Strongswan doesn't support TPM 2.0 through the TSS2 interface

Bug #1940079 reported by Jim Sievert
Affects                Status        Importance  Assigned to       Milestone
strongswan (Debian)    Fix Released  Unknown
strongswan (Ubuntu)    Fix Released  Undecided   Paride Legovini
  Focal                Fix Released  Undecided   Paride Legovini
  Hirsute              Fix Released  Undecided   Paride Legovini

Bug Description

[Impact]

This is actually borderline between a bugfix and a new feature. It's a bugfix because in the libstrongswan-extra-plugins package description we write:

  Also included is the libtpmtss library adding support for TPM plugin
  (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)

but without a TSS (= TPM Software Stack) implementation the plugin can't do anything useful. OTOH adding tss2 support enables new code sections which were previously disabled, and requires a new dependency, so to some extent this is a new feature.

The "new feature" bits are however confined to a library (libtpmtss.so, provided by libstrongswan-extra-plugins), which is basically useless without also enabling a TSS implementation. I think this may fall under the "we sometimes want to introduce new features" SRU safe case, per:

https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases

[Test Case]

We can check that libtpmtss links against libtss2. For example with the proposed change in Focal we have:

$ ldd /usr/lib/ipsec/libtpmtss.so | grep tss
    libtss2-sys.so.0 => /lib/x86_64-linux-gnu/libtss2-sys.so.0
    libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0

and similar in Hirsute. Those are not present in the library provided by the package currently in the archive.

A direct verification requires a full IPsec+TPM2 setup to verify that the TPM2 actually works with the proposed package.

Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan

[Where problems could occur]

Given that libtpmtss is already basically nonfunctional without a TSS implementation, the proposed change can't really break it. However I can still imagine a situation where:

- The TPM plugin is installed but misconfigured, or there are issues with the TPM;
- The issues don't really cause any harm, as without a TSS implementation it can't attempt to do any TPM operation;
- The fixed package allows it to do TPM operations, exposing the misconfiguration/issues and possibly breaking a working setup.

[Development Fix]

Cherry-pick of a Debian packaging commit, so we'll cleanly drop the delta with the next merge from Debian.

[Stable Fix]

Same as the Development Fix (same commit, cherry-picked).

[Original Description]

The Strongswan 5.8.2 (5.8.2-1ubuntu3) for Focal configuration elides the --enable-tss-tss2 option. Without this option, TPM 2.0 is unavailable through the TSS2 interface.

Related branches

summary: - Strongswan in Focal doesn't support TPM 2.0...
+ Strongswan in Focal doesn't support TPM 2.0 through TSS2 interface...
description: updated
summary: - Strongswan in Focal doesn't support TPM 2.0 through TSS2 interface...
+ Strongswan in Focal doesn't support TPM 2.0 through the TSS2
+ interface...
Revision history for this message
Tobias Brunner (tobias-strongswan) wrote : Re: Strongswan in Focal doesn't support TPM 2.0 through the TSS2 interface...

--enable-tss-trousers is missing too, so TPM 1.2 support isn't available either. Which makes enabling the tpm plugin completely useless.

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for taking the time to file this bug and trying to make Ubuntu better.

From the upstream documentation:

'''
--enable-tpm

enable plugin to access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0 [ no ]. Since 5.5.2.
'''

The --enable-tpm option was used to build the Focal package, so from what I understood it has the ability to access persistent keys bound to TPM 2.0. To enable the TSS2 library, we would need to add a new build dependency on libtss2 according to upstream documentation. I am not sure if the SRU team would accept this kind of change in a stable release.

@Tobias, what is --enable-tpm option exactly? Does it work without --enable-tss-trousers and --enable-tss-tss2?

Changed in strongswan (Ubuntu):
status: New → Triaged
Revision history for this message
Tobias Brunner (tobias-strongswan) wrote :

> what is --enable-tpm option exactly?

It's a plugin in libtpmtss that implements interfaces to provide certificates, private keys and random numbers from a TPM 2.0 to the IKE daemon.

> Does it work without --enable-tss-trousers and --enable-tss-tss2?

No, it requires a TSS implementation, in particular, a TSS 2.0 implementation (I saw that it basically does nothing without a TPM 2.0). The only one currently available, enabled via --enable-tss-tss2, uses the libraries provided by tpm2-tss.

The TSS 1 implementation (enabled via --enable-tss-trousers, which wraps TrouSerS) is only needed for other features, e.g. remote attestation (see e.g. [1]), when using a TPM 1.2. But those are currently not enabled in the Ubuntu build.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/PTS-IMC

Revision history for this message
Paride Legovini (paride) wrote :

Thanks Tobias for the additional information. I think that enabling TSS2 in Ubuntu is something we want to do, however there are a few things to consider:

1. The stable Ubuntu releases are "feature frozen", which means that it is unlikely TSS2 will be enabled in Focal (exceptions are possible, but a very compelling reason is needed). However you mentioned that the strongswan Focal configuration *elides* --enable-tss-tss2. Looking at the packaging file I don't think we're disabling or removing that flag from anywhere. Did TSS2 work before with Ubuntu's strongswan package? (I doubt so, as additional build-deps are needed, admittedly I'm not very familiar with the package.)

2. TSS2 doesn't look enabled in the current Ubuntu development release (Impish). That would normally be the right place to enable a new feature, however the devel release is already in feature freeze. This means that the target for enabling TSS2 would be the Ubuntu 22.04 release (modulo [1]).

3. Ideally this change should land in Debian, which as far as I can tell is also missing support for TSS2. Ubuntu would then inherit the change with the next syncs/merges. Debian is out of the freeze, so this is a good moment for proposing the change. Should the change not land in Debian in time for 22.04 we can enable TSS2 in Ubuntu.

What do you think of this plan?

[1] https://wiki.ubuntu.com/FreezeExceptionProcess

Revision history for this message
Jim Sievert (james-sievert) wrote (last edit ):

I need to jump into this one...

Right now, a number of our projects are dependent on the Focal LTS release. These projects cannot wait for 22.04 as they will go to market over the course of the next several months. These same projects make heavy use of TPM 2.0. They do use the TSS 2.0 components which _are currently_ available in Focal. Strongswan has had TSS 2.0 support for quite a while, and Strongswan is key to making our projects successful.

I can say that I've put the --enable-tss-tss2 into our local Focal build and have been successfully running Strongswan with TSS 2.0 support. I'm uncomfortable with having a local build as it's just another entity to remember to manage across the lifetime of our products. This functionality needs to be enabled in Focal.

Thanks.

Revision history for this message
Tobias Brunner (tobias-strongswan) wrote :

> The stable Ubuntu releases are "feature frozen", which means that it is unlikely TSS2 will be enabled in Focal (exceptions are possible, but a very compelling reason is needed).

Is it a new feature, though? Couldn't it be considered a necessary fix to actually make the already shipped tpm plugin (and the tpm_extendpcr command) functional?

> Did TSS2 work before with Ubuntu's strongswan package? (I doubt so, as additional build-deps are needed, admittedly I'm not very familiar with the package.)

As you say, it requires an additional dependency. However, while strongSwan supports tpm2-tss 1.x, the version shipped in Ubuntu bionic was too old. So before a 2.x version was included, it couldn't have worked (looks like Debian didn't include tpm2-tss at all before 2.1.0 was shipped with buster).

Support for TPM 2.0 was added with strongSwan 5.5.0, based on tpm2-tss 1.x (> 1.0). The tpm plugin was originally released with strongSwan 5.5.2. In Debian, the plugin was not enabled until 5.6.1, packaged for testing before the buster release. Unfortunately, there was no configure check that enforced enabling tss-tss2 (I've added one now), which would have failed back then as support for tpm2-tss 2.x was only added with 5.7.0. However, Debian buster eventually included strongSwan 5.7.2 and, as mentioned above, tpm2-tss 2.1.0, so that would have worked. But since the plugin was already enabled successfully months before, nobody apparently considered enabling tss-tss2, even if the plugin was non-functional. So it took nearly 4 years since the plugin was first enabled for somebody to actually try to use it and fail.

Revision history for this message
Paride Legovini (paride) wrote (last edit ):

Some more info for evaluating this:

 * The Impish package builds fine by adding --enable-tss-tss2 in d/rules and adding libtss2-dev to Build-Depends.
 * libtss2-dev is in main in >=Focal.
 * The configure flag enables some well-scoped sections of code via #ifdefs. However this is not something like a separate module: support for TSS2 is built in to the strongswan tools.
 * I didn't check but I imagine this requires a libtss2-* runtime dep.

Paride Legovini (paride)
Changed in strongswan (Ubuntu):
assignee: nobody → Paride Legovini (paride)
Revision history for this message
Tobias Brunner (tobias-strongswan) wrote (last edit ):

> However this is not something like a separate module: support for TSS2 is builtin in the strongswan tools.

Correct, it's just part of libtpmtss.

> I didn't check but I imagine this requires a libtss2-* runtime dep.

Yes, libtss2-esys0 will be required (libtss2-esys-3.0.2-0 for Hirsute and Impish).

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

FYI bin:libtss2-esys0 from src:tpm2-tss is at least already in main in Focal.
In later releases it is libtss2-esys-3.0.2-0 (also in main).

Revision history for this message
Paride Legovini (paride) wrote :

Hi,

I built strongswan 5.9.1-1 with --enable-tss-trousers (extra Build-Dep: libtspi-dev) and --enable-tss-tss2 (extra B-D: libtss2-dev). The package built fine, the resulting libstrongswan-extra-plugins binary package has two extra dependencies:

 - libtss2-sys1
 - libtspi1 (not in main)

Note: I can't see the libtss2-esys runtime dependency that Tobias mentioned. @Tobias: is this expected, or am I missing some other flag?

Before moving forward in this direction I have a question. AIUI --enable-tss-trousers enables TPM1.2, while --enable-tss-tss2 enables TPM2, which is what --enable-tpm needs to do anything useful.

Do you think it makes sense to only enable TPM2 (--enable-tss-tss2), without TPM1.2 (--enable-tss-trousers)? This would be my proposal, as it has some advantages over enabling both:

1. TPM2 has been around for several years now, and improves on TPM1.2 in many ways. Nobody really complained of lack of TPM1.2 support before this bug was filed.
2. libtspi1 is not in main, so enabling TPM1.2 will require at least a MIR, increasing the overall maintenance work.
3. Supporting only TPM2 will save us from deprecating TPM1.2 support one day, with all the burden that such deprecations generate both on the maintainers side and users side. This is my main point.
4. We can always enable TPM1.2 later if we change our mind.

What do you think?

Paride Legovini (paride)
Changed in strongswan (Ubuntu):
status: Triaged → Incomplete
Revision history for this message
Tobias Brunner (tobias-strongswan) wrote :

> Note: I can't see the libtss2-esys runtime dependency that Tobias mentioned. @Tobias: is this expected, or am I missing some other flag?

Yes, that's correct. The configure script checks for both tss2-sys and tss2-esys, but eventually, only tss2-sys is used (possible that Andreas intended to switch to the latter at some point, but that's currently not the case).

> What do you think?

I totally agree. As I mentioned before, support for TPM 1.2 in strongSwan is basically limited to remote attestation, but since the plugins required for that are currently not shipped, enabling support for it would be pointless.

Paride Legovini (paride)
Changed in strongswan (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Paride Legovini (paride) wrote :

As ideally we'd like to have this change land in Debian I filed a Debian bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994396

and opened a MR against the Debian packaging:

https://salsa.debian.org/debian/strongswan/-/merge_requests/11/

Revision history for this message
Paride Legovini (paride) wrote :

My MR against the Debian packaging got merged:

https://salsa.debian.org/debian/strongswan/-/commit/b062db8d85e1502010cd45bc2beb5fbd67912cab

so this will be fixed in Debian unstable with the next upload and in Ubuntu with the merges that will follow. However I'd like to see this land in Impish, so I'm requesting a FFe [1].

This is actually borderline between a bugfix (for which we wouldn't need a FFe) and a new feature. It's a bugfix because in the libstrongswan-extra-plugins package description we write:

  Also included is the libtpmtss library adding support for TPM plugin
  (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)

but without a TSS implementation the plugin can't do anything useful. OTOH adding tss2 support enables new code sections which were previously disabled, and requires a new dependency, so to some extent this is a new feature.

The "new feature" bits are however confined in a module (libtpmtss.so, provided by libstrongswan-extra-plugins), which is basically useless without also enabling a TSS implementation. This should be a safe case not only for a FFe but also for a SRU.

For the moment this is a FFe for Impish. If accepted we'll evaluate what to do with the stable releases.

[1] https://wiki.ubuntu.com/FreezeExceptionProcess
[2] https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases

Revision history for this message
Paride Legovini (paride) wrote :

The FFe is for this MP:

https://code.launchpad.net/~paride/ubuntu/+source/strongswan/+git/strongswan/+merge/408738

I requested a review from ubuntu-release, as I think it's a nice way to approve (or disapprove!) the FFe.

Revision history for this message
Paride Legovini (paride) wrote :
summary: - Strongswan in Focal doesn't support TPM 2.0 through the TSS2
- interface...
+ Strongswan doesn't support TPM 2.0 through the TSS2 interface
Revision history for this message
Steve Langasek (vorlon) wrote :

Ok for feature freeze, to enable this self-contained feature.

Revision history for this message
Paride Legovini (paride) wrote :

Thanks!

Uploading strongswan using ftp to ubuntu (host: upload.ubuntu.com; directory: /ubuntu)
Uploading strongswan_5.9.1-1ubuntu3.dsc
Uploading strongswan_5.9.1-1ubuntu3.debian.tar.xz
Uploading strongswan_5.9.1-1ubuntu3_source.buildinfo
Uploading strongswan_5.9.1-1ubuntu3_source.changes

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.9.1-1ubuntu3

---------------
strongswan (5.9.1-1ubuntu3) impish; urgency=medium

  * Compile the tpm plugin against the tpm2 software stack (tss2)
    (Debian packaging cherry-pick, LP: #1940079)
    - d/rules: add the --enable-tss-tss2 configure flag
    - d/control: add Build-Depends: libtss2-dev

 -- Paride Legovini <email address hidden> Thu, 16 Sep 2021 11:40:38 +0200

Changed in strongswan (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Paride Legovini (paride) wrote :

Now that this is Fix Released in Impish, I'll twist this bug again and make it into a SRU bug, targeting Focal and Hirsute. I'll make a case summarizing the discussion above for the SRU team.

Paride Legovini (paride)
description: updated
description: updated
Paride Legovini (paride)
description: updated
Paride Legovini (paride)
Changed in strongswan (Ubuntu Focal):
assignee: nobody → Paride Legovini (paride)
Changed in strongswan (Ubuntu Hirsute):
assignee: nobody → Paride Legovini (paride)
Changed in strongswan (Ubuntu Focal):
status: New → In Progress
Changed in strongswan (Ubuntu Hirsute):
status: New → In Progress
Revision history for this message
Paride Legovini (paride) wrote :

I uploaded the packages I plan to submit for the Focal/Hirsute SRU to this PPA:

https://launchpad.net/~paride/+archive/ubuntu/strongswan

They look good and sane to me, however I'll proceed with the SRU process only after they have been tested on a setup actually using the TPM2 bits.

@Jim: would it be possible for you to test them? You have the required setup and you already have local Focal builds of the package. Testing should be easy: add the PPA and install the strongswan packages you need from there. If there's anything unclear let me know. Thanks in advance!

Waiting for feedback on the PPA packages I'm marking the SRU tasks as Incomplete.

Changed in strongswan (Ubuntu Focal):
status: In Progress → Incomplete
Changed in strongswan (Ubuntu Hirsute):
status: In Progress → Incomplete
Revision history for this message
Jim Sievert (james-sievert) wrote :

Paride,

Thank you for all your diligence. I will try to provide focal testing results by early next week.

Jim

Changed in strongswan (Debian):
status: Unknown → New
Revision history for this message
Jim Sievert (james-sievert) wrote :

Hi Paride,

I added your Focal PPA and installed the various strongswan packages on my client machine: strongswan, strongswan-swanctl, libstrongswan-extra-plugins, libstrongswan-standard-plugins, and strongswan-pki. I am able to confirm the ability to read TPM nvram keys and certificates successfully using the pki tool. I am also able to confirm successfully being able to complete an ipsec connection from my client machine via those same TPM-based credentials.

Thumbs up from me!

Jim

Paride Legovini (paride)
description: updated
Paride Legovini (paride)
Changed in strongswan (Ubuntu Focal):
status: Incomplete → In Progress
Changed in strongswan (Ubuntu Hirsute):
status: Incomplete → In Progress
Revision history for this message
Paride Legovini (paride) wrote :

Thanks for testing! I uploaded the packages to Focal and Hirsute, now it's up to the SRU team to review the case and update/reject the change. If the packages get accepted they'll end up in the -proposed pockets and will need a final verification to finally land in -updates.

Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Jim, or anyone else affected,

Accepted strongswan into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.8.2-1ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in strongswan (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Revision history for this message
Chris Halse Rogers (raof) wrote :

Hello Jim, or anyone else affected,

Accepted strongswan into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.9.1-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in strongswan (Ubuntu Hirsute):
status: In Progress → Fix Committed
tags: added: verification-needed-hirsute
Revision history for this message
Paride Legovini (paride) wrote :

@Jim: could you please verify the packages once again, this time from focal-proposed, like you did in comment 22? The packages are identical to the ones you already verified, but this time it's on the "real" ones that will be copied to focal-updates once verified.

I'll do the "light" verification on the packages (link to libtss2).

Thanks!
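As an added example (not part of the bug report or of the strongswan packaging), a shell script for the "light" verification mentioned in the comment above: it checks that the installed libstrongswan-extra-plugins carries the focal-proposed version and that libtpmtss.so resolves both libtss2 libraries, treating a "not found" entry (the libtss2 runtime dependency missing) as a distinct failure. The plugin path and version string are the ones quoted in this bug; the sample ldd output used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or the strongswan packaging.
# "Light" SRU verification: confirm the focal-proposed package is installed
# and that libtpmtss.so is actually linked against libtss2 (sys + mu).
# Assumptions: plugin path and version string as quoted in this bug.

PLUGIN=/usr/lib/ipsec/libtpmtss.so
EXPECTED_VERSION=5.8.2-1ubuntu3.2

# tss_linked LDD_OUTPUT
# Returns 0 only if both libtss2-sys and libtss2-mu are resolved to a path.
# An entry of the form "=> not found" does not count as resolved.
tss_linked() {
    printf '%s\n' "$1" | grep -q 'libtss2-sys\.so\.[0-9]* => /' &&
    printf '%s\n' "$1" | grep -q 'libtss2-mu\.so\.[0-9]* => /'
}

# tss_missing LDD_OUTPUT
# Returns 0 if a libtss2 library is referenced but cannot be found at runtime,
# i.e. the plugin was built with tss2 but the runtime package is not installed.
tss_missing() {
    printf '%s\n' "$1" | grep -q 'libtss2-[a-z]*\.so[.0-9]* => not found'
}

# version_ok INSTALLED EXPECTED
version_ok() {
    [ "$1" = "$2" ]
}

# Live check against this machine; skipped when the plugin is not present.
main() {
    if [ ! -e "$PLUGIN" ]; then
        echo "SKIP: $PLUGIN not installed" >&2
        return 0
    fi
    installed=$(dpkg-query -W -f='${Version}' libstrongswan-extra-plugins)
    if ! version_ok "$installed" "$EXPECTED_VERSION"; then
        echo "FAIL: installed $installed, expected $EXPECTED_VERSION" >&2
        return 1
    fi
    out=$(ldd "$PLUGIN")
    if tss_missing "$out"; then
        echo "FAIL: libtss2 referenced but not found (runtime dependency missing?)" >&2
        return 1
    fi
    if tss_linked "$out"; then
        echo "OK: $installed, libtpmtss.so links against libtss2-sys and libtss2-mu"
        return 0
    fi
    echo "FAIL: libtpmtss.so is not linked against libtss2 (old build?)" >&2
    return 1
}

main
```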

Revision history for this message
Jim Sievert (james-sievert) wrote :

On my Focal ipsec client machine, I added the following PPA:

deb http://archive.ubuntu.com/ubuntu/ focal-proposed restricted main multiverse universe

I installed various strongswan packages:

charon-systemd/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed]
libstrongswan-extra-plugins/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed]
libstrongswan-standard-plugins/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed]
libstrongswan/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed,automatic]
strongswan-libcharon/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed,automatic]
strongswan-pki/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed]
strongswan-swanctl/focal-proposed,now 5.8.2-1ubuntu3.2 amd64 [installed,automatic]

I can confirm the ability to read TPM NVRAM keys and certificates successfully using the pki tool.

I am also able to confirm successfully being able to complete an ipsec connection from my client machine via those same TPM-based credentials to my ipsec server.

Paride Legovini (paride)
tags: added: verification-done-focal
removed: verification-needed-focal
Paride Legovini (paride)
tags: added: verification-done verification-done-hirsute
removed: verification-needed verification-needed-hirsute
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.8.2-1ubuntu3.2

---------------
strongswan (5.8.2-1ubuntu3.2) focal; urgency=medium

  * Compile the tpm plugin against the tpm2 software stack (tss2)
    (Debian packaging cherry-pick, LP: #1940079)
    - d/rules: add the --enable-tss-tss2 configure flag
    - d/control: add Build-Depends: libtss2-dev

 -- Paride Legovini <email address hidden> Fri, 17 Sep 2021 10:48:56 +0200

Changed in strongswan (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for strongswan has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.9.1-1ubuntu1.1

---------------
strongswan (5.9.1-1ubuntu1.1) hirsute; urgency=medium

  * Compile the tpm plugin against the tpm2 software stack (tss2)
    (Debian packaging cherry-pick, LP: #1940079)
    - d/rules: add the --enable-tss-tss2 configure flag
    - d/control: add Build-Depends: libtss2-dev

 -- Paride Legovini <email address hidden> Fri, 17 Sep 2021 12:15:40 +0200

Changed in strongswan (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Changed in strongswan (Debian):
status: New → Fix Released