Description
Describe the bug
In libvirt.org, for tpm profile it says:
"swtpm_setup will search for a profile with the given name with appended .json suffix in a configurable local and then in a distro directory. If none could be found in either, it will fall back trying to use a built-in one."
https://libvirt.org/formatdomain.html#tpm-device
But per my test, it didn't fall back to use a built-in profile when no $name.json is found.
Required: To Reproduce (without these steps your issue may be deleted)
- Prepare a VM with a vTPM and two test.json files, one in the local dir and one in the distro dir:
<tpm model="tpm-crb">
<backend type="emulator" version="2.0">
<profile source="test"/>
</backend>
</tpm>
# cat /etc/swtpm/profiles/test.json
{
"Name": "custom:mytest",
"Algorithms":"rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,ecc-sm2-p256,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb"
}
# cat /usr/share/swtpm/profiles/test.json
{
"Name": "custom:indistro",
"Algorithms":"rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,ecc-sm2-p256,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb"
}
- Start the VM and check that it uses the profile in the local dir first (name="custom:mytest"). As expected.
# virsh start fc40
Domain 'fc40' started
<tpm model="tpm-crb">
<backend type="emulator" version="2.0">
<profile source="test" name="custom:mytest"/>
</backend>
<alias name="tpm0"/>
</tpm>
The swtpm_setup options used, from the virtqemud (libvirtd) log:
2025-04-22 10:00:32.941+0000: 302871: debug : virCommandRunAsync:2653 : About to run /usr/bin/swtpm_setup --tpm2 --tpm-state /var/lib/libvirt/swtpm/4aaa52f0-b897-4fd0-bdc7-871a978d9fa6/tpm2 --vmid fc40:4aaa52f0-b897-4fd0-bdc7-871a978d9fa6 --logfile /var/log/swtpm/libvirt/qemu/fc40-swtpm.log --createek --create-ek-cert --create-platform-cert --lock-nvram --not-overwrite --profile-name test
- Hide the local profile, redefine and start the VM; it uses the distro one (name="custom:indistro"). As expected.
# mv /etc/swtpm/profiles/test.json /etc/swtpm/profiles/hidetest.json
(virsh destroy fc40; virsh undefine fc40 --nvram; virsh define fc40-autosearch.xml)
# virsh start fc40
Domain 'fc40' started
# virsh dumpxml fc40 --xpath //tpm
<tpm model="tpm-crb">
<backend type="emulator" version="2.0">
<profile source="test" name="custom:indistro"/>
</backend>
<alias name="tpm0"/>
</tpm>
- Hide the distro one too; it reports an error instead of using a built-in profile (default? null? custom?).
# mv /usr/share/swtpm/profiles/test.json /usr/share/swtpm/profiles/hidetest.json
(virsh destroy fc40; virsh undefine fc40 --nvram; virsh define fc40-autosearch.xml)
# virsh start fc40
error: Failed to start domain 'fc40'
error: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/fc40-swtpm.log' for details.
# cat /var/log/swtpm/libvirt/qemu/fc40-swtpm.log
swtpm does not support a profile with name 'test'
Expected behavior
Use a built-in profile (default/null/custom) as libvirt.org describes, or modify the sentences on libvirt.org.
Or did I misunderstand something?
Desktop (please complete the following information):
- OS: Fedora
- Version: Rawhide-20250411.n.0
Versions of relevant components
- swtpm: 0.10.0-11.fc43.x86_64
- libtpms: 0.10.0-3.fc42.x86_64
- openssl: 3.5.0-2.fc43.x86_64
- gnutls: 3.8.9-5.fc43.x86_64
- libvirt: 11.2.0-1.fc43.x86_64
- qemu-kvm: 9.2.2-2.fc43.x86_64
Log files
# cat /var/log/swtpm/libvirt/qemu/fc40-swtpm.log
swtpm does not support a profile with name 'test'
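The following is an added illustration, not code from swtpm or libvirt, that models the search order the libvirt documentation describes (local directory, then distro directory, then built-in) and replays the three steps of the report against a scratch directory tree. The built-in names `default`, `null` and `custom` are placeholders taken from the report's own wording, not from swtpm's source. The model makes one reading of the documented sentence concrete: a fall-back to a built-in profile can only succeed when the requested name is itself a built-in name, so a name like `test` that exists only as a file has nothing to fall back to once both files are hidden.

```python
import json
import os
import tempfile

# Placeholder built-in profile names. The report mentions "default/null/custom";
# the exact names swtpm ships are an assumption here, not taken from its source.
BUILTIN_PROFILES = {"default", "null", "custom"}


def write_profile(directory, source_name, profile_name):
    """Write a minimal <source_name>.json profile file (constructed sample)."""
    path = os.path.join(directory, source_name + ".json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"Name": profile_name}, fh)
    return path


def resolve_profile(name, local_dir, distro_dir, builtin=BUILTIN_PROFILES):
    """Resolve a profile in the order libvirt's documentation describes:
    local dir, then distro dir, then a built-in profile of the same name.

    Returns (source, profile_name); raises LookupError when nothing matches,
    which mirrors the message the report saw in the swtpm log for 'test'.
    """
    for source, directory in (("local", local_dir), ("distro", distro_dir)):
        path = os.path.join(directory, name + ".json")
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                return source, json.load(fh)["Name"]
    if name in builtin:
        return "builtin", name
    raise LookupError(f"swtpm does not support a profile with name '{name}'")


def walk_through():
    """Replay the report's steps in a scratch directory tree (constructed)."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "etc", "swtpm", "profiles")
        distro = os.path.join(tmp, "usr", "share", "swtpm", "profiles")
        os.makedirs(local)
        os.makedirs(distro)
        write_profile(local, "test", "custom:mytest")
        write_profile(distro, "test", "custom:indistro")

        # Step 1: both files present -> the local one wins.
        results.append(resolve_profile("test", local, distro))

        # Step 2: hide the local file -> the distro one is used.
        os.rename(os.path.join(local, "test.json"),
                  os.path.join(local, "hidetest.json"))
        results.append(resolve_profile("test", local, distro))

        # Step 3: hide the distro file too -> 'test' is not a built-in name,
        # so there is nothing left to fall back to and the lookup fails.
        os.rename(os.path.join(distro, "test.json"),
                  os.path.join(distro, "hidetest.json"))
        try:
            resolve_profile("test", local, distro)
        except LookupError as err:
            results.append(("error", str(err)))

        # A request for a built-in name still resolves with no file present.
        results.append(resolve_profile("null", local, distro))
    return results


if __name__ == "__main__":
    for source, value in walk_through():
        print(f"{source:8s} {value}")
```

Running the script prints one line per step; the first two match the `name=` attribute libvirt reported in the dumped XML, the third reproduces the error case, and the last shows the only situation in which the modelled built-in fall-back applies.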