Track upstream tpm2-tools versions and handling

[lukehinds]

So we are now often hitting issues with non backward compat changes upstream.

At the moment we check for certain commands being available, but we are going to need to be more specific, for example

keylime/keylime/tpm2.py

Lines 428 to 432 in 1cf9add

	if legacy_tools:
	retDict = self.__run("tpm2_takeownership -c", raiseOnError=False)
	retDict = self.__run("tpm2_takeownership -o %s -e %s"%(owner_pw, owner_pw), raiseOnError=False)
	else:
	retDict = self.__run("tpm2_changeauth -o %s -e %s"%(owner_pw, owner_pw), raiseOnError=False)

The above will break on 4.0 now, as -o is no longer present as an arg:

tpm2_changeauth -c owner newpass
              tpm2_changeauth -c endorsement newpass
              tpm2_changeauth -c lockout newpass

I recommend we instead grab the version string, as follows:

tpm2_getrandom --version                                                             
    tool="tpm2_getrandom" version="3.2.0" tctis="dynamic" tcti-default=tabrmd dlclose=enabled

We can then build a matrix of command syntax to use, and hopefull upstream will stop renaming args and depreciating commands so frequently.

We also need to have a table showing tools support (like we did for the OS versions for the installer).

[issue-label-bot]

Issue-Label Bot is automatically applying the label feature_request to this issue, with a confidence of 0.86. Please mark this comment with 👍 or 👎 to give our bot feedback!

Links: app homepage, dashboard and code for this bot.

[jetwhiz]

Would it be better to target the tpm2-tools 4.x branch instead of master, that way we're targeting something more stable than their master branch (which often pushes API-breaking changes)?

I expect 4.x is stable now that it is an official release.

[lukehinds]

Hi @jetwhiz , would 4.0 be the same as 4.x?

These are the current versions:

Dist	tools-version
Fedora 30	3.2.0
Fedora 31	3.2.0
Fedora 32	4.0-1
CentOS 8	3.1.1
RHEL 8	3.1.1
Ubuntu 18	2.1.0

I am happy to go with whatever you feel is the better approach and gives us good coverage. Please go ahead and make recommendations as you have a better handle on this then me.

4.0 is the version now in Fedora rawhide / 32 which is where Keylime packaging will initially land.

I have some code now to really allow us to home in on specific releases or using <= or >= using distutils.version.LooseVersion and distutils.version.StrictVersion

[jetwhiz]

It looks like they don't even have a 4.X branch yet, so I assume they're just using master as the staging area for 4.X for now.

[github-actions]

🎉 This issue has been resolved in version 4.0.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀