From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Fri, 26 Sep 2025 22:54:02 +0000 (+0100)
Subject: vmspawn: try to set up swtpm state for 4K RSA keys support
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dbcbe4aa0488ce130d574ef1a6d457045eac0bbb;p=thirdparty%2Fsystemd.git

vmspawn: try to set up swtpm state for 4K RSA keys support

The next version of swtpm will support RSA4096, but it needs to be called
with a new parameter in order to do so. Try with it first, and if
execution fails, fallback to running without it.

This is especially needed for OBS builds, as the signing key is RSA4096
and cannot be changed by users, so the generated UKIs have RSA4096 signatures
for the pcrsig sections, and swtpm refuses them without the new support.
---

diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
index fb2580bf13a..6ea203752ec 100644
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -1183,7 +1183,15 @@ static int start_tpm(
         if (r < 0)
                 return log_error_errno(r, "Failed to find swtpm_setup binary: %m");
 
-        _cleanup_strv_free_ char **argv = strv_new(swtpm_setup, "--tpm-state", state_dir, "--tpm2", "--pcr-banks", "sha256", "--not-overwrite");
+        /* Try passing --profile-name default-v2 first, in order to support RSA4096 pcrsig keys, which was
+         * added in 0.11. */
+        _cleanup_strv_free_ char **argv = strv_new(
+                        swtpm_setup,
+                        "--tpm-state", state_dir,
+                        "--tpm2",
+                        "--pcr-banks", "sha256",
+                        "--not-overwrite",
+                        "--profile-name", "default-v2");
         if (!argv)
                 return log_oom();
 
@@ -1194,6 +1202,22 @@ static int start_tpm(
                 log_error_errno(errno, "Failed to execute '%s': %m", argv[0]);
                 _exit(EXIT_FAILURE);
         }
+        if (r == -EPROTO) {
+                /* If swtpm_setup fails, try again removing the default-v2 profile, as it might be an older
+                 * version. */
+                strv_remove(argv, "--profile-name");
+                strv_remove(argv, "default-v2");
+
+                r = safe_fork("(swtpm-setup)", FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_WAIT, NULL);
+                if (r == 0) {
+                        /* Child */
+                        execvp(argv[0], argv);
+                        log_error_errno(errno, "Failed to execute '%s': %m", argv[0]);
+                        _exit(EXIT_FAILURE);
+                }
+        }
+        if (r < 0)
+                return log_error_errno(r, "Failed to run swtpm_setup: %m");
 
         strv_free(argv);
         argv = strv_new(sd_socket_activate, "--listen", listen_address, swtpm, "socket", "--tpm2", "--tpmstate");