Reviewing https://src.fedoraproject.org/rpms/gnupg2/tree/f36 and Koji build logs, I see that Fedora versions of gnupg2 are built without TPM/TSS2 support. Please consider enabling TPM/TSS2 support in the builds. Thank you.
I think there was no reason for this. It was just not updated because nobody probably asked for that before. I think just adding tpm2-tss-devel into the build requires will make it work, but let me give it a try in case some unexpected issues show up.
OK, the reason might be that the tests with tpm2 fail for me. They also fail in mock and in rawhide:
```
Making check in tpm2dtests
make[2]: Entering directory '/builddir/build/BUILD/gnupg-2.3.6/tests/tpm2dtests'
LC_ALL=C EXEEXT= PATH="../gpgscm:/builddir/.local/bin:/builddir/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin" abs_top_srcdir="/builddir/build/BUILD/gnupg-2.3.6" objdir="/builddir/build/BUILD/gnupg-2.3.6" TPMSERVER="" SWTPM="/bin/swtpm" SWTPM_IOCTL="" GNUPG_BUILD_ROOT="/builddir/build/BUILD/gnupg-2.3.6/tests" GPGSCM_PATH="/builddir/build/BUILD/gnupg-2.3.6/tests/gpgscm" /builddir/build/BUILD/gnupg-2.3.6/tests/gpgscm/gpgscm \
  /builddir/build/BUILD/gnupg-2.3.6/tests/tpm2dtests/run-tests.scm
gpgscm: error running '/builddir/build/BUILD/gnupg-2.3.6/tests/tools/gpgconf': probably not installed
(wait-process "/builddir/build/BUILD/gnupg-2.3.6/tests/tools/gpgconf" 49511 #t): Configuration error
0: ffi.scm:39: (throw (get-output-string args') message)
1: ffi.scm:30: (ffi-fail name args (strerror (car result)))
2: <unknown>:1: (ffi-apply "wait-process" _-wait-process a)
3: tests.scm:103: (wait-process (car what) (:pid h) #t)
4: tests.scm:126: (call-with-io command input-string)
5: defs.scm:148: (call-popen `(,(tool-hardcoded 'gpgconf) ,@args) input)
6: defs.scm:146: (gpg-conf' "" args)
7: #<CLOSURE>
8: defs.scm:186: (apply gpg-conf '(--list-components))
FAIL: tests/openpgp/setup.scm
```
I did not have time to look into that (the scm tests are still quite a black box for me) in more detail, but if you want to investigate it further, I used the following change to the spec file so far:
```
+# tpm2 support
+BuildRequires: tpm2-tss-devel
+BuildRequires: tpm2-tools
+BuildRequires: swtpm
+BuildRequires: tss2
+# for tests
+BuildRequires: openssh-clients
```
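Review bot: the spec snippet at the end of the comment is a diff fragment (only `+` lines, no `@@` header and no context), so it cannot be applied with patch or git apply as posted; pasting it as plain spec lines, or including the hunk header and a few context lines, would let others reproduce the failing build exactly. It also pulls in both TPM2 stacks at once (tpm2-tss-devel and tss2); stating which one configure is expected to pick would make the test failure easier to interpret.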
Jakub, thanks for starting the investigation. I'll see what I can find from a build perspective as well.
Jakub, I only included:
```
# tpm2 support
BuildRequires: tpm2-tss-devel
```
and the build completed locally with success. I'll want to review build logs further and dig a bit more to see if TPM support actually works with the local build.
Thank you for checking. AFAIK the rest of the dependencies are needed for the tests that are executed during the build (the tests will be skipped if the dependencies are missing). It might need some adjustments for Fedora, but I would like to avoid skipping tests for this functionality if possible.
*** Bug 2102628 has been marked as a duplicate of this bug. ***
There are two competing TPM2 stacks, one by Intel (tpm2-tss), the other by IBM (tss2). My understanding is that the original author of the TPM2 support for GnuPG worked primarily with IBM's stack, so it might be worth a shot to try the tests with tss2-devel instead?
It does not look like it makes a difference. The problem is mentioned above and, if I see right, the tests are looking for `gpgconf` in the wrong location, but I was not able to decipher why so far. So far I found only that the tests/tpm2dtests/setup.scm file is missing from the release tarball.
Opened https://dev.gnupg.org/T6052
It looks like it has been fixed upstream, is there anything holding this back? I've tried to run the tests myself to help, by setting up a container, but I can't seem to get a working configuration, it's probably missing a dependency somewhere but it's not clear which:
```
FROM fedora:36
RUN dnf -y install \
    ImageMagick \
    autoconf \
    automake \
    bzip2 \
    gcc \
    gettext \
    git \
    glibc-gconv-extra \
    libassuan-devel \
    libgcrypt-devel \
    libgpg-error-devel \
    libksba-devel \
    npth-devel \
    texinfo \
    # tpm2-tools \
    # tpm2-tss-devel \
    tss2-devel \
    transfig
RUN git clone git://git.gnupg.org/gnupg.git /root/gnupg
WORKDIR /root/gnupg
RUN ./autogen.sh
RUN ./configure --enable-maintainer-mode --enable-all-tests
RUN make -j $(nproc) install
```
Tried the same several times, but it still did not work for me even after applying all the upstream patches related to this. I think you also need swtpm to run the tpm2d tests. I just did the same with:
```
FROM fedora:latest
RUN dnf -y install \
    ImageMagick \
    autoconf \
    automake \
    bzip2 bzip2-devel \
    curl-devel \
    docbook-utils \
    gcc \
    gettext \
    git \
    glibc-gconv-extra \
    libassuan-devel \
    libgcrypt-devel \
    libgpg-error-devel \
    libksba-devel \
    openldap-devel \
    pcsc-lite-libs \
    readline-devel ncurses-devel \
    npth-devel \
    zlib-devel \
    gnutls-devel \
    sqlite-devel \
    fuse \
    make \
    openssh-clients \
    texinfo \
    tpm2-tools \
    tpm2-tss-devel \
    tss2-devel \
    tss2 \
    swtpm \
    transfig
RUN git clone git://git.gnupg.org/gnupg.git /root/gnupg
WORKDIR /root/gnupg
RUN ./autogen.sh
RUN ./configure --enable-maintainer-mode --enable-all-tests
RUN make -j $(nproc)
RUN make -j $(nproc) check
RUN make -j $(nproc) install
```
And I am still getting the same errors as before with the wrong path, but I was not able to figure out why:
```
make[2]: Entering directory '/root/gnupg/tests/tpm2dtests'
LC_ALL=C EXEEXT= PATH="../gpgscm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" abs_top_srcdir="/root/gnupg" objdir="/root/gnupg" TPMSERVER="" SWTPM="/bin/swtpm" SWTPM_IOCTL="" GNUPG_BUILD_ROOT="/root/gnupg/tests" GNUPG_IN_TEST_SUITE=fact GPGSCM_PATH="/root/gnupg/tests/gpgscm" /root/gnupg/tests/gpgscm/gpgscm \
  /root/gnupg/tests/tpm2dtests/run-tests.scm
gpgscm: error running '/root/gnupg/tests/tools/gpgconf': probably not installed
(wait-process "/root/gnupg/tests/tools/gpgconf" 16279 #t): Configuration error
0: ffi.scm:39: (throw (get-output-string args') message)
1: ffi.scm:30: (ffi-fail name args (strerror (car result)))
2: <unknown>:1: (ffi-apply "wait-process" _-wait-process a)
3: tests.scm:103: (wait-process (car what) (:pid h) #t)
4: tests.scm:126: (call-with-io command input-string)
5: defs.scm:148: (call-popen `(,(tool-hardcoded 'gpgconf) ,@args) input)
6: defs.scm:146: (gpg-conf' "" args)
7: #<CLOSURE>
8: defs.scm:186: (apply gpg-conf '(--list-components))
FAIL: tests/openpgp/setup.scm
Setup failed.
```
Further testing, or ideas, would be welcomed.
Thanks, I get the same result here, which is to be expected I guess :) I've had some issues in the past with make install needing to be run before make check, but that didn't fix it either. Looking a bit more into it, the path to gpgconf seems suspicious. Indeed, the path to /root/gnupg/tests/tools/gpgconf doesn't exist, but /root/gnupg/tools/gpgconf does. It looks like it's a relative path issue, but I haven't been able to figure out where exactly. It might be worth reporting upstream?
Updated the issue https://dev.gnupg.org/T6052 Thanks for double-checking it's not only me doing something stupid.
I gave it a try again this morning, and it doesn't have the missing gpgconf error anymore, but has a new one:
```
make[2]: Entering directory '/root/gnupg/tests/tpm2dtests'
LC_ALL=C EXEEXT= PATH="../gpgscm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" abs_top_srcdir="/root/gnupg" objdir="/root/gnupg" TPMSERVER="" SWTPM="/bin/swtpm" SWTPM_IOCTL="" GNUPG_BUILD_ROOT="/root/gnupg/tests" GNUPG_IN_TEST_SUITE=fact GPGSCM_PATH="/root/gnupg/tests/gpgscm" /root/gnupg/tests/gpgscm/gpgscm \
  /root/gnupg/tests/tpm2dtests/run-tests.scm
/root/gnupg/tests/tpm2dtests/run-tests.scm:30: not enough arguments, missing: (path . args)
0: run-tests.scm:30: ((*colon-hook* 'scm test) #f (path-join "tests" "tpm2dtests" "setup.scm") (in-srcdir "tests" "tpm2dtests" "setup.scm"))
make[2]: Leaving directory '/root/gnupg/tests/tpm2dtests'
make[2]: *** [Makefile:644: xcheck] Error 1
make[1]: Leaving directory '/root/gnupg/tests'
make[1]: *** [Makefile:515: check-recursive] Error 1
make: *** [Makefile:628: check-recursive] Error 1
Error: building at STEP "RUN make -j $(nproc) check": while running runtime: exit status 2
```
So looking at the tests and some of the config bits and playing with this a bit the following is enough to build the support. We want to use the Intel tpm2 stack as that's what the vast majority of the rest of Fedora uses and it saves extra deps: =============== diff --git a/gnupg2.spec b/gnupg2.spec index f59f619..d2ff924 100644 --- a/gnupg2.spec +++ b/gnupg2.spec @@ -61,8 +61,10 @@ BuildRequires: sqlite-devel BuildRequires: fuse BuildRequires: make BuildRequires: systemd-rpm-macros +BuildRequires: tpm2-tss-devel # for tests BuildRequires: openssh-clients +BuildRequires: swtpm Requires: libgcrypt >= 1.9.1 Requires: libgpg-error >= 1.46 @@ -140,6 +142,7 @@ sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c --disable-rpath \ --enable-g13 \ --disable-ccid-driver \ + --with-tss=autodetect \ --enable-large-secmem # need scratch gpg database for tests =============== And to actually run the tests the configure (see configure.ac) we need to define either TPMSERVER or SWTPM and TSSSTARTUP, I think in koji the later will be easier. Without that defined so it can run up a swtpm for testing it seems to just skip it all. AM_CONDITIONAL(TEST_LIBTSS, test -n "$TPMSERVER" || test -n "$SWTPM" && test -n "$TSSSTARTUP") There's an example of running up swtpm in the rust tss-esapi library: https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh
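Review bot: in the first hunk, adding swtpm under `# for tests` will not by itself make the tpm2dtests run. By the AM_CONDITIONAL quoted at the end of the comment, configure needs TSSSTARTUP set in addition to SWTPM (or TPMSERVER), so the spec still needs either a BuildRequires for the package providing that helper or an explicit `SWTPM=... TSSSTARTUP=...` in the %configure environment; otherwise the directory is skipped silently, as the comment describes.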
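Review bot: in the second hunk, `--with-tss=autodetect` leaves the stack choice to whatever -devel packages happen to be in the buildroot, while the comment says the intent is the Intel stack. Pinning the Intel stack explicitly (configure's --with-tss takes a stack name as well as autodetect) records that intent in the spec and keeps a transitively pulled tss2-devel from changing the result.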
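The AM_CONDITIONAL line quoted in the comment above hides a shell precedence detail that explains why the tpm2dtests directory is skipped even when swtpm is present. The script below is an added example, not code from the bug thread or the gnupg project: it reproduces the configure.ac condition verbatim, evaluates it for the combinations people tried here, and includes a helper that starts a software TPM the way the linked rust-tss-esapi script does. The tool names probed (tpm_server, swtpm, tsstartup), the swtpm ports and the state directory are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the bug thread or the gnupg project).
#
# configure.ac, as quoted in the comment above:
#   AM_CONDITIONAL(TEST_LIBTSS, test -n "$TPMSERVER" || test -n "$SWTPM" && test -n "$TSSSTARTUP")
#
# In POSIX sh, || and && have equal precedence and associate left to right,
# so the condition is really:  (TPMSERVER set OR SWTPM set) AND TSSSTARTUP set.
# A bare SWTPM (the build logs above show SWTPM="/bin/swtpm") is not enough.

# Evaluate the configure condition for the three values; echoes "yes" or "no".
tpm_tests_enabled() {
    TPMSERVER=$1; SWTPM=$2; TSSSTARTUP=$3
    if test -n "$TPMSERVER" || test -n "$SWTPM" && test -n "$TSSSTARTUP"; then
        echo yes
    else
        echo no
    fi
}

# Show what configure would find on this host. Assumption: configure looks
# for tools named tpm_server, swtpm and tsstartup on PATH; verify in configure.ac.
probe_tpm_test_tools() {
    printf 'TPMSERVER=%s\nSWTPM=%s\nTSSSTARTUP=%s\n' \
        "$(command -v tpm_server 2>/dev/null || true)" \
        "$(command -v swtpm 2>/dev/null || true)" \
        "$(command -v tsstartup 2>/dev/null || true)"
}

# Hypothetical helper: start a TPM2 software TPM for a test run, as the
# rust-tss-esapi script linked above does. Returns 1 and does nothing when
# swtpm is missing, so the rest of the script still runs.
start_swtpm() {
    statedir=${1:-/tmp/swtpm-state}           # assumed location for TPM state
    command -v swtpm >/dev/null 2>&1 || { echo "swtpm not installed, skipping" >&2; return 1; }
    mkdir -p "$statedir"
    swtpm socket --tpm2 --tpmstate dir="$statedir" \
        --server type=tcp,port=2321 --ctrl type=tcp,port=2322 \
        --flags not-need-init,startup-clear \
        --daemon --pid file="$statedir/swtpm.pid"
}

# Usage: print the truth table for the combinations tried in this thread,
# then report what this host would hand to configure.
printf 'SWTPM only:             %s\n' "$(tpm_tests_enabled "" /bin/swtpm "")"
printf 'TPMSERVER only:         %s\n' "$(tpm_tests_enabled /usr/bin/tpm_server "" "")"
printf 'TSSSTARTUP only:        %s\n' "$(tpm_tests_enabled "" "" /usr/bin/tsstartup)"
printf 'SWTPM + TSSSTARTUP:     %s\n' "$(tpm_tests_enabled "" /bin/swtpm /usr/bin/tsstartup)"
printf 'TPMSERVER + TSSSTARTUP: %s\n' "$(tpm_tests_enabled /usr/bin/tpm_server "" /usr/bin/tsstartup)"
probe_tpm_test_tools
```

The practical consequence for the spec: whichever TPM simulator the buildroot provides, the build also has to make TSSSTARTUP non-empty (or pass it explicitly to configure), or TEST_LIBTSS is false and `make check` reports nothing to do for the TPM tests, which is exactly the symptom seen later in this thread.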
Peter, do you want to submit a PR for this? I unfortunately do not have much experience with the tpm yet.
*** Bug 2165266 has been marked as a duplicate of this bug. ***
(In reply to Jakub Jelen from comment #16)
> Peter, do you want to submit a PR for this? I unfortunately do not have much
> experience with the tpm yet.

ATM I don't have time to deal with what's needed for the swtpm setup bits but happy to review a PR. Or I can leave it in my backlog.
I've made a scratch build with Peter's patch on comment #15 in case someone wants to give it a try: https://koji.fedoraproject.org/koji/taskinfo?taskID=98800393
(In reply to Javier Martinez Canillas from comment #19)
> I've made a scratch build with Peter's patch on comment #15 in case someone
> wants to give it a try:
>
> https://koji.fedoraproject.org/koji/taskinfo?taskID=98800393

Can you open a PR so we can talk about specific changes? The tpm2 tests are still not running though, which is the main problem from the beginning:
```
Making check in tpm2d
make[1]: Entering directory '/builddir/build/BUILD/gnupg-2.4.0/tpm2d'
make[1]: Nothing to be done for 'check'.
```
I had a test of the package Javier built, and I'm still getting a "Not supported" error when running keytotpm (but I might have missed a step)
So I've spent a bit more time on this, and the "Not supported" error I was reporting previously was due to a permission issue: the user I was running gpg with wasn't part of the tss group. Fixing the permissions makes keytotpm work properly. I've also fixed the issues we were seeing with Jakub (both the gpgconf issue reported upstream and the "not enough arguments" one I was seeing). There were some other issues involved, and I believe I've fixed most of them. However, the tests still fail for some reason. I'm actually wondering if gpg is actually talking to swtpm, but I'm not entirely sure how to debug that further. I've pushed my current work here: https://github.com/mripard/gnupg/commits/tpm-wip And sent a draft PR here: https://src.fedoraproject.org/rpms/gnupg2/pull-request/17
The tpm2 support was enabled in the last build in rawhide: https://koji.fedoraproject.org/koji/buildinfo?buildID=2207710 Testing and feedback welcomed! For the testsuite, thanks Maxime for the work done in the PR. It looks like it runs ok, except for some hiccups we hope we will be able to resolve soon.
The TPM2 support should now have been available in rawhide for some time. The testing does not work and is yet to be fixed, hopefully with the next (or the one after that) upstream release.