app-crypt/swtpm 0.8.0-r2 and later have dropped the gnutls USE flag, which means that it no longer builds swtpm_cert, which is essential for creating certificates for the TPM without the EK private key. It's possible of course to create certificates through other workflows, but none of them are anywhere near as convenient.

Reproducible: Always

This change was a result of https://bugs.gentoo.org/909754
Looking at what packages in portage are using swtpm for, it's probably better that the dependency on gnutls be unconditional. Without swtpm_cert, it's impossible to provision a TPM. The primary consumer, app-emulation/libvirt, needs to provision new vTPMs, and other packages use it for tests and need the vTPM provisioned for that. I see no program that would not require swtpm[gnutls]. swtpm_cert spawns certtool (and thus needs "tools"), and upstream expects PKCS11 support to be present in gnutls: https://github.com/stefanberger/swtpm/issues/477 .
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e470d198cc9fe863a54e392fb7e8bf963b5be5e9

commit e470d198cc9fe863a54e392fb7e8bf963b5be5e9
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-09-14 15:04:21 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-09-14 15:05:50 +0000

    app-crypt/swtpm: add back support for swtpm_cert, improve description

    Bug: https://bugs.gentoo.org/909754
    Closes: https://bugs.gentoo.org/913586
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-crypt/swtpm/metadata.xml                                  | 2 +-
 app-crypt/swtpm/{swtpm-0.8.0.ebuild => swtpm-0.8.0-r1.ebuild} | 5 +++--
 app-crypt/swtpm/{swtpm-0.8.1.ebuild => swtpm-0.8.1-r1.ebuild} | 7 ++++++-
 3 files changed, 10 insertions(+), 4 deletions(-)
I think https://github.com/gentoo/gentoo/pull/32704 may have been a better approach.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=385cf751b98496cf4e297b0f1cbf3e1ba9e26d80

commit 385cf751b98496cf4e297b0f1cbf3e1ba9e26d80
Author:     Christopher Byrne <salah.coronya@gmail.com>
AuthorDate: 2023-09-16 15:51:13 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-09-16 15:54:02 +0000

    app-crypt/swtpm: Add gnutls dependency back for swtpm_cert

    RDEPEND=net-libs/gnutls[tools,pkcs11] is essentially required for
    app-crypt/swtpm. New vTPMs cannot be provisioned without it, and upstream
    expects gnutls to have PKCS11 support:
    https://github.com/stefanberger/swtpm/issues/477 .

    Closes: https://github.com/gentoo/gentoo/pull/32704
    Closes: https://bugs.gentoo.org/913586
    Bug: https://bugs.gentoo.org/909754
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-crypt/swtpm/metadata.xml                           |  1 -
 ...swtpm-0.8.0-r1.ebuild => swtpm-0.8.0-r2.ebuild}     | 22 ++++++++++++----------
 ...swtpm-0.8.1-r1.ebuild => swtpm-0.8.1-r2.ebuild}     | 22 ++++++++++++----------
 3 files changed, 24 insertions(+), 21 deletions(-)
Just to be clear - it is possible to provision a TPM without swtpm_cert. It is a convenient tool but it is not a required tool (as stated in the original ticket).
(In reply to Nick Bastin from comment #5)
> Just to be clear - it is possible to provision a TPM without swtpm_cert. It
> is a convenient tool but it is not a required tool (as stated in the
> original ticket).

Yes, this is correct. We could have worded the commit and justification a bit more carefully. For the time being we have settled on simply building swtpm_cert unconditionally. We will make USE=+tools the default for gnutls, which hopefully closes this chapter.