Comment 10 for bug 1968131

Christian Ehrhardt  (paelzer) wrote :

# clean
$ sudo apt remove --purge swtpm swtpm-tools
$ sudo rm -rf /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm

# re-create a clean env by re-installing swtpm
$ sudo apt install swtpm swtpm-tools

# Status after install
$ sudo ls -laF /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm /run/libvirt/qemu/swtpm
ls: cannot access '/var/lib/libvirt/swtpm': No such file or directory
ls: cannot access '/var/log/swtpm': No such file or directory
/run/libvirt/qemu/swtpm:
total 0
drwxrwx--- 2 libvirt-qemu swtpm 40 Apr 7 10:33 ./
drwxr-xr-x 5 root root 140 Apr 7 10:33 ../

/var/lib/swtpm-localca:
total 8
drwxr-x--- 2 swtpm root 4096 Apr 7 10:48 ./
drwxr-xr-x 43 root root 4096 Apr 7 10:48 ../

# then failing a start of a VM with swtpm configured
$ virsh start testguest --console

# File/Dir status after this
$ sudo ls -laF /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm /run/libvirt/qemu/swtpm /var/log/swtpm/libvirt/qemu /var/log/swtpm/libvirt
/run/libvirt/qemu/swtpm:
total 0
drwxrwx--- 2 libvirt-qemu swtpm 40 Apr 7 10:33 ./
drwxr-xr-x 5 root root 140 Apr 7 10:33 ../

/var/lib/libvirt/swtpm:
total 8
drwx--x--x 2 root root 4096 Apr 7 10:50 ./
drwxr-xr-x 8 root root 4096 Apr 7 10:50 ../

/var/lib/swtpm-localca:
total 20
drwxr-x--- 2 swtpm root 4096 Apr 7 10:50 ./
drwxr-xr-x 43 root root 4096 Apr 7 10:48 ../
-rwxr-xr-x 1 swtpm swtpm 0 Apr 7 10:50 .lock.swtpm-localca*
-rw-r--r-- 1 swtpm swtpm 0 Apr 7 10:50 index.txt
-rw-r--r-- 1 swtpm swtpm 3 Apr 7 10:50 serial
-rw-r--r-- 1 swtpm swtpm 1468 Apr 7 10:50 swtpm-localca-rootca-cert.pem
-rw-r----- 1 swtpm swtpm 2455 Apr 7 10:50 swtpm-localca-rootca-privkey.pem

/var/log/swtpm:
total 12
drwx--x--x 3 root root 4096 Apr 7 10:50 ./
drwxrwxr-x 10 root syslog 4096 Apr 7 10:50 ../
drwx--x--x 3 root root 4096 Apr 7 10:50 libvirt/

/var/log/swtpm/libvirt:
total 12
drwx--x--x 3 root root 4096 Apr 7 10:50 ./
drwx--x--x 3 root root 4096 Apr 7 10:50 ../
drwx-wx--- 2 swtpm swtpm 4096 Apr 7 10:50 qemu/

/var/log/swtpm/libvirt/qemu:
total 12
drwx-wx--- 2 swtpm swtpm 4096 Apr 7 10:50 ./
drwx--x--x 3 root root 4096 Apr 7 10:50 ../
-rw-r--r-- 1 swtpm swtpm 1730 Apr 7 10:50 testguest-swtpm.log

---

After this failed attempt — since the guest is abandoned — the environment differs from the first run when retrying:

- /var/lib/libvirt/swtpm/202a34a9-2ee2-4826-b206-c249f535be90/tpm2 no longer exists
- /var/log/swtpm/libvirt/qemu/testguest-swtpm.log can't be written

$ sudo rm -rf /tmp/test2
$ mkdir /tmp/test2
$ sudo chown swtpm:swtpm /tmp/test2
$ sudo -u swtpm /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek 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 --dir /tmp/test --logfile /tmp/test/testguest-swtpm.log --vmid testguest:202a34a9-2ee2-4826-b206-c249f535be90 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options

$ echo $?
1
$ cat /tmp/test/testguest-swtpm.log
Creating root CA and a local CA's signing key and issuer cert.
Could not create root-CA:Can't load ./.rnd into RNG
40D7E55E677F0000:error:12000079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:106:Filename=./.rnd
Cannot write random bytes:
40D7E55E677F0000:error:12000079:random number generator:RAND_write_file:Cannot open file:../crypto/rand/randfile.c:240:Filename=./.rnd

Error creating local CA's signing key and cert.

That is essentially the same error (OpenSSL's RAND_load_file/RAND_write_file cannot open `./.rnd` in the current working directory), so the cause really is the user/group and directory permissions under which swtpm-localca runs.
This way we can reproduce it outside of libvirt, track down exactly which access fails, and debug/fix it.