Bug#1132183: mkosi: 'mkosi vm' unusable due to swtpm apparmor policy

Simon Pilkington simonp.git at mailbox.org
Sun Mar 29 08:36:41 BST 2026


Package: mkosi
Version: 26-2
Severity: normal
X-Debbugs-Cc: simonp.git at mailbox.org

Attempting to use 'mkosi vm' to start an OS image in a virtual machine fails at
the TPM setup step due to the policy in /etc/apparmor.d/usr.bin.swtpm from the
swtpm package, which allows swtpm to run only in a small subset of directories.
mkosi attempts to set up in /work/tmp, which is not included, leading to:

swtpm: SWTPM_NVRAM_StoreData: Error (fatal) opening /work/tmp/mkosi-swtpm-cgx_pynd/TMP2-00.permall for write failed, Permission denied
swtpm: SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied
Could not receive response to CMD_GET_INFO from swtpm: Connection reset by peer
Could not get active profile.
An error occurred. Authoring the TPM state failed.
Error getting next filename: Connection reset by peer
‣ "swtpm_setup --tpm-state /work/tmp/mkosi-swtpm-cgx_pynd --tpm2 --pcr-banks sha256 --config /dev/null --profile-name=custom --profile-remove-disabled=check" returned non-zero exit code 1.

Regards,
Simon

-- System Information:
Debian Release: forky/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'buildd-unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.19.9+deb14-amd64-simonp (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mkosi depends on:
ii apt 3.1.16
ii apt-utils 3.1.16
ii btrfs-progs 6.17.1-1
ii cpio 2.15+dfsg-2.1
ii cryptsetup-bin 2:2.8.4-1
ii debian-archive-keyring 2025.1
ii dosfstools 4.2-1.2
ii e2fsprogs 1.47.4-1
ii efitools 1.9.2-5
ii erofs-utils 1.9.1-1
ii fdisk 2.41.3-4
ii gnupg 2.4.9-4
ii jq 1.8.1-4+b1
ii kmod 34.2-2+b1
ii mtools 4.0.49-1
ii openssl 3.6.1-3
ii pesign 116-8.1
ii python3 3.13.9-3
ii python3-cryptography 46.0.6-1
ii python3-pefile 2024.8.26-2.1
ii squashfs-tools 1:4.7.5-1
ii systemd 260.1-1
ii systemd-boot-efi 260.1-1
ii systemd-boot-tools 260.1-1
ii systemd-container 260.1-1
ii systemd-repart 260.1-1
ii systemd-ukify 260.1-1
ii tpm2-tools 5.7-1
ii xz-utils 5.8.2-2
ii zstd 1.5.7+dfsg-3+b1

Versions of packages mkosi recommends:
pn archlinux-keyring <none>
ii debian-archive-keyring 2025.1
pn distribution-gpg-keys <none>
pn dnf <none>
ii ipxe-qemu 2.0.0+dfsg-2
ii ovmf 2025.11-4
pn pacman-package-manager <none>
pn qemu-system <none>
ii systemd-timesyncd 260.1-1
pn ubuntu-keyring <none>
ii uidmap 1:4.19.3-1
ii virtiofsd 1.13.2-6
pn zypper <none>

mkosi suggests no packages.

-- no debconf information 


