vmspawn: try to set up swtpm state for 4K RSA keys support

The next version of swtpm will support RSA4096, but it needs to be called with a new parameter in order to do so. Try with it first, and if execution fails, fallback to running without it. This is especially needed for OBS builds, as the signing key is RSA4096 and cannot be changed by users, so the generated UKIs have RSA4096 signatures for the pcrsig sections, and swtpm refuses them without the new support.
2025-10-06 00:13:24 +02:00 · 2025-09-26 23:54:02 +01:00
parent fb10ffc4f4
commit dbcbe4aa04
1 changed files with 25 additions and 1 deletions
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -1183,7 +1183,15 @@ static int start_tpm(
        if (r < 0)
                return log_error_errno(r, "Failed to find swtpm_setup binary: %m");

-        _cleanup_strv_free_ char **argv = strv_new(swtpm_setup, "--tpm-state", state_dir, "--tpm2", "--pcr-banks", "sha256", "--not-overwrite");
+        /* Try passing --profile-name default-v2 first, in order to support RSA4096 pcrsig keys, which was
+         * added in 0.11. */
+        _cleanup_strv_free_ char **argv = strv_new(
+                        swtpm_setup,
+                        "--tpm-state", state_dir,
+                        "--tpm2",
+                        "--pcr-banks", "sha256",
+                        "--not-overwrite",
+                        "--profile-name", "default-v2");
        if (!argv)
                return log_oom();

@@ -1194,6 +1202,22 @@ static int start_tpm(
                log_error_errno(errno, "Failed to execute '%s': %m", argv[0]);
                _exit(EXIT_FAILURE);
        }
+        if (r == -EPROTO) {
+                /* If swtpm_setup fails, try again removing the default-v2 profile, as it might be an older
+                 * version. */
+                strv_remove(argv, "--profile-name");
+                strv_remove(argv, "default-v2");
+
+                r = safe_fork("(swtpm-setup)", FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_WAIT, NULL);
+                if (r == 0) {
+                        /* Child */
+                        execvp(argv[0], argv);
+                        log_error_errno(errno, "Failed to execute '%s': %m", argv[0]);
+                        _exit(EXIT_FAILURE);
+                }
+        }
+        if (r < 0)
+                return log_error_errno(r, "Failed to run swtpm_setup: %m");

        strv_free(argv);
        argv = strv_new(sd_socket_activate, "--listen", listen_address, swtpm, "socket", "--tpm2", "--tpmstate");