Comment 6 for bug 1940079

Tobias Brunner (tobias-strongswan) wrote: Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

> The stable Ubuntu releases are "feature frozen", which means that it is unlikely TSS2 will be enabled in Focal (exceptions are possible, but a very compelling reason is needed).

Is it a new feature, though? Couldn't it be considered a necessary fix to actually make the already shipped tpm plugin (and the tpm_extendpcr command) functional?

> Did TSS2 work before with Ubuntu's strongswan package? (I doubt so, as additional build-deps are needed, admittedly I'm not very familiar with the package.)

As you say, it requires an additional dependency. However, while strongSwan supports tpm2-tss 1.x, the version shipped in Ubuntu bionic was too old. So before a 2.x version was included, it couldn't have worked (looks like Debian didn't include tpm2-tss at all before 2.1.0 was shipped with buster).

Support for TPM 2.0 was added with strongSwan 5.5.0, based on tpm2-tss 1.x (> 1.0). The tpm plugin was originally released with strongSwan 5.5.2. In Debian, the plugin was not enabled until 5.6.1, packaged for testing before the buster release. Unfortunately, there was no configure check that enforced enabling tss-tss2 (I've added one now), which would have failed back then as support for tpm2-tss 2.x was only added with 5.7.0. However, Debian buster eventually included strongSwan 5.7.2 and, as mentioned above, tpm2-tss 2.1.0, so that would have worked. But since the plugin was already enabled successfully months before, nobody apparently considered enabling tss-tss2, even if the plugin was non-functional. So it took nearly 4 years since the plugin was first enabled for somebody to actually try to use it and fail.
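The comment above describes a tpm plugin that is shipped but was built without tpm2-tss, so it cannot talk to a TPM 2.0. A quick way for an administrator to tell which case a packaged build is in, without reading the distribution's build rules, is to look at which shared libraries the plugin links: a build configured with tss-tss2 depends on the libtss2 libraries, a build without it does not. The script below is an added example, not code from this bug report or from the strongSwan project. It assumes the Debian/Ubuntu plugin path /usr/lib/ipsec/plugins/libstrongswan-tpm.so (overridable by argument) and the libtss2-* library naming used by the tpm2-tss project; the ldd output embedded at the end is constructed for testing, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the bug report or the strongSwan project): decide whether an
# installed strongSwan tpm plugin was built against tpm2-tss (TSS2) by inspecting the
# shared libraries it links. A plugin configured without tss-tss2 links no libtss2-*
# library and cannot reach a TPM 2.0, which is the failure the report describes.

# Read `ldd` output on stdin; exit 0 if any libtss2-* library is among the dependencies.
# tpm2-tss ships libtss2-esys, libtss2-sys, libtss2-tctildr and others; which of them a
# given plugin build links depends on the tpm2-tss version, so match on the common prefix.
links_tss2() {
    grep -q 'libtss2-'
}

# Check a plugin file. The default path is an assumption about where Debian/Ubuntu
# install strongSwan plugins; pass another path as the first argument if needed.
# Returns 0 = TSS2 support present, 1 = built without TSS2, 2 = plugin not installed.
tpm_plugin_has_tss2() {
    plugin="${1:-/usr/lib/ipsec/plugins/libstrongswan-tpm.so}"
    if [ ! -f "$plugin" ]; then
        echo "tpm plugin not installed at $plugin" >&2
        return 2
    fi
    if ldd "$plugin" | links_tss2; then
        echo "$plugin: linked against tpm2-tss, TSS2 support enabled"
        return 0
    fi
    echo "$plugin: no libtss2 dependency, plugin built without TSS2 support" >&2
    return 1
}

# Constructed sample ldd output for a plugin built with TSS2 (addresses are made up).
SAMPLE_WITH_TSS2='linux-vdso.so.1 (0x00007ffd10000000)
libtss2-esys.so.0 => /lib/x86_64-linux-gnu/libtss2-esys.so.0 (0x00007f2a00000000)
libstrongswan.so.0 => /usr/lib/ipsec/libstrongswan.so.0 (0x00007f2a00100000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a00200000)'

# Constructed sample ldd output for a plugin built without TSS2.
SAMPLE_WITHOUT_TSS2='linux-vdso.so.1 (0x00007ffd10000000)
libstrongswan.so.0 => /usr/lib/ipsec/libstrongswan.so.0 (0x00007f2a00100000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a00200000)'

# Usage on a real host: tpm_plugin_has_tss2 [/path/to/libstrongswan-tpm.so]
```

Run `tpm_plugin_has_tss2` on the host in question; an exit status of 1 means the package reproduces the situation in this report (plugin present, TSS2 absent), while 0 means the build was configured with tss-tss2 and a failure to use the TPM has to be looked for elsewhere, for example in the TCTI configuration or device permissions.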