Today I tried to add an emulated TPM to a qemu VM. As a preparation, I emerged app-crypt/swtpm, The VM did not work, failed to power on. The referred logfile showed error messages, which led me to missing use flag net-libs/gnutls[tools] and then app-crypt/swtpm[gnutls]. This took some hours of investigation for me, which I feel was not necessary. No hints on g.o wiki or elsewhere on the internet. Basically I expect a better dependency management from libvirt which is offering the emulated tpm support. I propose to add a new local useflag "swtpm" which adds RDEPEND=" ... swtpm? ( net-libs/gnutls[tools] ) ... " to prevent other users making the same bad experience.
It goes against policy[1] to have USE for optional runtime-only dependencies (bare rare exceptions). Usually these are handled by simple ebuild warnings (like with optfeature.eclass). Not very familiar with swtpm myself but sounds questionable what should handle this. Qemu can use swtpm without libvirt, so does it really make sense for libvirt to handle this? Have to consider most people don't use this too, so maybe swtpm itself could mention something (like warn if gnutls is disabled, and/or make gnutls default enabled)? Or maybe you'd like to document it on the wiki? app-crypt/swtpm[gnutls] already depends on net-libs/gnutls[tools], so USE=gnutls on swtpm seems like the point of interest rather than add gnutls[tools] on another package. [1] https://projects.gentoo.org/qa/policy-guide/dependencies.html#pg0001
I mostly disagree with the argument that something does not need to be fixed because it is rarely used. That's something I never seen here at gentoo.... The argument that qemu uses swtpm itself does also not apply because when you do NOT use libvirt for this, you are on your own preparing the key storage stuff, and its your own responsibility failing at this point. Libvirt prepares all this keystore stuff for the user and fails if swtpm is merged other than app-crypt/swtpm[gnutls]. I do not insist on exactly my proposed solution, I just want a better user experience than I have received. Thats - just as a side note - something I see often gets lost in technical discussions here at gentoo in general. Having that documented here in bugzilla maybe enough documentation for the next user who has the same problem (thats what I often do - look into bugzilla while thinking "this must be a problem someone else must had before...")
(In reply to Martin Dummer from comment #2) > I mostly disagree with the argument that something does not need to be fixed > because it is rarely used. I did not say that, I implied it would preferable to be fixed in a more targeted way, e.g. something swtpm users will see rather than the average libvirt user.
(In reply to Martin Dummer from comment #2) > Libvirt prepares all this keystore stuff for the user and fails if swtpm is > merged other than app-crypt/swtpm[gnutls]. I see, as I said I'm not very familiar with it and trying to determine where to direct this bug. Simply adding a optfeature line to libvirt could be an option still, unless @Salah is interested in doing something from swtpm's end.
The gnutls tools are required to provision the TPM (for TPM 1.2, generate the EK, and lock NVRAM; for 2.0 generate the EK certificate NVRAM entries) There's a couple of ways I could fix this: 1) The least intrusive way is to print out an notice (einfo?) at the end of app-crypt/swtpm install that app-emulation/libvirt needs swtpm[gnutls] to initially provision the TPM 2) The most intrusive way to drop the optional gnutls flag and just require it outright. However this may be too intrusive for people who are using swtpm just to test the tpm utilities. 3) The in-between method is add +gnutls to IUSE for app-crypt/swtpm and do 1) if its off
This sounds like a good candidate to add to the libvirt readme and/or print a warning in the pkg_postinst() phase of the app-emulation/libvirt ebuild. Does someone want to give this a try and create a short patch?
commit de5afd6794251f04a2848f67acec7e8950bfa386 (HEAD -> master, origin/master, origin/HEAD) Author: Matthias Maier <tamiko@gentoo.org> Date: Fri Jun 25 22:56:02 2021 -0500 app-crypt/swtpm: add virtualization project, set USE=+gnutls swtpm is an optional runtime dependency of app-emulation/qemu and app-emulation/libvirt. With the latest development (Windows 11 requiring tpm support) tpm emulation becomes increasingly important. This commit * adds the virtualization project as maintainer to be CC'ed on bugs relating to app-crypt/swtpm * changes USE=+gnutls to automatically build swtpm_cert which is required by libvirt to function properly Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Matthias Maier <tamiko@gentoo.org>
(In reply to Matthias Maier from comment #7) > swtpm is an optional runtime dependency of app-emulation/qemu and > app-emulation/libvirt. With the latest development (Windows 11 requiring > tpm support) tpm emulation becomes increasingly important. This commit > for a working emulated TPM see also #798777
Reevaluating the situation I think it makes a lot of sense to unconditionally add app-crypt/swtpm as an RDEPEND in the near future (similarly to our firmware rdepends). Waiting for #798753
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90e269a62dbd1cfec2c4c108ede1ab0db350169a commit 90e269a62dbd1cfec2c4c108ede1ab0db350169a Author: Matthias Maier <tamiko@gentoo.org> AuthorDate: 2021-06-27 17:19:00 +0000 Commit: Matthias Maier <tamiko@gentoo.org> CommitDate: 2021-06-27 17:29:21 +0000 dev-libs/libtpms: add virtualization project Add virtualization project to the list of maintainers to better track app-emulation/qemu firmware dependencies. In preparation of adding app-crypt/swtpm as unconditional RDEPEND to app-emulation/qemu. Bug: https://bugs.gentoo.org/776751 Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Matthias Maier <tamiko@gentoo.org> dev-libs/libtpms/metadata.xml | 4 ++++ 1 file changed, 4 insertions(+)
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fa9735e3f445c8455e05aeee2ddd98445381e6a commit 4fa9735e3f445c8455e05aeee2ddd98445381e6a Author: Matthias Maier <tamiko@gentoo.org> AuthorDate: 2023-06-18 01:38:48 +0000 Commit: Matthias Maier <tamiko@gentoo.org> CommitDate: 2023-06-18 01:54:05 +0000 app-emulation/libvirt: add 9.4.0 Closes: https://bugs.gentoo.org/776751 Signed-off-by: Matthias Maier <tamiko@gentoo.org> app-emulation/libvirt/Manifest | 2 + app-emulation/libvirt/libvirt-9.4.0.ebuild | 363 +++++++++++++++++++++++++++++ 2 files changed, 365 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f484ab4ed03a9943450263bef34d61d49aa3a29b commit f484ab4ed03a9943450263bef34d61d49aa3a29b Author: Michal Privoznik <michal.privoznik@gmail.com> AuthorDate: 2023-07-11 06:57:29 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-07-12 09:16:03 +0000 app-emulation/libvirt: Add app-crypt/swtpm dependency to the live ebuild The swtpm dependency was added earlier (in 4fa9735e3f44) but only for app-emulation/libvirt-9.4.0. The live ebuild was missed. Bug: https://bugs.gentoo.org/776751 Signed-off-by: Michal Privoznik <michal.privoznik@gmail.com> Signed-off-by: Sam James <sam@gentoo.org> app-emulation/libvirt/libvirt-9999.ebuild | 1 + 1 file changed, 1 insertion(+)
