#1132183 mkosi: 'mkosi vm' unusable due to swtpm apparmor policy

Package:
swtpm
Source:
swtpm
Description:
Libtpms-based TPM emulator
Submitter:
Simon Pilkington
Date:
2026-05-13 02:49:04 UTC
Severity:
normal
Tags:
#1132183#5
Date:
2026-03-29 07:36:41 UTC
Attempting to use 'mkosi vm' to start an OS image in a virtual machine fails at
the TPM setup step due to the policy in /etc/apparmor.d/usr.bin.swtpm from the
swtpm package, which allows swtpm to run only in a small subset of directories.
mkosi attempts to set up in /work/tmp, which is not included, leading to:

swtpm: SWTPM_NVRAM_StoreData: Error (fatal) opening /work/tmp/mkosi-swtpm-cgx_pynd/TMP2-00.permall for write failed, Permission denied
swtpm: SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied
Could not receive response to CMD_GET_INFO from swtpm: Connection reset by peer
Could not get active profile.
An error occurred. Authoring the TPM state failed.
Error getting next filename: Connection reset by peer
‣ "swtpm_setup --tpm-state /work/tmp/mkosi-swtpm-cgx_pynd --tpm2 --pcr-banks sha256 --config /dev/null --profile-name=custom --profile-remove-disabled=check" returned non-zero exit code 1.

Regards,
Simon