[Pkg-swan-devel] Bug#994396: Bug#994396: strongswan: Please enable TPM2 via --enable-tss-tss2

Yves-Alexis Perez corsac at debian.org
Wed Sep 15 15:21:50 BST 2021



On Wed, 2021-09-15 at 15:53 +0200, Paride Legovini wrote:
> The Debian strongswan package doesn't currently have any TPM support,
> even if d/rules calls ./configure --enable-tpm, as actually enabling TPM
> requires a TSS (Tpm Software Stack) implementation. To enable TPM2 we
> need TSS2, which is enabled via --enable-tss-tss2 (which requires an
> additional build-dep: libtss2-dev).
> 
> Please consider adding those to the strongswan packaging.
> 
> Note: this still doesn't enable TPM1.2, for which --enable-tss-trousers
> is required. My suggestion is to avoid enabling it, and strongswan
> upstream Tobias Brunner agrees, see the discussion in the Ubuntu bug
> I linked.

Hi Paride,

thanks for the bug report and merge request. As said on that MR, it makes
sense to me since we already enable the TPM plugin, I'm just a bit confused
that it's an empty shell by default.

I'm not especially a huge fan of the remote attestation parts (the various
bits are really complex), but just having access to private keys sealed in the
TPM does look interesting to me.

I've set the flag to merge the request if the CI pipeline succeeds. Thanks!

Regards,
-- 
Yves-Alexis


