Stefan Berger edited this page Oct 31, 2018 · 64 revisions

Welcome to the swtpm wiki!

Goal

The goal of the swtpm project is to provide a TPM emulator (TPM 1.2 & TPM 2) that can be integrated into virtualized environments, such as virtual machines and containers. So far it has been integrated into QEMU and as a prototype into RunC (PR).

Swtpm builds on top of libtpms, which provides the TPM 1.2 and TPM 2 emulation.

Security/Trust Model of the software TPM

Since swtpm is implemented entirely in software, its security is not as strong as that of a hardware TPM. While the swtpm process is running, process ownership governs who can peek into it and find secrets there, for example by attaching gdb to it. The persistent state that swtpm keeps is written to files, and those are protected only by file ownership and file access permission bits: whoever can read those files can extract the secrets. To protect the state, a user can supply a secret with which swtpm encrypts the state; this makes it more difficult for an administrator to extract secrets from the state files, but it does not prevent the administrator from peeking into the running swtpm process. Running swtpm in a shielded environment using a technology like Intel's SGX or AMD's SME can likely help address this issue.
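The trust model above leaves the operator two controls: keep the state directory and any key file private to the user that runs swtpm, and hand swtpm a secret for state encryption. The helpers below are an added example, not part of this wiki or of the swtpm project; they assume the --tpmstate dir= and --key pwdfile= options of the swtpm man page (check the man page of your installed version), and every path is made up.

```sh
#!/bin/sh
# Added example, not swtpm project code. Prepares a private state directory
# and a random state-encryption secret for one swtpm instance, then prints
# the matching swtpm invocation. Assumes the --tpmstate dir= and
# --key pwdfile= options described in the swtpm man page; paths are made up.

# Succeeds only if $1 is a directory owned by the caller with no group/other
# permission bits. ls(1) is used so the check behaves the same on Linux/BSD.
state_dir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    owner=$(ls -ld "$dir" | awk '{print $3}')
    bits=$(ls -ld "$dir" | cut -c5-10)     # group+other rwx columns
    [ "$owner" = "$(id -un)" ] && [ "$bits" = "------" ]
}

# Creates $1 (and parents) with mode 0700; safe to call repeatedly.
make_private_dir() {
    (umask 077 && mkdir -p "$1") && chmod 700 "$1"
}

# Writes 32 random bytes, hex encoded, to $1 with mode 0600 and verifies
# the length. swtpm reads this file as the state-encryption passphrase.
write_state_secret() {
    keyfile=$1
    (umask 077 && od -An -N32 -tx1 /dev/urandom | tr -d ' \n' > "$keyfile")
    chmod 600 "$keyfile"
    [ "$(wc -c < "$keyfile" | tr -d ' ')" -eq 64 ]
}

# Prints the swtpm command line for state dir $1 and secret file $2.
# The control socket is placed inside the private state dir for the same reason.
swtpm_cmd() {
    printf 'swtpm socket --tpmstate dir=%s --ctrl type=unixio,path=%s/ctrl --key pwdfile=%s\n' "$1" "$1" "$2"
}

# Usage: sh prepare-swtpm.sh /var/lib/swtpm/vm1   (hypothetical path)
prepare_swtpm() {
    make_private_dir "$1" || return 1
    state_dir_is_private "$1" || { echo "refusing: $1 is readable by others" >&2; return 1; }
    write_state_secret "$1/state-secret" || return 1
    swtpm_cmd "$1" "$1/state-secret"
}

if [ $# -eq 1 ]; then prepare_swtpm "$1"; fi
```

Pass the printed command line to your VM or container launcher; the secret file must stay readable only by the user that runs swtpm.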

Compile and install on Linux

# Install dependencies using dnf (RHEL, Fedora)
sudo dnf -y install libtasn1-devel tpm-tools expect socat python3-twisted fuse-devel glib2-devel gnutls-devel gnutls-utils gnutls
./autogen.sh --with-openssl --prefix=/usr
make -j4
# Depending on how many CPUs you have, choose the -j parameter
# carefully for the next command. The tests work on a Raspberry Pi 2,
# for example, but only if run with '-j1'; otherwise timeouts may
# occur.
make -j4 check
sudo make install

Build a 32 bit version on x86_64 (for testing)

This requires that libtpms has also been compiled as a 32 bit library.

PKG_CONFIG_PATH=/usr/lib/pkgconfig/ CFLAGS="-m32" ./autogen.sh --with-openssl --prefix=/usr --libdir=/lib
make clean
make -j4
make -j4 check
sudo make install

Compile and install on Cygwin

./autogen.sh --with-openssl --prefix=/usr --with-tss-user=<your username> --with-tss-group=None
make -j4
make -j4 check
make install

Compile and install on OpenBSD

./autogen.sh --with-openssl --prefix=/usr --without-cuse --with-tss-user=root --with-tss-group=wheel
gmake -j 4
# the following solves a lazy linking problem...
sudo gmake install
gmake check
sudo gmake install

Compile on OS X

# Not familiar with this platform...; libtpms was installed into /Users/adminuser/lib
brew install socat gawk gnutls [...]
brew tap discoteq/discoteq
brew install flock
LDFLAGS="-L/usr/local/opt/openssl/lib -L/Users/adminuser/lib" CFLAGS="-I/usr/local/opt/openssl/include -I/Users/adminuser/include -O2" CC=gcc PKG_CONFIG_PATH=/Users/adminuser/lib/pkgconfig/ ./autogen.sh --prefix=/Users/adminuser/ --with-openssl --with-tss-user=adminuser --with-tss-group=adminuser
make -j4
make -j4 check

Building RPMs (Fedora, RedHat)

mkdir -p ~/rpmbuild/SOURCES
./autogen.sh --with-openssl --prefix=/usr
make dist
cp swtpm-0.?.?.tar.gz ~/rpmbuild/SOURCES
rpmbuild -ba dist/swtpm.spec --define "crypto_subsystem openssl"

Build Deb package (Ubuntu, Debian)

# At this point libtpms library and development packages should be installed.
# There should be no libtpms installed in /lib or /lib64 since this may create problems
# when dh_shlibdeps tries to determine package dependencies
sudo apt-get -y install libfuse-dev libglib2.0-dev libgmp-dev expect libtasn1-dev socat tpm-tools python3-twisted gnutls-dev gnutls-bin
dpkg-buildpackage -us -uc -j4