swtpm: error while loading shared libraries: libtpms.so.0

[paul-ororke]

Hi there,

I wonder, where does /usr/bin/swtpm look for libtpms.so.0? I have it installed in /usr/local/lib/libtpms.so.0 with simlinks to it in /usr/lib64/, /usr/local/lib, and /usr/local/lib64/ on Ubuntu 20.04

On guest start I get /usr/bin swtpm: error while loading shared libraries: libtpms.so.0: cannot open shared object file: No such file or directory

It seems to creating the certificates. In /var/log/swtpm/libvirt/qemu/win11p-x64-swtpm.log I see:

Starting vTPM manufacturing as <unknown>:<unknown> @ Fri 29 Oct 2021 03:21:45 PM PDT
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/bin/swtpm_localca --type ek --ek d1baafc9db7031e3cc88e2f1ee5eb212beb70fa8da63702760eb36d1d885f45634307e5da6290f2cafb651cd8a0e670ac028a7d8bd10d4dcfde6f94de7d8dad5b5714a065c09441e298fb684b9af849e2d2e5a6b9ee75f942f8d7a7caced02c1bd48b933815df9df9f955f2a5a2714f431e3baad89b4f832ec6292fd3d705b07b0212d275637b52fb680271c6f5304ad5b47bbe072fda013054c1b60deeb964a32b11a61b88b180fdedd2d23298f401419dfc22a503154fc5b2b403c3d59bc5329e4a76f169c1e14cc3b242b4c54199ebbfffec8003df02e318649293238a3a89fd9aa5971c891e990b1b6698fff87b306eb58ad6715406f430aeed1183d8e8f --dir /tmp/swtpm_setup.certs.I4YXB1 --logfile /var/log/swtpm/libvirt/qemu/win11p-x64-swtpm.log --vmid win11p-x64:de36c8fe-810b-461e-b8ff-433f3a97cae6 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
  Invoking /usr/bin/swtpm_localca --type platform --ek d1baafc9db7031e3cc88e2f1ee5eb212beb70fa8da63702760eb36d1d885f45634307e5da6290f2cafb651cd8a0e670ac028a7d8bd10d4dcfde6f94de7d8dad5b5714a065c09441e298fb684b9af849e2d2e5a6b9ee75f942f8d7a7caced02c1bd48b933815df9df9f955f2a5a2714f431e3baad89b4f832ec6292fd3d705b07b0212d275637b52fb680271c6f5304ad5b47bbe072fda013054c1b60deeb964a32b11a61b88b180fdedd2d23298f401419dfc22a503154fc5b2b403c3d59bc5329e4a76f169c1e14cc3b242b4c54199ebbfffec8003df02e318649293238a3a89fd9aa5971c891e990b1b6698fff87b306eb58ad6715406f430aeed1183d8e8f --dir /tmp/swtpm_setup.certs.I4YXB1 --logfile /var/log/swtpm/libvirt/qemu/win11p-x64-swtpm.log --vmid win11p-x64:de36c8fe-810b-461e-b8ff-433f3a97cae6 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created platform certificate locally.
Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
Successfully created NVRAM area 0x1c08000 for platform certificate.
Successfully created ECC EK with handle 0x81010016.
  Invoking /usr/bin/swtpm_localca --type ek --ek x=591eb62aa90ba4cd843caba14b77cfff7296c44337b439d8a41f6917b97069f584af5d88a7e996bf31edeafe97725755,y=1653ab77839ca5341501ff85bc1dc59e9428244f07eca5dbb4899c09e90cc24ef2efa64c036e95b19e183fd589a6d97b,id=secp384r1 --dir /tmp/swtpm_setup.certs.I4YXB1 --logfile /var/log/swtpm/libvirt/qemu/win11p-x64-swtpm.log --vmid win11p-x64:de36c8fe-810b-461e-b8ff-433f3a97cae6 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Fri 29 Oct 2021 03:21:45 PM PDT

then balks on loading libtpms.so.0

Any suggestions?

[stefanberger]

Do something like this starting out with swtpm:

$ ldd /usr/bin/swtpm
    linux-vdso.so.1 (0x00007ffec37c1000)
    libasan.so.6 => /lib64/libasan.so.6 (0x00007f50d765c000)
    libswtpm_libtpms.so.0 => /usr/lib64/swtpm/libswtpm_libtpms.so.0 (0x00007f50d75d4000)
    libglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x00007f50d749a000)
    libtpms.so.0 => /lib64/libtpms.so.0 (0x00007f50d7355000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f50d7067000)
    libubsan.so.1 => /lib64/libubsan.so.1 (0x00007f50d66f7000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f50d66d4000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f50d6505000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f50d64fe000)
    librt.so.1 => /lib64/librt.so.1 (0x00007f50d64f3000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f50d62d4000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f50d6190000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f50d6173000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f50d60fb000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f50d60e1000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f50d8043000)

Here you already see it: libtpms.so.0 => /lib64/libtpms.so.0 (0x00007f50d7355000)

If you don't see it yet, follow libtswtpm_libtpms.so:

$ ldd /usr/lib64/swtpm/libswtpm_libtpms.so.0
    linux-vdso.so.1 (0x00007ffd6a360000)
    libtpms.so.0 => /lib64/libtpms.so.0 (0x00007f72eac21000)
    libglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x00007f72eaae7000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f72ea7f9000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f72ea7d8000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f72ea609000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f72ea591000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f72ea575000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f72ea56e000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f72eae04000)

Here it is again: libtpms.so.0 => /lib64/libtpms.so.0 (0x00007f50d7355000)

[paul-ororke]

Thank you, I appreciate the help.

This is what I get:

$ ldd /usr/bin/swtpm
        linux-vdso.so.1 (0x00007ffc879ce000)
        libswtpm_libtpms.so.0 => /usr/lib/swtpm/libswtpm_libtpms.so.0 (0x00007f9a89c2f000)
        libfuse.so.2 => /lib/x86_64-linux-gnu/libfuse.so.2 (0x00007f9a89be4000)
        libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007f9a89abb000)
        libtpms.so.0 => /usr/local/lib/libtpms.so.0 (0x00007f9a8999f000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9a8997c000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9a8978a000)
        libseccomp.so.2 => /lib/x86_64-linux-gnu/libseccomp.so.2 (0x00007f9a89766000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f9a89490000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9a8948a000)
        libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f9a89417000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9a89c5b000)

so I tried:

~$ ldd /usr/local/lib/libtpms.so.0
        linux-vdso.so.1 (0x00007fff699c2000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fe028347000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe028155000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe02814f000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe02812c000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe028747000)

I took a look at

~$ ldd /lib64/libtpms.so.0
        linux-vdso.so.1 (0x00007ffe91f8b000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0cf4ac7000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0cf48d5000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f0cf48cf000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f0cf48ac000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f0cf4ec7000)

and ibtpms.so is not to be seen.

Everything seems to be pointing to libtpms.so.0.10.0

:/usr/local/lib$ ls -lh
total 16M
-rw-r--r-- 1 root root   11M Oct 29 13:27 libtpms.a
-rwxr-xr-x 1 root root   944 Oct 29 13:27 libtpms.la
lrwxrwxrwx 1 root root    17 Oct 29 13:27 libtpms.so -> libtpms.so.0.10.0
lrwxrwxrwx 1 root root    10 Oct 29 16:48 libtpms.so.0 -> libtpms.so
-rwxr-xr-x 1 root root  5.1M Oct 29 13:27 libtpms.so.0.10.0
drwxr-xr-x 2 root root  4.0K Oct 29 13:27 pkgconfig
drwxrwsr-x 3 root staff 4.0K Jul 31  2020 python3.8

But it looks like I am missing something?

Thanks again,

Paul

[stefanberger]

Do which swtpm to check which swtpm it's picking up. Do you have one in /usr/local/bin/swtpm that has a linking issue? Or call it explicitly using /usr/bin/swtpm socket --help or /usr/local/bin/swtpm socket --help.

[paul-ororke]

Thanks Stefan,

I stepped away from this over the weekend. Looking at it again now and I see:

$ which swtpm
/usr/bin/swtpm

/usr/local/bin/ is empty.

Or call it explicitly using /usr/bin/swtpm socket --help

Please forgive my ignorance, I am not sure what to do with this. Should I be editing the XML config file for the guest with this so it starts differently to how it is via the virt-manager create functionality?

I have been using virt-manager to create guests and get these errors when "starting the install".

Is there a compelling reason to manually create the XML files and avoid virt-manager?

Thanks for the help, I will confess, I am a generalist, I need to know enough about a lot of things to be dangerous, and I am an expert in none of them.

please and thanks for the guidance.

Paul

[stefanberger]

I am also a bit confused. Above you are showing a perfectly fine run of swtpm_setup:

Starting vTPM manufacturing as <unknown>:<unknown> @ Fri 29 Oct 2021 03:21:45 PM PDT
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/bin/swtpm_localca --type ek --ek d1baafc9db7031e3cc88e2f1ee5eb212beb70fa8da63702760eb36d1d885f45634307e5da6290f2cafb651cd8a0e670ac028a7d8bd10d4dcfde6f94de7d8dad5b5714a065c09441e298fb684b9af849e2d2e5a6b9ee75f942f8d7a7caced02c1bd48b933815df9df9f955f2a5a2714f431e3baad89b4f832ec6292fd3d705b07b0212d275637b52fb680271c6f5304ad5b47bbe072fda013054c1b60deeb964a32b11a61b88b180fdedd2d23298f401419dfc22a503154fc5b2b403c3d59bc5329e4a76f169c1e14cc3b242b4c54199ebbfffec8003df02e318649293238a3a89fd9aa5971c891e990b1b6698fff87b306eb58ad6715406f430aeed1183d8e8f --dir /tmp/swtpm_setup.certs.I4YXB1 --logfile /var/log/swtpm/libvirt/qemu/win11p-x64-swtpm.log --vmid win11p-x64:de36c8fe-810b-461e-b8ff-433f3a97cae6 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created EK certificate locally.
  Invoking /usr/bin/swtpm_localca --type platform --ek d1baafc9db7031e3cc88e2f1ee5eb212beb70fa8da63702760eb36d1d885f45634307e5da6290f2cafb651cd8a0e670ac028a7d8bd10d4dcfde6f94de7d8dad5b5714a065c09441e298fb684b9af849e2d2e5a6b9ee75f942f8d7a7caced02c1bd48b933815df9df9f955f2a5a2714f431e3baad89b4f832ec6292fd3d705b07b0212d275637b52fb680271c6f5304ad5b47bbe072fda013054c1b60deeb964a32b11a61b88b180fdedd2d23298f401419dfc22a503154fc5b2b403c3d59bc5329e4a76f169c1e14cc3b242b4c54199ebbfffec8003df02e318649293238a3a89fd9aa5971c891e990b1b6698fff87b306eb58ad6715406f430aeed1183d8e8f --dir /tmp/swtpm_setup.certs.I4YXB1 --logfile /var/log/swtpm/libvirt/qemu/win11p-x64-swtpm.log --vmid win11p-x64:de36c8fe-810b-461e-b8ff-433f3a97cae6 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Successfully created platform certificate locally.
Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
Successfully created NVRAM area 0x1c08000 for platform certificate.
[...]

swtpm_setup run swtpm, so why would there be any problem with swtpm if this succeeded here?

What does swtpm --version show? Under what circumstances does it show that error?

What does ldd /usr/lib/swtpm/libswtpm_libtpms.so.0 show?

[nicowilliams]

I've seen this also. IIRC the RPATH is not getting set. This is only noticeable when using ./configure --prefix=... with a prefix other than /usr.

[paul-ororke]

as root

# swtpm --version
TPM emulator version 0.7.0, Copyright (c) 2014-2021 IBM Corp.

and

# ldd /usr/lib/swtpm/libswtpm_libtpms.so.0
        linux-vdso.so.1 (0x00007ffe67d3a000)
        libtpms.so.0 => /usr/local/lib/libtpms.so.0 (0x00007f22cdbe8000)
        libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007f22cdabf000)
        libseccomp.so.2 => /lib/x86_64-linux-gnu/libseccomp.so.2 (0x00007f22cda9d000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f22cd7c7000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f22cd5d5000)
        libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f22cd562000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f22cd53d000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f22cd537000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f22cdd2b000)

Maybe I didn't do the build correctly.

Last week I was getting signature isues with your PPA for Ubuntu using

**add-apt-repository ppa:smoser/swtpm**

Today it is working. Perhaps I should start again with the repo versions?

[paul-ororke]

I've seen this also. IIRC the RPATH is not getting set. This is only noticeable when using ./configure --prefix=... with a prefix other than /usr.

I did this. Yes!

[stefanberger]

add-apt-repository ppa:smoser/swtpm

That's not my ppa. My ppa is here: https://launchpad.net/~stefanberger

[paul-ororke]

Bingo!

I just installed from the correct repos and everything "just works". I am currently installing my first Windows 11 guest on libvirt.

Thank you for your patience - not to mention your excellent work on making that available.

Paul

[stefanberger]

Ok, I let you close the issue then.

[paul-ororke]

Problem solved. Thank you for your patience.