gnupg + TPM 2.0 support request
sergio borghese
sergio.borghese at gmail.com
Sat Dec 9 14:12:38 CET 2023
Hello Everyone,
I would like to protect my pgp keys using the TPM2 installed on my laptop
I was hence reading this article:
https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html
but I'm not able to get the `card-no: TPM-Protected` attribute for my key
so I guess something is going wrong and the key is not being protected
using the TPM
I opened a support request also here:
https://crypto.stackexchange.com/questions/108897/cannot-protect-gpg-key-using-tpm2-on-ubuntu-22-04
Please find below the info on what I did
I'm trying to protect a GPG key using the TPM2 available on my laptop, but
I'm not having any success. Probably I'm doing something wrong, but I
cannot figure out what this is.
My system is running `Ubuntu 22.04`
Here what I did:
## Verify TPM2 is available and enabled in my Linux system:
- check tpm hw is detected at boot time:
```
$ dmesg | grep -i tpm
[    0.327325] kernel: tpm_tis STM0125:00: 2.0 TPM (device-id 0x0, rev-id 78)
```
- check tpm devices are available and have the correct owners:
```
$ ls -l /dev/tpm*
crw-rw---- 1 tss tss 10, 224 nov 27 07:42 /dev/tpm0
crw-rw---- 1 tss tss 253, 65536 nov 27 07:42 /dev/tpmrm0
```
- my user is member of the `tss` group
- installed the following packages:
```
clevis-tpm2
libnatpmp1
libtss2-tcti-swtpm0
tpm-udev
tpm2-abrmd
tpm2-openssl
tpm2-tools
libtpm2-pkcs11-tools
libtpm2-pkcs11-1
```
- loaded the tpm module:
```
$ modprobe tpm_tis_spi
$ lsmod | grep tpm
tpm_tis_spi 20480 0
```
- check the tpm broker is up and running
```
root@NR054-UB:/lib/modules/6.2.0-37-generic# systemctl status tpm2-abrmd
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
Loaded: loaded (/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-11-27 07:42:29 CET; 4 days ago
Main PID: 1086 (tpm2-abrmd)
Tasks: 6 (limit: 18082)
Memory: 1.4M
CPU: 9.563s
CGroup: /system.slice/tpm2-abrmd.service
└─1086 /usr/sbin/tpm2-abrmd
```
I built gpg version `2.4` (as the default gpg version on `ubuntu 22.04` is
`2.2`)
and set the env variable `GNUPGHOME=~/gpg2.tmp/` to use a "clean" keyring
```
$ gpg2 --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/<my-username>/gpg2.tmp
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
```
## Try to protect a test gpg key using TPM
So far so good. As I got no relevant error or warning in setting up all the
previous steps, I continued following the example from:
[1] https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html
[2] https://www.monperrus.net/martin/7-things-to-do-with-your-TPM-on-Linux
- started the tpm2daemon:
```
tpm2daemon --log-file ~/gpg2.tmp/tpm2daemon.log --daemon --debug-level 1000
```
BUT, when I try to move the key to the TPM I do not get the
`card-no: TPM-Protected` attribute on the key
```
$ /opt/gpg24/bin/gpg2 --edit-key tpm.test@test.com
gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/2E0718AD3A17F52E
created: 2023-12-02 expires: 2026-12-01 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). tpm.test@test.com
gpg> keytotpm
Really move the primary key? (y/N) y
sec rsa2048/2E0718AD3A17F52E
created: 2023-12-02 expires: 2026-12-01 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). tpm.test@test.com
```
What am I doing wrong? Any hint on how to debug this?
Bye and thanks
Sergio
--
I prefer to kill time,
I prefer to talk nonsense,
I prefer to blow up a fad,
I prefer to die of love.
(Caparezza)
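The check the post is really asking for, as an added example that is not code from the post, from GnuPG or from the blog post it links: instead of eyeballing the `--edit-key` listing, inspect what gpg-agent actually wrote to disk for the key. Two assumptions are mine, not the post's: that `gpg --edit-key` lists a TPM-resident key with a `card-no: TPM-Protected` line in the layout Sergio pasted, and that gpg-agent stores a key moved with `keytotpm` in `$GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key` as a shadowed key whose shadow type tag is `tpm2-v1` (smart-card keys carry `t1-v1`), while a key that was never moved is still a `(protected-private-key ...)` or `(private-key ...)` S-expression. The function names and the sample transcripts are invented for the example.

```shell
#!/bin/sh
# Added example (not code from the mailing-list post or from GnuPG): verify
# whether a GnuPG secret key really moved into the TPM after "keytotpm".
#
# Assumptions (mine, not stated in the post):
#  - "gpg --edit-key" shows a TPM-resident key with a "card-no: TPM-Protected"
#    line, in the layout Sergio pasted (sec/ssb line, then indented
#    created:/card-no:/trust: lines, then "[trust] (n). uid" lines).
#  - gpg-agent keeps a key moved to the TPM in
#    $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key as a shadowed key whose shadow
#    type is "tpm2-v1" (smart-card keys use "t1-v1"); a key that never moved is
#    still a (protected-private-key ...) or (private-key ...) S-expression.

# editkey_has_tpm_cardno KEYID   (reads "gpg --edit-key" output on stdin)
# Succeeds only if the block for KEYID (its sec/ssb line up to the next
# sec/ssb line, uid line or blank line) contains "card-no: TPM-Protected".
editkey_has_tpm_cardno() {
    awk -v id="$1" '
        /^[[:space:]]*(sec|ssb)/ { inblock = (index($0, id) > 0); next }
        /^[[:space:]]*\[/ || /^[[:space:]]*$/ { inblock = 0 }
        inblock && /card-no:[[:space:]]*TPM-Protected/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# keyfile_shadow_type FILE
# Prints how gpg-agent stores the private key in FILE: tpm2-v1, t1-v1,
# shadowed-unknown, protected-private-key, private-key, unknown or missing.
# Works on both the canonical S-expression and the "Key: (...)" extended
# file format, because the tag strings appear verbatim in either.
keyfile_shadow_type() {
    [ -r "$1" ] || { echo missing; return 1; }
    if grep -q 'shadowed-private-key' "$1"; then
        if   grep -q 'tpm2-v1' "$1"; then echo tpm2-v1
        elif grep -q 't1-v1'   "$1"; then echo t1-v1
        else echo shadowed-unknown; fi
    elif grep -q 'protected-private-key' "$1"; then echo protected-private-key
    elif grep -q 'private-key'           "$1"; then echo private-key
    else echo unknown; return 1
    fi
}

# key_is_tpm_resident FILE: the yes/no answer a script wants.
key_is_tpm_resident() { [ "$(keyfile_shadow_type "$1" || true)" = tpm2-v1 ]; }

# check_key KEYID: run the file check against the live keyring in GNUPGHOME.
# Needs gpg on PATH; prints "<keygrip> <storage type>" per (sub)key and fails
# if any of them is not TPM-resident.  Use the same GNUPGHOME the agent used.
check_key() {
    home="${GNUPGHOME:-$HOME/.gnupg}"
    rc=0
    for grip in $(gpg --batch --with-colons --with-keygrip -K "$1" 2>/dev/null |
                  awk -F: '$1 == "grp" { print $10 }'); do
        type=$(keyfile_shadow_type "$home/private-keys-v1.d/$grip.key" || true)
        printf '%s %s\n' "$grip" "$type"
        [ "$type" = tpm2-v1 ] || rc=1
    done
    return $rc
}

# Stand-alone use: sh tpmcheck.sh 2E0718AD3A17F52E  (no args: define functions only)
if [ $# -gt 0 ]; then check_key "$1"; fi
```

If `check_key` reports `protected-private-key` for a grip after `keytotpm`, the agent never converted the key, so the missing `card-no:` line is a symptom of the move failing rather than of the listing; if it reports `tpm2-v1`, the key is already shadowed and the listing is what needs attention. Either way, run it against the exact `GNUPGHOME` (here `~/gpg2.tmp`) that gpg-agent was started with.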