[MIR] tpm2-tss

Bug #1841595 reported by Mario Limonciello
Affects: tpm2-tss (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned; Milestone: none listed

Bug Description

[Availability]
Available in Ubuntu universe and Debian unstable, builds for all architectures Ubuntu supports.

The binaries requested to move to main are libtss2-esys0 and libtss2-udev.

[Rationale]
An upcoming fwupd release (1.3.1) will be dropping support for using tpm2-tools/tpm2-abrmd and instead will rely upon tpm2-tss. Previously the tpm2-abrmd and tpm2-tools packages were Recommends that were dropped when merging with Debian. They could be optionally used.
TPM support is no longer optional, and the libtss2-dev package is now a required dependency to build fwupd with UEFI support.
https://github.com/fwupd/fwupd/commit/1b5f1da2028189d5f743ea7e6ea5c45ebc09e4b8
The libtss2-esys0 is a required runtime dependency for fwupd.
libtss2-udev is a dependency of libtss2-esys0.

[Security]
No CVEs, no binaries.

[Quality assurance]
No configuration
No debconf questions
Long outstanding bugs in Debian:
Need to avoid conflict with TPM1.2 udev rules package (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918973)
Deals with mainstream tpm2 hardware
Includes watch file
Doesn't rely upon obsolete packages

[UI Standards]
N/A

[Dependencies]
libc6
libgcrypt20
adduser

[Standards compliance]
Just needs to rev up one more version of debian policy.
No major policy violations.
Packaging is straightforward

[Maintenance]
Propose owning team to foundations, but should generally just sync from Debian.


description: updated
Christian Ehrhardt (paelzer) wrote:

"It's no longer an optional support, but a required dependency to build fwupd now.
https://github.com/fwupd/fwupd/commit/1b5f1da2028189d5f743ea7e6ea5c45ebc09e4b8"

Most likely, but did you check if it also ends up as a runtime dependency?
Because if it is not then no MIR would be needed.
If it does add a runtime dependency, please update the bug to state so.

Furthermore the report is a bit "light" on content.
I'd appreciate it (and I expect all fellow MIR reviewers would as well) if you could add some more.
I usually use this template: https://git.launchpad.net/~paelzer/+git/MIR/tree/MIR-template-file.txt which is based on the entries in the Wiki.
And the most important part is not to remove all entries that do not apply, but to state that they don't apply. That way a reviewer has much more info, e.g. the empty entry on [Dependencies] above, does this mean it has none, does it mean you'll add them later, ...

Changed in tpm2-tss (Ubuntu):
status: New → Incomplete
Christian Ehrhardt (paelzer) wrote:

Finally since we are in Eoan FF, this is for 20.04 right, or is this super-urgent?

Mario Limonciello (superm1) wrote:

@Christian,

Thanks for your notes. I will review that template and add more detail where I can and update the status back to New when I'm done.

As for the timing on this; it is for FF. My experience with MIR in the past was them taking a while so I wanted to make sure I got this in early so there was plenty of time to land it in FF as fwupd 1.3.x will go into FF.

description: updated
Changed in tpm2-tss (Ubuntu):
status: Incomplete → New
description: updated
Christian Ehrhardt (paelzer) wrote:

[Summary]
It looks rather good in general, but there are a few things that should be
improved/resolved before promoting this:
- the package needs a bug subscribing Team
- please update to 2.1.4 or 2.3.1 before we promote it
  - also ensure that it will be updated regularly in the future
- please add proper symbols tracking via a .symbols file
- please help to resolve Debian bug 918973
- in any case the package needs a security review
  - we can add you to the security review queue now, but for the MIR ack
    please resolve the above

[Duplication]
OK:
Upstream switched from the optional universe tools tpm2-abrmd/tpm2-tools to the
hard dependency to this package.
From just the description it seems similar to IBM TSS2
(http://ibmswtpm.sourceforge.net/ibmtss2.html).
But on one hand that is not in Main either and it seems that tpm2-tss is what
upstream projects select.
There are a few reverse deps to tpm2-tss but none to the IBM TSS2 atm.
The projects seem to know and coexist e.g. IBM-TSS2 simulator is used to test
tpm2-tss.
The short answer to this is, that there is no other equivalent functionality
in main yet.

[Embedded sources and static linking]
OK:
- no embedded libraries
- no static linking
- no go code

[Security]
OK:
- no past CVEs in tpm2-tss itself but e.g. CVE-2017-7524 in related tools
- runs no daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam), etc.

Reasons to consider it security critical:
- it doesn't parse "data formats" but data on API calls which is the same
- it doesn't really process arbitrary web content - but the scope in which
  this came up is fwupd which means it will be part of processing content
  (for updates). And since that content is downloaded it is to some extent
  processing web content.
- while it doesn't deal with system auth with more FIDO2 coming up and the
  TPM being the core of that it might still be important.
- Furthermore the whole purpose of this lib is to deal with the TPM which is
  by default security relevant.

[Common blockers]
- builds fine currently (no FTBFS)
- unit tests are present which run at build time
- code isn't translatable, but also not end user facing
- no python code, so no special checks for that

Need to be resolved:
- no bug subscriber yet

[Packaging red flags]
OK:
- no Ubuntu delta
- debian/watch is present
- current maintainers are not MOTUs
- no massive Lintian warnings
- d/rules is small and clean
- d/control has no Built-Using
- does not use golang
- all sub-dependencies are in main libc6, libgcrypt20 and adduser

Should be resolved:
- updates are not slow or sporadic, but the package is on an old version
- the current release is not packaged:
  packaged is 2.1.0 of October 2018,
  the most recent is 2.3.1 of August 2019,
  or at least 2.1.4 of May 28 (stable fixes for 2.1)
- it's a library, but lacks symbol tracking

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (that I'd have seen)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (only in Dock...


Changed in tpm2-tss (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
assignee: Christian Ehrhardt  (paelzer) → nobody
status: New → Incomplete
Christian Ehrhardt (paelzer) wrote:

And finally, you said the deadline is Feature Freeze, I hope/expect you meant that of Ubuntu 20.04 as the one for 19.10 already passed and given the todos I identified seems out of reach even for a feature freeze exception :-)

Alex Murray (alexmurray) wrote:

@ebarretto from ~ubuntu-security previously reviewed tpm2-tss internally - so am pasting that review here for completeness:

I've reviewed tpm2-tss 2.1.0-4 as checked into disco.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

tpm2-tss is TCG's (Trusted Computing Group) implementation of the TPM2 Software
Stack (TSS2).

    No CVE history
    Build-Depends:
        autoconf
        autoconf-archive
        debhelper
        docbook-xsl
        libcmocka-dev
        libgcrypt20-dev
        libtool
        pkg-config
        xsltproc

    postinst file on libtss2-udev_2.1.0-4_iall/DEBIAN/postinst
    No post/pre rm for libtss2-udev
    No postinst and post/pre rm for libtss2-dev and libtss2-esys0

    No init scripts
    No systemd services
    No DBus services
    No setuid
    No binaries in PATH
    No sudo fragments

    Udev rule in libtss2-udev:

    # tpm devices can only be accessed by the tss user but the tss
    # group members can access tpmrm devices
    KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss"
    KERNEL=="tpmrm[0-9]*", MODE="0660", OWNER="tss", GROUP="tss"

    Test suite under test/. vTPM needed to run it, shouldn't be run against an
    actual TPM.
    test/unit/ - run during build
    test/helper, test/integration and test/tpmclient also available.

    No cron jobs

    Some warnings but nothing to worry about

    dpkg-scanpackages: warning: Packages in archive but missing from override file:
    dpkg-scanpackages: warning: sbuild-build-depends-core-dummy
    dpkg-scanpackages: warning: Packages in archive but missing from override file:
    dpkg-scanpackages: warning: sbuild-build-depends-core-dummy sbuild-build-depends-tpm2-tss-dummy
    dpkg-source: warning: extracting unsigned source package (tpm2-tss_2.1.0-4.dsc)
    Makefile-test.am:66: warning: variable 'ESYSCRY_LDFLAGS' is defined but no program or
    configure: WARNING: unrecognized options: --disable-maintainer-mode
    configure: WARNING: doxygen not found - will not generate any doxygen documentation
    configure: WARNING: unrecognized options: --disable-maintainer-mode
    debian/resourcemgr.xml:62: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"
    debian/tpmclient.xml:62: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"
    debian/tpmtest.xml:62: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"
    # ERROR: 0
    libtool: warning: relinking 'src/tss2-tcti/libtss2-tcti-device.la'
    libtool: warning: relinking 'src/tss2-tcti/libtss2-tcti-mssim.la'
    libtool: warning: relinking 'src/tss2-sys/libtss2-sys.la'
    libtool: warning: relinking 'src/tss2-esys/libtss2-esys.la'
    libtool: warning: remember to run 'libtool --finish /usr/lib/x86_64-linux-gnu'
    dpkg-gencontrol: warning: Depends field of package libtss2-dev: substitution variable ${shlibs:Depends} used, but is not defined
    dpkg-scanpackages: warning: Packages in archive but missing from override file:
    dpkg-scanpackages: warning: sbuild-build-depends-core-dummy sbuild-build-depends-lintian-dummy sbuild-build-...

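The udev rule quoted in the security review above is the permission boundary that every caller of libtss2 inherits: the raw tpm node is reachable only by the tss user, while the kernel resource manager node (tpmrm) is opened to the tss group. The script below is an added example, not code from the review, the bug report or the tpm2-tss package. It parses that rule fragment with a small matcher for the KERNEL/MODE/OWNER/GROUP subset of udev syntax, resolves the resulting ownership for constructed kernel names the way udev does (rules evaluated in order, later assignments override earlier ones), and audits a constructed set of observed device permissions against the result. The 0600 root:root baseline for untouched nodes and the observed stat values are assumptions for the demonstration, not data from the page.

```python
"""Evaluate the libtss2-udev rules for device names and audit observed permissions.

Added example for this MIR thread; the rule text is the fragment quoted in the
security review, everything else (defaults, observed values) is constructed.
"""
import fnmatch
import re

# The two rules quoted in the review (comment lines included; the parser skips them).
UDEV_RULES = """
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", MODE="0660", OWNER="tss", GROUP="tss"
"""

# Assumed baseline for a node no rule touches (udev leaves devtmpfs' 0600 root:root alone).
DEFAULT_NODE = {"MODE": "0600", "OWNER": "root", "GROUP": "root"}

# One token: KEY=="pattern" (comparison) or KEY="value" (assignment), optional trailing comma.
TOKEN = re.compile(r'\s*([A-Z]+)\s*(==|=)\s*"([^"]*)"\s*,?')


def parse_rules(text):
    """Return a list of (matches, assignments) pairs, one per non-comment rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        matches, assigns = {}, {}
        pos = 0
        while pos < len(line):
            m = TOKEN.match(line, pos)
            if m is None:
                raise ValueError(f"unparsable udev rule fragment: {line[pos:]!r}")
            key, op, value = m.groups()
            (matches if op == "==" else assigns)[key] = value
            pos = m.end()
        rules.append((matches, assigns))
    return rules


def apply_rules(rules, kernel_name):
    """Resolve MODE/OWNER/GROUP for a kernel device name (only KERNEL matches are supported).

    Mirrors udev's handling of these keys: rules run in file order and a later
    matching rule's assignment overrides an earlier one, so tpmrm0 keeps GROUP=tss
    while tpm0, matched only by the first rule, keeps the baseline group.
    """
    node = dict(DEFAULT_NODE)
    for matches, assigns in rules:
        if "KERNEL" in matches and fnmatch.fnmatchcase(kernel_name, matches["KERNEL"]):
            node.update(assigns)
    return node


def audit_nodes(rules, observed):
    """Compare observed (mode, owner, group) per kernel name against the rule set.

    `observed` holds what `stat -c '%a %U %G' /dev/<name>` would print; the
    return value is one finding string per mismatch (empty list means compliant).
    """
    findings = []
    for name, (mode, owner, group) in sorted(observed.items()):
        expected = apply_rules(rules, name)
        if int(mode, 8) != int(expected["MODE"], 8):
            findings.append(f"/dev/{name}: mode {mode} but rules expect {expected['MODE']}")
        if owner != expected["OWNER"]:
            findings.append(f"/dev/{name}: owner {owner} but rules expect {expected['OWNER']}")
        if group != expected["GROUP"]:
            findings.append(f"/dev/{name}: group {group} but rules expect {expected['GROUP']}")
    return findings


# Constructed stat output for a host where tpmrm0 was made world-accessible by hand.
OBSERVED = {
    "tpm0": ("660", "tss", "root"),
    "tpmrm0": ("666", "tss", "tss"),
}

if __name__ == "__main__":
    rules = parse_rules(UDEV_RULES)
    for name in ("tpm0", "tpmrm0", "sda"):
        print(name, apply_rules(rules, name))
    for finding in audit_nodes(rules, OBSERVED):
        print("FINDING:", finding)
```

The matcher deliberately understands only the keys that appear in the quoted fragment; a full udev rule file can match on SUBSYSTEM, ATTR and many others, so the script is a way to reason about this package's rule and check an installed host against it, not a general udev evaluator.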

Mario Limonciello (superm1) wrote:

Christian,

FF, I realize, was confusing. I meant the FF release, not feature freeze. Sorry!

Christian Ehrhardt (paelzer) wrote:

Perfect Mario, the timing for FF-release should be good :-)
Thanks for the clarification.

And it seems on the security review you had a shortcut since this was already reviewed internally.
That leaves just the open points that I asked for on the MIR review.
Do you know if you can work on resolving these to make 20.04?

P.S. Per [1] I'll set the bug to incomplete reflecting that we wait on packaging changes to be in place.

[1]: https://wiki.ubuntu.com/MIRTeam#Process_states

Changed in tpm2-tss (Ubuntu):
assignee: nobody → Mario Limonciello (superm1)
Mario Limonciello (superm1) wrote:

I would suspect that's no problem, but @cyphermox is actually maintainer in Debian, so I think he should comment if those are doable :)

Mathieu Trudel-Lapierre (cyphermox) wrote:

Yes, those probably should be addressed. I don't necessarily do all the work on these packages though; but I might have time next week to look at them, and prepare a proper new release (with the testing that should go with). Mario, let's see if we can block out just a bit of time to do this?

Mario Limonciello (superm1) wrote:

Sure, if you stage something in a PPA or so I can do some tests.

Mario Limonciello (superm1) wrote:

@cyphermox,

Ping on this? fwupd 1.3.2 will sync to Ubuntu during focal cycle and this MIR will become more important.

Changed in tpm2-tss (Ubuntu):
assignee: Mario Limonciello (superm1) → Mathieu Trudel-Lapierre (cyphermox)
Mario Limonciello (superm1) wrote:

fwupd 1.3.2-5 is in focal proposed now and won't be able to migrate until this MIR is finished.

CC @paulliu

I know that you had an ITP bug filed (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940807) for tpm-udev for fixing https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918973.
Can you please upload https://salsa.debian.org/debian/tpm-udev to finish it up?

This MIR is blocked on that.

Mario Limonciello (superm1) wrote:

It appears tpm-udev was now accepted into unstable.

https://tracker.debian.org/pkg/tpm-udev

Mario Limonciello (superm1) wrote:

As of tpm2-tss 2.3.1-2 all reported issues above should be resolved.

Changed in tpm2-tss (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → Christian Ehrhardt  (paelzer)
status: Incomplete → Confirmed
Sebastien Bacher (seb128) wrote:

Brian subscribed the foundations-bugs team now

Christian Ehrhardt (paelzer) wrote:

Former list of things that should be improved/resolved before promoting this:
- the package needs a bug subscribing Team
  => I checked foundations-bugs is subscribed as mentioned, thanks
- please update to 2.1.4 or 2.3.1 before we promote it
  => we have 2.3.1-2, thanks! although it is only in -proposed for now
  => you have a s390x FTBFS left to fix I guess
  - also ensure that it will be updated regularly in the future
    => well this part we can't check in advance :-)
- please add proper symbols tracking via a .symbols file
  => done, thanks
- please help to resolve Debian bug 918973
  => done and extra fixes in tpm-udev, great
- in any case the package needs a security review
  => was done before as agreed

Yeah, aside from the surely known s390x build issue (the upload is just one day old and I guess you are aware) this LGTM now.

=> MIR Team ack.

Note: The AAs might want to see this build error fixed before promoting I guess.

Thanks to everyone for all the cleanups to make this a good main package!

P.S. it already wants to be pulled in by fwupd, so per [1] the right state is fix committed for now.

[1]: https://wiki.ubuntu.com/MIRTeam#Process_states

Changed in tpm2-tss (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → nobody
status: Confirmed → In Progress
Christian Ehrhardt (paelzer) wrote:

FYI: They usually spot it in component mismatches, but once the build errors are resolved you could subscribe archive-admins here.

Mario Limonciello (superm1) wrote:

> Note: The AAs might want to see this build error fixed before promoting I guess.

The s390x build error solution is waiting to be merged upstream (https://github.com/tpm2-software/tpm2-tss/pull/1549) and then will be included.

Mario Limonciello (superm1) wrote:

s390x build problem is fixed and the new version migrated from proposed into release pocket.

Christian Ehrhardt (paelzer) wrote:

Thanks for the update Mario,
so this should now be as ready as it can be for an AA to promote it, I guess.

Sebastien Bacher (seb128) wrote:

libtss2-esys0 promoted now

Changed in tpm2-tss (Ubuntu):
status: In Progress → Fix Released
Christian Ehrhardt (paelzer) wrote:

FYI related bug 1852347 approved as well
