gnupg + TPM 2.0 support request

sergio borghese sergio.borghese at gmail.com
Sun Dec 10 16:55:48 CET 2023


Hello everyone,

Still trying to debug the interaction between my custom-built gpg 2.4 and
the TPM.
I managed to enable the gpg-agent log file and set the debug level to 5
(advanced) according to:

https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#option-_002d_002dhomedir

What I actually see when I run `keytotpm` is:

```
2023-12-10 16:42:44 gpg-agent[357268] DBG: chan_10 <- KEYTOTPM
FDEE0860BCFCE24C29738F1ADBF42D4C7D95516B
2023-12-10 16:42:44 gpg-agent[357268] starting a new PIN Entry
2023-12-10 16:42:44 gpg-agent[357268] DBG: connection to PIN entry
established
2023-12-10 16:42:44 gpg-agent[357268] DBG: chan_10 -> INQUIRE
PINENTRY_LAUNCHED 357865 curses 1.2.1 /dev/pts/3 xterm-256color :0
20620/590201106/5 590201106/590200513 0
2023-12-10 16:42:44 gpg-agent[357268] DBG: chan_10 <- END
2023-12-10 16:42:49 gpg-agent[357268] no running
/opt/gpg24/libexec/tpm2daemon daemon - starting it
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 <- OK GNU Privacy
Guard's TPM2 server ready
2023-12-10 16:42:49 gpg-agent[357268] first connection to daemon
/opt/gpg24/libexec/tpm2daemon established
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 -> GETINFO socket_name
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 <- ERR 268435731 Unknown
IPC command <TPM2d>
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 -> OPTION event-signal=12
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 <- OK
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 -> IMPORT
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 <- INQUIRE KEYDATA
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 -> [ 44 20 28 31 31 3a
70 72 69 76 61 74 65 2d 6b 65 ...(982 byte(s) skipped) ]
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 -> [ 44 20 c8 dc 76 ef
16 58 03 a0 29 29 29 00 ]
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 -> END
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 <- INQUIRE NEEDPIN
Please enter the TPM Authorization passphrase for the key.
2023-12-10 16:42:49 gpg-agent[357268] starting a new PIN Entry
2023-12-10 16:42:49 gpg-agent[357268] DBG: connection to PIN entry
established
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_10 -> INQUIRE
PINENTRY_LAUNCHED 357872 curses 1.2.1 /dev/pts/3 xterm-256color :0
20620/590201106/5 590201106/590200513 0
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_10 <- END
2023-12-10 16:42:51 gpg-agent[357268] starting a new PIN Entry
2023-12-10 16:42:51 gpg-agent[357268] DBG: connection to PIN entry
established
2023-12-10 16:42:51 gpg-agent[357268] DBG: chan_10 -> INQUIRE
PINENTRY_LAUNCHED 357874 curses 1.2.1 /dev/pts/3 xterm-256color :0
20620/590201106/5 590201106/590200513 0
2023-12-10 16:42:51 gpg-agent[357268] DBG: chan_10 <- END
2023-12-10 16:42:52 gpg-agent[357268] starting a new PIN Entry
2023-12-10 16:42:52 gpg-agent[357268] DBG: connection to PIN entry
established
2023-12-10 16:42:52 gpg-agent[357268] DBG: chan_10 -> INQUIRE
PINENTRY_LAUNCHED 357876 curses 1.2.1 /dev/pts/3 xterm-256color :0
20620/590201106/5 590201106/590200513 0
2023-12-10 16:42:52 gpg-agent[357268] DBG: chan_10 <- END
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_11 -> D pippero
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_11 -> END
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_11 <- [ 44 20 28 31 30 3a
31 30 37 33 37 34 31 38 32 35 ...(524 byte(s) skipped) ]
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_11 <- OK
2023-12-10 16:42:55 gpg-agent[357268] updating regular key file
'/home/netresults.wintranet/borghese/gpg2.tmp/private-keys-v1.d/FDEE0860BCFCE24C29738F1ADBF42D4C7D95516B.key'
by a shadow key inhibited
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_10 -> OK
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_10 <- KEYINFO
FDEE0860BCFCE24C29738F1ADBF42D4C7D95516B
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_12 -> KEYINFO --list
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_12 <- OK
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_10 -> S KEYINFO
FDEE0860BCFCE24C29738F1ADBF42D4C7D95516B D - - - P - - -
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_10 -> OK
```

The log entries that seem interesting to me are the following:

```
2023-12-10 16:46:24 gpg-agent[358316] DBG: chan_11 <- ERR 268435731 Unknown
IPC command <TPM2d>
```
and
```
2023-12-10 16:46:30 gpg-agent[358316] updating regular key file
'/home/netresults.wintranet/borghese/gpg2.tmp/private-keys-v1.d/FDEE0860BCFCE24C29738F1ADBF42D4C7D95516B.key'
by a shadow key inhibited
```

Does anyone know what the above error means exactly and how to solve it?

Cheers and thanks
Sergio


On Sun, Dec 10, 2023 at 1:04 AM sergio borghese <sergio.borghese at gmail.com>
wrote:

> Hi Stephan,
>
> You are right actually, but I built gnupg 2.4 from the source code. I'm
> using the correct binary and also ensured that the gpg-agent used is the one
> built from version 2.4.
>
> The strange thing is that I get no error when editing the key and using the
> command keytotpm, but the key is not sealed.
>
> Cheers and thanks
> Sergio
>
>
> On Sat 9 Dec 2023, 15:16 Stephan Verbücheln via Gnupg-users, <
> gnupg-users at gnupg.org> wrote:
>
>> As far as I am aware, Debian and Ubuntu still have GnuPG 2.2 which does
>> not have that feature yet.
>>
>> Regards
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> https://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>

-- 
I'd rather kill time,
I'd rather talk nonsense,
I'd rather blow up a fashion,
I'd rather die of love.
(Caparezza)
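As an added example (not from the original post and not GnuPG's own code), a small Python script that walks a gpg-agent debug log of the shape shown above, pairs each Assuan `ERR` reply with the command the agent had just sent on that channel, decodes the numeric gpg-error value into its source and code fields (libgpg-error packs the source in bits 24-30 and the code in the low 16 bits), and flags the "shadow key inhibited" message. The name tables are assumptions limited to the two values visible in this thread; the sample log is constructed from those lines with the mail-client line wrapping undone.

```python
import re

# Constructed sample in the shape of the gpg-agent debug log above (each record on one line).
SAMPLE_LOG = """\
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 -> GETINFO socket_name
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 <- ERR 268435731 Unknown IPC command <TPM2d>
2023-12-10 16:42:49 gpg-agent[357268] DBG: chan_11 -> IMPORT
2023-12-10 16:42:55 gpg-agent[357268] DBG: chan_11 <- OK
2023-12-10 16:42:55 gpg-agent[357268] updating regular key file '/tmp/example.key' by a shadow key inhibited
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) gpg-agent\[(?P<pid>\d+)\] DBG: (?P<chan>chan_\d+) (?P<dir><-|->) (?P<msg>.*)$")

# libgpg-error layout: error code in the low 16 bits, error source in bits 24-30.
CODE_MASK, SOURCE_SHIFT, SOURCE_MASK = 0xFFFF, 24, 0x7F
# Assumed name tables: only the values that this thread's log actually shows.
SOURCES = {16: "TPM2d"}
CODES = {275: "Unknown IPC command"}

def decode_gpg_error(value):
    """Split a numeric gpg-error value into (source name, code name), numeric where unknown."""
    code = value & CODE_MASK
    source = (value >> SOURCE_SHIFT) & SOURCE_MASK
    return SOURCES.get(source, f"source#{source}"), CODES.get(code, f"code#{code}")

def analyze_agent_log(text):
    """Return findings: each ERR with the command it answers, plus inhibited shadow-key writes."""
    findings = []
    last_cmd = {}  # channel -> verb of the last command the agent sent on that channel
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if "by a shadow key inhibited" in line:
                path = re.search(r"'([^']*)'", line)
                findings.append(("SHADOW_KEY_WRITE_INHIBITED", path.group(1) if path else line))
            continue
        chan, direction, msg = m.group("chan"), m.group("dir"), m.group("msg")
        if direction == "->":
            last_cmd[chan] = msg.split(" ", 1)[0]  # GETINFO, IMPORT, OPTION, ...
        elif msg.startswith("ERR "):
            source, code = decode_gpg_error(int(msg.split()[1]))
            findings.append(("ERR", chan, last_cmd.get(chan, "?"), source, code))
    return findings

if __name__ == "__main__":
    for finding in analyze_agent_log(SAMPLE_LOG):
        print(finding)
```

Run against a real log, the pairing shows that the only ERR here answers the agent's `GETINFO socket_name` probe of tpm2daemon, while the later IMPORT exchange completes with OK.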