Static builds of libtpms
v0.7.7 and swtpm
v0.5.2 for Debian Bullseye.
- libtpms:
--prefix=/usr --enable-static --with-tpm2 --with-openssl
- swtpm:
--prefix=/usr --enable-static --with-seccomp
/usr
prefix is neccessary so that everything works with the bundled AppArmor profile: /etc/apparmor.d/abstractions/libvirt-qemu
.
apt install virt-manager
does not provide a functioning TPM2 out of the box. This repository rectifies the issue.
- Save yourself time and download pre-compiled binaries from the Releases section.
make install
both.- Install the Python modules system-wide:
./swtpm-0.5.2/src/swtpm_setup/
./swtpm-0.5.2/samples/
If you stumble upon "permission denied" errors - enable log level 3+ in /etc/libvirt/libvirtd.conf
and trace where it fails.
On the host running pre-release version of the Bullseye:
- Linux 5.10.26-1
- virt-manager 3.2.0-3
- libvirt0 7.0.0-3
Querying TPM from inside the VM:
$ tpm2_pcrread | head -12
sha1:
0 : 0xBF2BA644D7415ED4A24C50B2A795BA58DCE9FA32
1 : 0x4FCBBCA9EC6A78AD7510516E445A7E6BEE3B020D
2 : 0xE68C21DC48C4EA61626A5D309CD3A3518F5D9EAA
3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
4 : 0x42E626C470E1E0DF350EDFB42268A270FB8E4AF7
5 : 0xEC36E74A3ACF557CE8CAE2DE373731C6153A7F39
6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
7 : 0x518BD167271FBB64589C61E43D8C0165861431D8
8 : 0xCEBC47EEB27FD591D7B1D18B03754194FAA56866
9 : 0xE31C7D6093B9903E2EA04434AE6F28972ECB4D7B
10: 0x0000000000000000000000000000000000000000
- Double-check PCRs behaviour on your particular system.
- You might want to bind PCR8 instead of PCR6 (have a read).
- Therefore,
clevis luks bind -d /dev/vda3 tpm2 '{"pcr_ids":"0,1,2,3,5,7,8,9"}'
. - Don't even try to seal against >8 PCRs.