[RFC v2 0/5] TPM support for gpg
James Bottomley
James.Bottomley at HansenPartnership.com
Sat Mar 10 23:50:00 CET 2018
On Sat, 2018-03-10 at 13:03 +0100, Werner Koch wrote:
> On Mon, 5 Mar 2018 20:12, James.Bottomley at HansenPartnership.com
> said:
>
> >
> > Since the last posting, I've tidied up a few things and added
> > support for Elliptic Curve keys (as a separate patch, currently,
> > but it could be rolled into the base).
>
> Thanks for the patches. I pushed them to a new tpm-work branch.
Great, thanks!
> As of now it is required that libtss0-dev is installed. Debian
> Stretch does not have it but it is easy to install from Sid.
Actually, libtss-dev, but yes. However, there's a problem with that
package (which is why it hasn't migrated from unstable) and it turns
out the person who maintains it has left IBM, so I can't get it fixed.
I think what's going to happen is that IBM will submit a new one with
the ibm prefix, largely because Intel is trying to submit a tss package
as well. I was hoping to get these two merged (the Intel one lacks the
crypto pieces which are necessary for gpg key handling, so simply
adding the IBM one seemed like a good solution) but it looks
increasingly less likely that will happen, so separate namespaces seems
a better approach.
> There are no real configure checks right now but I added an #error
> to explain what is going wrong if you try to build without this
> dependency. I have not tested the new code myself.
How about the below for a stab at gating the configure on the presence
of the TPM library.
> Before this goes into master or a 2.3 release, I would like to move
> the entire TPM access code out to a separate daemon much like
> scdaemon works. Maybe it is even possible to get rid of the
> dlopening, but the major thing is that this code and its dependency
> on OpenSSL gets out of gpg-agent.
I should have removed the direct openssl dependency with the shift to
gcrypt AES handling. However, I'll look at doing a separate daemon.
It certainly should be simple enough.
> James: The 3 new files are missing the copyright blurbs, can you
> please send a patch to add them? I would not mind if you can
> directly add an SPDX-License-Identifier: GPL-3.0+
> line (GPL-2.0+ if you prefer).
Sure thing. SPDX should work. I'll keep them at GPL-2.0+ just in case
I (or anyone else) need to cut and paste into a GPL-2.0 project.
James
---
From cc7a25e6b41b7da07970e7ca5f57129244a8214b Mon Sep 17 00:00:00 2001
From: James Bottomley <James.Bottomley at HansenPartnership.com>
Date: Tue, 6 Mar 2018 15:02:43 -0800
Subject: [PATCH] configure: Make TPM2 support conditional
This adds a configure stanza to check for the necessary libtss to
support TPM functions. If found, the library functions will be
dynamically loaded, meaning that a system built with TPM2 support will
still execute correctly (obviously minus TPM2 support) if installed
without libtss being present.
Signed-off-by: James Bottomley <James.Bottomley at HansenPartnership.com>
---
agent/Makefile.am | 7 +++++--
agent/agent.h | 26 ++++++++++++++++++++++++++
configure.ac | 11 +++++++++++
3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/agent/Makefile.am b/agent/Makefile.am
index 1b8ac508f..c92c0ad06 100644
--- a/agent/Makefile.am
+++ b/agent/Makefile.am
@@ -51,12 +51,15 @@ gpg_agent_SOURCES = \
protect.c \
trustlist.c \
divert-scd.c \
- divert-tpm2.c \
- tpm2.c \
cvt-openpgp.c cvt-openpgp.h \
call-scd.c \
learncard.c
+if HAVE_LIBTSS
+gpg_agent_SOURCES += tpm2.c \
+ divert-tpm2.c
+endif
+
common_libs = $(libcommon)
commonpth_libs = $(libcommonpth)
if HAVE_W32CE_SYSTEM
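Review bot: nothing in this hunk puts a link flag for libtss or for the dynamic loader on gpg-agent's link line, which is consistent with the dlopen scheme the commit message describes but deserves a comment: AC_CHECK_LIB(tss, TSS_Create, [have_libtss=yes]) with an explicit action-if-found does not append -ltss to LIBS, so the only effect of HAVE_LIBTSS at link time is which sources get compiled. A one-line comment above `if HAVE_LIBTSS` saying that the library itself is loaded at run time from tpm2.c saves the next reader from hunting for a missing gpg_agent_LDADD entry, and if dlopen() is new to gpg-agent the loader library (-ldl on older glibc) has to be added there as well.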
diff --git a/agent/agent.h b/agent/agent.h
index 0ff487a59..dd6d6cb24 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -534,6 +534,7 @@ gpg_error_t agent_marktrusted (ctrl_t ctrl, const char *name,
void agent_reload_trustlist (void);
/*-- divert-tpm2.c --*/
+#ifdef HAVE_LIBTSS
int divert_tpm2_pksign (ctrl_t ctrl, const char *desc_text,
const unsigned char *digest, size_t digestlen, int algo,
const unsigned char *shadow_info, unsigned char **r_sig,
@@ -544,6 +545,31 @@ int divert_tpm2_pkdecrypt (ctrl_t ctrl, const char *desc_text,
char **r_buf, size_t *r_len, int *r_padding);
int divert_tpm2_writekey (ctrl_t ctrl, const unsigned char *grip,
gcry_sexp_t s_skey);
+#else
+static inline int divert_tpm2_pksign (ctrl_t ctrl, const char *desc_text,
+ const unsigned char *digest,
+ size_t digestlen, int algo,
+ const unsigned char *shadow_info,
+ unsigned char **r_sig,
+ size_t *r_siglen)
+{
+ return -EINVAL;
+}
+static inline int divert_tpm2_pkdecrypt (ctrl_t ctrl, const char *desc_text,
+ const unsigned char *cipher,
+ const unsigned char *shadow_info,
+ char **r_buf, size_t *r_len,
+ int *r_padding)
+{
+ return -EINVAL;
+}
+static inline int divert_tpm2_writekey (ctrl_t ctrl, const unsigned char *grip,
+ gcry_sexp_t s_skey)
+{
+ return -EINVAL;
+}
+#endif
+
/*-- divert-scd.c --*/
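Review bot: the three fallback stubs return -EINVAL, which does not match the error convention visible in this header (the first hunk's context shows agent_marktrusted returning gpg_error_t): a caller that inspects the result with gpg_err_code() or prints it with gpg_strerror() gets a meaningless value from a negative errno, and EINVAL also needs <errno.h> to be in scope in agent.h. Returning gpg_error (GPG_ERR_NOT_SUPPORTED), or whatever the real divert_tpm2_* functions return when no TPM is reachable, keeps TPM and non-TPM builds behaving the same way at the call sites. The stubs also leave every parameter unused, so a `(void) ctrl;` style cast per parameter (or the unused-parameter attribute the project already uses elsewhere) avoids -Wunused-parameter noise in non-TPM builds.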
diff --git a/configure.ac b/configure.ac
index 7522b6922..6df4d0a57 100644
--- a/configure.ac
+++ b/configure.ac
@@ -100,6 +100,7 @@ have_gnutls=no
have_sqlite=no
have_npth=no
have_libusb=no
+have_libtss=no
have_system_resolver=no
gnupg_have_ldap="n/a"
@@ -1590,6 +1591,15 @@ AC_SUBST(NETLIBS)
AC_SUBST(W32SOCKLIBS)
#
+# TPM libtss library .. don't compile TPM support if we don't have it
+#
+AC_CHECK_LIB(tss, TSS_Create, [have_libtss=yes])
+if test "$have_libtss" = yes; then
+ AC_DEFINE(HAVE_LIBTSS, 1, [Defined if we have TPM2 support library])
+fi
+AM_CONDITIONAL(HAVE_LIBTSS, test "$have_libtss" = yes)
+
+#
# Setup gcc specific options
#
USE_C99_CFLAGS=
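Review bot: AC_CHECK_LIB(tss, TSS_Create, [have_libtss=yes]) only proves that a library named tss exporting TSS_Create can be linked; it does not check that the header tpm2.c compiles against is installed, so a host with the runtime library but without the development headers passes configure and then fails in the compiler. Pair it with an AC_CHECK_HEADERS call for the TSS header and fold that result into have_libtss before the AC_DEFINE. A second point for packagers: the outcome depends silently on what happens to be installed on the build host; an --enable/--disable switch, like the other optional features reported in the summary block, lets a distribution build fail loudly when TPM support was requested but the library is absent, instead of quietly producing a gpg-agent that reports `TPM support: no`.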
@@ -2072,6 +2082,7 @@ echo "
TLS support: $use_tls_library
TOFU support: $use_tofu
Tor support: $show_tor_support
+ TPM support: $have_libtss
"
if test x"$use_regex" != xyes ; then
echo "
--
2.12.3
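As an added example (not gpg code, and not part of the patch above), here is the run-time pattern the commit message relies on: the build is gated on the library at configure time, but the functions are bound with dlopen()/dlsym() when first needed, so a binary built with TPM support keeps working, minus that feature, on a host where the library is missing. Everything in it is an assumption for illustration: libc stands in for libtss and strlen() for TSS_Create(), the `backend` struct and the BE_* error values are constructed here (0 = success, in the spirit of gpg-error, rather than a negative errno), and a soname of NULL means "the running process image", which dlopen() accepts and which makes the success path runnable offline.

```c
/* Added example, not gpg code: lazy run-time binding of an optional library
 * with graceful degradation.  Link with -ldl on glibc older than 2.34. */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed error values, 0 = success (gpg-error style, not negative errno). */
enum { BE_OK = 0, BE_NOT_SUPPORTED = 1, BE_MISSING_SYMBOL = 2 };

/* Stand-in for one TSS entry point; strlen() is used so the example runs
 * anywhere, but the mechanics are identical for a real library symbol. */
typedef size_t (*entry_fn)(const char *);

struct backend {
    void *handle;    /* dlopen() handle, NULL when the library is absent */
    entry_fn entry;  /* resolved entry point, NULL when unbound */
};

/* Bind the backend at run time.  soname == NULL selects the process image
 * itself (handy for tests); a real build passes the library's soname. */
static int backend_load(struct backend *b, const char *soname, const char *symbol)
{
    void *sym;

    memset(b, 0, sizeof *b);
    b->handle = dlopen(soname, RTLD_NOW | RTLD_LOCAL);
    if (!b->handle)
        return BE_NOT_SUPPORTED;          /* library not installed on this host */

    sym = dlsym(b->handle, symbol);
    if (!sym) {
        dlclose(b->handle);               /* wrong library version: unbind again */
        b->handle = NULL;
        return BE_MISSING_SYMBOL;
    }
    memcpy(&b->entry, &sym, sizeof sym);  /* void* -> function pointer without a cast */
    return BE_OK;
}

static int backend_unload(struct backend *b)
{
    if (b->handle)
        dlclose(b->handle);
    b->handle = NULL;
    b->entry = NULL;
    return BE_OK;
}

/* The divert-style call: callers get a clean "not supported" error when the
 * backend never loaded, never a jump through a NULL function pointer. */
static int backend_call(const struct backend *b, const char *input, size_t *result)
{
    if (!b->handle || !b->entry)
        return BE_NOT_SUPPORTED;
    *result = b->entry(input);
    return BE_OK;
}

int main(void)
{
    struct backend b;
    size_t n = 0;
    /* Realistic use: try the platform sonames in turn (glibc, then macOS). */
    const char *candidates[] = { "libc.so.6", "libSystem.B.dylib" };
    int rc = BE_NOT_SUPPORTED;
    size_t i;

    for (i = 0; i < sizeof candidates / sizeof candidates[0] && rc != BE_OK; i++)
        rc = backend_load(&b, candidates[i], "strlen");
    if (rc != BE_OK) {
        printf("backend unavailable (rc=%d): continuing without it\n", rc);
        return 0;
    }
    rc = backend_call(&b, "tpm2", &n);
    printf("rc=%d strlen(\"tpm2\")=%zu\n", rc, n);
    backend_unload(&b);
    return 0;
}
```

The point of keeping the "library absent" and "symbol absent" cases as distinct return values is diagnosability: the first is the normal state on a host without the library, the second means an incompatible library was found and should be reported rather than silently treated as "no TPM".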