[PATCH GnuPG 8/9] tests: tpm2d: Set TPM2TOOLS_TCTI if we're using SWTPM

James Bottomley James.Bottomley at HansenPartnership.com
Sun Jun 25 17:41:01 CEST 2023 

On Fri, 2023-06-23 at 17:08 -0400, James Bottomley via Gnupg-devel
wrote:
> On Fri, 2023-06-23 at 13:48 -0400, James Bottomley via Gnupg-devel
> wrote:
> [...]
> > I'd suggest trying to get the Intel TSS working with ibmswtpm2
> > based tests first and then trying to extend to swtpm (so you know
> > the problem is in the swtpm connection layer).
> 
> Actually, I have this working now as well (using patches 1-3 from
> yourseries and the latest fix I posted) with all tests passing, so I
> can confirm your problem is something in the swtpm setup.

Sorry for the delay, but this has been quite a saga.  I've fixed the
Leap builds of swtpm 0.8.0 so I could check it:

https://build.opensuse.org/package/show/home:jejb1:Tumbleweed/swtpm

Then I tried to plug it back into openssl_tpm2_engine (which was the
master for the current gpg test rig).  When I finally got this working,
I remember why I abandoned swtpm in the first place (before the
openSUSE builds stopped working): it's failing several tests in my
suite, all to do with elliptic curves.  This time around I actually dug
into these and determined that several of the failures are openssl
related: it has a strange idea of how you sign certificates with curves
of under 256 bits.  Apparently swtpm enables P-192 and Brainpool 224,
which no other TPM I've ever seen does, but these curves trigger the
openssl failure.  The final EC failure looks to be internal to swtpm
itself: it can't handle curves that are parametrised rather than named.
However, although this last may be fatal for openssl_tpm2_engine, it's
not a problem for gnupg because it doesn't ever use parametrised
curves.

So the final fix is to drop this patch in favour of the one below (the
connection setting in intel-tss.h is overriding your environment
variable) and all the tests actually pass.

However, I really think for testing you should be using ibmswtpm2

https://github.com/kgoldman/ibmswtpm2

It is a faithful port of the MS standard TPM2 reference implementation

https://github.com/microsoft/ms-tpm-20-ref

it only enables TCG mandated curves and it works for parametrised EC
curves. Swtpm seems to have deviated significantly from the reference
implementation which is why it's having the problems I outlined ... I'm
sure it will get fixed eventually, but a test suite needs a reliable
base to run on top of, which is why it should be using the reference
implementation.

Regards,

James

---

diff --git a/tpm2d/intel-tss.h b/tpm2d/intel-tss.h
index 615f81e2f..53da5cee2 100644
--- a/tpm2d/intel-tss.h
+++ b/tpm2d/intel-tss.h
@@ -285,9 +285,15 @@ TSS_Create(TSS_CONTEXT **tssContext)
    */
   if (intType)
     {
-      if (strcmp("socsim", intType) == 0) {
-	tctildr = "mssim";
-      }
+      if (strcmp("socsim", intType) == 0)
+	{
+	  char *swtpm = getenv("SWTPM");
+
+	  if (!swtpm || strlen(swtpm) == 0)
+	    tctildr = "mssim";
+	  else
+	    tctildr = "swtpm";
+	}
       else if (strcmp("dev", intType) == 0)
 	{
 	  tctildr = "device";

More information about the Gnupg-devel mailing list