Comment 5 for bug 1983160

Ivan Kapelyukhin (ikapelyukhin) wrote :

@racb, /usr/local does apply: the libtpm2-pkcs11 package is available only for Jammy. On Focal, users are building it from source. The bug was fixed in libtss2-esys0, which is being installed from the package.

Here's the revised test plan:

1. Create an instance with vTPM:

gcloud compute instances create ivan-test \
--machine-type "n2d-standard-2" \
--zone "europe-west1-d" \
--maintenance-policy=TERMINATE \
--image-project=ubuntu-os-pro-cloud \
--image-family=ubuntu-pro-2004-lts \
--service-account GCE_SERVICE_ACCOUNT \
--shielded-integrity-monitoring \
--shielded-secure-boot

2. [Optionally, depending on what we are testing] Enable FIPS:

sudo ua auto-attach
sudo ua enable fips
sudo reboot

3. Build `tpm2-pkcs11` from source:

sudo apt-get update
sudo apt install -y \
    build-essential git \
    autoconf automake doxygen libtool \
    libcurl4-openssl-dev libdbus-1-dev libgcrypt-dev \
    libglib2.0-dev libjson-c-dev libsqlite3-dev libssl-dev \
    python3-cryptography python3-pyasn1-modules python3-yaml \
    uuid-dev libyaml-dev tpm2-tools libtss2-dev

mkdir -p ~/src
cd ~/src

wget https://github.com/autoconf-archive/autoconf-archive/archive/v2019.01.06.tar.gz
wget https://github.com/tpm2-software/tpm2-pkcs11/releases/download/1.7.0/tpm2-pkcs11-1.7.0.tar.gz

tar xf v2019.01.06.tar.gz
tar xf tpm2-pkcs11-1.7.0.tar.gz

cd ~/src/tpm2-pkcs11-1.7.0/tools
sudo python3 setup.py install

cp -R ~/src/autoconf-archive-2019.01.06/m4 ~/src/tpm2-pkcs11-1.7.0/
cd ~/src/tpm2-pkcs11-1.7.0/
./configure
make "-j$(nproc)"
sudo make install

4. Set up the SSH key with `libtpm2_pkcs11`:

# members of the tss group may open the TPM resource manager device;
# re-login so the new group membership takes effect in this shell
sudo usermod -a -G tss $USER
exec sudo su -l $USER
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=MySecretPassword --sopin=MyRecoveryPassword
tpm2_ptool addkey --label=ssh --userpin=MySecretPassword --algorithm=rsa2048
ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so 2>/dev/null | sudo tee -a /root/.ssh/authorized_keys

5. Try to use it:

ssh -I /usr/local/lib/libtpm2_pkcs11.so root@localhost

6. Enable proposed repos:

sudo tee "/etc/apt/sources.list.d/proposed.list" <<EOF
deb http://archive.ubuntu.com/ubuntu focal-proposed main restricted universe
EOF

sudo apt-get update
sudo apt-get install libtss2-esys0

7. Try to use the SSH key again:

ssh -I /usr/local/lib/libtpm2_pkcs11.so root@localhost
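The test plan above compares the behaviour of step 5 and step 7 by eye. The script below is an added verification helper (it is not part of this bug report, of the Ubuntu packages, or of the tpm2-pkcs11 project) that records which libtss2-esys0 is installed and where it came from, confirms the module still enumerates the token's key, checks that key is actually in root's authorized_keys, and then attempts a login with password authentication disabled so that a success can only come from the TPM-backed key. The module path, token label, target (`root@localhost`) and the script name `verify_tpm_ssh.sh` are assumptions taken from the plan; the PIN is still answered on the terminal.

```shell
#!/bin/sh
# verify_tpm_ssh.sh: added verification helper for the test plan above.
# Not part of the bug report or of the tpm2-pkcs11 project. Assumes the
# module path and target used in the plan; run it from a terminal so the
# PKCS#11 PIN prompt can be answered.
set -u

PKCS11_MODULE="${PKCS11_MODULE:-/usr/local/lib/libtpm2_pkcs11.so}"
AUTH_KEYS="${AUTH_KEYS:-/root/.ssh/authorized_keys}"
TARGET="${TARGET:-root@localhost}"

# Return 0 if the public key line KEY (type and base64 blob; any trailing
# comment is ignored) appears as a plain entry in FILE ("-" reads stdin).
# Entries prefixed with authorized_keys options (command="...", from="...")
# are deliberately not matched, so a hit means an unrestricted entry exists.
authorized_keys_has_key() {
    key="$1"; file="$2"
    set -- $key
    [ $# -ge 2 ] || return 2
    awk -v t="$1" -v b="$2" \
        '$1 == t && $2 == b { found = 1 } END { exit found ? 0 : 1 }' "$file"
}

# Map an ssh exit status to a verdict: 0 means the key authenticated and the
# remote command ran; 255 is ssh's own failure code (including a provider
# that could not be loaded followed by "Permission denied"); anything else
# is the exit status of the remote command.
ssh_verdict() {
    case "$1" in
        0)   echo PASS ;;
        255) echo FAIL ;;
        *)   echo "REMOTE_EXIT_$1" ;;
    esac
}

# Attempt a login that can only succeed via the PKCS#11 key.
try_tpm_login() {
    ssh -I "$PKCS11_MODULE" \
        -o PreferredAuthentications=publickey \
        -o PasswordAuthentication=no \
        -o StrictHostKeyChecking=accept-new \
        "$TARGET" true
    ssh_verdict "$?"
}

run_checks() {
    echo "libtss2-esys0 version: $(dpkg-query -W -f='${Version}' libtss2-esys0 2>/dev/null || echo 'not installed')"
    echo "libtss2-esys0 origin (Installed/Candidate/Version table):"
    apt-cache policy libtss2-esys0 | sed -n '2,4p'

    # The module must still be able to enumerate the token's key at all.
    pub=$(ssh-keygen -D "$PKCS11_MODULE" 2>/dev/null | head -n 1)
    if [ -z "$pub" ]; then
        echo "FAIL: ssh-keygen -D returned no keys from $PKCS11_MODULE"
        return 1
    fi
    echo "token key: $pub"

    # Root's authorized_keys is root-owned, so read it through sudo.
    if sudo cat "$AUTH_KEYS" | authorized_keys_has_key "$pub" -; then
        echo "authorized_keys: key present"
    else
        echo "FAIL: key from $PKCS11_MODULE is not in $AUTH_KEYS"
        return 1
    fi

    echo "ssh via $PKCS11_MODULE: $(try_tpm_login)"
}

# Run the live checks only when executed as this script, so the helper
# functions can also be sourced and exercised on a host without a TPM.
case "$0" in
    */verify_tpm_ssh.sh|verify_tpm_ssh.sh) run_checks ;;
esac
```

Run it once after step 5 (expect FAIL on an affected Focal image) and again after step 7 (expect PASS), and keep the two printed libtss2-esys0 versions as the evidence that the only thing that changed between the runs was the package from focal-proposed.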