How do I run my Windows dual-boot drive in a virtual box?
I have two NVME boot drives, one with Bazzite and one with Windows. My goal with this question is to boot into Bazzite natively, and then run my actual Windows drive within a virtual box so that I don't have to reboot to use Excel.
I intend to keep the Windows drive fully intact and bootable, and for changes in the virtual box to reflect when I boot into Windows. If virtualization is pretending that Windows is installed, then I want to pretend to pretend that Windows is installed.
While I've been made aware that yes this is possible, I am a little lost setting it up and have had a hard time finding information catered to the Atomic platform let alone Bazzite. Any help would be greatly appreciated.
Thus far I have run
ujust setup-virtualization
and have selected all the options and rebooted, I can confirm virtualization is active, because the Virtual Machine Manager flatpak is able to connect to qemu:///system
@HikariKnight I've been told to tag you since you're the neighborhood friendly virtualization expert
1) Make sure IOMMU is available:
sudo dmesg | grep -e IOMMU
It will say something like "performance counters supported, detected AMD/Intel IOMMU"
sudo isn't working
for some reason???
did it ask you for password?
That terminal was idle for so long that sudo timed out but never re-asked for password so it would just auto-fail lol, I opened a new term and got this
perfect
so IOMMU is working
2) Install VFIO driver
Already did that
Perfect
3) Identify the NVME drive you want to passthrough
sudo lspci | grep -i nvme
Like my post says, ran
ujust setup-virtualization
and clicked on everything
Run
sudo lspci | grep -i nvme
and post it here
make sure to post the one here that has the Windows install
make ABSOLUTE sure its the windows install one
although it's unlikely it will even work if you accidentally choose the wrong one, but it's better safe than sorry
So what I've reached at this point is running
ls -l /dev/disk/by-id
and then plugging in the desired disk to the field for "Import existing OS", I get an error message that makes me believe that virt-manager might not have the necessary privileges
Basically we want to isolate the Windows NVMe drive from being loaded by the kernel
That's just import
you want a live windows install on a real disk
right?
Yeah
then it's absolutely best to get IOMMU working
and pass the NVMe drive through
this will also lead to best performance
unless you want to also access the NVMe drive in Linux, but I'm assuming not???
Right so is that something I do from virt-manager or do I use a cli for that
use cli for the coming steps
virt manager is for last
we first want to isolate the drive for passthrough
sudo find /sys/kernel/iommu_groups/
Can you post the output of this here?
it's lengthy
sorry command is wrong
Type
sudo find /sys/kernel/iommu_groups/
without the type
Also need the output of sudo lspci | grep -i nvme
there you go perfect
now also output of
sudo lspci | grep -i nvme
lspci is not installed on bazzite but I know the drive by id
what is the drive id?
specifically the IOMMU ID
not the mounted /dev/
that I don't know, I'm just saying I know the /dev/disk/by-id if that helps us find the IOMMU id
lspci should be on bazzite
you sure you're typing it correctly?
Naw problem was I ran it in my distrobox term and not my main window lul
lspci lists pci devices
yeah ik
oh lol
you'll probably get at least two id's
because you have two NVMe drives
you need to tell me which one is the windows NVMe
problem is that just lists the device manufacturer name and not a unique id
it does
all the way at the start
I'm going to need to get mount information for these because both windows and linux use the exact same model of nvme
but one has 3 parts and one has 4, that's how I tell them apart
we need to figure out which device is in which IOMMU group
if they're both in the same IOMMU group, passthrough ain't gonna work
but it looks like you're safe
sudo blkid
They are separate entries one is 5:0 and one is 1:0
this is the command you need
blkid has no output
you have to do
it's been a while for me sorry but it's
do
lspci -v
make sure you're not in distrobox
already did that, it doesn't provide any differentiating info except that one device is in group 14 and one in 15. I know the UUIDs from lsblk tho, is there anywhere that cross-references the IOMMU groups with actually unique information?
there you go, so we know they're separate groups at least
because other than the IOMMU groups, lspci does not provide unique identifying information for these drives
@Ygypt you can just check using file manager which is the bazzite install
dolphin or whatever it is in gnome again
Upon reboot, will these devices be put into the same groups
let alone the same IDs
@Ygypt do
sudo lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,UUID
and post output here
also sudo lspci -v
I've already identified the drive I need, its IOMMU is 5:0 in group 15, what's next
I want to try if it will work without binding it to the VFIO first
make sure device is not mounted at boot
Open
virt-manager
Manual install
Choose Windows 10/11 whatever you're using
Add memory and CPU
Don't touch storage at all
when you make the VM choose customize configuration before install
Then when you open the VM there will be a pop up to add hardware to the VM
Then Add PCI host device
select the Windows NVMe drive
Click "apply" and then begin installation.
It should just boot to Windows at that point
If this works then no extra setup required @Ygypt
Ok so, one, I just want to point out,
"Don't touch storage at all, when you make the VM choose customize configuration before install, then when you open the VM there will be a pop up to add hardware to the VM, then Add PCI host device, select the Windows NVMe drive"
this is all I needed to know as far as steps go, you shoulda told me this in the first place brother. More importantly, I can't actually create a machine even without storage, the error on the second image appears no matter what. Like I said before, I think virt-manager is having trouble connecting to the virtualization daemon
I believe this flatpak has permission issues
Would you recommend layering virt-manager
No
Are you sure you selected Add $USER to libvirt group?
and then rebooted?
Yup
in
ujust setup-virtualization
Reboot again just to be sure
Like I said in my post:
Thus far I have run ujust setup-virtualization and have selected all the options and rebooted
layering virt manager ain't gonna do anything since this is a file access issue
Can you type
sudo ls /var/log/libvirt/
that's unnecessary
does this even exist
It does
systemctl status virtlogd
There's an active daemon running
this has to do with the kvmfr module
you chose that option too?
this is for looking glass
virt-manager even recognizes that and automatically connected to qemu/kvm
like i said
looking glass is so you can gpu passthrough on the same screen
without attaching a screen directly to the passed through gpu
There were 3 options and I selected them all
3 options?
there should be 5
with uninstall options
or 6 even
are you sure you didn't uninstall?
lmao
two of them are just for disabling
yes
correct
there are 3 installation options
and i did them all
sudo restorecon -r /var/log/libvirt
try again
after
It still throws the error
@HikariKnight help
Let me do some digging. If I can find anything I'll continue helping. If not we're going to have to wait for Hikari
It's probably an SELinux thing
I found a similar issue already:
https://discord.com/channels/1072614816579063828/1326992075740155976
I'm just going to wait for hikari because I've spent the last hour for one meaningful step, which I do appreciate, but all that jumping around in the terminal was for information I already had on-hand
Sorry for that. I was under the assumption you needed to add the NVMe drive to the VFIO driver. It might still be needed, so the information is not entirely useless.
The issue here is likely SELinux as well as the other user (see: https://discord.com/channels/1072614816579063828/1326992075740155976) and I can't really help you with that. I have zero experience in messing with SELinux.
The issue you're having right now has nothing to do with booting your Windows drive directly, but a more general QEMU problem, so I've been led on a red herring.
Well no I did need these instructions so I appreciate that, but yeah right now my roadblock is the fact that virt-manager is refusing to create machines
Hikari also has more experience in passing through PCI devices, so if it doesn't work after this issue is resolved, he'll be able to help you a lot quicker than I can
ls-iommu --help
soooo much better
https://github.com/winapps-org/winapps/blob/main/docs/libvirt.md
this has information specifically regarding bazzite which is cool (yes my end goal is to also export the apps) I'll report back if this works
it suggests adding the user to the group
kvm
which ujust setup-virtualization does not do
This is such a much worse experience than just GPU passthrough if you have a 2nd gpu
And if I have a single GPU..?
what are your specs?
because in some cases you can pass the iGPU just fine
Your sentence is a little nebulous, are you suggesting it's easier or harder with a second gpu
easier, because you'll have full DirectDraw GPU acceleration
it's going to be a million times smoother
right on, well I only have one so that's out of the question
Your CPU has no integrated GPU?
no
okay that is out of the question
Well don't expect any hardware acceleration then
but the issue right now is that you can't create a VM at all
because of SELinux probably
can't hardware accelerate with a single gpu? does the vm need total control
We will just focus on the SSD and fixing the log as selinux messed that up
it's only going to be for ms office anyways, if I wanted graphics I'd just reboot into windows
We do not support single GPU passthrough because it's a pain in the ass that needs to be specifically tuned to your environment and system.
Plus it will kill your Linux login session and applications and once you return you get back to the login
Not worth us supporting
right on no biggie
@HikariKnight so easier to just dual boot at that point
right, like I said if I need any real performance I'll just reboot
Ok so if you're going to be using VM and rebooting to windows you will mess up your license for windows super quick, so much so you will be denied from fixing it
@Kyle Gospo wanna do the honors?
Reminder: no piracy discussions
See you in a week
Next one is permanent
NOTE: do not help Ygypt with using virtualization for his windows install
anyways @CheckYourFax did you look at our
ls-iommu
?
Yes. It's a million times better
thank you, the bash script (which i hated) was an inspiration for it
i wish i knew how to make the argument handling better though
so I didn't have to write (works with xyz) on many of them
I had a question: DO you NEED to add an NVMe to VFIO for it to be passed to the VM?
you can just pass the whole block device as a raw image and that will work fine as long as you don't have it mounted on the host ever when the VM is running
I suppose you could do it through a virtual SATA bus but I feel like that would be incredibly slow
Yes that makes sense. Otherwise it's instant corruption
install virtio driver, add dummy disk and set it to virtio to kickstart the driver
switch to virtio block bus or virtio-scsi
then remove dummy disk
no virtio required if you do it the IOMMU way right?
true
and pass the actual device
but it's a bit of a taller ask since now you're asking for the gpu AND nvme to be alone in iommu groups
but it IS possible?
Because if it is I want to try it on my arch desktop
in theory it should, it's just a PCIe device
why you think I got the nvme option in ls-iommu
https://github.com/hikariknight/ls-iommu if you want the bin
you made this whole thing? damn this is insane
look at that, so much better than that silly little bash script people use
also unlike the bash script, the iommu groups are SORTED
like actually sorted
technically you could put the NVMe and the GPU in the same iommu group and pass it through at the same time?
How feasible is this?
Oh wait you got the problem with them both needing to already be in the same group
you don't control the iommu groups
at best you can use the hacky ACS patch and pray it separates them better (we have it included, until people run into issues caused by it)
look at this though
need to grab something you need for the passthrough, it will grab the crap you need
and yes I made the whole thing, damn proud of it too. had some help from my friend in Australia when I was stuck as it was my "teach myself golang" project
yeah but if you have two devices that are exactly the same model, that can be annoying. A quick way of seeing which device is on which /dev/ mount point would be nice
what is the easiest way?
that you can compare with the IOMMU lists
just so its easier to help someone in the future
if you have 2 gpus like that, you're cooked here on atomic since it would require you to add a custom script to initramfs, can't do that without a custom image going forward
for nvmes just passing the block device (the whole device one, not one of the partitions) is enough and make sure you never mount it when the vm is running and that it's not mounted when the vm is running
Okay, that makes sense. And then you just do RAW while making VM and choose the disk right?
or no storage device whatsoever?
yup
Okay. Awesome.
raw = just like a device block
it's the same thing you get if you dd a disk into a file
that way you would still need the VirtIO driver for better performance
right?
yes it's not perfect but you will get at least with gen3 drives in my experience like 80-90% of the performance
2 sec let me just fire up crystaldiskmark on my vm
just to doublecheck
but its certainly playable
I definitely want to try passing through the NVMe (a 960 evo) together with the GTX 1080 on my arch desktop. It's a 6600K with VT-d enabled.
The IOMMU groups are on this platform not ideal so it might just not be possible
on newer platforms seems like its way easier to get it done because almost everything has its own group
not always
asrock is still best in class when it comes to passthrough support
This is good to know. Thanks.
do you know which models are usually best?
the fact that asrock is owned by acer is kinda funny though considering acer is a mixed bag when it comes to laptops and desktops
on the amd side all the X chipsets
you might get the firmware ACS patch in B chipsets from them but often they do not have space to include it there last i talked to someone from asrock
oh they have ACS patches from themselves?
That's some customer support right there
that's not horrible
random 4k write is kinda oof
but
its enough to be snappy
keep in mind this is a crappy nvme I acquired from a laptop that got run over by a tractor
a laptop that got run over by a tractor?
like literally?
:huh:
yes
it's a miracle it's still straight
well the current ujust for setup-virtualization is not perfect
first thing you're greeted with after reboot is that the daemon is not running
the one that i had to bend out from a hp laptop where the ssd screw came factory stripped is more bent
:dispair:
there is literally a service that should fix this....
is that not in the script by default?
and keep it on when you upgrade between fedora versions
script enables it
part of enable virtualization
not any of the other settings right? so far I've only done enable virtualization on my lgo
I just wanna test the problems people are having, and this is a device where I've never enabled it yet
nope enable virtualization enables a service that makes sure libvirt stays enabled after fedora releases
bazzite-libvirtd-setup.service
this one
yep
when i re-execute the script it says symlinks it
and then "libvirtd will be enabled at next reboot"
yep
let me check journald
something ain't right
it checks if libvirtd is running, if it isn't it enables the service
yeah its not starting on boot after reboot for some reason
on bazzite-deck
it disables itself after its done
it was our way to enable libvirtd when you had to layer everything
thats why we made it
so we could enable libvirt without having to do the awkward
ok its installed but not enabled, reboot and rerun this step
when you only enable virtualization there's no extra kargs right?
or should there be?
nope
oh wait
nvm there is 2
these should show on rpm-ostree?
status
stop win10 from bluescreening by disabling msr or whatever its called
and then disable logging that it ignored the signal (so your journal and dmesg isn't spammed)
yeah no it did do some kargs as it was staging deployment
kvm.ignore_msrs=1 kvm.report_ignored_msrs=0
these to it does
first one prevents windows10 (and newer) vms from bluescreening when they do msrs calls
2nd one tells the kernel to not report ignored msrs calls
since it will spam like 4-5 every second almost
something isn't right, the libvirtd service is running but virt-manager detects nothing
wait let me post logs
why it worked fine in the old method and doesn't now is weird
works for everyone else
○ libvirtd.service - libvirt legacy monolithic daemon
Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; preset: disabled)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf, 50-keep-warm.conf
Active: inactive (dead) since Sun 2025-01-12 03:33:00 CET; 1min 37s ago
Duration: 2min 93ms
Invocation: 8f6f0938bbc34c1287c648a651b9bb24
TriggeredBy: ● libvirtd.socket
● libvirtd-ro.socket
● libvirtd-admin.socket
Docs: man:libvirtd(8)
https://libvirt.org/
Process: 3093 ExecStart=/usr/sbin/libvirtd $LIBVIRTD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 3093 (code=exited, status=0/SUCCESS)
Tasks: 2 (limit: 32768)
Memory: 48.5M (peak: 66.5M)
CPU: 731ms
CGroup: /system.slice/libvirtd.service
├─3281 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp->
└─3283 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp->
Jan 12 03:31:01 legiongo dnsmasq-dhcp[3281]: DHCP, sockets bound exclusively to interface virbr0
Jan 12 03:31:01 legiongo dnsmasq[3281]: reading /etc/resolv.conf
Jan 12 03:31:01 legiongo dnsmasq[3281]: using nameserver 127.0.0.53#53
Jan 12 03:31:01 legiongo dnsmasq[3281]: read /etc/hosts - 8 names
Jan 12 03:31:01 legiongo dnsmasq[3281]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 names
Jan 12 03:31:01 legiongo dnsmasq-dhcp[3281]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Jan 12 03:33:00 legiongo systemd[1]: libvirtd.service: Deactivated successfully.
Jan 12 03:33:00 legiongo systemd[1]: libvirtd.service: Unit process 3281 (dnsmasq) remains running after unit >
Jan 12 03:33:00 legiongo systemd[1]: libvirtd.service: Unit process 3283 (dnsmasq) remains running after unit >
Jan 12 03:33:00 legiongo systemd[1]: libvirtd.service: Consumed 731ms CPU time, 66.5M memory peak.
Ah yeah no I forgot you have to manually add the connection
I think I know the issue people are having
they're installing all the stuff without knowing what they're doing
Yeah now I'm having the same issue with no access to home folder.
Unable to complete install: 'internal error: process exited while connecting to monitor: 2025-01-12T02:43:28.476438Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/home/bazzite/Downloads/en-us_windows_11_consumer_editions_version_23h2_updated_dec_2024_x64_dvd_2e075bad.iso","node-name":"libvirt-1-storage","read-only":true}: Could not open '/var/home/bazzite/Downloads/en-us_windows_11_consumer_editions_version_23h2_updated_dec_2024_x64_dvd_2e075bad.iso': Permission denied'
Traceback (most recent call last):
File "/app/share/virt-manager/virtManager/asyncjob.py", line 71, in cb_wrapper
callback(asyncjob, *args, **kwargs)
File "/app/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
installer.start_install(guest, meter=meter)
File "/app/share/virt-manager/virtinst/install/installer.py", line 726, in start_install
domain = self._create_guest(
^^^^^^^^^^^^^^^^^^^
File "/app/share/virt-manager/virtinst/install/installer.py", line 667, in _create_guest
domain = self.conn.createXML(initial_xml or final_xml, 0)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/lib/python3.12/site-packages/libvirt.py", line 4545, in createXML
raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: internal error: process exited while connecting to monitor: 2025-01-12T02:43:28.476438Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/home/bazzite/Downloads/en-us_windows_11_consumer_editions_version_23h2_updated_dec_2024_x64_dvd_2e075bad.iso","node-name":"libvirt-1-storage","read-only":true}: Could not open '/var/home/bazzite/Downloads/en-us_windows_11_consumer_editions_version_23h2_updated_dec_2024_x64_dvd_2e075bad.iso': Permission denied
sudo setfacl -m u:qemu:rx $HOME
Unable to complete install: 'internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/win11-swtpm.log' for details.'
There we go, the TPM problem
does
/var/lib/swtpm-localca
exist?
if it does then send me the log it made
yes
sec
swtpm at /usr/bin/swtpm does not support TPM 2
That's a big F
with passthrough I get this:
Unable to complete install: 'internal error: QEMU unexpectedly closed the monitor (vm='win11'): 2025-01-12T02:55:09.125756Z qemu-system-x86_64: Requested buffer size of 3968 is smaller than host TPM's fixed buffer size of 4096'
just added it emulated, works for me????
Fedora Discussion, "TPM Does Not Work Virt-Manager Fedora 40": I confirm the issue in system mode, but it works fine for me in session mode: virt-manager -c qemu:///session (qemu:///system vs qemu:///session) | Cole Robinson. Update: Unable to create new virt-manager vm with software TPM on Fedora 40 - #48 by vgaetera
this is an issue with SELinux
are we using an older version of swtpm package?
I don't have any selinux rules for swtpm that I made though
it's because it has to do with newly installed systems
when's the last time you reinstalled?
2023
that explains it
new bugs are fun
theres an issue creating selinux rules with swtpm-selinux
so i need to somehow manually fix this?
Maybe unstable fixes the issue?
who knows?
no idea
don't really have the possibility to reinstall constantly here
I'm getting insanely high amounts of sealerts
when i try to make the VM
so it is SELinux
fuuuun
do you know what is complaining
you can make manual rules fairly easy
rpc-virtqemud
its multiple things let me dig through
just adjust that and you can make modules with rules for each
semodule
sorry, it's late
no sealerts anymore but still the same tpm error
F
back to digging that fedora forum
type=AVC msg=audit(01/12/2025 04:19:30.579:1179) : avc: denied { execute } for pid=15067 comm=rpc-virtqemud name=qemu dev="nvme0n1p3" ino=476259 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:virt_etc_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(01/12/2025 04:19:30.595:1182) : avc: denied { relabelfrom } for pid=15069 comm=rpc-virtqemud name=domain-3-win11 dev="nvme0n1p3" ino=328223 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(01/12/2025 04:19:30.639:1183) : avc: denied { remove_name } for pid=10426 comm=rpc-virtqemud name=domain-3-win11 dev="nvme0n1p3" ino=328223 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(01/12/2025 04:19:33.258:1194) : avc: denied { execute } for pid=15111 comm=rpm name=rpm-ostree dev="nvme0n1p3" ino=176158 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(01/12/2025 04:19:33.258:1195) : avc: denied { execute } for pid=15111 comm=rpm name=rpm-ostree dev="nvme0n1p3" ino=176158 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(01/12/2025 04:19:33.258:1196) : avc: denied { execute } for pid=15111 comm=rpm name=rpm-ostree dev="nvme0n1p3" ino=176158 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0
Getting this
when making VM
swtpm at /usr/bin/swtpm does not support TPM 2
swtpm at /usr/bin/swtpm does not support TPM 2
swtpm at /usr/bin/swtpm does not support TPM 2
swtpm at /usr/bin/swtpm does not support TPM 2
swtpm at /usr/bin/swtpm does not support TPM 2
swtpm at /usr/bin/swtpm does not support TPM 2
I still get this
Workaround for now:
Remove TPM from hardware->BypassTPM in setup.
through a regedit
only thing I can find is a proxmox post where libtpms was broken and you had to remove it to fix swtpm with tpm2
but that was 2023 and proxmox is debian based :clueless:
I can find some topics about swtpm on Fedora project forums, but they have all been fixed waaay before f41 was out
but its all selinux and these selinux things have been fixed now
no more alerts
so it's not selinux
I'm at a loss
and sleepy xD
this is all the journald stuff that shows after trying to make it
No worries. Have a good night o7
So i tried making a TPM cert myself manually using swtpm_setup
and that generates a more specific error
the problem is swptpm_localca
Okay never mind
I forgot sudo
it works fine if done with sudo
have you done anything like running vms as the qemu user session or changed the VM user to not be qemu? only other thing i can think of
What I honestly think the problem is is that when swtpm_setup is executed by virt-manager, it is not using the --tpm2 argument
or it IS an access issue with swtpm_localca
that's why I asked if you had modified what user that libvirt uses for vms
since someone did that change to make "i want to use iso from home to work"
nope
also
swtpm is run as tss:tss
not qemu
yeah i was just thinking on some weird interaction where "no your user is not allowed to run swtpm_setup in this context it is only allowed for X"
kind of how apparmor works in some situations iirc
It's not an issue of TPM version
Tried creating a TPM 1.2 device and now it gives "does not support TPM 1.2"
whole swtpm is broken
hmm
i wonder
layer virt-manager
see if it's a flatpak issue if you never had virt-manager layered
I doubt it's related but worth checking I guess
drwxr-xr-x. 1 tss tss 230 Jan 12 03:43 .
drwxr-xr-x. 1 root root 812 Jan 12 02:39 ..
-rw-r--r--. 1 tss tss 20 Jan 12 04:57 certserial
-rw-r--r--. 1 tss tss 1505 Jan 12 03:43 issuercert.pem
-rwxr-xr-x. 1 tss tss 0 Jan 12 03:43 .lock.swtpm-localca
-rw-r-----. 1 tss tss 8170 Jan 12 03:43 signkey.pem
-rw-r--r--. 1 tss tss 1468 Jan 12 03:43 swtpm-localca-rootca-cert.pem
-rw-r-----. 1 tss tss 8177 Jan 12 03:43 swtpm-localca-rootca-privkey.pem
this correct right?
I'm gonna try layer
Nope, doesn't work
all correct
well darn, was worth a shot
setting SELinux to permissive fixed it
so it's 100% SELinux
sudo setenforce 0
but why there's not a more specific alert is strange
How do I figure out what part of SELinux is causing the issue?
hmm
the moment i put
sudo setenforce 1
it breaks again
sudo restorecon -R /var/blah/whatever
just don't run it on / as it won't work
maybe it's needed for the dumb swtpm folder
I don't know where the path would be
It doesn't tell you
the localca directory for swtpm i would guess
I'm more baffled it doesn't make selinux log entries
there is one
when i manually did an sealert -a on the audit.log
recent one
is it any useful
had to do with qemu at least
but only "relabel" on the virtual hard disk
didn't seem too useful
oh well I'm going back to bed
alright man, I'm going to continue the search
good night
Tried all of this. Nothing works except making SELinux permissive
I'm done going down this rabbit hole for now: Just make VM and then set SELinux back to enforcing
¯\_(ツ)_/¯
once the TPM is created there's no issue
yo I'm back, so my solution was to scrap the whole idea and just did winapps thru podman, all the stuff I'm working on is in a cloud account anyways. I DID get virt-manager to work on a fresh iso by enabling tpm passthrough, I think I had to change the dropdown (to default iirc) in case anyone's still struggling with virt-manager.
my honest recommendation tho is to use podman, it Just Works