Libvirt's swtpm configuration

Stefan Berger edited this page Sep 9, 2020 · 2 revisions

Libvirt is configured to use the tss:tss user and group for running swtpm_setup and swtpm.

If the tss:tss user and group do not exist on your system, you may want to create them, or similar ones, using the following commands:

getent group tss || sudo groupadd tss
getent passwd tss || sudo useradd -g tss tss

The directory and file permissions for the local CA should be set like this:

#> ls -l /var/lib/ | grep swtpm-localca
drwxr-x---.  2 tss     root    4096 Sep  2 08:00 swtpm-localca
#> sudo ls -l /var/lib/swtpm-localca
total 28
-rw-r--r--. 1 tss root    1 Sep  2 08:00 certserial
-rw-r--r--. 1 tss root 1505 Sep  2 08:00 issuercert.pem
-rw-r-----. 1 tss root 8177 Sep  2 08:00 signkey.pem
-rw-r--r--. 1 tss root 1468 Sep  2 08:00 swtpm-localca-rootca-cert.pem
-rw-r-----. 1 tss root 8177 Sep  2 08:00 swtpm-localca-rootca-privkey.pem

If necessary, you may want to adjust the directory and file ownership and permissions of the local CA by running the following commands. Make sure the private key files signkey.pem and swtpm-localca-rootca-privkey.pem are not accessible to everyone.

sudo chown -R tss:root /var/lib/swtpm-localca/
sudo chmod 600 /var/lib/swtpm-localca/*
sudo chmod 644 /var/lib/swtpm-localca/certserial /var/lib/swtpm-localca/issuercert.pem /var/lib/swtpm-localca/swtpm-localca-rootca-cert.pem
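A small audit script for the layout above, added here as an example and not part of swtpm or libvirt: it checks that the local CA directory is owned by the swtpm user, that neither the directory nor the two private key files grant any access to "other", and that the private keys are not group-writable. It assumes GNU coreutils stat; the function name and the expected-owner argument are of my own choosing.

```shell
#!/bin/sh
# Hypothetical permission check for the swtpm local CA directory (not from
# the swtpm or libvirt projects). Assumes GNU coreutils `stat -c`.
#
# Usage: check_localca_perms DIR EXPECTED_OWNER
# Prints every problem found; returns 0 when all checks pass, 1 otherwise.
check_localca_perms() {
    dir=$1
    owner=$2
    rc=0

    # The directory itself: owned by the swtpm user, no bits for "other"
    # (the page shows drwxr-x--- tss:root, i.e. mode 750).
    mode=$(stat -c '%a' "$dir") || return 1
    dir_owner=$(stat -c '%U' "$dir")
    [ "$dir_owner" = "$owner" ] || { echo "BAD: $dir owned by $dir_owner, expected $owner"; rc=1; }
    [ $((mode % 10)) -eq 0 ] || { echo "BAD: $dir mode $mode grants access to others"; rc=1; }

    # Private keys: the last octal digit ("other") must be 0 and the group
    # digit must not carry the write bit (2); 600 and 640 both pass.
    for key in signkey.pem swtpm-localca-rootca-privkey.pem; do
        f="$dir/$key"
        [ -f "$f" ] || { echo "BAD: $f missing"; rc=1; continue; }
        kmode=$(stat -c '%a' "$f")
        kowner=$(stat -c '%U' "$f")
        [ "$kowner" = "$owner" ] || { echo "BAD: $f owned by $kowner, expected $owner"; rc=1; }
        [ $((kmode % 10)) -eq 0 ] || { echo "BAD: $f mode $kmode readable by others"; rc=1; }
        [ $(( (kmode / 10 % 10) & 2 )) -eq 0 ] || { echo "BAD: $f mode $kmode group-writable"; rc=1; }
    done
    return $rc
}
```

Run it as `check_localca_perms /var/lib/swtpm-localca tss` (with sudo, since the directory is not world-readable); a non-zero exit means at least one line was printed describing what to fix.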

The libvirt configuration file /etc/libvirt/qemu.conf can be adjusted to set the user and group under which swtpm_setup and swtpm are run:

[...]
# User for the swtpm TPM Emulator
#
# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
# and uses
#
# swtpm_user = "tss"
# swtpm_group = "tss"
[...]

Since swtpm 0.4.0, swtpm_setup no longer uses the TCSD for setting up a TPM 1.2. Therefore, as long as the file ownership and permissions of the local CA (see above) are set appropriately, any user and group can be used for swtpm_user and swtpm_group. An example would be qemu:qemu. swtpm_user should NEVER be set to root.