Open and Resolved Issues
Stefan Berger edited this page Jun 16, 2020 · 23 revisions
- tpm2_createprimary of Fedora 28 (tpm2-tools-3.0.5) cannot handle the larger contexts/packets returned when creating a primary key and will crash when libtpms 0.8.0 (with 3072-bit RSA key support) is used; Clevis/Tang automated LUKS boots will also fail because of this.
- Ubuntu 16.04 build server for PPA fails the test suite due to 'bad system call' errors by `swtpm`. This is likely due to the seccomp profile. Unfortunately I cannot recreate the error on my 16.04 systems to see which syscall is causing this.
- The tcsd (TrouSerS) package fails to install on Ubuntu on a system where `/dev/tpm0` is a TPM 2; it works fine if /dev/tpm0 is missing due to no TPM on the system. To have the issue resolved, the following bug report has been filed with Debian/Ubuntu: https://bugs.launchpad.net/ubuntu/+source/trousers/+bug/1802133
  - We need tcsd as part of swtpm-tools to be able to support virtualizing a TPM 1.2
  - Also see issue 88: https://github.com/stefanberger/swtpm/issues/88
- `tpmtool` is not packaged by Ubuntu as part of the GnuTLS package
  - Using the host's TPM 1.2 as a CA will not work
- The Ubuntu 16.04 and 20.04 x86_64 (not ppc64le, arm*, i386, s390) PPA build servers fail the test suite due to 'bad system call' errors by 'swtpm'. This is likely due to the seccomp profile or the seccomp library. The solution there is to run the test suite using `SWTPM_TEST_SECCOMP_OPT="--seccomp action=none" make -j4 check VERBOSE=1`
- Older versions of the TPM 1.2 NVRAM tpm-tools are not working correctly, which results in failures in the `test_parameters` test case Test 15. The bug has been fixed in recent versions of the tpm-tools package.
- Some versions of the gnutls tools (gnutls-utils-3.6.3-2.fc28.x86_64) cannot read ECC public keys, which causes a failure of the `test_tpm2_swtpm_cert_ecc` test case. This has been fixed in gnutls (Bug Report).
- Older versions of the Intel and IBM TSS 2 cannot deal with more than 3 PCR banks, even though only 2 banks are enabled. The reason is that the TSS stacks did not support TPM 2 messages reporting about more than 3 PCR banks. Both TSS 2 stacks have been extended to support this, though. The Intel TSS 2 on Fedora (f28: tpm-tools-3.0.4-1, f26: tpm2-tools-2.1.1-1, tpm2-tss-1.2.0-1) doesn't seem to have this problem.
- GnuTLS 3.6.5 starts supporting `--srk-well-known` in `tpmtool`; without it, it is impossible to create a key if the TPM 1.2 has the well-known password of 20 zero bytes.
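
For the 'bad system call' items above, the syscall that the seccomp profile rejects can be read from the kernel's audit records. The script below is an added example, not part of swtpm or this wiki: `seccomp_kills`, `sample_log` and the sample records (including the syscall numbers) are constructed for illustration. It assumes the kernel logs seccomp kills as audit records (type 1326 in `dmesg`, `SECCOMP` in audit.log).

```shell
#!/bin/sh
# Summarise seccomp kills for one command name from audit records on stdin.
# Output: "<count> arch=<arch> syscall=<nr>", most frequent first.
seccomp_kills() {
    comm="${1:-swtpm}"
    awk -v want="$comm" '
        # keep only seccomp records: numeric type in dmesg, symbolic in audit.log
        !/type=(1326|SECCOMP)[ :]/ { next }
        {
            c = ""; arch = "?"; nr = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)         { c = $i; sub(/^comm=/, "", c); gsub(/"/, "", c) }
                else if ($i ~ /^arch=/)    { arch = substr($i, 6) }
                else if ($i ~ /^syscall=/) { nr = substr($i, 9) }
            }
            # count per (arch, syscall): the same number means different calls per arch
            if (c == want && nr != "") seen[arch " " nr]++
        }
        END {
            for (k in seen) {
                split(k, p, " ")
                printf "%d arch=%s syscall=%s\n", seen[k], p[1], p[2]
            }
        }
    ' | LC_ALL=C sort -k1,1nr -k3,3
}

# Constructed sample records (not from a real failure): two dmesg-style kills of
# swtpm, one audit.log-style kill, one kill of another process, one AppArmor record.
sample_log() {
cat <<'EOF'
[ 1021.100] audit: type=1326 audit(1592300000.100:101): auid=1000 uid=1000 gid=1000 ses=3 pid=4101 comm="swtpm" exe="/usr/bin/swtpm" sig=31 arch=c000003e syscall=230 compat=0 ip=0x7f0000001000 code=0x0
[ 1021.900] audit: type=1326 audit(1592300000.900:102): auid=1000 uid=1000 gid=1000 ses=3 pid=4107 comm="swtpm" exe="/usr/bin/swtpm" sig=31 arch=c000003e syscall=230 compat=0 ip=0x7f0000001000 code=0x0
type=SECCOMP msg=audit(1592300001.200:103): auid=1000 uid=1000 gid=1000 ses=3 pid=4112 comm="swtpm" exe="/usr/bin/swtpm" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f0000002000 code=0x0
[ 1022.500] audit: type=1326 audit(1592300001.500:104): auid=0 uid=0 gid=0 ses=1 pid=990 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=230 compat=0 ip=0x7f0000003000 code=0x0
[ 1023.000] audit: type=1400 audit(1592300002.000:105): apparmor="DENIED" operation="open" pid=4120 comm="swtpm" name="/tmp/x"
EOF
}

# Stand-alone demo on the constructed sample.
sample_log | seccomp_kills swtpm
```

On a real build host, pipe `dmesg` or `/var/log/audit/audit.log` into `seccomp_kills` after a failing test run. The reported numbers can be resolved to syscall names with `ausyscall` or `scmp_sys_resolver`.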