Open and Resolved Issues

Open Issues

• Windows BitLocker requesting recovery password after upgrade of QEMU from 5.1 to 5.2: unlikely an issue related to swtpm or libtpms in the reported case but may be related to changes in PCR values due to measurements; also see this page here

• The tcsd (TrouSerS) package fails to install on Ubuntu on a system where /dev/tpm0 is a TPM 2; it works fine if /dev/tpm0 is missing due to no TPM on the system; To have the issue resolved, the following bug report has been filed with Debian/Ubuntu: https://bugs.launchpad.net/ubuntu/+source/trousers/+bug/1802133

  • We need tcsd as part of swtpm-tools to be able to support virtualizing a TPM 1.2
  • Also see issue 88: https://github.com/stefanberger/swtpm/issues/88

• tpmtool is not packaged by Ubuntu as part of GnuTLS package

  • Using the host's TPM 1.2 as a CA will not work

Resolved Issues

• Signing with pkcs11 keys does not finish / work and when running p11-tool --list-tokens as a non-root user we get pop up windows to authenticate with PC/SC daemon. The easiest solution seems to be to turn the PC/SC daemon off: sudo systemctl disable pcsdc; sudo systemctl stop pcsdc

• On some distros the starting of a VM with an attached vTPM 1.2 does not work even though tcsd is installed; this is (often) related to how tcsd is configured and what ownership requirements it has on the tcsd config file (check: tcsd -c /tmp/foo -f) and requires ./configure [] --with-tss-user=<user> --with-tss-group=<group> to use the proper user and group that tcsd expected along with similar configuration of libvirt (/etc/libvirt/qemu.conf swtpm_user and swtpm_group entries); the bugs in swtpm_setup were fixed in libtpms >0.3.2; swtpm_setup >= 0.4 does not use tcsd anymore

• The Ubuntu 16.04 and 20.04 x86_64 (not ppc64le, arm*, i386, s390) PPA build servers fail the test suite due to 'bad system call' errors by 'swtpm'. This is likely due to the seccomp profile or the seccomp libary. The solution there is to run the test suite using SWTPM_TEST_SECCOMP_OPT="--seccomp action=none" make -j4 check VERBOSE=1

• Older versions of the TPM 1.2 NVRAM tpm-tools are not working correctly, which results in failures in the test_parameters test case Test 15. The bug has been fixed in recent versions of the tpm-tools package.

• Some versions of the gnutls tools (gnutls-utils-3.6.3-2.fc28.x86_64) cannot read ECC public keys, which causes a failure of the test_tpm2_swtpm_cert_ecc test case. This has been fixed in gnutls (Bug Report).

• Older versions of the Intel and IBM TSS 2 cannot deal with more than 3 PCR banks, even though only 2 banks are enabled. The reason is that the TSS stacks did not support TPM 2 messages reporting about more than 3 PCR banks. Both TSS 2 stacks have been extended to support this, though. The Intel TSS 2 on Fedora (f28: tpm-tools-3.0.4-1, f26: tpm2-tools-2.1.1-1, tpm2-tss-1.2.0-1) doesn't seem to have this problem.

• Gnutls 3.6.5 starts supporting --srk-well-known in tpmtool, otherwise it is impossible to create a key if the TPM 1.2 has the well known password of 20 zero bytes.