From e46726cf131aa9f6094ed306d936e3a1313df8f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com> Date: Fri, 11 Apr 2025 14:09:37 +0200 Subject: [PATCH] mini-constellation: pin swtpm to v0.8.2 (#3756) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * mini-constellation: pin swtpm to v0.8.2 * containers: update libvirtd_base image --------- Signed-off-by: Daniel Weiße --- bazel/toolchains/container_images.bzl | 2 +- nix/container/libvirtd_base.nix | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/bazel/toolchains/container_images.bzl b/bazel/toolchains/container_images.bzl
index f73b2f769..1c405484f 100644
--- a/bazel/toolchains/container_images.bzl
+++ b/bazel/toolchains/container_images.bzl
@@ -16,6 +16,6 @@ def containter_image_deps():
 )
 oci_pull(
 name = "libvirtd_base",
- digest = "sha256:10bc5281807d06e333f363dd27ccc8159884d706a6d738d6f54a925c483bdce3",
+ digest = "sha256:f23e0f587860c841adde25b1b4f0d99aa4fbce1c92b01b5b46ab5fa35980a135",
 image = "ghcr.io/edgelesssys/constellation/libvirtd-base",
 )
diff --git a/nix/container/libvirtd_base.nix b/nix/container/libvirtd_base.nix
index 5ebaf3e91..f58a2366a 100644
--- a/nix/container/libvirtd_base.nix
+++ b/nix/container/libvirtd_base.nix
@@ -62,12 +62,22 @@ let
 '';
 startScript = pkgsLinux.writeShellApplication {
 name = "start.sh";
- runtimeInputs = with pkgsLinux; [
+ runtimeInputs = let nixpkgs24_11 = import "${pkgs.fetchFromGitHub {
+ # Pinned release which contains swtpm v0.8.2
+ # Newer versions of NixOS package swtpm v0.10.0 with https://github.com/stefanberger/swtpm/pull/896
+ # This release breaks MiniConstellation since either libvirt, or the Terraform libvirt provider
+ # tries to apply the TPM config twice, resulting in an error during the setup phase
+ owner = "NixOS";
+ repo = "nixpkgs";
+ tag = "24.11";
+ hash = "sha256-CqCX4JG7UiHvkrBTpYC3wcEurvbtTADLbo3Ns2CEoL8=";
+ }}"{system = "x86_64-linux";}; in
+ with pkgsLinux; [
 shadow
 coreutils
 libvirt
 qemu
- swtpm
+ nixpkgs24_11.swtpm
 ];
 text = ''
 set -euo pipefail
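Review bot: The separate nixpkgs 24.11 import freezes swtpm (and whatever it pulls from that snapshot) at a fixed version, so it no longer picks up fixes that later nixpkgs revisions ship for it, and the new comment block explains why the pin exists but not when it should be removed; I would add `# TODO: drop this pin once the double TPM-config application is fixed in libvirt / the Terraform provider; swtpm stays on the 24.11 version until then` above `owner = "NixOS";`. The content `hash` next to `tag` is what actually pins the source, so a moved tag cannot silently change what is built here. Separately, `system = "x86_64-linux"` is hard-coded while every other runtime input comes from `pkgsLinux`, whose definition is outside this hunk; if that package set is ever instantiated for another architecture the swtpm binary would not match, so `{ system = pkgsLinux.stdenv.hostPlatform.system; }` would keep the two consistent, assuming `pkgsLinux` is an ordinary nixpkgs instance. The enclosing `let` starts before this hunk and the `startScript` attribute set continues past it.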