
No official Fedora package

Open hoinmic opened this issue 2 years ago • 24 comments

Currently, tpm2-openssl is not an official Fedora package. In my opinion, this package is essential for a modern distribution.

@beldmit @sahanaprasad07 I do not understand the procedure or the process. What needs to be done / who needs to be triggered to make this an official Fedora package?

A current specification already exists: https://pagure.io/tpm2-openssl/branches?branchname=main

hoinmic avatar Apr 27 '23 13:04 hoinmic

https://docs.fedoraproject.org/en-US/package-maintainers/New_Package_Process_for_New_Contributors/ - hope this helps

beldmit avatar Apr 27 '23 13:04 beldmit

@beldmit Thank you very much. It seems that a review was started over 20 months ago and never finished. But a month ago, the new specification https://pagure.io/tpm2-openssl/branches?branchname=main was written by another person.

I guess the question now is how can the process be started again?

hoinmic avatar Apr 27 '23 14:04 hoinmic

Do you have a bug number at your disposal?

beldmit avatar Apr 27 '23 14:04 beldmit

Do you have a bug number at your disposal?

There is https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2144589, but it's "only" 6 months old.

gotthardp avatar Apr 27 '23 14:04 gotthardp

@afreof You wrote the new specification. Do you have a different bug number or is the original Bug 2144589 the official one?

hoinmic avatar Apr 27 '23 14:04 hoinmic

Yes, there is bug 2144589. I tried to summarize my understanding of this issue here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2144589#c3.

The issue is that Fedora currently comes with openssl-3.x and tpm2-tss-engines packages. Is there a use case where the two packages can work together? I guess Fedora should have replaced the tpm2-tss-engines package by the new tpm2-openssl package with the update from openssl-1.x to openssl-3.x.

@beldmit

  • Do you agree that shipping openssl3 + tpm2-tss-engines should be considered a bug?
  • How can this be fixed? I tried to contribute with a copr and a pagure repo to make the packaging reproducible for testing and discussing. What else could be done?

afreof avatar Apr 27 '23 16:04 afreof

We didn't compile Fedora with no-engine, so they would work. But it would be much better to add a provider package and deprecate the engines one.

beldmit avatar Apr 28 '23 14:04 beldmit

@afreof Hi, could you address the comments from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2144589#c2 if not done already? You can submit the package for review, we will review it. Thanks!

sahanaprasad07 avatar May 02 '23 17:05 sahanaprasad07

https://github.com/tpm2-software/tpm2-openssl/pull/68 shows all the details which would need to be fixed to get a build without warnings when compiled with Fedora's compiler flags.

Most likely this would introduce errors that would actually worsen the code instead of improving it. But I hope it is helpful in some way anyway.

afreof avatar May 02 '23 22:05 afreof

@afreof, thank you, I improved your fixes a bit, so now they fix (hopefully all) the warnings without worsening the code ;-)

@hoinmic, I made a release 1.2.0-rc1, which should make testing of the package easier.

gotthardp avatar May 03 '23 11:05 gotthardp

@gotthardp Thank you very much. That's much better than what I quickly tried.

Status:

  • [x] All warnings are fixed (Fedora 38)
  • [x] The git repo at https://pagure.io/tpm2-openssl is now up to date
  • [x] New builds are available at https://copr.fedorainfracloud.org/coprs/afreof/tpm2-openssl/
  • [ ] Run tests on Fedora (what the CI pipeline does)
  • [ ] Get familiar with the package maintainership of Fedora

afreof avatar May 04 '23 18:05 afreof

@afreof concerning the tests: the most difficult part is to get a TPM running. The rest is just make check. Do you know how the environment shall be set up?

gotthardp avatar May 04 '23 18:05 gotthardp

@gotthardp I am also trying to form and test the new version. Am I correct in assuming that an emulated tpm (e.g. ibmtpm) should be used for the tests and tpm2-abrmd should be switched to the emulated TPM?

hoinmic avatar May 04 '23 19:05 hoinmic

@hoinmic Fedora has the swtpm package. That worked for me when I was debugging the FC38 issue. I cannot remember whether I needed the abrmd or not. Try without it first.

gotthardp avatar May 04 '23 19:05 gotthardp

I tried to do what the pipeline of this git repo does: https://github.com/tpm2-software/tpm2-openssl/compare/master...afreof:tpm2-openssl:run-tests-locally

Some tests failed.

make[3]: Entering directory '/build/tpm2-openssl-1.2.0-rc1-2-gca5a07b/_build/sub'
PASS: test/list.sh
PASS: test/rand.sh
PASS: test/rsa_genrsa_check.sh
PASS: test/rsa_genpkey_sign.sh
PASS: test/rsa_genpkey_sign_rawin.sh
FAIL: test/rsa_genpkey_auth_parent.sh
FAIL: test/rsa_createak_auth.sh
FAIL: test/rsa_createak_sign_object.sh
FAIL: test/rsa_createak_sign_handle.sh
FAIL: test/rsa_create_decrypt.sh
PASS: test/rsa_genpkey_x509_cert.sh
FAIL: test/rsa_genpkey_x509_cmp.sh
PASS: test/rsa_genpkey_x509_cms.sh
PASS: test/rsa_genpkey_tls_server.sh
FAIL: test/rsa_createak_x509_csr.sh
PASS: test/rsapss_genpkey_sign_rawin.sh
FAIL: test/rsapss_createak_tls_server.sh
PASS: test/rsa_pki/rsa_pki.sh
PASS: test/ec_genpkey_check.sh
PASS: test/ec_genpkey_parameters.sh
PASS: test/ec_genpkey_x509_cms.sh
FAIL: test/ecdsa_genpkey_sign_auth.sh
PASS: test/ecdsa_genpkey_sign_rawin.sh
FAIL: test/ecdsa_createak_sign_handle.sh
PASS: test/ecdh_genpkey_keyexch.sh
FAIL: test/ecdh_create_keyexch_index.sh
FAIL: test/ec_createak_x509_cert.sh
FAIL: test/ec_createak_x509_csr_auth.sh
FAIL: test/ec_createak_x509_cms.sh
FAIL: test/ec_createak_x509_index.sh
FAIL: test/ec_genpkey_tls_server.sh
FAIL: test/ec_pki/ec_pki.sh
PASS: test/store_x509_index.sh
PASS: test/store_errors.sh
PASS: test/selftest
============================================================================
Testsuite summary for tpm2-openssl 1.2.0-rc1-2-gca5a07b
============================================================================
# TOTAL: 35
# PASS:  18
# SKIP:  0
# XFAIL: 0
# FAIL:  17
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to https://github.com/tpm2-software/tpm2-openssl/issues
============================================================================

I was not sure if the make install is required. To test it I started with containerization because I try to not install stuff with sudo on my machine. But so far the same tests are failing.

One example:

cat test/rsa_genpkey_auth_parent.log 
Starting /build/test/rsa_genpkey_auth_parent.sh
+ echo -n abcde12345abcde12345
+ tpm2_createprimary -G rsa -g sha256 -p123 -c parent.ctx
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
  raw: 0x30072
type:
  value: rsa
  raw: 0x1
exponent: 65537
bits: 2048
scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: cfb
  raw: 0x43
sym-keybits: 128
rsa: (public key hex omitted)
++ tpm2_evictcontrol -c parent.ctx
++ cut -d ' ' -f 2
++ head -n 1
+ HANDLE=0x81000000
+ TPM2OPENSSL_PARENT_AUTH=789
+ openssl genpkey -provider tpm2 -algorithm RSA -out testkey.priv -pkeyopt parent:0x81000000 -pkeyopt parent-auth:123 -pkeyopt user-auth:abc -pkeyopt bits:1024
genpkey: Error setting parent:0x81000000 parameter:
403CF088637F0000:error:03000093:digital envelope routines:default_fixup_args:command not supported:crypto/evp/ctrl_params_translate.c:580:[action:2, state:4] name=parent, value=0x81000000
FAIL test/rsa_genpkey_auth_parent.sh (exit status: 1)

afreof avatar May 04 '23 22:05 afreof

The "command not supported" error was shown when the providers went wrong on Fedora. Could you try adding the usual propquery?

gotthardp avatar May 04 '23 22:05 gotthardp
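An added example, not code from the thread or from tpm2-openssl: a small Python triage helper that parses the OpenSSL 3 error line quoted in the failing test log above, unpacks the hex error code using the ERR_PACK() layout from openssl/err.h, and flags the pattern gotthardp points at, an EVP "command not supported" raised in the ctrl-to-param translation layer for a provider-specific -pkeyopt, which means the option never reached the tpm2 provider and the -provider/-propquery selection should be checked. The sample log is constructed from the excerpt in the thread.

```python
import re

# Constructed sample input (mirrors the per-test log quoted in the thread).
SAMPLE_LOG = """\
Starting /build/test/rsa_genpkey_auth_parent.sh
+ openssl genpkey -provider tpm2 -algorithm RSA -out testkey.priv -pkeyopt parent:0x81000000 -pkeyopt bits:1024
genpkey: Error setting parent:0x81000000 parameter:
403CF088637F0000:error:03000093:digital envelope routines:default_fixup_args:command not supported:crypto/evp/ctrl_params_translate.c:580:[action:2, state:4] name=parent, value=0x81000000
FAIL test/rsa_genpkey_auth_parent.sh (exit status: 1)
"""

# OpenSSL 3 error line layout:
#   <thread-id>:error:<packed code>:<library>:<function>:<reason>:<file>:<line>:<extra data>
ERR_LINE = re.compile(
    r"^[0-9A-Fa-f]+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)
# ERR_PACK() from <openssl/err.h>: library number in bits 23..30, reason in the low 23 bits.
ERR_LIB_OFFSET, ERR_LIB_MASK, ERR_REASON_MASK = 23, 0xFF, 0x7FFFFF
ERR_LIB_EVP = 6  # "digital envelope routines"

def unpack_error_code(code: int) -> tuple:
    """Split a packed OpenSSL 3 error code into (library, reason) numbers."""
    return (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK, code & ERR_REASON_MASK

def parse_openssl_errors(log_text: str) -> list:
    """Return one dict per OpenSSL error line found in a tpm2-openssl test log."""
    errors = []
    for line in log_text.splitlines():
        m = ERR_LINE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["lib_num"], entry["reason_num"] = unpack_error_code(int(entry["code"], 16))
        entry["line"] = int(entry["line"])
        # ctrl_params_translate.c appends "name=<pkeyopt>, value=<...>" for -pkeyopt failures.
        p = re.search(r"name=([^,]+), value=(\S+)", entry["extra"])
        entry["pkeyopt"] = p.group(1) if p else None
        errors.append(entry)
    return errors

def looks_like_wrong_provider(err: dict) -> bool:
    """Heuristic from the thread: EVP 'command not supported' raised by the legacy ctrl->param
    translation (default_fixup_args) for a named -pkeyopt such as parent means the option was
    not handed to the tpm2 provider; check the -provider / -propquery selection first."""
    return (err["lib_num"] == ERR_LIB_EVP and err["func"] == "default_fixup_args"
            and err["reason"] == "command not supported" and err["pkeyopt"] is not None)

def failed_tests(log_text: str) -> list:
    """Collect 'FAIL: test/...' or 'FAIL test/...' script names from automake output."""
    return re.findall(r"^FAIL:? (\S+\.sh)", log_text, re.MULTILINE)
```

Running parse_openssl_errors over the real test/*.log files lets you separate provider-selection failures from genuine TPM errors before filing a report.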

I have tested the pull request https://github.com/tpm2-software/tpm2-openssl/pull/69 from @afreof . It works perfectly for me.

hoinmic avatar May 08 '23 13:05 hoinmic

I think after the build process and tests are running fine in Fedora 38 and now everything is on the master branch, we can continue well with this issue after the release of version 1.2.0.

hoinmic avatar Jun 01 '23 16:06 hoinmic

Would it make sense to declare the current state as 1.2.0? Or is there still a reason for the RC state?

afreof avatar Sep 01 '23 15:09 afreof

@afreof, @hoinmic, I released 1.2.0 a few days ago.

gotthardp avatar Oct 16 '23 07:10 gotthardp

@gotthardp I am not able to find the public gpg key to verify the sources as per https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures#Source_file_verification.

Could you perhaps give me a hint or a public key to proceed?

afreof avatar Dec 08 '23 11:12 afreof

@afreof It should be available on GPG servers. Or please try https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0x6329cfcb6be6fd76

gotthardp avatar Dec 08 '23 16:12 gotthardp

Thank you, with this key it works.

afreof avatar Dec 09 '23 11:12 afreof

This is now solved: https://packages.fedoraproject.org/pkgs/tpm2-openssl/tpm2-openssl/index.html

afreof avatar Apr 25 '24 15:04 afreof