I asked about this on IRC but didn't get a reply yet so figured I'd ask here as easier to reference. A lot of uses of libvirt with QEMU don't involve TPMs at all, I'm not convinced this needs to be an unconditional dependency. It's a bit annoying to have to go enabling USE=tools for gnutls (which isn't default-on) because of it everywhere libvirt is installed. Is there some other solution that was considered here? If there's no good alternative, it's fine, but wondering if we can do a bit better here.
Let's fix the swtpm package:

- add USE=openssl variant
- set default to USE=-gnutls and USE=-openssl

That way it should be a minimal dependency not requiring setting use flags for a plain installation.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd5108f577a44c494d630197f0b67b92c5f85235

commit cd5108f577a44c494d630197f0b67b92c5f85235
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-07-06 17:27:02 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-07-06 17:28:35 +0000

    app-crypt/swtpm: add USE=+openssl as default crypto provider

    Bug: https://bugs.gentoo.org/909754
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-crypt/swtpm/metadata.xml          |  2 +
 app-crypt/swtpm/swtpm-0.8.0-r1.ebuild | 75 +++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
Sorry for the late reply, but I'm on vacation. Given that at least Windows started to require TPM (and my rough guess for desktop use of virtualization is gaming on Windows) we should at least produce an elog message/warning for libvirt when useflags are not met. That would be on par with the bug Sam linked earlier. NB any Linux guest that would like to use swtpm would also need those useflags. This only strengthens my hunch about producing an elog message, at least. Alternatively, the swtpm dependency could be made conditional for libvirt, but then I'd again vote for depending on swtpm with the right set of useflags that enable swtpm_setup and allow it to set up TPM storage. Strictly speaking, libvirt doesn't need swtpm_setup if corresponding per-domain TPM storage exists on VM startup, but I believe that's almost never the case for new VMs (and existing VMs were new once too). I can propose a patch once I'm back, unless somebody beats me to it.
Hi Michal, no worries :-)

Sam and I discussed on IRC and we concluded that the dependency overhead with (fixed) swtpm is small enough that we can just depend on it. The original issue was the fact that swtpm defaulted to USE=+gnutls that pulled in a non-standard dependency on gnutls requiring a user to manually set use flags.

I think that depending on app-crypt/swtpm unconditionally is in the same spirit as us already depending on firmware unconditionally - I don't think there is much gained in having too fine-grained USE flag control over this. Not for:

% qsize swtpm libtasn1
app-crypt/swtpm: 40 files, 24 non-files, 1.1M
dev-libs/libtasn1: 62 files, 17 non-files, 578.3K

in comparison to (for example on my system with debug symbols):

% qsize edk2-ovmf ipxe seabios sgabios qemu
sys-firmware/edk2-ovmf: 9 files, 7 non-files, 6.2M
sys-firmware/ipxe: 19 files, 7 non-files, 4.4M
sys-firmware/seabios: 7 files, 4 non-files, 489.0K
sys-firmware/sgabios: 1 files, 3 non-files, 4.0K
app-emulation/qemu: 954 files (936 unique), 109 non-files, 2.6G
I'm confused. RDEPEND has

> openssl? (
>     dev-libs/libtasn1:=
>     dev-libs/openssl
> )
> [...]
> dev-libs/openssl:0=

econf args:

> --with-openssl \
> [...]
> $(use_with openssl) \

It looks like we have IUSE=openssl now, but also openssl is still unconditionally enabled and required. Just not paying attention... or what?
Also...

> app-crypt/swtpm: change default provider to openssl, ensure clean dependency resolution

I'm not seeing that there's a choice between openssl and gnutls. gnutls in configure.ac enables WITH_GNUTLS. Other than enabling some tests, the only thing this appears to control is

> if WITH_GNUTLS
> bin_PROGRAMS += \
>     swtpm_cert
> endif

in src/swtpm_cert/Makefile.am. Please take a look at the build system.
(In reply to Matt Turner from comment #5)
> I'm confused.

Not just you.

> Just not paying attention... or what?

:-D
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3586b3e6796a5c2121e83960c70d66b84fcfdf6a

commit 3586b3e6796a5c2121e83960c70d66b84fcfdf6a
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-07-29 03:43:08 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-07-29 03:46:23 +0000

    app-crypt/swtpm: remove erroneous USE=openssl, remove USE=gnutls

    - openssl is an unconditional dependency
    - gnutls was only ever used for running some tests

    Let us remove all of the stray use flag choices and depend on openssl
    unconditionally. Thanks to Matt Turner for pointing this out.

    Bug: https://bugs.gentoo.org/909754
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 .../swtpm/{swtpm-0.8.0-r1.ebuild => swtpm-0.8.0-r2.ebuild} | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e470d198cc9fe863a54e392fb7e8bf963b5be5e9

commit e470d198cc9fe863a54e392fb7e8bf963b5be5e9
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-09-14 15:04:21 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-09-14 15:05:50 +0000

    app-crypt/swtpm: add back support for swtpm_cert, improve description

    Bug: https://bugs.gentoo.org/909754
    Closes: https://bugs.gentoo.org/913586
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-crypt/swtpm/metadata.xml                                  | 2 +-
 app-crypt/swtpm/{swtpm-0.8.0.ebuild => swtpm-0.8.0-r1.ebuild} | 5 +++--
 app-crypt/swtpm/{swtpm-0.8.1.ebuild => swtpm-0.8.1-r1.ebuild} | 7 ++++++-
 3 files changed, 10 insertions(+), 4 deletions(-)
I think https://github.com/gentoo/gentoo/pull/32704 might've been a better approach?
I did an assessment of the various packages that depend on swtpm. It turns out only app-emulation/libvirt[qemu] requires it. The other packages don't need it. I created a new PR, https://github.com/gentoo/gentoo/pull/32788 that makes app-emulation/libvirt[qemu] depend on app-crypt/swtpm[gnutls], and fixes the test process on app-crypt/libsecret and app-crypt/tpm2-openssl to not require it.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=385cf751b98496cf4e297b0f1cbf3e1ba9e26d80

commit 385cf751b98496cf4e297b0f1cbf3e1ba9e26d80
Author:     Christopher Byrne <salah.coronya@gmail.com>
AuthorDate: 2023-09-16 15:51:13 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-09-16 15:54:02 +0000

    app-crypt/swtpm: Add gnutls dependency back for swtpm_cert

    RDEPEND=net-libs/gnutls[tools,pkcs11] is essentially required for
    app-crypt/swtpm. New vTPMs cannot be provisioned without it, and
    upstream expects gnutls to have PKCS11 support:
    https://github.com/stefanberger/swtpm/issues/477 .

    Closes: https://github.com/gentoo/gentoo/pull/32704
    Closes: https://bugs.gentoo.org/913586
    Bug: https://bugs.gentoo.org/909754
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-crypt/swtpm/metadata.xml                       |  1 -
 ...swtpm-0.8.0-r1.ebuild => swtpm-0.8.0-r2.ebuild} | 22 ++++++++++++----------
 ...swtpm-0.8.1-r1.ebuild => swtpm-0.8.1-r2.ebuild} | 22 ++++++++++++----------
 3 files changed, 24 insertions(+), 21 deletions(-)
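A host pre-flight check for the point this commit message makes (a fresh vTPM cannot be provisioned without swtpm_cert and the gnutls tools), added here as an example that is neither Gentoo's nor swtpm's own code: it looks for the binaries swtpm_setup relies on and reports which are missing before libvirt tries to start a TPM-backed domain. It assumes that the presence of p11tool is a reasonable proxy for net-libs/gnutls having been built with PKCS#11 support.

```shell
#!/bin/sh
# Constructed example: check whether this host can provision a new vTPM.
# swtpm_setup needs swtpm_cert (app-crypt/swtpm) and certtool from
# net-libs/gnutls[tools]; p11tool stands in for gnutls[pkcs11] (assumption).

# Print the first executable named $1 found in the colon-separated path $2.
# Returns 1 if none is found. The body is a subshell so IFS/set -f do not
# leak; "exit" therefore only leaves the subshell.
find_in_path() (
    set -f
    IFS=:
    for dir in $2; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# Print the provisioning tools missing from the search path $1 (defaults to
# $PATH), one per line. Returns 0 only when nothing is missing.
missing_vtpm_tools() {
    search_path=${1:-$PATH}
    rc=0
    for tool in swtpm swtpm_setup swtpm_cert certtool p11tool; do
        if ! find_in_path "$tool" "$search_path" >/dev/null; then
            printf '%s\n' "$tool"
            rc=1
        fi
    done
    return $rc
}

# Report for the host this runs on; never exits non-zero itself.
if missing=$(missing_vtpm_tools); then
    echo "all vTPM provisioning tools found; TPM-backed domains can be created"
else
    echo "missing tools (a new TPM-backed domain will fail to start):"
    printf '  %s\n' $missing
fi
```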
(In reply to Christopher Byrne from comment #11)
> I did an assessment of the various packages that depend on swtpm. It turns
> out only app-emulation/libvirt[qemu] requires it. The other packages don't
> need it. I created a new PR, https://github.com/gentoo/gentoo/pull/32788
> that makes app-emulation/libvirt[qemu] depend on app-crypt/swtpm[gnutls],
> and fixes the test process on app-crypt/libsecret and app-crypt/tpm2-openssl
> to not require it.

Agreed and applied. Thanks for fixing it! :-)

(In reply to Sam James from comment #10)
> I think https://github.com/gentoo/gentoo/pull/32704 might've been a better
> approach?

We now went full circle and I have applied PR 32704. I am sorry for the noise this all created.
For reference, quoting myself from 2021 (which I completely forgot about):

commit de5afd6794251f04a2848f67acec7e8950bfa386
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Fri Jun 25 22:56:02 2021 -0500

    app-crypt/swtpm: add virtualization project, set USE=+gnutls

    swtpm is an optional runtime dependency of app-emulation/qemu and
    app-emulation/libvirt. With the latest development (Windows 11
    requiring tpm support) tpm emulation becomes increasingly important.

    This commit
     * adds the virtualization project as maintainer to be CC'ed on bugs
       relating to app-crypt/swtpm
     * changes USE=+gnutls to automatically build swtpm_cert which is
       required by libvirt to function properly

    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

@sam: What about we simply change the use flag in gnutls to USE=+tools and close this chapter?