[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-10-21 Thread Bug Watch Updater
** Changed in: strongswan (Debian)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940079

Title:
  Strongswan doesn't support TPM 2.0 through the TSS2 interface

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1940079/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-10-06 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.9.1-1ubuntu1.1

---
strongswan (5.9.1-1ubuntu1.1) hirsute; urgency=medium

  * Compile the tpm plugin against the tpm2 software stack (tss2)
    (Debian packaging cherry-pick, LP: #1940079)
    - d/rules: add the --enable-tss-tss2 configure flag
    - d/control: add Build-Depends: libtss2-dev

 -- Paride Legovini   Fri, 17 Sep 2021 12:15:40 +0200

** Changed in: strongswan (Ubuntu Hirsute)
   Status: Fix Committed => Fix Released


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-10-06 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.8.2-1ubuntu3.2

---
strongswan (5.8.2-1ubuntu3.2) focal; urgency=medium

  * Compile the tpm plugin against the tpm2 software stack (tss2)
    (Debian packaging cherry-pick, LP: #1940079)
    - d/rules: add the --enable-tss-tss2 configure flag
    - d/control: add Build-Depends: libtss2-dev

 -- Paride Legovini   Fri, 17 Sep 2021 10:48:56 +0200

** Changed in: strongswan (Ubuntu Focal)
   Status: Fix Committed => Fix Released


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-29 Thread Paride Legovini
** Tags removed: verification-needed verification-needed-hirsute
** Tags added: verification-done verification-done-hirsute


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-29 Thread Paride Legovini
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-29 Thread Jim Sievert
On my Focal ipsec client machine, I added the following PPA:

deb http://archive.ubuntu.com/ubuntu/ focal-proposed restricted main multiverse universe

I installed various strongswan packages:

charon-systemd/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed]
libstrongswan-extra-plugins/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed]
libstrongswan-standard-plugins/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed]
libstrongswan/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed,automatic]
strongswan-libcharon/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed,automatic]
strongswan-pki/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed]
strongswan-swanctl/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed,automatic]

I can confirm the ability to read TPM NVRAM keys and certificates
successfully using the pki tool.

I am also able to confirm successfully being able to complete an ipsec
connection from my client machine via those same TPM-based credentials
to my ipsec server.


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-29 Thread Paride Legovini
@Jim: could you please verify the packages once again, this time from
focal-proposed, like you did in comment 22? The packages are identical
to the ones you already verified, but this time it's on the "real" ones
that will be copied to focal-updates once verified.

I'll do the "light" verification on the packages (link to libtss2).

Thanks!
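
The "light" verification mentioned above (libtpmtss linking against libtss2), as an added example that is not part of the original thread or of the Ubuntu SRU tooling. The function names and the sample ldd output are constructed for illustration; the library path and the two libtss2 library names are the ones given in the bug's test case.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify `ldd` output for
# libtpmtss.so. Reads ldd output on stdin and prints one verdict:
#   linked      libtss2-sys and libtss2-mu both resolve to a file
#   unresolved  a libtss2 dependency is recorded but "not found" at runtime
#   missing     no libtss2 dependency (plugin built without --enable-tss-tss2)
classify_tss2_linkage() {
    awk '
        $1 ~ /^libtss2-(sys|mu)\.so/ {
            lib = $1
            sub(/\.so.*$/, "", lib)      # libtss2-sys.so.0 becomes libtss2-sys
            if ($0 ~ /not found/) {
                bad[lib] = 1
            } else if ($2 == "=>" && substr($3, 1, 1) == "/") {
                ok[lib] = 1
            }
        }
        END {
            if (("libtss2-sys" in bad) || ("libtss2-mu" in bad)) {
                print "unresolved"
            } else if (("libtss2-sys" in ok) && ("libtss2-mu" in ok)) {
                print "linked"
            } else {
                print "missing"
            }
        }'
}

# Run the check against an installed library. The default path is the one
# shown in the bug's test case; prints "absent" if the file is not there.
check_libtpmtss() {
    lib=${1:-/usr/lib/ipsec/libtpmtss.so}
    if [ ! -r "$lib" ]; then
        echo "absent"
        return 0
    fi
    ldd "$lib" | classify_tss2_linkage
}

# Constructed sample: ldd output for a library built with tss2 support.
# Load addresses are made up.
sample_fixed() {
    cat <<'EOF'
	linux-vdso.so.1 (0x00007ffc3a5f2000)
	libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0 (0x00007f3b1bc00000)
	libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0 (0x00007f3b1b800000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b1b400000)
EOF
}

# Constructed sample: a library built without tss2 support.
sample_unfixed() {
    cat <<'EOF'
	linux-vdso.so.1 (0x00007ffc3a5f2000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b1b400000)
EOF
}

# Constructed sample: built with tss2 support, but one runtime library is
# not installed on the machine.
sample_unresolved() {
    cat <<'EOF'
	linux-vdso.so.1 (0x00007ffc3a5f2000)
	libtss2-sys.so.0 => not found
	libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0 (0x00007f3b1b800000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b1b400000)
EOF
}

echo "fixed sample:      $(sample_fixed | classify_tss2_linkage)"
echo "unfixed sample:    $(sample_unfixed | classify_tss2_linkage)"
echo "unresolved sample: $(sample_unresolved | classify_tss2_linkage)"
```

On a machine with the package installed, `check_libtpmtss` runs the same classification on the real library. A "linked" verdict confirms only the build-time linkage, not that TPM operations succeed.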


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-28 Thread Chris Halse Rogers
Hello Jim, or anyone else affected,

Accepted strongswan into hirsute-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/strongswan/5.9.1-1ubuntu1.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-hirsute to verification-done-hirsute. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-hirsute. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: strongswan (Ubuntu Hirsute)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-hirsute


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-28 Thread Chris Halse Rogers
Hello Jim, or anyone else affected,

Accepted strongswan into focal-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/strongswan/5.8.2-1ubuntu3.2 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-focal to verification-done-focal. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-focal. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: strongswan (Ubuntu Focal)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-focal


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-21 Thread Paride Legovini
Thanks for testing! I uploaded the packages to Focal and Hirsute, now
it's up to the SRU team to review the case and update/reject the change.
If the packages get accepted they'll end up in the -proposed pockets and
will need a final verification to finally land in -updates.


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-21 Thread Paride Legovini
** Changed in: strongswan (Ubuntu Focal)
   Status: Incomplete => In Progress

** Changed in: strongswan (Ubuntu Hirsute)
   Status: Incomplete => In Progress


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-21 Thread Paride Legovini
** Description changed:

  [Impact]
  
  This is actually borderline between a bugfix and a new feature. It's a
  bugfix because in the libstrongswan-extra-plugins package description we
  write:
  
    Also included is the libtpmtss library adding support for TPM plugin
    (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
  
  but without a TSS (= TPM Software Stack) implementation the plugin can't
  do anything useful. OTOH adding tss2 support enables new code sections
  which were previously disabled, and requires a new dependency, so to
  some extent this is a new feature.
  
  The "new feature" bits are however confined to a library (libtpmtss.so,
  provided by libstrongswan-extra-plugins), which is basically useless
  without also enabling a TSS implementation. I think this may fall under
  the "we sometimes want to introduce new features" SRU safe case, per:
  
  https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases
  
  [Test Case]
  
  We can check that libtpmtss links against libtss2. For example with the
  proposed change in Focal we have:
  
  $ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
  libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
  libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
  
  and similar in Hirsute. Those are not present in the library provided by
  the package currently in the archive.
  
  A direct verification requires a full IPsec+TPM2 setup to verify that
  the TPM2 actually work with the proposed package.
  
  Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan
  
  [Where problems could occur]
  
  Given that libtpmtss is already basically nonfunctional without a TSS
  implementation, the proposed change can't really break it. However I
  still can imaging a situation where:
  
  - The TPM plugin is installed but misconfigured, or there are issues with the 
TPM;
- - The issues doesn't really cause any harm, as without a TSS implementation 
it can't attempt to do any TPM operation.
+ - The issues doesn't really cause any harm, as without a TSS implementation 
it can't attempt to do any TPM operation;
  - The fixed package allows it to do TPM operation, exposing the 
misconfiguration/issues and possibly braking a working setup.
- 
- This is a general, high-level description of a possible issue I can't
- think of, as I don't really have practical experience with this kind of
- setup.
  
  [Development Fix]
  
  Cherry-pick of a Debian packaging commit, so we'll cleanly drop the
  delta with the next merge from Debian.
  
  [Stable Fix]
  
  Same as the Development Fix (same commit, cherry-picked).
  
  [Original Description]
  
  The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the
  --enable-tss-tss2 option.  Without this option, TPM 2.0 is unavailable
  through the TSS2 interface.
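
Review bot: In [Where problems could occur], the three bullets describe a setup that only starts issuing TPM operations once the fixed package is installed, but the text does not say what symptom a user would see or how they would get back to a working state. One added sentence covering both would make the regression case actionable for whoever triages a report against the update. In the same section, "imaging" should read "imagine", "braking" should read "breaking", and "The issues doesn't" should read "The issues don't".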


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-21 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408927

** Merge proposal linked:
   
https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408928

** Merge proposal linked:
   
https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408929


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-21 Thread Jim Sievert
Hi Paride,

I added your Focal PPA and installed the various strongswan packages on
my client machine:  strongswan, strongswan-swanctl,
libstrongswan-extra-plugins, libstrongswan-standard-plugins, and
strongswan-pki.  I am able
to confirm the ability to read TPM nvram keys and certificates
successfully using the pki tool.  I am also able to confirm successfully
being able to complete an ipsec connection from my client machine via
those same TPM-based credentials.

Thumbs up from me!

Jim


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-17 Thread Bug Watch Updater
** Changed in: strongswan (Debian)
   Status: Unknown => New


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-17 Thread Jim Sievert
Paride,

Thank you for all your diligence.  I will try to provide focal testing
results by early next week.

Jim


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-17 Thread Paride Legovini
I uploaded the packages I plan to submit for the Focal/Hirsute SRU to
this PPA:

https://launchpad.net/~paride/+archive/ubuntu/strongswan

They look good and sane to me, however I'll proceed with the SRU process
only after they have been tested on a setup actually using the TPM2
bits.

@Jim: would it be possible for you to test them? You have the required
setup and you already have local Focal builds of the package. Testing
should easy: add the PPA and install the strongswan packages you need
from there. If there's anything unclear let me know. Thanks in advance!

Waiting for feedback on the PPA packages I'm marking the SRU tasks as
Incomplete.

** Changed in: strongswan (Ubuntu Focal)
   Status: In Progress => Incomplete

** Changed in: strongswan (Ubuntu Hirsute)
   Status: In Progress => Incomplete


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-17 Thread Paride Legovini
** Also affects: strongswan (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Also affects: strongswan (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Changed in: strongswan (Ubuntu Focal)
 Assignee: (unassigned) => Paride Legovini (paride)

** Changed in: strongswan (Ubuntu Hirsute)
 Assignee: (unassigned) => Paride Legovini (paride)

** Changed in: strongswan (Ubuntu Focal)
   Status: New => In Progress

** Changed in: strongswan (Ubuntu Hirsute)
   Status: New => In Progress


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-17 Thread Paride Legovini
** Description changed:

  [Impact]
  
  This is actually borderline between a bugfix and a new feature. It's a
  bugfix because in the libstrongswan-extra-plugins package description we
  write:
  
-   Also included is the libtpmtss library adding support for TPM plugin
-   (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
+   Also included is the libtpmtss library adding support for TPM plugin
+   (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
  
  but without a TSS (= TPM Software Stack) implementation the plugin can't
  do anything useful. OTOH adding tss2 support enables new code sections
  which were previously disabled, and requires a new dependency, so to
  some extent this is a new feature.
  
  The "new feature" bits are however confined to a library (libtpmtss.so,
  provided by libstrongswan-extra-plugins), which is basically useless
  without also enabling a TSS implementation. I think this may fall under
  the "we sometimes want to introduce new features" SRU safe case, per:
  
  https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases
  
  [Test Case]
  
  We can check that libtpmtss links against libtss2. For example with the
  proposed change in Focal we have:
  
  $ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
  libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
  libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
  
  and similar in Hirsute. Those are not present in the library provided by
  the package currently in the archive.
  
  A direct verification requires a full IPsec+TPM2 setup to verify that
  the TPM2 actually work with the proposed package.
  
+ Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan
+ 
  [Where problems could occur]
+ 
+ Given that libtpmtss is already basically nonfunctional without a TSS
+ implementation, the proposed change can't really break it. However I
+ still can imaging a situation where:
+ 
+ - The TPM plugin is installed but misconfigured, or there are issues with the 
TPM;
+ - The issues doesn't really cause any harm, as without a TSS implementation 
it can't attempt to do any TPM operation.
+ - The fixed package allows it to do TPM operation, exposing the 
misconfiguration/issues and possibly braking a working setup.
+ 
+ This is a general, high-level description of a possible issue I can't
+ think of, as I don't really have practical experience with this kind of
+ setup.
  
  [Development Fix]
  
  Cherry-pick of a Debian packaging commit, so we'll cleanly drop the
  delta with the next merge from Debian.
  
  [Stable Fix]
  
  Same as the Development Fix (same commit, cherry-picked).
  
  [Original Description]
  
  The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the
  --enable-tss-tss2 option.  Without this option, TPM 2.0 is unavailable
  through the TSS2 interface.


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-17 Thread Paride Legovini
** Description changed:

+ [Impact]
+ 
+ [Test Case]
+ 
+ We can check that libtpmtss (installed by: libstrongswan-extra-plugins)
+ links against libtss2. For example with the proposed change in Focal we
+ have:
+ 
+ $ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
+ libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
+ libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
+ 
+ and similar in Hirsute. Those are not present in the library provided by
+ the package currently in the archive.
+ 
+ A direct verification requires a full IPsec+TPM2 setup to verify that
+ the TPM2 actually work with the proposed package.
+ 
+ [Where problems could occur]
+ 
+ 
+ [Development Fix]
+ 
+ Cherry-pick of a Debian packaging commit, so we'll cleanly drop the
+ delta with the next merge from Debian.
+ 
+ [Stable Fix]
+ 
+ Same as the Development Fix (same commit, cherry-picked).
+ 
+ [Original Description]
+ 
  The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the
  --enable-tss-tss2 option.  Without this option, TPM 2.0 is unavailable
  through the TSS2 interface.

** Description changed:

  [Impact]
+ 
+ This is actually borderline between a bugfix and a new feature. It's a
+ bugfix because in the libstrongswan-extra-plugins package description we
+ write:
+ 
+   Also included is the libtpmtss library adding support for TPM plugin
+   (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
+ 
+ but without a TSS (= TPM Software Stack) implementation the plugin can't
+ do anything useful. OTOH adding tss2 support enables new code sections
+ which were previously disabled, and requires a new dependency, so to
+ some extent this is a new feature.
+ 
+ The "new feature" bits are however confined to a library (libtpmtss.so,
+ provided by libstrongswan-extra-plugins), which is basically useless
+ without also enabling a TSS implementation. I think this may fall under
+ the "we sometimes want to introduce new features" SRU safe case, per:
+ 
+ https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases
  
  [Test Case]
  
- We can check that libtpmtss (installed by: libstrongswan-extra-plugins)
- links against libtss2. For example with the proposed change in Focal we
- have:
+ We can check that libtpmtss links against libtss2. For example with the
+ proposed change in Focal we have:
  
  $ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
- libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
- libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
+ libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
+ libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
  
  and similar in Hirsute. Those are not present in the library provided by
  the package currently in the archive.
  
  A direct verification requires a full IPsec+TPM2 setup to verify that
  the TPM2 actually work with the proposed package.
  
  [Where problems could occur]
- 
  
  [Development Fix]
  
  Cherry-pick of a Debian packaging commit, so we'll cleanly drop the
  delta with the next merge from Debian.
  
  [Stable Fix]
  
  Same as the Development Fix (same commit, cherry-picked).
  
  [Original Description]
  
  The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the
  --enable-tss-tss2 option.  Without this option, TPM 2.0 is unavailable
  through the TSS2 interface.


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-17 Thread Paride Legovini
Now that this is Fix Released in Impish, I'll twist this bug again and
make it into a SRU bug, targeting Focal and Hirsute. I'll make a case
summarizing the discussion above for the SRU team.


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-16 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.9.1-1ubuntu3

---
strongswan (5.9.1-1ubuntu3) impish; urgency=medium

  * Compile the tpm plugin against the tpm2 software stack (tss2)
    (Debian packaging cherry-pick, LP: #1940079)
    - d/rules: add the --enable-tss-tss2 configure flag
    - d/control: add Build-Depends: libtss2-dev

 -- Paride Legovini   Thu, 16 Sep 2021 11:40:38 +0200

** Changed in: strongswan (Ubuntu)
   Status: Triaged => Fix Released


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-16 Thread Paride Legovini
Thanks!

Uploading strongswan using ftp to ubuntu (host: upload.ubuntu.com; directory: /ubuntu)
Uploading strongswan_5.9.1-1ubuntu3.dsc
Uploading strongswan_5.9.1-1ubuntu3.debian.tar.xz
Uploading strongswan_5.9.1-1ubuntu3_source.buildinfo
Uploading strongswan_5.9.1-1ubuntu3_source.changes


[Bug 1940079] Re: Strongswan doesn't support TPM 2.0 through the TSS2 interface

2021-09-16 Thread Steve Langasek
Ok for feature freeze, to enable this self-contained feature.
