Attempting to use 'mkosi vm' to start an OS image in a virtual machine fails at the TPM setup step due to the policy in /etc/apparmor.d/usr.bin.swtpm from the swtpm package, which allows swtpm to run only in a small subset of directories. mkosi attempts to set up in /work/tmp, which is not included, leading to:

swtpm: SWTPM_NVRAM_StoreData: Error (fatal) opening /work/tmp/mkosi-swtpm-cgx_pynd/TMP2-00.permall for write failed, Permission denied
swtpm: SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied
Could not receive response to CMD_GET_INFO from swtpm: Connection reset by peer
Could not get active profile.
An error occurred. Authoring the TPM state failed.
Error getting next filename: Connection reset by peer
‣ "swtpm_setup --tpm-state /work/tmp/mkosi-swtpm-cgx_pynd --tpm2 --pcr-banks sha256 --config /dev/null --profile-name=custom --profile-remove-disabled=check" returned non-zero exit code 1.

Regards,
Simon