gnupg + TPM 2.0 support request

sergio borghese sergio.borghese at gmail.com
Sat Dec 9 14:12:38 CET 2023


Hello Everyone,

I would like to protect my pgp keys using the TPM2 installed on my laptop
I was hence reading this article:

https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html

but I'm not able to get the `card-no: TPM-Protected` attribute for my key
so I guess something is going wrong and the key is not being protected
using the TPM

I opened a support request also here:
https://crypto.stackexchange.com/questions/108897/cannot-protect-gpg-key-using-tpm2-on-ubuntu-22-04

Please find below the info on what I did

I'm trying to protect a GPG key using the TPM2 available on my laptop, but
I'm not having any success. Probably I'm doing something wrong, but I
cannot figure out what this is.
My system is running `Ubuntu 22.04`

Here is what I did:

## Verify TPM2 is available and enabled in my Linux system:
- check tpm hw is detected at boot time:
```
$ dmesg | grep -i tpm
[    0.327325] kernel: tpm_tis STM0125:00: 2.0 TPM (device-id 0x0, rev-id 78)
```
- check tpm devices are available and have the correct owners:
```
$ ls -l /dev/tpm*
crw-rw---- 1 tss tss  10,   224 nov 27 07:42 /dev/tpm0
crw-rw---- 1 tss tss  253, 65536 nov 27 07:42 /dev/tpmrm0
```
- my user is a member of the `tss` group

- installed the following packages:
```
clevis-tpm2
libnatpmp1
libtss2-tcti-swtpm0
tpm-udev
tpm2-abrmd
tpm2-openssl
tpm2-tools
libtpm2-pkcs11-tools
libtpm2-pkcs11-1
```

- loaded the tpm module:
```
$ modprobe tpm_tis_spi
$ lsmod | grep tpm
tpm_tis_spi            20480  0
```

- check the tpm broker is up and running
```
root at NR054-UB:/lib/modules/6.2.0-37-generic# systemctl status tpm2-abrmd
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
     Loaded: loaded (/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-11-27 07:42:29 CET; 4 days ago
   Main PID: 1086 (tpm2-abrmd)
      Tasks: 6 (limit: 18082)
     Memory: 1.4M
        CPU: 9.563s
     CGroup: /system.slice/tpm2-abrmd.service
             └─1086 /usr/sbin/tpm2-abrmd
```

I built gpg version `2.4` (as the default gpg version on `ubuntu 22.04` is
`2.2`)
and set the env variable `GNUPGHOME=~/gpg2.tmp/` to use a "clean" keyring
```
$ gpg2 --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/<my-username>/gpg2.tmp
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
```

## Try to protect a test gpg key using TPM

So far so good. As I got no relevant error or warning in setting up all the
previous steps, I continued following the example from:

[1] https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html

[2] https://www.monperrus.net/martin/7-things-to-do-with-your-TPM-on-Linux

- started the tpm2daemon:
```
tpm2daemon --log-file ~/gpg2.tmp/tpm2daemon.log --daemon --debug-level 1000
```

BUT, when I try to move the key to the TPM I do not get the
`card-no: TPM-Protected` attribute on the key

```
$ /opt/gpg24/bin/gpg2 --edit-key tpm.test at test.com
gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/2E0718AD3A17F52E
     created: 2023-12-02  expires: 2026-12-01  usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). tpm.test at test.com

gpg> keytotpm
Really move the primary key? (y/N) y

sec  rsa2048/2E0718AD3A17F52E
     created: 2023-12-02  expires: 2026-12-01  usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). tpm.test at test.com
```

What am I doing wrong? Any hint on how to debug this?

Bye and thanks
Sergio


-- 
I prefer to kill time,
I prefer to talk rubbish,
I prefer to make a fashion explode,
I prefer to die of love.
(Caparezza)
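As an added example, not taken from Sergio's message or from GnuPG itself, here is a small POSIX sh pre-flight script that automates the checks the post walks through before running `keytotpm`: the TPM character devices exist and are writable by the current process, the `tss` group is actually active in this login session (a `usermod -aG tss` only takes effect after logging in again, which is a common reason the device check fails even though `/etc/group` looks right), the `gpg` binary is 2.3 or newer (the version the linked article names as the first with TPM support), and the secret-key listing shows the `card-no: TPM-Protected` line the post is looking for. The environment variables `GPG_BIN` and `TPM_CHECK_KEY` and the function names are my own assumptions, not GnuPG options; the two pure functions take their input as arguments or on stdin so they can be exercised without a TPM.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# Assumed names: GPG_BIN (path to the gpg binary, default "gpg") and
# TPM_CHECK_KEY (key id or user id to inspect). Neither is a GnuPG option.

# Return 0 when the first line of `gpg --version` (e.g. "gpg (GnuPG) 2.4.3")
# is 2.3 or newer, the first GnuPG release with keytotpm support.
gpg_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG) \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1          # not a gpg version banner at all
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -ge 3 ]; then return 0; fi
    return 1
}

# Return 0 when a secret-key listing on stdin (output of `gpg -K` or the
# --edit-key prompt) carries the attribute that marks a TPM-shielded key.
listing_shows_tpm() {
    grep -q 'card-no: TPM-Protected'
}

# Live diagnostics for the machine being checked; prints each failed
# prerequisite and returns non-zero if any failed. Not run by the test.
tpm_preflight() {
    key=$1
    gpg_bin=${GPG_BIN:-gpg}
    status=0

    # 1. Kernel exposes both the raw device and the in-kernel resource manager.
    for dev in /dev/tpm0 /dev/tpmrm0; do
        [ -c "$dev" ] || { echo "FAIL: $dev missing (TPM driver not loaded?)"; status=1; }
    done

    # 2. Group membership must be active in *this* session, not just in /etc/group.
    id -nG | tr ' ' '\n' | grep -qx tss \
        || { echo "FAIL: 'tss' not among current groups; log out and back in"; status=1; }
    { [ -r /dev/tpmrm0 ] && [ -w /dev/tpmrm0 ]; } \
        || { echo "FAIL: no read/write access to /dev/tpmrm0"; status=1; }

    # 3. The gpg actually on PATH (or GPG_BIN) must be 2.3+, not a distro 2.2.
    gpg_version_ok "$("$gpg_bin" --version | head -n 1)" \
        || { echo "FAIL: $gpg_bin is older than GnuPG 2.3"; status=1; }

    # 4. After keytotpm the listing must show the TPM-Protected attribute.
    "$gpg_bin" -K "$key" 2>/dev/null | listing_shows_tpm \
        || { echo "FAIL: key '$key' is not reported as TPM-Protected"; status=1; }

    return "$status"
}

# Run the live checks only when a key was named, e.g.:
#   GNUPGHOME=~/gpg2.tmp GPG_BIN=/opt/gpg24/bin/gpg2 TPM_CHECK_KEY=tpm.test@test.com sh tpm_preflight.sh
if [ -n "${TPM_CHECK_KEY:-}" ]; then
    tpm_preflight "$TPM_CHECK_KEY"
fi
```

The `id -nG` check is the one that most often explains a "my user is in the tss group, but it still doesn't work" situation: group changes are applied at login, so a shell opened before the `usermod` keeps the old group set and cannot open `/dev/tpmrm0`. Running the script with the same `GNUPGHOME` and `GPG_BIN` as the failing `--edit-key` session also rules out accidentally talking to the distribution's 2.2 binary.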