Strongswan doesn't support TPM 2.0 through the TSS2 interface
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Debian) | Fix Released | Unknown | |
strongswan (Ubuntu) | Fix Released | Undecided | Paride Legovini |
Focal | Fix Released | Undecided | Paride Legovini |
Hirsute | Fix Released | Undecided | Paride Legovini |
Bug Description
[Impact]
This is actually borderline between a bugfix and a new feature. It's a bugfix because in the libstrongswan-
Also included is the libtpmtss library adding support for TPM plugin
(https:/
but without a TSS (= TPM Software Stack) implementation the plugin can't do anything useful. OTOH adding tss2 support enables new code sections which were previously disabled, and requires a new dependency, so to some extent this is a new feature.
The "new feature" bits are however confined to a library (libtpmtss.so, provided by libstrongswan-
https:/
[Test Case]
We can check that libtpmtss links against libtss2. For example with the proposed change in Focal we have:
$ ldd /usr/lib/
libtss2-
libtss2-mu.so.0 => /lib/x86_
and similar in Hirsute. Those are not present in the library provided by the package currently in the archive.
A direct verification requires a full IPsec+TPM2 setup to confirm that TPM2 actually works with the proposed package.
Test PPA: https:/
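As an added example (not code from the bug report or from the strongswan package), a small POSIX sh check that applies the ldd test above and tells apart the three outcomes a verifier will meet: not linked at all (the package currently in the archive), linked and resolved (the proposed package), and linked but missing at runtime. The default library path and the sample ldd output are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): does a libtpmtss shared object
# really link against the TSS2 libraries named in the test case?

# Constructed sample of what `ldd` prints for the fixed Focal package
# (abbreviated; the real output lists more libraries).
sample_ldd_output() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd3a1f0000)
    libtss2-esys.so.0 => /lib/x86_64-linux-gnu/libtss2-esys.so.0 (0x00007f1c2a000000)
    libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0 (0x00007f1c29f00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29d00000)
EOF
}

# Evaluate ldd output read from stdin.
#   returns 0  both libtss2-esys and libtss2-mu are linked and resolved
#   returns 1  at least one of them is not linked at all (the pre-fix state)
#   returns 2  one is linked but "not found", i.e. the tss2 runtime
#              dependency is missing on this host
tss2_links_ok() {
    esys=0; mu=0
    while IFS= read -r line; do
        case "$line" in
            *libtss2-esys.so*"not found"*|*libtss2-mu.so*"not found"*)
                echo "runtime dependency missing: $line" >&2
                return 2 ;;
            *libtss2-esys.so*) esys=1 ;;
            *libtss2-mu.so*)   mu=1 ;;
        esac
    done
    [ "$esys" -eq 1 ] && [ "$mu" -eq 1 ]
}

# Run the check against an installed library. The default path is an
# assumption (the bug page truncates it); locate the real file with
# `dpkg -S libtpmtss` and pass it as the first argument.
check_libtpmtss() {
    lib="${1:-/usr/lib/x86_64-linux-gnu/libtpmtss.so.0}"
    [ -f "$lib" ] || { echo "no such file: $lib" >&2; return 3; }
    ldd "$lib" | tss2_links_ok
}
```

Run `sample_ldd_output | tss2_links_ok` to see the expected pass, or `check_libtpmtss /path/to/libtpmtss.so.0` against the installed package.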
[Where problems could occur]
Given that libtpmtss is already basically nonfunctional without a TSS implementation, the proposed change can't really break it. However, I can still imagine a situation where:
- The TPM plugin is installed but misconfigured, or there are issues with the TPM;
- The issues don't really cause any harm, as without a TSS implementation it can't attempt any TPM operation;
- The fixed package allows it to do TPM operation, exposing the misconfiguratio
[Development Fix]
Cherry-pick of a Debian packaging commit, so we'll cleanly drop the delta with the next merge from Debian.
[Stable Fix]
Same as the Development Fix (same commit, cherry-picked).
[Original Description]
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface.
Related branches
- Reviews: Christian Ehrhardt (community): Approve; Canonical Server: Pending requested
  Diff: 41 lines (+11/-0), 3 files modified: debian/changelog (+9/-0), debian/control (+1/-0), debian/rules (+1/-0)
- Reviews: Christian Ehrhardt (community): Approve; Canonical Server: Pending requested
  Diff: 41 lines (+11/-0), 3 files modified: debian/changelog (+9/-0), debian/control (+1/-0), debian/rules (+1/-0)
- Reviews: Christian Ehrhardt: Pending requested; Canonical Server: Pending requested
  Diff: 529 lines (+411/-2) (has conflicts), 9 files modified: debian/changelog (+19/-0), debian/control (+61/-2), debian/libcharon-extra-plugins.maintscript (+11/-0), debian/patches/lp-1879692-1.patch (+75/-0), debian/patches/lp-1879692-2.patch (+50/-0), debian/patches/lp-1879692-3.patch (+37/-0), debian/patches/lp-1879692-4.patch (+42/-0), debian/patches/lp-1879692-5.patch (+111/-0), debian/patches/series (+5/-0)
- Reviews: Christian Ehrhardt (community): Approve; Ubuntu Release Team: Pending requested; Ubuntu Server Developers: Pending requested
  Diff: 41 lines (+11/-0), 3 files modified: debian/changelog (+9/-0), debian/control (+1/-0), debian/rules (+1/-0)
summary: "Strongswan in Focal doesn't support TPM 2.0..." → "Strongswan in Focal doesn't support TPM 2.0 through TSS2 interface..."
description: updated
summary: "Strongswan in Focal doesn't support TPM 2.0 through TSS2 interface..." → "Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface..."
Changed in strongswan (Ubuntu): assignee: nobody → Paride Legovini (paride)
Changed in strongswan (Ubuntu): status: Triaged → Incomplete
Changed in strongswan (Ubuntu): status: Incomplete → Triaged
description: updated
description: updated
description: updated
Changed in strongswan (Ubuntu Focal): assignee: nobody → Paride Legovini (paride)
Changed in strongswan (Ubuntu Hirsute): assignee: nobody → Paride Legovini (paride)
Changed in strongswan (Ubuntu Focal): status: New → In Progress
Changed in strongswan (Ubuntu Hirsute): status: New → In Progress
Changed in strongswan (Debian): status: Unknown → New
description: updated
Changed in strongswan (Ubuntu Focal): status: Incomplete → In Progress
Changed in strongswan (Ubuntu Hirsute): status: Incomplete → In Progress
tags: added: verification-done-focal; removed: verification-needed-focal
tags: added: verification-done verification-done-hirsute; removed: verification-needed verification-needed-hirsute
Changed in strongswan (Debian): status: New → Fix Released
--enable-tss-trousers is missing too, so TPM 1.2 support isn't available either. Which makes enabling the tpm plugin completely useless.