I want to use WebAuthn based authentication in Firefox on Ubuntu 24.04 without a hardware TPM or a separate hardware "security key" (e.g. yubikey).
When it works I would expect a page like this to show a green check next to support for platform authenticators, and for browsers to stop prompting for a "security key".
I started looking into a software stack that simulates a virtual TPM using swtpm, and eventually something that would interface with FIDO in the browser.
I found some tutorials including this, this, and this. Here's what I tried:
```bash
sudo mkdir /tmp/mytpm2
sudo chown tss:root /tmp/mytpm2
sudo swtpm_setup --tpmstate /tmp/mytpm2 --create-ek-cert --create-platform-cert --tpm2
sudo swtpm socket --tpmstate dir=/tmp/mytpm2 --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init,startup-clear &
# Since I don't have a resource manager set up and tpm2_getrandom uses /dev/tpmrm0:
export TPM2TOOLS_TCTI="device:/dev/tpm0"
# To check things are working:
sudo -E tpm2_getrandom --hex 8
```
which gives errors starting with:
ERROR:tcti:src/tss2-tcti/tcti-device.c:504:Tss2_Tcti_Device_Init() timeout waiting for response from fd 3
ERROR:sys:src/tss2-sys/api/Tss2_Sys_Execute.c:117:Tss2_Sys_ExecuteFinish() Unsupported device. The device is a TPM 1.2
despite using swtpm with --tpm2.
This is where I got stuck. I think that next I need a resource manager like tpm2-abrmd to connect the tpmstate file (/tmp/mytpm2) to /dev/tpm0, but sudo service start tpm2-abrmd; sudo service tpm2-abrmd status shows the same errors as tpm2_getrandom. The manpage for tpm2-abrmd has an example for "Have daemon use swtpm TPM2 Simulator tcti library", but running those commands in the background doesn't seem to affect tpm2_getrandom.
I am looking for answers that provide a walkthrough of the shell commands needed to get a virtual TPM working in Linux and visible to the browser. I would also appreciate corrections to any misunderstandings demonstrated in my question. I realize that this setup would likely have security flaws compared to a hardware TPM. Thanks!
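Added illustration, not part of the question or the answer: the swtpm started above with --server type=tcp,port=2321 exposes a raw TPM 2.0 command channel on that TCP port, which is what tpm2-tools reaches with TPM2TOOLS_TCTI="swtpm:host=127.0.0.1,port=2321"; device:/dev/tpm0 is the kernel's hardware TPM and never sees swtpm at all. The script below sends the same TPM2_GetRandom command that tpm2_getrandom --hex 8 would, directly over that socket; it assumes the host, port and --flags not-need-init,startup-clear from the swtpm invocation in the question (so no TPM2_Startup is needed first).

```python
import socket
import struct

# TPM 2.0 Part 2 constants (command tag, command code, success code).
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_GET_RANDOM = 0x0000017B
TPM_RC_SUCCESS = 0


def build_getrandom(bytes_requested: int) -> bytes:
    """Encode TPM2_GetRandom: tag, total commandSize, commandCode, bytesRequested."""
    body = struct.pack(">H", bytes_requested)
    header = struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(body), TPM_CC_GET_RANDOM)
    return header + body


def parse_getrandom(resp: bytes) -> bytes:
    """Decode the response header and the TPM2B_DIGEST that carries the random bytes."""
    if len(resp) < 10:
        raise ValueError("short response header")
    tag, size, rc = struct.unpack(">HII", resp[:10])
    if size != len(resp):
        raise ValueError(f"responseSize {size} != {len(resp)} bytes received")
    if rc != TPM_RC_SUCCESS:
        # e.g. 0x100 (TPM_RC_INITIALIZE) if swtpm was started without startup-clear
        raise RuntimeError(f"TPM returned error 0x{rc:08x}")
    (n,) = struct.unpack(">H", resp[10:12])
    data = resp[12:12 + n]
    if len(data) != n:
        raise ValueError("truncated TPM2B_DIGEST")
    return data


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("swtpm closed the connection")
        buf += chunk
    return buf


def get_random(nbytes: int = 8, host: str = "127.0.0.1", port: int = 2321) -> bytes:
    """Talk to swtpm's data port (assumed from the question's --server option)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_getrandom(nbytes))
        head = recv_exact(s, 10)                      # tag, responseSize, responseCode
        size = struct.unpack(">I", head[2:6])[0]
        return parse_getrandom(head + recv_exact(s, size - 10))


if __name__ == "__main__":
    print(get_random(8).hex())
```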
As Tim already noted, there is a very wide gap between "a TPM" and "a FIDO authenticator". The TPM module only does broadly similar things to a FIDO token but in completely different ways.
For one, a TPM is not a HID device and doesn't speak CTAP, so it wouldn't be recognized by browsers as a "fake" USB authenticator directly. Instead, each browser would need to specifically implement a platform authenticator using the Linux TPM API (alongside the HID API). Currently no browsers do so on Linux.
(A virtual TPM would generally be redundant for this, anyway – it necessarily has to store keys in software, and the platform authenticator could just as well do the same thing directly, like Windows Hello already does for example.)
The rust-u2f project implements a fake HID device which uses software key storage to implement a FIDO1 "U2F" authenticator – not FIDO2, and not a platform authenticator but rather a fake hardware authenticator – but it may do the job anyway.
The xdg-credentials-portal project aims to implement a backend for FIDO2 platform authenticator for apps to use on Linux (in the style of Windows Hello API), but as far as I know, no browsers integrate with it yet.