
Testing tpm2-pkcs11 with KVM vTPM 2.0
Open, Normal, Public

Description

KVM supports emulated TPM2 hardware and the version in Bullseye gains the ability to encrypt its secrets [0]. tpm2-pk11 [1] is a program that allows protecting OpenSSH and Firefox private keys using the TPM. If the package finds a new upstream maintainer we can test it in Debian stable-next with the virtual TPM hardware.

Debian maintainers will move to tpm2-pkcs11 [3].

[0] http://forums.whonix.org/t/kvm-virtual-tpm-aka-the-universal-smartcard/8244

[1] https://github.com/irtimmer/tpm2-pk11

[2] https://github.com/irtimmer/tpm2-pk11/wiki

[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941951#10


EDIT:

The above package depends on gnupg-pkcs11-scd which is available in Debian.

https://packages.debian.org/source/stable/gnupg-pkcs11-scd


https://packages.debian.org/buster/simple-tpm-pk11 only works for TPM 1.2.


Opened an RFP for this package, which fulfills this ticket in case someone upstream picks it up. https://bugs.debian.org/941951


The upstream TPM2 project is looking at consolidating the multiple code projects out there into an upstream implementation superseding the projects above.

https://github.com/tpm2-software/tpm2-tools/issues/518

https://github.com/tpm2-software/tpm2-pkcs11

Details

Impact
Normal

Event Timeline

HulaHoop triaged this task as Normal priority. Oct 4 2019, 4:22 PM
HulaHoop created this task.
HulaHoop updated the task description. Oct 4 2019, 4:33 PM
HulaHoop updated the task description. Oct 4 2019, 6:06 PM
HulaHoop added a comment. Edited Oct 5 2019, 5:10 PM

TPM hw not working. Troubleshooting thread:

https://www.redhat.com/archives/libvirt-users/2019-October/msg00006.html


Turns out it isn't packaged for Debian yet. Opened an RFP: https://bugs.debian.org/941939

HulaHoop updated the task description. Oct 7 2019, 9:28 PM
HulaHoop updated the task description. Oct 7 2019, 9:40 PM
HulaHoop updated the task description. Oct 7 2019, 11:13 PM
HulaHoop updated the task description. Oct 7 2019, 11:29 PM

Already packaged in Debian but is currently orphaned and needs a maintainer according to its ex-maintainer:

https://tracker.debian.org/pkg/tpm2-pk11

HulaHoop renamed this task from Packaging for tpm2-pk11 to Testing tpm2-pk11 with KVM vTPM 2.0. Oct 10 2019, 3:49 PM
HulaHoop claimed this task.
HulaHoop updated the task description.
HulaHoop removed a project: packaging.
HulaHoop renamed this task from Testing tpm2-pk11 with KVM vTPM 2.0 to Testing tpm2-pkcs11 with KVM vTPM 2.0. Oct 10 2019, 3:54 PM
HulaHoop updated the task description.