Installation process on host fails if host has a TPM 2.0

[mrcdb]

The dependency on tpm-tools, hence on trousers, generates an error when installing the dependencies required to build and install swtpm on a host machine equipped with TPM 2.0. The tcsd daemon (belonging to TSS 1.2) starts with the following error:

invoke-rc.d: initscript trousers, action "start" failed.
● trousers.service - LSB: starts tcsd
   Loaded: loaded (/etc/init.d/trousers; generated)
   Active: failed (Result: exit-code) since Wed 2018-11-07 14:41:14 UTC; 6ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 690 ExecStart=/etc/init.d/trousers start (code=exited, status=137)

Starting LSB: starts tcsd...
* Starting Trusted Computing daemon tcsd
/etc/init.d/trousers: 32: [: /dev/tpm0: unexpected operator
      ...fail!
trousers.service: Control process exited, code=exited status=137
trousers.service: Failed with result 'exit-code'.
Failed to start LSB: starts tcsd.
dpkg: error processing package trousers (--configure):
 installed trousers package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of tpm-tools:
 tpm-tools depends on trousers; however:
  Package trousers is not configured yet.

dpkg: error processing package tpm-tools (--configure):
 dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
                                                                                                          Errors were encountered while processing:
 trousers
 tpm-tools

Is tpm-tools required in the build and installation of swtpm or only when instantiating a vTPM 1.2? Can I skip this dependency with no problem?

[mrcdb]

I see that tpm-tools is a dependency for swtpm-tools project. Can I skip the compilation of this project (I think it would still be unusable if I virtualise only TPM 2.0 devices, right?).

[stefanberger]

swtpm-tools is a dependency for virtualization, i.e., it's needed by libvirt. But it depends on what you are trying to do. If you want to create a vTPM 2.0 you are fine without tpm-tools and tcsd. If you want to create a vTPM 1.2 and create certificates for it and have them written into its NVRAM locations, then you need tcsd.

The tcsd package should not start the daemon or first check whether a TPM 1.2 is available and only start it then -- at least for the purpose of using it with swtpm. This can be done fairly easily by opening /dev/tpm0 using bash and sending a command and seeing what is coming back...

[mrcdb]

The tcsd package should not start the daemon or first check whether a TPM 1.2 is available and only start it then -- at least for the purpose of using it with swtpm. This can be done fairly easily using by opening /dev/tpm0 using bash and sending a command and seeing what is coming back...

I agree with your point, but on my host (Ubuntu 18.04.1 LTS) as soon as I run apt install tpm-tools the tcsd daemon is automatically started as part of the installation process.

[stefanberger]

Solutions for you would be to either locally modify the dependencies or ignore the configuration error. The more long-term solution is to file a bug report with Ubuntu and tell them to not start the tcsd daemon automatically if there's no TPM 1.2 on the system. I can do the latter.

[mrcdb]

A workaround for the moment would be to mask the trousers service before it is installed by tpm-tools. This can be done as follows (as the service is not yet installed):

# ln -s /dev/null /etc/systemd/system/trousers.service

A subsequent call to apt install tpm-tools succeeds on a TPM 2.0 equipped host now.

[stefanberger]

I filed the following bug now with Debian: https://bugs.launchpad.net/ubuntu/+source/trousers/+bug/1802133

I certainly hope that they will react.

[mrcdb]

Fine. The issue can be closed now.