Issues with TPM platform cert setup

I’m having trouble using the new TPM platform cert feature in 7.1.

$ incus config get instances.tpm.platform_cert
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
$ incus config get instances.tpm.platform_key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMdKhntzfFiQqaBZGo8IvtK16AetkUIYVbhgimeX57aAoAoGCCqGSM49
AwEHoUQDQgAEd6isUjZoM2eNyYqBpcomDCZAV08RTBUVvN708FhFz7XntMTtYY3F
+Mr/H0rr9z+ij3Vw/vAx+FK6+0t9tUbt3w==
-----END EC PRIVATE KEY-----
$ incus create images:debian/13 v1 --vm
Creating v1
$ incus config device add v1 tpm tpm
Device tpm added to v1
$ incus start v1
Error: Failed to start device "tpm": Failed provisioning TPM: Failed to run: swtpm_setup --tpm2 --tpmstate /var/lib/incus/virtual-machines/v1/tpm.tpm --create-ek-cert --create-platform-cert --lock-nvram --config /tmp/incus-tpm-setup-156138873/swtpm_setup.conf: exit status 1 (swtpm_localca exit with status 1: Could not create EK certificate locally
Serial number is invalid.


An error occurred. Authoring the TPM state failed.
Error getting next filename: No child processes)
Try `incus info --show-log v1` for more info
$ incus info --show-log v1
Name: v1
Description: 
Status: STOPPED
Type: virtual-machine
Architecture: x86_64
Created: 2026/06/10 13:46 CDT
Last Used: 1969/12/31 18:00 CST
Error: open /var/lib/incus/logs/v1/qemu.log: no such file or directory

I’m on IncusOS, perhaps that’s causing some issues.

I’m taking a look into this one now.

What I found so far is that the Zabbly Incus package is missing swtpm_cert. IncusOS ships its own version of it, but it is a different version than the rest of the swtpm tools.

I’m now fixing the Zabbly packages to actually contain swtpm_cert (in daily first). Then I’ll make sure this all works fine on a system that doesn’t have any other swtpm present. If it does, I’ll then move on to pushing this to stable and into an IncusOS build where we can see if things behave or if we need to take some steps to hide the system swtpm instance.

The fix in daily seems to work, at least on a non-IncusOS system. I’ve pushed it into the stable packaging now so the next IncusOS stable build should pick that up.

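A preflight check for the cause diagnosed above (a missing swtpm_cert, or one from a different swtpm release than swtpm_setup and swtpm_localca), as an added example that is not code from this thread, from Incus or from IncusOS. It assumes the four tool names used by the provisioning step and that each tool prints "version X.Y.Z" for --version; the exact --version wording of swtpm_cert is an assumption.

```shell
# Added diagnostic (not from the thread or Incus): verify that the swtpm tools
# behind "swtpm_setup --create-ek-cert --create-platform-cert" are all present
# and come from one swtpm release. Assumes "--version" prints "version X.Y.Z".
# Exit status: 0 = complete and consistent, 1 = a tool is missing, 2 = mismatch.

SWTPM_TOOLS="swtpm swtpm_setup swtpm_localca swtpm_cert"

# Print the first executable named $1 found in the colon-separated dirs $2
# (defaults to $PATH); fail when there is none.
find_tool() {
    name=$1; dirs=${2:-$PATH}; old_ifs=$IFS
    IFS=:
    for d in $dirs; do
        if [ -x "$d/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Extract the X.Y.Z version string from a tool's --version output.
tool_version() {
    "$1" --version 2>/dev/null | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Report every tool's location and version; flag gaps and version mismatches.
check_swtpm_tools() {
    dirs=${1:-$PATH}; status=0; first_version=""
    for tool in $SWTPM_TOOLS; do
        if ! path=$(find_tool "$tool" "$dirs"); then
            echo "MISSING: $tool not found in $dirs" >&2
            status=1
            continue
        fi
        v=$(tool_version "$path")
        echo "$tool: $path (version ${v:-unknown})"
        if [ -z "$first_version" ]; then
            first_version=$v
        elif [ "$v" != "$first_version" ]; then
            echo "MISMATCH: $tool is version $v, others are $first_version" >&2
            if [ "$status" -eq 0 ]; then status=2; fi
        fi
    done
    return "$status"
}
```

Source the file and run `check_swtpm_tools` (optionally with a colon-separated directory list) on the host; a status of 1 or 2 reproduces the packaging condition the reply describes.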

Thanks for taking a look!
Also, definitely cool that IncusOS’s reproducibility makes this easier to debug.