Bug 2102628

Summary: Missing TPM2 Support in GnuPG
Product: Fedora
Component: gnupg2
Version: 36
Hardware: x86_64
OS: Unspecified
Reporter: Maxime Ripard <maxime.ripard>
Assignee: Jakub Jelen <jjelen>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bcl, crypto-team, jjelen, tm
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Type: Bug
Last Closed: 2022-07-01 07:37:36 UTC

Description Maxime Ripard 2022-06-30 11:51:24 UTC
Description of problem:

Since GnuPG 2.3, it has supported storing keys in a TPM 2.0 using the keytotpm command.

See https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html

It relies on a daemon (tpm2d/tpm2daemon) that isn't in the package currently. The keytotpm option is, though, resulting in an opaque error when one tries to add a key to the TPM.

Version-Release number of selected component (if applicable):

Fedora 36

How reproducible:

100% reproducible

Steps to Reproduce:
1. Create a key eligible for the TPM

gpg --quick-generate-key "A User <au>" rsa2048

2. Add the key to the TPM

gpg --edit-key au
Secret key is available.

sec  rsa2048/9C7BF16E77997502
     created: 2021-03-12  expires: 2023-03-12  usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). A User <au>

gpg> keytotpm
Really move the primary key? (y/N) y

Actual results:

keytotpm reports "error from TPM: Not supported". The key isn't added to the TPM.

Expected results:

keytotpm works, the key is added to the TPM.

Additional info:

Judging from the package build log here:
https://kojipkgs.fedoraproject.org//packages/gnupg2/2.3.6/1.fc36/data/logs/x86_64/build.log

The TPM support is indeed disabled:

        GnuPG v2.3.6 has been configured as follows:
        Revision:  3a8164e69  (14977)
        Platform:  GNU/Linux (x86_64-redhat-linux-gnu)
        OpenPGP:   yes
        S/MIME:    yes
        Agent:     yes
        Smartcard: yes (without internal CCID driver)
        TPM:       no
...
        Default tpm2daemon: (default)

It apparently requires tss2-devel at build time.
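
Added example (not part of the report, and not GnuPG's or the Fedora package's own tooling): a POSIX sh pre-flight script that makes the failure described above visible before keytotpm is attempted. It checks whether the installed gpg actually has a tpm2d component, whether a TPM device node is exposed to the host, and then runs the keytotpm procedure from the report unattended. Assumptions, also marked in the comments: that a GnuPG 2.3+ built with TPM support lists the daemon as a "tpm2d:..." line in "gpgconf --list-components" and installs the binary as tpm2d under libexecdir, and that the edit-key prompts can be answered over --command-fd. The gpgconf output and configure-summary snippet used by selftest are constructed for this example, not captured from a real system.

```shell
#!/bin/sh
# tpm-preflight.sh: check that "gpg> keytotpm" can work on this host before
# running it, then run it unattended. Added example for the bug report above;
# this is not GnuPG code and not part of the Fedora gnupg2 package.
set -eu

# gpg_has_tpm2d: read the output of `gpgconf --list-components` on stdin and
# succeed only if a tpm2d component is listed.
# Assumption: a GnuPG 2.3+ built with TPM support lists the daemon as
# "tpm2d:<description>:<path>"; a build whose configure summary says
# "TPM: no" (as in the koji log quoted above) does not list it at all, which
# is why keytotpm then ends in the opaque "error from TPM: Not supported".
gpg_has_tpm2d() {
    while IFS= read -r line; do
        case "$line" in
            tpm2d:*) return 0 ;;
        esac
    done
    return 1
}

# build_log_has_tpm: read a GnuPG configure summary on stdin (e.g. the block
# extracted from build.log) and succeed if its "TPM:" line says yes.
# `read` splits on whitespace, so leading blanks are dropped and the unrelated
# "Default tpm2daemon:" line does not match.
build_log_has_tpm() {
    while read -r key value rest; do
        if [ "$key" = "TPM:" ]; then
            if [ "$value" = yes ]; then return 0; else return 1; fi
        fi
    done
    return 1
}

# tpm_device_present: tpm2d talks to the kernel's TPM resource manager
# (/dev/tpmrm0); /dev/tpm0 is the raw device. Either means a TPM is exposed
# to this system (a VM without a vTPM has neither).
tpm_device_present() {
    [ -c /dev/tpmrm0 ] || [ -c /dev/tpm0 ]
}

# keytotpm_batch: the interactive session from the report, unattended. The
# "Really move the primary key? (y/N)" prompt is answered over --command-fd.
# Assumption: gpg reads edit-key commands and prompt answers from
# --command-fd (documented behaviour, not exercised by selftest).
# Caveat: keytotpm replaces the on-disk secret key with a TPM-bound shadow
# that only this TPM can use, so export a backup first if the key must
# remain usable elsewhere.
keytotpm_batch() {
    keyid=$1
    printf 'keytotpm\ny\nsave\n' \
        | gpg --command-fd 0 --status-fd 2 --edit-key "$keyid"
}

# Constructed sample inputs (not captured from a real system) for selftest.
SAMPLE_COMPONENTS_WITH_TPM='gpg:OpenPGP:/usr/bin/gpg
gpg-agent:Private Keys:/usr/bin/gpg-agent
tpm2d:TPM:/usr/libexec/tpm2d
dirmngr:Network:/usr/bin/dirmngr'
SAMPLE_COMPONENTS_NO_TPM='gpg:OpenPGP:/usr/bin/gpg
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcards:/usr/libexec/scdaemon'
SAMPLE_SUMMARY_NO_TPM='        Smartcard: yes (without internal CCID driver)
        TPM:       no
        Default tpm2daemon: (default)'

# selftest: run the two parsers over the constructed samples; returns 0 only
# if a tpm2d line is detected, its absence is detected, and "TPM: no" is read
# as no TPM support.
selftest() {
    printf '%s\n' "$SAMPLE_COMPONENTS_WITH_TPM" | gpg_has_tpm2d || return 1
    if printf '%s\n' "$SAMPLE_COMPONENTS_NO_TPM" | gpg_has_tpm2d; then return 1; fi
    if printf '%s\n' "$SAMPLE_SUMMARY_NO_TPM" | build_log_has_tpm; then return 1; fi
    return 0
}

main() {
    keyid=$1
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not found" >&2; return 1; }
    if ! gpgconf --list-components | gpg_has_tpm2d; then
        echo "this gpg has no tpm2d component (built with TPM support disabled); keytotpm will fail" >&2
        return 1
    fi
    # Assumption: the daemon binary is installed as <libexecdir>/tpm2d.
    daemon="$(gpgconf --list-dirs libexecdir)/tpm2d"
    [ -x "$daemon" ] || echo "warning: $daemon not found; gpg-agent cannot start the TPM daemon" >&2
    tpm_device_present || { echo "no /dev/tpmrm0 or /dev/tpm0; no TPM exposed to this host" >&2; return 1; }
    keytotpm_batch "$keyid"
}

# Usage: sh tpm-preflight.sh <key id or user id>, e.g. "au" as in the report.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

On a Fedora 36 gnupg2 build like the one in the koji log, the script stops at the tpm2d component check with an explicit message instead of letting gpg fail with "error from TPM: Not supported"; on a build with TPM support and a TPM (or vTPM) present, it proceeds to the keytotpm step.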

Comment 1 Jakub Jelen 2022-07-01 07:37:36 UTC

*** This bug has been marked as a duplicate of bug 2089075 ***