无法在 Ubuntu 22.04 上使用 TPM2 保护 GPG 密钥

我正在尝试使用笔记本电脑上的 TPM2 保护 GPG 密钥，但没有成功。可能是我做错了什么，但我不知道这是什么。我的系统正在运行Ubuntu 22.04

这是我所做的：

验证 TPM2 在我的 Linux 系统中可用且已启用：

• 检查启动时是否检测到 tpm hw：

$ dmesg | grep -i tpm 
[    0.327325] kernel: tpm_tis STM0125:00: 2.0 TPM (device-id 0x0, rev-id 78)

• 检查 tpm 设备是否可用并且具有正确的所有者：

$ ls -l /dev/tpm*
crw-rw---- 1 tss tss  10,   224 nov 27 07:42 /dev/tpm0
crw-rw---- 1 tss tss  253, 65536 nov 27 07:42 /dev/tpmrm0

• 我的用户是该tss组的成员

• 安装了以下软件包：

clevis-tpm2
libnatpmp1
libtss2-tcti-swtpm0
tpm-udev
tpm2-abrmd
tpm2-openssl
tpm2-tools
libtpm2-pkcs11-tools
libtpm2-pkcs11-1 

• 加载tpm模块：

$ modprobe tpm_tis_spi
$ lsmod | grep tpm
tpm_tis_spi            20480  0

• 检查 tpm 代理是否已启动并正在运行

root@NR054-UB:/lib/modules/6.2.0-37-generic# systemctl status tpm2-abrmd
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
     Loaded: loaded (/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-11-27 07:42:29 CET; 4 days ago
   Main PID: 1086 (tpm2-abrmd)
      Tasks: 6 (limit: 18082)
     Memory: 1.4M
        CPU: 9.563s
     CGroup: /system.slice/tpm2-abrmd.service
             └─1086 /usr/sbin/tpm2-abrmd

我构建了 gpg 版本2.4（因为默认的 gpg 版本ubuntu 22.04是2.2），并将环境变量设置GNUPGHOME=~/gpg2.tmp/为使用“干净”的密钥环

$ gpg2 --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/<my-username>/gpg2.tmp
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB

• 这是我的gpgconf输出：gpg 2.4已安装在/opt/gpg24避免覆盖当前gpg 2.2默认安装下

$ gpgconf 
gpg:OpenPGP:/opt/gpg24/bin/gpg2
gpgsm:S/MIME:/opt/gpg24/bin/gpgsm
keyboxd:Public Keys:/opt/gpg24/libexec/keyboxd
gpg-agent:Private Keys:/opt/gpg24/bin/gpg-agent
scdaemon:Smartcards:/opt/gpg24/libexec/scdaemon
tpm2daemon:TPM:/opt/gpg24/libexec/tpm2daemon
dirmngr:Network:/opt/gpg24/bin/dirmngr
pinentry:Passphrase Entry:/opt/gpg24/bin/pinentry

尝试使用 TPM 保护测试 gpg 密钥

到目前为止一切顺利。由于我在设置所有前面的步骤时没有收到相关错误或警告，因此我继续按照以下示例操作：

[1]https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html

[2]https://www.monperrus.net/martin/7-things-to-do-with-your-TPM-on-Linux

• 启动了 tpm2daemon：

tpm2daemon --log-file ~/gpg2.tmp/tpm2daemon.log --daemon --debug-level 1000

但是，当我尝试将密钥移至 TPM 时，我没有获得 card-no: TPM-Protected密钥的属性

$ /opt/gpg24/bin/gpg2 --edit-key [email protected] 
gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/2E0718AD3A17F52E
     created: 2023-12-02  expires: 2026-12-01  usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). [email protected]

gpg> keytotpm
Really move the primary key? (y/N) y
                                    
sec  rsa2048/2E0718AD3A17F52E
     created: 2023-12-02  expires: 2026-12-01  usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). [email protected]

我做错了什么？有什么关于如何调试的提示吗？