[PATCH v3 0/5] Add TPM2 support to gnupg 2.3

James Bottomley James.Bottomley at HansenPartnership.com
Wed Mar 10 19:04:06 CET 2021

On Wed, 2021-03-10 at 15:06 +0100, Werner Koch wrote:
> Hi James,
> > This is a set of patches adding TPM support to gnupg-2.3
> Thanks for the patches.  I was already considering when to add your
> old patches.  So these reworked patches really came in time for a new
> beta. Thanks.

You're welcome.

> >   tpm2d: Add tpm2daemon code
> >   agent: Add new shadow key type and functions to call tpm2daemon
> >   g10: add new command keytotpm to convert a private key to TPM
> > format
> >   tpm2d: add tests for the tpm2daemon
> I applied all these patches with a few minor changes.  However, I
> have not yet tested anything, just made sure that it builds fine.

Unfortunately Debian doesn't package a software TPM ... I don't know
why; most other distributions do.  I have one here in deb format:


> The tests duplicate quite some code but I guess we better live
> with this until we could rework the test framework.  Header blurbs
> are missing but there is an SPDX line thus this should be okay.

Yes, there's also doc missing, but I thought we could add that after
the fact if you agree to the keytotpm command.  It's basically just
that to convert an existing key to TPM format.  After that everything
should just work (except once the key is converted it can't be
unconverted and it will stop operating if you lose your TPM or clear

> >   Add Support for the Intel TSS
> I am not sure about this one and whether this needs to be applied
> right now.  My installed libtss-dev version is the 2-year-old 1045-1.2.

It doesn't need to be applied immediately.  Your libtss-dev is an IBM
version number and the above patches, without this one, should work
with every IBM TSS however old.

For the Intel TSS on Debian you need libtss2-dev from the tpm2-tss
source package.  The version in stable is too old (2.1.0) but the
version in testing will work (3.0.3).

> The files in tpm2d/ are missing the usual header blurb.  I assume
> they are all meant to be GPL-3.

Yes, that was the intention ... I always forget header files, sorry.

> I attach a patch adding them.  Would you mind signing this off and
> sending a fixed patch?  In fact I am not sure where you use the code too
> and thus a different license version might be desired.

I copied the code with modifications from a different project which is
under LGPL:


But I own copyright in all the base files I've added to your repo, so
I'm happy for them to remain under GPLv3 going forward.  Since they had
to be modified to support gcrypt, I don't think there's much direct
reuse outside of the GPLv3 licence.

I am contemplating helping gnutls add TPM2 support using the same
framework, but their crypto system will require different modifications
of the base files.

> The whole gpg with TPM thing sounds interesting.  I took quite a
> while to add this to master since you first showed me it at some

> Sorry.

Well, stuff takes a while, thanks for adding it.  Since it was always
targeted at 2.3, there's no real delay anyway.
