Bug 776751 - app-emulation/libvirt add app-crypt/swtpm as firmware RDEPEND
Summary: app-emulation/libvirt add app-crypt/swtpm as firmware RDEPEND
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
: Normal normal
Assignee: Matthias Maier
URL:
Whiteboard:
Keywords:
Depends on: 798753 798777
Blocks:
Reported: 2021-03-16 21:21 UTC by Martin Dummer
Modified: 2022-04-19 20:17 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Martin Dummer 2021-03-16 21:21:45 UTC
Today I tried to add an emulated TPM to a qemu VM.

As a preparation, I emerged app-crypt/swtpm.

The VM did not work; it failed to power on. The referenced logfile showed error messages, which led me to the missing USE flag net-libs/gnutls[tools] and then to app-crypt/swtpm[gnutls].

This took some hours of investigation for me, which I feel was not necessary. No hints on g.o wiki or elsewhere on the internet.

Basically I expect a better dependency management from libvirt which is offering the emulated tpm support.

I propose to add a new local USE flag "swtpm" which adds

RDEPEND="
  ...
  swtpm? ( net-libs/gnutls[tools] )
  ...
"

to prevent other users from having the same bad experience.
Comment 1 Ionen Wolkens gentoo-dev 2021-03-16 21:52:13 UTC
It goes against policy[1] to have USE for optional runtime-only dependencies (bar rare exceptions). Usually these are handled by simple ebuild warnings (like with optfeature.eclass).

Not very familiar with swtpm myself but sounds questionable what should handle this. Qemu can use swtpm without libvirt, so does it really make sense for libvirt to handle this?

Have to consider most people don't use this too, so maybe swtpm itself could mention something (like warn if gnutls is disabled, and/or make gnutls default enabled)? Or maybe you'd like to document it on the wiki?

app-crypt/swtpm[gnutls] already depends on net-libs/gnutls[tools], so USE=gnutls on swtpm seems like the point of interest rather than add gnutls[tools] on another package.

[1] https://projects.gentoo.org/qa/policy-guide/dependencies.html#pg0001
Comment 2 Martin Dummer 2021-03-16 23:24:04 UTC
I mostly disagree with the argument that something does not need to be fixed because it is rarely used. That's something I've never seen here at Gentoo....

The argument that qemu uses swtpm itself does also not apply, because when you do NOT use libvirt for this, you are on your own preparing the key storage stuff, and it's your own responsibility if you fail at this point.
Libvirt prepares all this keystore stuff for the user and fails if swtpm is merged other than app-crypt/swtpm[gnutls].

I do not insist on exactly my proposed solution, I just want a better user experience than I have received. That's - just as a side note - something I see often gets lost in technical discussions here at Gentoo in general.

Having that documented here in bugzilla may be enough documentation for the next user who has the same problem (that's what I often do - look into bugzilla while thinking "this must be a problem someone else must have had before...")
Comment 3 Ionen Wolkens gentoo-dev 2021-03-16 23:41:08 UTC
(In reply to Martin Dummer from comment #2)
> I mostly disagree with the argument that something does not need to be fixed
> because it is rarely used.
I did not say that, I implied it would be preferable to fix it in a more targeted way, e.g. something swtpm users will see rather than the average libvirt user.
Comment 4 Ionen Wolkens gentoo-dev 2021-03-17 00:15:09 UTC
(In reply to Martin Dummer from comment #2)
> Libvirt prepares all this keystore stuff for the user and fails if swtpm is
> merged other than app-crypt/swtpm[gnutls].
I see, as I said I'm not very familiar with it and trying to determine where to direct this bug. Simply adding an optfeature line to libvirt could be an option still, unless @Salah is interested in doing something from swtpm's end.
Comment 5 Christopher Byrne 2021-03-17 01:56:36 UTC
The gnutls tools are required to provision the TPM (for TPM 1.2, generate the EK and lock NVRAM; for 2.0, generate the EK certificate NVRAM entries).

There's a couple of ways I could fix this:

1) The least intrusive way is to print out a notice (einfo?) at the end of the app-crypt/swtpm install that app-emulation/libvirt needs swtpm[gnutls] to initially provision the TPM.

2) The most intrusive way is to drop the optional gnutls flag and just require it outright. However, this may be too intrusive for people who are using swtpm just to test the TPM utilities.

3) The in-between method is to add +gnutls to IUSE for app-crypt/swtpm and do 1) if it's off.
Comment 6 Matthias Maier gentoo-dev 2021-04-04 17:55:18 UTC
This sounds like a good candidate to add to the libvirt readme and/or print a warning in the pkg_postinst() phase of the app-emulation/libvirt ebuild.
Does someone want to give this a try and create a short patch?
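As an added illustration of the pkg_postinst()-style hint discussed in comments 5 and 6 (example code written for this page, not an ebuild from the Gentoo tree and not something anyone in the thread posted): a shell check that scans a PATH-style directory list for swtpm_cert, which the later commit in this bug notes is only built with swtpm[gnutls], and for certtool, which is assumed here to be the net-libs/gnutls[tools] binary involved. A real ebuild would query Portage with has_version or optfeature rather than looking at PATH.

```shell
#!/bin/bash
# Added example, not an ebuild from the Gentoo tree. Mirrors the check behind
# a pkg_postinst() hint: are the tools libvirt needs to provision an emulated
# TPM present? swtpm_cert is only built with app-crypt/swtpm[gnutls] (see the
# commit in comment 7); certtool is assumed to be the net-libs/gnutls[tools]
# binary involved. A real ebuild would use has_version/optfeature, not PATH.

# Usage: check_swtpm_provisioning_tools "<colon-separated dir list>"
# Returns 0 when every tool is found; otherwise prints "missing: <tools>"
# and returns 1.
check_swtpm_provisioning_tools() {
    local dirs=$1 missing="" tool dir found old_ifs
    # Split the directory list on ':' into the function's positional params.
    old_ifs=$IFS
    IFS=:
    set -- $dirs
    IFS=$old_ifs
    for tool in swtpm_cert certtool; do
        found=0
        for dir in "$@"; do
            if [ -x "$dir/$tool" ]; then
                found=1
                break
            fi
        done
        [ "$found" -eq 1 ] || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# The einfo-style hint itself: silent on success, a short warning on failure.
# Takes an optional dir list (defaults to $PATH) so it can be tested offline.
swtpm_postinst_hint() {
    local report
    if report=$(check_swtpm_provisioning_tools "${1:-$PATH}"); then
        return 0
    fi
    echo "$report"
    echo "app-emulation/libvirt needs app-crypt/swtpm[gnutls] (which pulls in"
    echo "net-libs/gnutls[tools]) to provision an emulated TPM; re-emerge swtpm"
    echo "with USE=gnutls before adding an emulated TPM to a VM."
    return 1
}
```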
Comment 7 Matthias Maier gentoo-dev 2021-06-26 03:57:08 UTC
commit de5afd6794251f04a2848f67acec7e8950bfa386 (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Fri Jun 25 22:56:02 2021 -0500

    app-crypt/swtpm: add virtualization project, set USE=+gnutls
    
    swtpm is an optional runtime dependency of app-emulation/qemu and
    app-emulation/libvirt. With the latest development (Windows 11 requiring
    tpm support) tpm emulation becomes increasingly important. This commit
    
     * adds the virtualization project as maintainer to be CC'ed on bugs
       relating to app-crypt/swtpm
    
     * changes USE=+gnutls to automatically build swtpm_cert which is
       required by libvirt to function properly
    
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>
Comment 8 Martin Dummer 2021-06-26 11:59:44 UTC
(In reply to Matthias Maier from comment #7)
>     swtpm is an optional runtime dependency of app-emulation/qemu and
>     app-emulation/libvirt. With the latest development (Windows 11 requiring
>     tpm support) tpm emulation becomes increasingly important. This commit
>     

for a working emulated TPM see also #798777
Comment 9 Matthias Maier gentoo-dev 2021-06-27 17:21:45 UTC
Reevaluating the situation I think it makes a lot of sense to unconditionally add app-crypt/swtpm as an RDEPEND in the near future (similarly to our firmware rdepends). Waiting for #798753
Comment 10 Larry the Git Cow gentoo-dev 2021-06-27 17:29:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90e269a62dbd1cfec2c4c108ede1ab0db350169a

commit 90e269a62dbd1cfec2c4c108ede1ab0db350169a
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2021-06-27 17:19:00 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2021-06-27 17:29:21 +0000

    dev-libs/libtpms: add virtualization project
    
    Add virtualization project to the list of maintainers to better track
    app-emulation/qemu firmware dependencies.
    
    In preparation of adding app-crypt/swtpm as unconditional RDEPEND to
    app-emulation/qemu.
    
    Bug: https://bugs.gentoo.org/776751
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 dev-libs/libtpms/metadata.xml | 4 ++++
 1 file changed, 4 insertions(+)