| 2021-08-16 12:52:47 |
Jim Sievert |
bug |
|
|
added bug |
| 2021-08-16 13:14:36 |
Jim Sievert |
summary |
Strongswan in Focal doesn't support TPM 2.0... |
Strongswan in Focal doesn't support TPM 2.0 through TSS2 interface... |
|
| 2021-08-16 13:15:00 |
Jim Sievert |
description |
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is effectively unavailable. |
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface. |
|
| 2021-08-16 13:15:18 |
Jim Sievert |
summary |
Strongswan in Focal doesn't support TPM 2.0 through TSS2 interface... |
Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface... |
|
| 2021-08-17 18:59:10 |
Lucas Kanashiro |
strongswan (Ubuntu): status |
New |
Triaged |
|
| 2021-08-17 18:59:23 |
Lucas Kanashiro |
bug |
|
|
added subscriber Ubuntu Server |
| 2021-08-20 09:12:04 |
Paride Legovini |
bug |
|
|
added subscriber Paride Legovini |
| 2021-08-20 13:08:54 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
| 2021-08-20 14:34:48 |
Paride Legovini |
strongswan (Ubuntu): assignee |
|
Paride Legovini (paride) |
|
| 2021-09-14 16:46:16 |
Paride Legovini |
strongswan (Ubuntu): status |
Triaged |
Incomplete |
|
| 2021-09-15 14:03:10 |
Paride Legovini |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994396 |
|
| 2021-09-15 14:03:10 |
Paride Legovini |
bug task added |
|
strongswan (Debian) |
|
| 2021-09-15 14:03:19 |
Paride Legovini |
strongswan (Ubuntu): status |
Incomplete |
Triaged |
|
| 2021-09-16 11:52:41 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408738 |
|
| 2021-09-16 11:53:51 |
Paride Legovini |
bug |
|
|
added subscriber Ubuntu Release Team |
| 2021-09-16 12:19:25 |
Paride Legovini |
summary |
Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface... |
Strongswan doesn't support TPM 2.0 through the TSS2 interface |
|
| 2021-09-16 19:33:41 |
Launchpad Janitor |
strongswan (Ubuntu): status |
Triaged |
Fix Released |
|
| 2021-09-17 09:54:58 |
Paride Legovini |
description |
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface. |
[Impact]
[Test Case]
We can check that libtpmtss (installed by: libstrongswan-extra-plugins) links against libtss2. For example with the proposed change in Focal we have:
$ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
and similar in Hirsute. Those are not present in the library provided by the package currently in the archive.
A direct verification requires a full IPsec+TPM2 setup to verify that the TPM2 actually work with the proposed package.
[Where problems could occur]
[Development Fix]
Cherry-pick of a Debian packaging commit, so we'll cleanly drop the delta with the next merge from Debian.
[Stable Fix]
Same as the Development Fix (same commit, cherry-picked).
[Original Description]
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface. |
|
| 2021-09-17 09:58:27 |
Paride Legovini |
description |
[Impact]
[Test Case]
We can check that libtpmtss (installed by: libstrongswan-extra-plugins) links against libtss2. For example with the proposed change in Focal we have:
$ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
and similar in Hirsute. Those are not present in the library provided by the package currently in the archive.
A direct verification requires a full IPsec+TPM2 setup to verify that the TPM2 actually work with the proposed package.
[Where problems could occur]
[Development Fix]
Cherry-pick of a Debian packaging commit, so we'll cleanly drop the delta with the next merge from Debian.
[Stable Fix]
Same as the Development Fix (same commit, cherry-picked).
[Original Description]
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface. |
[Impact]
This is actually borderline between a bugfix and a new feature. It's a bugfix because in the libstrongswan-extra-plugins package description we write:
Also included is the libtpmtss library adding support for TPM plugin
(https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
but without a TSS (= TPM Software Stack) implementation the plugin can't do anything useful. OTOH adding tss2 support enables new code sections which were previously disabled, and requires a new dependency, so to some extent this is a new feature.
The "new feature" bits are however confined to a library (libtpmtss.so, provided by libstrongswan-extra-plugins), which is basically useless without also enabling a TSS implementation. I think this may fall under the "we sometimes want to introduce new features" SRU safe case, per:
https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases
[Test Case]
We can check that libtpmtss links against libtss2. For example with the proposed change in Focal we have:
$ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
and similar in Hirsute. Those are not present in the library provided by the package currently in the archive.
A direct verification requires a full IPsec+TPM2 setup to verify that the TPM2 actually work with the proposed package.
[Where problems could occur]
[Development Fix]
Cherry-pick of a Debian packaging commit, so we'll cleanly drop the delta with the next merge from Debian.
[Stable Fix]
Same as the Development Fix (same commit, cherry-picked).
[Original Description]
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface. |
|
| 2021-09-17 10:11:27 |
Paride Legovini |
description |
[Impact]
This is actually borderline between a bugfix and a new feature. It's a bugfix because in the libstrongswan-extra-plugins package description we write:
Also included is the libtpmtss library adding support for TPM plugin
(https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
but without a TSS (= TPM Software Stack) implementation the plugin can't do anything useful. OTOH adding tss2 support enables new code sections which were previously disabled, and requires a new dependency, so to some extent this is a new feature.
The "new feature" bits are however confined to a library (libtpmtss.so, provided by libstrongswan-extra-plugins), which is basically useless without also enabling a TSS implementation. I think this may fall under the "we sometimes want to introduce new features" SRU safe case, per:
https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases
[Test Case]
We can check that libtpmtss links against libtss2. For example with the proposed change in Focal we have:
$ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
and similar in Hirsute. Those are not present in the library provided by the package currently in the archive.
A direct verification requires a full IPsec+TPM2 setup to verify that the TPM2 actually work with the proposed package.
[Where problems could occur]
[Development Fix]
Cherry-pick of a Debian packaging commit, so we'll cleanly drop the delta with the next merge from Debian.
[Stable Fix]
Same as the Development Fix (same commit, cherry-picked).
[Original Description]
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface. |
[Impact]
This is actually borderline between a bugfix and a new feature. It's a bugfix because in the libstrongswan-extra-plugins package description we write:
Also included is the libtpmtss library adding support for TPM plugin
(https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
but without a TSS (= TPM Software Stack) implementation the plugin can't do anything useful. OTOH adding tss2 support enables new code sections which were previously disabled, and requires a new dependency, so to some extent this is a new feature.
The "new feature" bits are however confined to a library (libtpmtss.so, provided by libstrongswan-extra-plugins), which is basically useless without also enabling a TSS implementation. I think this may fall under the "we sometimes want to introduce new features" SRU safe case, per:
https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases
[Test Case]
We can check that libtpmtss links against libtss2. For example with the proposed change in Focal we have:
$ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
and similar in Hirsute. Those are not present in the library provided by the package currently in the archive.
A direct verification requires a full IPsec+TPM2 setup to verify that the TPM2 actually work with the proposed package.
Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan
[Where problems could occur]
Given that libtpmtss is already basically nonfunctional without a TSS implementation, the proposed change can't really break it. However I still can imaging a situation where:
- The TPM plugin is installed but misconfigured, or there are issues with the TPM;
- The issues doesn't really cause any harm, as without a TSS implementation it can't attempt to do any TPM operation.
- The fixed package allows it to do TPM operation, exposing the misconfiguration/issues and possibly braking a working setup.
This is a general, high-level description of a possible issue I can't think of, as I don't really have practical experience with this kind of setup.
[Development Fix]
Cherry-pick of a Debian packaging commit, so we'll cleanly drop the delta with the next merge from Debian.
[Stable Fix]
Same as the Development Fix (same commit, cherry-picked).
[Original Description]
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface. |
|
| 2021-09-17 10:18:15 |
Paride Legovini |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-09-17 10:18:15 |
Paride Legovini |
bug task added |
|
strongswan (Ubuntu Hirsute) |
|
| 2021-09-17 10:18:15 |
Paride Legovini |
nominated for series |
|
Ubuntu Focal |
|
| 2021-09-17 10:18:15 |
Paride Legovini |
bug task added |
|
strongswan (Ubuntu Focal) |
|
| 2021-09-17 10:18:22 |
Paride Legovini |
strongswan (Ubuntu Focal): assignee |
|
Paride Legovini (paride) |
|
| 2021-09-17 10:18:24 |
Paride Legovini |
strongswan (Ubuntu Hirsute): assignee |
|
Paride Legovini (paride) |
|
| 2021-09-17 10:20:01 |
Paride Legovini |
strongswan (Ubuntu Focal): status |
New |
In Progress |
|
| 2021-09-17 10:20:05 |
Paride Legovini |
strongswan (Ubuntu Hirsute): status |
New |
In Progress |
|
| 2021-09-17 11:11:41 |
Paride Legovini |
strongswan (Ubuntu Focal): status |
In Progress |
Incomplete |
|
| 2021-09-17 11:11:44 |
Paride Legovini |
strongswan (Ubuntu Hirsute): status |
In Progress |
Incomplete |
|
| 2021-09-17 11:12:43 |
Paride Legovini |
removed subscriber Ubuntu Release Team |
|
|
|
| 2021-09-17 20:01:05 |
Bug Watch Updater |
strongswan (Debian): status |
Unknown |
New |
|
| 2021-09-21 09:27:46 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408927 |
|
| 2021-09-21 09:28:08 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408928 |
|
| 2021-09-21 09:28:38 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408929 |
|
| 2021-09-21 09:33:19 |
Paride Legovini |
description |
[Impact]
This is actually borderline between a bugfix and a new feature. It's a bugfix because in the libstrongswan-extra-plugins package description we write:
Also included is the libtpmtss library adding support for TPM plugin
(https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
but without a TSS (= TPM Software Stack) implementation the plugin can't do anything useful. OTOH adding tss2 support enables new code sections which were previously disabled, and requires a new dependency, so to some extent this is a new feature.
The "new feature" bits are however confined to a library (libtpmtss.so, provided by libstrongswan-extra-plugins), which is basically useless without also enabling a TSS implementation. I think this may fall under the "we sometimes want to introduce new features" SRU safe case, per:
https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases
[Test Case]
We can check that libtpmtss links against libtss2. For example with the proposed change in Focal we have:
$ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
and similar in Hirsute. Those are not present in the library provided by the package currently in the archive.
A direct verification requires a full IPsec+TPM2 setup to verify that the TPM2 actually work with the proposed package.
Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan
[Where problems could occur]
Given that libtpmtss is already basically nonfunctional without a TSS implementation, the proposed change can't really break it. However I still can imaging a situation where:
- The TPM plugin is installed but misconfigured, or there are issues with the TPM;
- The issues doesn't really cause any harm, as without a TSS implementation it can't attempt to do any TPM operation.
- The fixed package allows it to do TPM operation, exposing the misconfiguration/issues and possibly braking a working setup.
This is a general, high-level description of a possible issue I can't think of, as I don't really have practical experience with this kind of setup.
[Development Fix]
Cherry-pick of a Debian packaging commit, so we'll cleanly drop the delta with the next merge from Debian.
[Stable Fix]
Same as the Development Fix (same commit, cherry-picked).
[Original Description]
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface. |
[Impact]
This is actually borderline between a bugfix and a new feature. It's a bugfix because in the libstrongswan-extra-plugins package description we write:
Also included is the libtpmtss library adding support for TPM plugin
(https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
but without a TSS (= TPM Software Stack) implementation the plugin can't do anything useful. OTOH adding tss2 support enables new code sections which were previously disabled, and requires a new dependency, so to some extent this is a new feature.
The "new feature" bits are however confined to a library (libtpmtss.so, provided by libstrongswan-extra-plugins), which is basically useless without also enabling a TSS implementation. I think this may fall under the "we sometimes want to introduce new features" SRU safe case, per:
https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases
[Test Case]
We can check that libtpmtss links against libtss2. For example with the proposed change in Focal we have:
$ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0
and similar in Hirsute. Those are not present in the library provided by the package currently in the archive.
A direct verification requires a full IPsec+TPM2 setup to verify that the TPM2 actually work with the proposed package.
Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan
[Where problems could occur]
Given that libtpmtss is already basically nonfunctional without a TSS implementation, the proposed change can't really break it. However I still can imaging a situation where:
- The TPM plugin is installed but misconfigured, or there are issues with the TPM;
- The issues doesn't really cause any harm, as without a TSS implementation it can't attempt to do any TPM operation;
- The fixed package allows it to do TPM operation, exposing the misconfiguration/issues and possibly braking a working setup.
[Development Fix]
Cherry-pick of a Debian packaging commit, so we'll cleanly drop the delta with the next merge from Debian.
[Stable Fix]
Same as the Development Fix (same commit, cherry-picked).
[Original Description]
The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface. |
|
| 2021-09-21 10:17:07 |
Paride Legovini |
strongswan (Ubuntu Focal): status |
Incomplete |
In Progress |
|
| 2021-09-21 10:17:10 |
Paride Legovini |
strongswan (Ubuntu Hirsute): status |
Incomplete |
In Progress |
|
| 2021-09-29 04:09:00 |
Chris Halse Rogers |
strongswan (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-09-29 04:09:03 |
Chris Halse Rogers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2021-09-29 04:09:06 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
| 2021-09-29 04:09:12 |
Chris Halse Rogers |
tags |
|
verification-needed verification-needed-focal |
|
| 2021-09-29 04:20:39 |
Chris Halse Rogers |
strongswan (Ubuntu Hirsute): status |
In Progress |
Fix Committed |
|
| 2021-09-29 04:20:50 |
Chris Halse Rogers |
tags |
verification-needed verification-needed-focal |
verification-needed verification-needed-focal verification-needed-hirsute |
|
| 2021-09-29 13:18:15 |
Paride Legovini |
tags |
verification-needed verification-needed-focal verification-needed-hirsute |
verification-done-focal verification-needed verification-needed-hirsute |
|
| 2021-09-29 13:41:28 |
Paride Legovini |
tags |
verification-done-focal verification-needed verification-needed-hirsute |
verification-done verification-done-focal verification-done-hirsute |
|
| 2021-10-06 16:21:03 |
Launchpad Janitor |
strongswan (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-10-06 16:21:11 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2021-10-06 16:21:33 |
Launchpad Janitor |
strongswan (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
| 2021-10-21 22:40:56 |
Bug Watch Updater |
strongswan (Debian): status |
New |
Fix Released |
|
