@racb, /usr/local does apply: the libtpm2-pkcs11 package is available only for Jammy. On Focal, users are building it from source. The bug was fixed in libtss2-esys0, which is being installed from the package.

Here's the revised test plan:

1. Create an instance with vTPM:

gcloud compute instances create ivan-test \
  --machine-type "n2d-standard-2" \
  --zone "europe-west1-d" \
  --maintenance-policy=TERMINATE \
  --image-project=ubuntu-os-pro-cloud \
  --image-family=ubuntu-pro-2004-lts \
  --service-account GCE_SERVICE_ACCOUNT \
  --shielded-integrity-monitoring \
  --shielded-secure-boot

2. [Optionally, depending on what we are testing] Enable FIPS:

sudo ua auto-attach
sudo ua enable fips
sudo reboot

3. Build `tpm2-pkcs11` from source:

sudo apt-get update
sudo apt install -y \
  build-essential git \
  autoconf automake doxygen libtool \
  libcurl4-openssl-dev libdbus-1-dev libgcrypt-dev \
  libglib2.0-dev libjson-c-dev libsqlite3-dev libssl-dev \
  python3-cryptography python3-pyasn1-modules python3-yaml \
  uuid-dev libyaml-dev tpm2-tools libtss2-dev

mkdir -p ~/src
cd ~/src
wget https://github.com/autoconf-archive/autoconf-archive/archive/v2019.01.06.tar.gz
wget https://github.com/tpm2-software/tpm2-pkcs11/releases/download/1.7.0/tpm2-pkcs11-1.7.0.tar.gz
tar xf v2019.01.06.tar.gz
tar xf tpm2-pkcs11-1.7.0.tar.gz

cd ~/src/tpm2-pkcs11-1.7.0/tools
sudo python3 setup.py install

cp -R ~/src/autoconf-archive-2019.01.06/m4 ~/src/tpm2-pkcs11-1.7.0/
cd ~/src/tpm2-pkcs11-1.7.0/
./configure
make "-j$(nproc)"
sudo make install

4. Set up the SSH key with `libtpm2_pkcs11`:

sudo usermod -a -G tss $USER
exec sudo su -l $USER
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=MySecretPassword --sopin=MyRecoveryPassword
tpm2_ptool addkey --label=ssh --userpin=MySecretPassword --algorithm=rsa2048
ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so 2>/dev/null | sudo tee -a /root/.ssh/authorized_keys

5. Try to use it:

ssh -I /usr/local/lib/libtpm2_pkcs11.so root@localhost

6. Enable proposed repos:

sudo tee "/etc/apt/sources.list.d/proposed.list" <<EOF
deb http://archive.ubuntu.com/ubuntu focal-proposed main restricted universe
EOF
sudo apt-get update
sudo apt-get install libtss2-esys0

7. Try to use the SSH key again:
ssh -I /usr/local/lib/libtpm2_pkcs11.so root@localhost
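A sanity-check script for steps 4 to 7 above, added here as an example and not part of the test plan or the tpm2-pkcs11 project: it confirms the preconditions that make step 7 a meaningful verification (tss group membership, the module at the /usr/local path the build step installs to, a key returned by the module that is also in root's authorized_keys, and libtss2-esys0 actually installed from focal-proposed rather than from the release pocket). The `apt-cache policy` sample is constructed, with made-up version strings.

```shell
#!/bin/sh
# Example check script (added; not from the bug report). Assumes the module
# path and package name used in the test plan above.
MODULE=/usr/local/lib/libtpm2_pkcs11.so
PKG=libtss2-esys0

# Succeed (exit 0) when the Installed: version in 'apt-cache policy' output
# read from stdin is the version that the given pocket (e.g. focal-proposed)
# provides. Guards against testing step 7 against the unfixed release build.
installed_from_pocket() {
    awk -v pocket="$1" '
        /^ *Installed:/           { inst = $2 }          # installed version
        /^ *\*\*\* /              { ver = $2 }           # version line, installed
        /^     [^ ]/              { ver = $1 }           # version line, other
        index($0, " " pocket "/") { if (ver != "") pv = ver }  # source for ver
        END { exit !(inst != "" && inst != "(none)" && inst == pv) }
    '
}

# Runtime checks for the instance itself; they need the TPM, the built module
# and sudo, so they only run when RUN_TPM_CHECKS=1 is set.
verify_setup() {
    id -nG | grep -qw tss      || { echo "user is not in the tss group" >&2; return 1; }
    [ -f "$MODULE" ]           || { echo "module missing: $MODULE" >&2; return 1; }
    key=$(ssh-keygen -D "$MODULE" 2>/dev/null | head -n 1)
    [ -n "$key" ]              || { echo "module returned no key" >&2; return 1; }
    # Compare the base64 key blob (field 2) against root's authorized_keys.
    sudo grep -qF "$(printf '%s' "$key" | cut -d' ' -f2)" /root/.ssh/authorized_keys \
        || { echo "module key is not in /root/.ssh/authorized_keys" >&2; return 1; }
    apt-cache policy "$PKG" | installed_from_pocket focal-proposed \
        || { echo "$PKG is not installed from focal-proposed" >&2; return 1; }
    echo "ok: $key"
}

# Constructed sample of 'apt-cache policy libtss2-esys0' output; versions are
# placeholders, not real package versions.
SAMPLE_POLICY=$(cat <<'EOF'
libtss2-esys0:
  Installed: 2.3.2-1ubuntu0.1
  Candidate: 2.3.2-1ubuntu0.1
  Version table:
 *** 2.3.2-1ubuntu0.1 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.3.2-1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
EOF
)

if [ "${RUN_TPM_CHECKS:-0}" = 1 ]; then verify_setup; fi
```

Run it on the instance with `RUN_TPM_CHECKS=1 sh check.sh` after step 6; a non-zero exit names the precondition that failed.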