Inside of qemuTPMEmulatorBuildCommand() there are two calls to qemuTPMSetupEncryption() which simply ignore returned error. This is suboptimal because then we rely on swtpm binary reporting a generic error (something among invalid arguments) while an error reported by qemuTPMSetupEncryption() is more specific. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/qemu/qemu_tpm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 15ee7db757..502a77b5b3 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -635,7 +635,12 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, } pwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid, cmd); + if (pwdfile_fd < 0) + goto error; + migpwdfile_fd = qemuTPMSetupEncryption(tpm->data.emulator.secretuuid, cmd); + if (migpwdfile_fd < 0) + goto error; virCommandAddArg(cmd, "--key"); virCommandAddArgFormat(cmd, "pwdfd=%d,mode=aes-256-cbc", pwdfile_fd); -- 2.37.4