerS ERROR: TCS GetCapability failed with result = 0x1e
Sep 26 18:23:47 R9-5950x trousers[5565]:    ...fail!

Is this a big issue for swtpm?

No it's not a big issue. We should be able to remove this dependency from the debian/control file. @nchevsky , what do you think?

stefanberger commented 3 years ago

I opened PR #562 to remove the trousers dependency. I think what you are hitting above is a packaging/scripting issue in Ubuntu and/or Debian. I can install trousers on a machine that doesn't have /dev/tpm0 and it doesn't complain about it. Also, I don't understand what the unexpected operator issue is, but maybe that's due to the shell your system is configured with. Mine has this configuration here, using dash as the shell.

# ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Jun 27  2019 /bin/sh -> dash

What's the shell on your system?

nchevsky commented 3 years ago

Thank you for asking for my input, @stefanberger. For the record, TrouSerS on my Debian system doesn't have the problem shown above, which as you said appears to be Ubuntu-specific and I believe is localized to tcsd's init script. Now, regardless of the actual cause, I'm not sure we can just up and remove the TrouSerS dependency without breaking things—I'll comment further in #562 in a few minutes.

odror commented 3 years ago

I have the same,

# ls -ls /bin/sh
1 lrwxrwxrwx 1 root root 4 Feb 13  2021 /bin/sh -> dash*

It might not be related to this discussion, but ultimately my goal is to install W11 beta on KVM (I can install the W11 Development branch). I think the TPM issue is holding me back. Any thoughts about that?

stefanberger commented 3 years ago

I think the TPM issue is holding me back. Any thoughts about that?

How are you starting the VM? Via QEMU on the command line, or via libvirt or virt-manager? You are sure that you have attached a TPM 2 (swtpm ... --tpm2) to the VM, not a TPM 1.2, right?

odror commented 3 years ago

I use virt-manager. Yes, it is 2.0. The embedded code is:

<tpm model="tpm-tis">
  <backend type="emulator" version="2.0"/>
</tpm>

stefanberger commented 3 years ago

Can you try the CRB interface to see whether that makes any difference? Which version of QEMU are you using? And you are using EDK2 / UEFI?

odror commented 3 years ago

I tried CRB initially. It did not work. I have the default QEMU in 21.04, which is 5.2+dfsg-9ubuntu3.1. I use UEFI/OVMF_CODE_4M, which comes with Ubuntu. Is that EDK2?

stefanberger commented 3 years ago

I use UEFI/OVMF_CODE_4M, which comes with Ubuntu. Is that EDK2?

Yes, that's EDK2.

I don't know what could be wrong on W11. We have it working on Window 2016 (https://github.com/stefanberger/libtpms/issues/217#issuecomment-851516146) , Windows 2019 (https://github.com/stefanberger/libtpms/issues/217#issuecomment-851492786), Windows 10 (https://github.com/stefanberger/libtpms/wiki/Testing-of-libtpms-Functionality#windows-hardware-lab-kit-tests), and iirc also Windows 2012.

nchevsky commented 3 years ago

I don't know what could be wrong on W11.

There's no issue with Windows 11; I've had mine working (on a Proxmox VE host) for months and, combined with EDK2's secure boot support (which depending on distribution may need to be manually switched on and rebuilt), it passes all of Windows 11's security checks. Without secure boot, though, TPM only satisfies part of Windows 11's requirements.


stefanberger commented 3 years ago

@nchevsky Good to know! I take it as a reference that Windows 11 can be made to be/is also working.

odror commented 3 years ago

There is a hacked W11 ISO that will install, but cannot be licensed. There is the W11 Development branch that will install, but cannot be downgraded to the Beta version. I am interested in the W11 beta. This one can be licensed. It does fail the test during the installation, most likely because of the TPM.

nchevsky commented 3 years ago

There is a hacked W11 ISO that will install, but cannot be licensed. There is the W11 Development branch that will install, but cannot be downgraded to the Beta version. I am interested in the W11 beta. This one can be licensed. It does fail the test during the installation, most likely because of the TPM.

It could be due to TPM, secure boot, processor, or any of the other requirements. I recommend that you first install one of the non-locked-down images you mentioned and, once running, open the Windows Security app and navigate to Device security to see which security checks (if any) are failing, as per the screenshot in my previous post.

odror commented 3 years ago

I am getting something else. Windows 11 "knows" that I am running in a VM, when installing the Development branch.

nchevsky commented 3 years ago

I am getting something else. Windows 11 "knows" that I am running in a VM, when installing the Development branch.

The "… that use virtualization-based security" part of the sentence in your screenshot refers to the "Security features available," not to "your device." It's not telling you that your device is a VM (Windows does know that it is, but that's irrelevant here).

The Core isolation screen has nothing to do with the security requirements we were discussing—you need to check the Security processor and Secure boot sections under Device security instead:


odror commented 3 years ago

OK, I do not get this screen. I think because of the TPM issue. In the device manager I get the following error, which basically indicates that the TPM does not work. I tried both TIS and CRB.

I use UEFI OVMF_CODE_4M.md.fd. Secure boot is not enabled on it by default. It does not allow me to enable it either. Does this have to do with my issues?

stefanberger commented 3 years ago

I use UEFI OVMF_CODE_4M.md.fd. Secure boot is not enabled on it by default. It does not allow me to enable it either. Does this have to do with my issues?

I don't typically use Ubuntu hosts to run VMs with attached TPM 2, but mostly Fedora, where TPM 2 is supported via swtpm + qemu + libvirt etc. right out of the installed packages. My guess is that using the Ubuntu OVMF (=edk2) may not be suitable when using a TPM 2. Since Ubuntu itself doesn't support TPM 2 they may not have compiled TPM 2 support into OVMF either, so the TPM 2 doesn't get initialized, possibly leading Windows to react like this. You could check the OVMF menus for TPM device support, whether it's there or not, which I think would be key to find out. TPM 2 support in OVMF initializes the TPM 2, and if that doesn't happen maybe Windows reacts like this.

I can send you a OVMF file with secure boot and TPM 2 support in it, if you want. You would have to adapt your libvirt VM config to point to that file then and see whether that improves the situation.

The QEMU repo also holds edk2 files: https://github.com/qemu/qemu/tree/master/pc-bios edk2-x86_64-secure-code.fd.bz2 looks most interesting.

odror commented 3 years ago

If you can send that file, at least for diagnostic purposes, it will help. I have a Fedora LXD container. I will try that too.

stefanberger commented 3 years ago

So this is the screenshot with the TPM 2 support menu in the red circle and also showing secure boot support.


I attached the (gzip'ed) OVMF file I used.

edk2-x86_64-secure-code.fd.gz

JooJooBee666 commented 3 years ago

This looks like issue #484; libvirt is too old on Ubuntu 21.04. I saw the same thing when using swtpm 0.7. Have you tried using 0.6.1 instead?

odror commented 3 years ago

I tried the new OVMF file. It did not work.

odror commented 3 years ago

This looks like issue #484; libvirt is too old on Ubuntu 21.04. I saw the same thing when using swtpm 0.7. Have you tried using 0.6.1 instead?

Where did you get the swtpm 0.6.1 which is compatible with Ubuntu 21.04?

stefanberger commented 3 years ago

I tried the new OVMF file. It did not work.

Not sure what this means... You unpacked it, right? It doesn't even show anything on the screen? Can you enter the menu with the UEFI you got with Ubuntu?

odror commented 3 years ago

I have the old menu, as if I did not change anything. I have unpacked it and placed it in /usr/share/OVMF, and then I edited the XML file of my VM to replace the old one with it. Was I supposed to redo the whole installation of the VM?

stefanberger commented 3 years ago

Was I supposed to redo the whole installation of the VM?

Not sure, but wouldn't exclude it.

odror commented 3 years ago

Success!! I have upgraded to Ubuntu 21.10 and it works. Ubuntu 21.04 was not compatible with the new swtpm. I was able to install Windows 11 Beta. Windows thinks that my device meets the security requirements. Only one issue is left (unrelated to TPM): Windows 11 does not like the "unsigned Red Hat QXL" display driver. So I am stuck at 800x600 resolution, unless I am going to use PCI passthrough graphics.

stefanberger commented 3 years ago

That's great!

Oooh, the compatibility issue is that swtpm cannot store its data due to fsync not being allowed by the old AppArmor profile (issue #484). You should see errors in the swtpm log, I believe. For sure we see the malfunctioning more clearly in the Linux log than in the Windows log (if there's such a thing).

stefanberger commented 3 years ago

I am now trying to solve this swtpm 0.7 issue with PR #573 to turn off the offending fsync() if it doesn't work.

odror commented 3 years ago

My main machine is still running 21.04. I'll be happy to test it when it is ready.

JooJooBee666 commented 3 years ago

Yep, same here. 👍

stefanberger commented 3 years ago

I merged it now. Hope this ends the headache.

odror commented 3 years ago

I am still getting the fsync error. Also, the downloaded version is 0.7.0.

SWTPM_NVRAM_StoreData: Error (fatal) opening /var/lib/libvirt/swtpm/08e176a4-12cc-4579-9d60-2950234f76cd/tpm2 for fsync failed, Permission denied
libtpms/tpm2: Entering failure mode; code: 3, location: ExecuteCommand line 308
libtpms/tpm2: TPM2_Process: Entered failure mode through command:

stefanberger commented 3 years ago

This is an old error message. Master now has this (https://github.com/stefanberger/swtpm/blob/master/src/swtpm/swtpm_nvstore_dir.c#L397-L408):

            logprintf(STDERR_FILENO,
                      "SWTPM_NVRAM_StoreData: Error syncing file, %s. Check AppArmor profile.\n",
                      strerror(errno));
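
Added example, not swtpm's own code, of the best-effort pattern this thread converges on: the state file's contents are always fsync'ed and renamed into place, and the directory fsync that makes the rename durable is attempted but a permission denial on opening the directory (what the "Permission denied" line in the logs above reports, and what an AppArmor profile without read access on the state directory produces) is logged and tolerated instead of pushing the TPM into failure mode. `store_state`, `sync_dir_best_effort` and `demo` are this example's own names; the file name tpm2-00.permall mirrors swtpm's permanent-state file and the payload is a constructed blob.

```python
"""Durable TPM state write with a best-effort directory fsync."""
import errno
import logging
import os
import stat
import tempfile

log = logging.getLogger("nvstore")

# errnos that mean "the environment forbids the sync", not "data was lost"
SKIPPABLE = {errno.EACCES, errno.EPERM, errno.EINVAL, errno.EROFS, errno.ENOTSUP}
IS_ROOT = os.geteuid() == 0   # root bypasses the mode bits used by demo(denied=True)


def sync_dir_best_effort(dirpath: str) -> str:
    """fsync a directory; returns 'synced', or 'skipped' when forbidden by the environment."""
    try:
        fd = os.open(dirpath, os.O_RDONLY | os.O_DIRECTORY)
    except OSError as e:
        if e.errno in SKIPPABLE:
            log.warning("opening %s for fsync failed, %s. Check AppArmor profile.",
                        dirpath, e.strerror)
            return "skipped"
        raise
    try:
        os.fsync(fd)
    except OSError as e:
        if e.errno in SKIPPABLE:
            log.warning("syncing %s failed, %s. Check AppArmor profile.", dirpath, e.strerror)
            return "skipped"
        raise
    finally:
        os.close(fd)
    return "synced"


def store_state(dirpath: str, name: str, data: bytes) -> str:
    """Atomically replace dirpath/name with data; returns the directory sync result."""
    final = os.path.join(dirpath, name)
    tmp = final + ".tmp"
    # 0600: TPM state holds secrets (seeds, NV contents), so keep it owner-only.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())   # the file contents are never best-effort
    except BaseException:
        os.unlink(tmp)
        raise
    os.rename(tmp, final)          # atomic replacement on POSIX
    return sync_dir_best_effort(dirpath)


def demo(denied: bool = False) -> tuple:
    """Write and read back state in a fresh temp dir: (sync result, data intact).

    With denied=True the directory gets mode 0300 (no read bit) to mimic the
    EACCES an AppArmor denial produced; this has no effect when running as root.
    """
    d = tempfile.mkdtemp(prefix="swtpm-demo-")
    payload = b"\x80\x01" + b"constructed-tpm2-state-blob"
    try:
        if denied:
            os.chmod(d, stat.S_IWUSR | stat.S_IXUSR)
        result = store_state(d, "tpm2-00.permall", payload)
        with open(os.path.join(d, "tpm2-00.permall"), "rb") as f:
            intact = f.read() == payload
        return result, intact
    finally:
        os.chmod(d, 0o700)
        for n in os.listdir(d):
            os.unlink(os.path.join(d, n))
        os.rmdir(d)


if __name__ == "__main__":
    print("normal:", demo())
    print("denied:", demo(denied=True))
```

The trade-off is explicit: when the directory cannot be synced, what is lost is only the guarantee that the rename survives a power cut in the next instant; the state bytes themselves were fsync'ed before the rename, and the warning still lands in the swtpm log so the AppArmor profile can be fixed rather than the failure being invisible. The pre-fix behaviour, treating the denied open as fatal, is the "Entering failure mode" path shown in the logs above.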

JooJooBee666 commented 3 years ago

Hmm, still not working here. Switched to master, updated repo, rebuilt and reinstalled. VM boots but the TPM device is not functional. Log shows:

SWTPM_NVRAM_StoreData: Error (fatal) opening /var/lib/libvirt/swtpm/e92f8c63-16b1-4390-8576-12101b39130c/tpm2 for fsync failed, Permission denied
libtpms/tpm2: Entering failure mode; code: 3, location: ExecuteCommand line 308
libtpms/tpm2: TPM2_Process: Entered failure mode through command:
80 01 00 00 00 0c 00 00 01 44 00 00

Reverting back to 0.6.2 for now, all working fine again.

odror commented 3 years ago

My version has

            logprintf(STDERR_FILENO,
                      "SWTPM_NVRAM_StoreData: Error syncing file, %s. Check AppArmor profile.\n",
                      strerror(errno));

but I am still getting the fsync error.

stefanberger commented 3 years ago

@odror Can you try the version on the stefanberger/fsync_best_effort branch, please.

odror commented 3 years ago

https://github.com/stefanberger/fsync_best_effort is not accessible I get 404 web error

stefanberger commented 3 years ago

That's the name of the branch. Do:

git fetch --all
git checkout origin/stefanberger/fsync_best_effort -b stefanberger/fsync_best_effort
make
sudo make install

To get back to master, do:

git checkout master

odror commented 3 years ago

It is working now. I have Windows 11 beta working in KVM on Ubuntu 21.04 with swtpm. It passed the W11 requirements. I had to use the fsync_best_effort branch.

stefanberger commented 3 years ago

Thanks for testing. I merged this now.

ifnkhan commented 3 years ago

In Windows 11, functionality-wise there are no issues with the swtpm security processor. But under "Security processor troubleshooting" there is an error message reported: "Can't get TPM information. Contact your device manufacturer".

Any idea how to debug this from within the Windows 11 OS?