[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-09-16 Thread Paride Legovini
Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan

** Summary changed:

- Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...
+ Strongswan doesn't support TPM 2.0 through the TSS2 interface

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940079

Title:
  Strongswan doesn't support TPM 2.0 through the TSS2 interface

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1940079/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-09-16 Thread Paride Legovini
The FFe is for this MP:

https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408738

I requested a review from ubuntu-release, as I think it's a nice way to
approve (or disapprove!) the FFe.


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-09-16 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408738


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-09-16 Thread Paride Legovini
My MR against the Debian packaging got merged:

https://salsa.debian.org/debian/strongswan/-/commit/b062db8d85e1502010cd45bc2beb5fbd67912cab

so this will be fixed in Debian unstable with the next upload and in
Ubuntu with the merges that will follow. However I'd like to see this
land in Impish, so I'm requesting a FFe [1].

This is actually borderline between a bugfix (for which we wouldn't need
a FFe) and a new feature. It's a bugfix because in the
libstrongswan-extra-plugins package description we write:

  Also included is the libtpmtss library adding support for TPM plugin
  (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)

but without a TSS implementation the plugin can't do anything useful.
OTOH adding tss2 support enables new code sections which were previously
disabled, and requires a new dependency, so to some extent this is a new
feature.

The "new feature" bits are however confined in a module (libtpmtss.so,
provided by libstrongswan-extra-plugins), which is basically useless
without also enabling a TSS implementation. This should be a safe case
not only for a FFe but also for a SRU.

For the moment this is a FFe for Impish. If accepted we'll evaluate what
to do with the stable releases.

[1] https://wiki.ubuntu.com/FreezeExceptionProcess
[2] https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-09-15 Thread Paride Legovini
As ideally we'd like to have this change land in Debian I filed a Debian
bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994396

and opened a MR against the Debian packaging:

https://salsa.debian.org/debian/strongswan/-/merge_requests/11/


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-09-15 Thread Paride Legovini
** Bug watch added: Debian Bug tracker #994396
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994396

** Also affects: strongswan (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994396
   Importance: Unknown
   Status: Unknown

** Changed in: strongswan (Ubuntu)
   Status: Incomplete => Triaged


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-09-14 Thread Tobias Brunner
> Note: I can't see the libtss2-esys runtime dependency that Tobias
> mentioned. @Tobias: is this expected, or am I missing some other flag?

Yes, that's correct. The configure script checks for both tss2-sys and
tss2-esys, but eventually, only tss2-sys is used (possible that Andreas
intended to switch to the latter at some point, but that's currently not
the case).

> What do you think?

I totally agree. As I mentioned before, support for TPM 1.2 in
strongSwan is basically limited to remote attestation, but since the
plugins required for that are currently not shipped, enabling support
for it would be pointless.


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-09-14 Thread Paride Legovini
** Changed in: strongswan (Ubuntu)
   Status: Triaged => Incomplete


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-09-14 Thread Paride Legovini
Hi,

I built strongswan 5.9.1-1 with --enable-tss-trousers (extra Build-Dep:
libtspi-dev) and --enable-tss-tss2 (extra B-D: libtss2-dev). The package
built fine, the resulting libstrongswan-extra-plugins binary package has
two extra dependencies:

 - libtss2-sys1
 - libtspi1 (not in main)

Note: I can't see the libtss2-esys runtime dependency that Tobias
mentioned. @Tobias: is this expected, or am I missing some other flag?

Before moving forward in this direction I have a question. AIUI
--enable-tss-trousers enables TPM1.2, while --enable-tss-tss2 enables
TPM2, which is what --enable-tpm needs to do anything useful.

Do you think it makes sense to only enable TPM2 (--enable-tss-tss2),
without TPM1.2 (--enable-tss-trousers)? This would be my proposal, as it
has some advantages over enabling both:

1. TPM2 has been around for several years now, and improves on TPM1.2 in many 
ways. Nobody really complained of lack of TPM1.2 support before this bug was 
filed.
2. libtspi1 is not in main, so enabling TPM1.2 will require at least a MIR, 
increasing the overall maintenance work.
3. Supporting only TPM2 will save us from deprecating TPM1.2 support one day, 
with all the burden that such deprecations generate both on the maintainers 
side and users side. This is my main point.
4. We can always enable TPM1.2 later if we change our mind.

What do you think?


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-24 Thread Christian Ehrhardt 
FYI bin:libtss2-esys0 from src:tpm2-tss is at least already in main in Focal.
In later releases it is libtss2-esys-3.0.2-0 (also in main)


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-20 Thread Tobias Brunner
> However this is not something like a separate module: support for TSS2
> is builtin in the strongswan tools.

Correct, it's just part of libtpmtss.

> I didn't check but I imagine this requires a libtss2-* runtime dep.

Yes, libtss2-esys0 will be required (libtss2-esys-3.0.2-0 for Hirsute
and Impish).


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-20 Thread Paride Legovini
** Changed in: strongswan (Ubuntu)
 Assignee: (unassigned) => Paride Legovini (paride)


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-20 Thread Paride Legovini
Some more info for evaluating this:

 * The Impish package builds fine by adding --enable-tss-tss2 in d/rules and 
adding libtss2-dev to Build-Depends.
 * libtss2-dev is in main in >=Focal.
 * The configure flag enables some well-scoped sections of code via #ifdefs. 
However this is not something like a separate module: support for TSS2 is 
builtin in the strongswan tools.
 * I didn't check but I imagine this requires a libtss2-* runtime dep.


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-20 Thread Tobias Brunner
> The stable Ubuntu releases are "feature frozen", which means that it
> is unlikely TSS2 will be enabled in Focal (exceptions are possible, but
> a very compelling reason is needed).

Is it a new feature, though? Couldn't it be considered a necessary fix
to actually make the already shipped tpm plugin (and the tpm_extendpcr
command) functional?

> Did TSS2 work before with Ubuntu's strongswan package? (I doubt so, as
> additional build-deps are needed, admittedly I'm not very familiar with
> the package.)

As you say, it requires an additional dependency. However, while
strongSwan supports tpm2-tss 1.x, the version shipped in Ubuntu bionic
was too old. So before a 2.x version was included, it couldn't have
worked (looks like Debian didn't include tpm2-tss at all before 2.1.0
was shipped with buster).

Support for TPM 2.0 was added with strongSwan 5.5.0, based on tpm2-tss
1.x (> 1.0). The tpm plugin was originally released with strongSwan
5.5.2. In Debian, the plugin was not enabled until 5.6.1, packaged for
testing before the buster release. Unfortunately, there was no configure
check that enforced enabling tss-tss2 (I've added one now), which would
have failed back then as support for tpm2-tss 2.x was only added with
5.7.0. However, Debian buster eventually included strongSwan 5.7.2
and, as mentioned above, tpm2-tss 2.1.0, so that would have worked. But
since the plugin was already enabled successfully months before, nobody
apparently considered enabling tss-tss2, even if the plugin was
non-functional. So it took nearly 4 years since the plugin was first enabled
for somebody to actually try to use it and fail.


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-19 Thread Jim Sievert
I need to jump into this one...

Right now, a number of our projects are dependent on the Focal LTS
release.  These projects cannot wait for 22.04 as they will go to market
over the course of the next several months.  These same projects make
heavy use of TPM 2.0.  They do use the TSS 2.0 components which _are
currently_ available in Focal.  Strongswan has had TSS 2.0 support for
quite a while, and Strongswan is key to making our projects successful.

I can say that I've put the --enable-tss-tss2 into our local Focal build
and have been successfully running Strongswan with TSS 2.0 support.  I'm
uncomfortable with having a local build as it's just another entity to
remember to manage across the lifetime of our products.  This
functionality needs to be put into Focal.

Thanks.


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-19 Thread Paride Legovini
Thanks Tobias for the additional information. I think that enabling TSS2
in Ubuntu is something we want to do, however there are a few things
to consider:

1. The stable Ubuntu releases are "feature frozen", which means that it
is unlikely TSS2 will be enabled in Focal (exceptions are possible, but
a very compelling reason is needed). However you mentioned that the
strongswan Focal configuration *elides* --enable-tss-tss2. Looking at
the packaging file I don't think we're disabling or removing that flag
from anywhere. Did TSS2 work before with Ubuntu's strongswan package? (I
doubt so, as additional build-deps are needed, admittedly I'm not very
familiar with the package.)

2. TSS2 doesn't look enabled in the current Ubuntu development release
(Impish). That would normally be the right place to enable a new
feature, however the devel release is already in feature freeze. This
means that target for enabling TSS2 would be the Ubuntu 22.04 release
(modulo [1]).

3. Ideally this change should land in Debian, which as far as I can tell
is also missing support for TSS2. Ubuntu would then inherit the change
with the next syncs/merges. Debian is out of the freeze, so this is a
good moment for proposing the change. Should the change not land in
Debian in time for 22.04 we can enable TSS2 in Ubuntu.

What do you think of this plan?

[1] https://wiki.ubuntu.com/FreezeExceptionProcess


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-18 Thread Tobias Brunner
> what is --enable-tpm option exactly?

It's a plugin in libtpmtss that implements interfaces to provide
certificates, private keys and random numbers from a TPM 2.0 to the IKE
daemon.

> Does it work without --enable-tss-trousers and --enable-tss-tss2?

No, it requires a TSS implementation, in particular, a TSS 2.0
implementation (I saw that it basically does nothing without a TPM 2.0).
The only one currently available, enabled via --enable-tss-tss2, uses
the libraries provided by tpm2-tss.

The TSS 1 implementation (enabled via --enable-tss-trousers, which wraps
TrouSerS) is only needed for other features, e.g. remote attestation
(see e.g. [1]), when using a TPM 1.2. But those are currently not
enabled in the Ubuntu build.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/PTS-IMC


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-17 Thread Lucas Kanashiro
Thanks for taking the time to file this bug and trying to make Ubuntu
better.

From the upstream documentation:

'''
--enable-tpm

enable plugin to access persistent RSA and ECDSA private keys bound to Trusted 
Platform Module 2.0 [ no ]. Since 5.5.2.
'''

The --enable-tpm option was used to build the Focal package, so from
what I understood it has the ability to access persistent keys bound to
TPM 2.0. To enable the TSS2 library, we would need to add a new build
dependency on libtss2 according to upstream documentation. I am not sure
if the SRU team would accept this kind of change in a stable release.

@Tobias, what is --enable-tpm option exactly? Does it work without
--enable-tss-trousers and --enable-tss-tss2?

** Changed in: strongswan (Ubuntu)
   Status: New => Triaged


[Bug 1940079] Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

2021-08-16 Thread Tobias Brunner
--enable-tss-trousers is missing too, so TPM 1.2 support isn't available
either. Which makes enabling the tpm plugin completely useless.
