pando85 · pando85 · Dec 29, 2025 · Dec 18, 2025
diff --git a/Cargo.toml b/Cargo.toml
@@ -34,7 +34,6 @@ serde_json = "1.0"
 libc = "0.2"
 nix = { version = "0.27", features = ["resource"] }
 notify-rust = "4.11"
-tss-esapi = "7.6.0"
 aes-gcm = "0.10"
 rand = "0.8"
 ctrlc = "3.4"

diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -11,7 +11,8 @@
 **System Dependencies:**
 
 - `libudev-dev` - Required for UHID device access
-- `libtss2-dev` - TPM 2.0 TSS libraries (includes tss2-esys, tss2-tctildr, tss2-mu)
+- `libtss2-dev` - TPM 2.0 TSS libraries (includes tss2-esys, tss2-tctildr, tss2-mu) for `tpm`
+  feature.
 
 **Ubuntu/Debian:**
 

diff --git a/Makefile b/Makefile
@@ -52,20 +52,19 @@ lint-fix: fmt clippy-fix ## run all linting with automatic fixes
 .PHONY: test
 test:	## run tests
 test: lint
-	cargo test
+	cargo test --all-features
 
 .PHONY: test-e2e
 test-e2e:	## run E2E tests (automatically manages authenticator)
-	cargo test -- --test-threads=1 --ignored
+	cargo test --all-features -- --test-threads=1 --ignored
 
 .PHONY: test-e2e-local
 test-e2e-local:	## run E2E tests for local backend only
-	cargo test --test e2e_webauthn local -- --test-threads=1 --ignored
+	cargo test --all-features --test e2e_webauthn local -- --test-threads=1 --ignored
 
 .PHONY: test-e2e-pass
 test-e2e-pass:	## run E2E tests for password-store backend only
-	cargo test --test e2e_webauthn pass -- --test-threads=1 --ignored
-
+	cargo test --all-features --test e2e_webauthn pass -- --test-threads=1 --ignored
 .PHONY: test-e2e-tpm
 test-e2e-tpm:	## run E2E tests for TPM backend only (requires swtpm)
 	cargo test --test e2e_webauthn tpm -- --test-threads=1 --ignored

diff --git a/cmd/passless/Cargo.toml b/cmd/passless/Cargo.toml
@@ -14,6 +14,10 @@ version.workspace = true
 name = "passless"
 path = "src/main.rs"
 
+[features]
+default = []
+tpm = ["passless-core/tpm", "tss-esapi"]
+
 [dependencies]
 passless-core.workspace = true
 soft-fido2.workspace = true
@@ -29,18 +33,18 @@ serde_json.workspace = true
 libc.workspace = true
 nix.workspace = true
 notify-rust.workspace = true
-tss-esapi.workspace = true
 aes-gcm.workspace = true
 rand.workspace = true
 ctrlc.workspace = true
 clap.workspace = true
 zeroize.workspace = true
 hex.workspace = true
+shadow-rs.workspace = true
 hmac = "0.12"
 rpassword = "7.3"
 atty = "0.2"
 serde_bytes = "0.11.19"
-shadow-rs.workspace = true
+tss-esapi = { version = "7.6.0", optional = true }
 
 [dev-dependencies]
 base64 = "0.22"

diff --git a/cmd/passless/src/main.rs b/cmd/passless/src/main.rs
@@ -20,7 +20,9 @@ use commands::custom::{register_standard_credential_mgmt, register_yubikey_crede
 use env_logger::{Builder, Env};
 use log::{debug, error, info, warn};
 use shadow_rs::shadow;
-use storage::{CredentialStorage, LocalStorageAdapter, PassStorageAdapter, TpmStorageAdapter};
+#[cfg(feature = "tpm")]
+use storage::TpmStorageAdapter;
+use storage::{CredentialStorage, LocalStorageAdapter, PassStorageAdapter};
 
 shadow!(build);
 
@@ -323,6 +325,7 @@ fn run() -> Result<()> {
             let service = AuthenticatorService::new(storage, security_config)?;
             run_with_service(service, uhid, shutdown)
         }
+        #[cfg(feature = "tpm")]
         BackendConfig::Tpm { path, tcti } => {
             let storage = TpmStorageAdapter::new(path.into(), Some(tcti))?;
             let service = AuthenticatorService::new(storage, security_config)?;

diff --git a/cmd/passless/src/storage/mod.rs b/cmd/passless/src/storage/mod.rs
@@ -6,13 +6,15 @@ pub mod credential;
 pub mod index;
 pub mod local;
 pub mod pass;
+#[cfg(feature = "tpm")]
 pub mod tpm;
 
 // Internal credential type with controlled serialization
 #[allow(unused_imports)]
 pub(crate) use credential::Credential;
 pub use local::LocalStorageAdapter;
 pub use pass::PassStorageAdapter;
+#[cfg(feature = "tpm")]
 pub use tpm::TpmStorageAdapter;
 
 use soft_fido2::Result;

diff --git a/passless-core/Cargo.toml b/passless-core/Cargo.toml
@@ -6,6 +6,10 @@ edition.workspace = true
 license-file.workspace = true
 version.workspace = true
 
+[features]
+default = []
+tpm = []
+
 [dependencies]
 clap.workspace = true
 clap-serde-derive.workspace = true

diff --git a/passless-core/src/config.rs b/passless-core/src/config.rs
@@ -98,6 +98,7 @@ pub fn tpm_path() -> String {
 }
 
 /// TPM backend configuration
+#[cfg(feature = "tpm")]
 #[derive(ClapSerde, Debug, Clone, Serialize, Deserialize, ConfigDoc)]
 #[group(id = "tpm-backend-config")]
 pub struct TpmBackendConfig {
@@ -255,6 +256,7 @@ pub struct AppConfig {
     pub pass: PassBackendConfig,
 
     /// TPM backend configuration
+    #[cfg(feature = "tpm")]
     #[clap_serde]
     #[serde(default)]
     #[command(flatten)]
@@ -284,6 +286,7 @@ pub enum BackendConfig {
         path: String,
         gpg_backend: String,
     },
+    #[cfg(feature = "tpm")]
     Tpm {
         path: String,
         tcti: String,
@@ -331,6 +334,7 @@ impl AppConfig {
                 path: self.pass.path.clone(),
                 gpg_backend: self.pass.gpg_backend.clone(),
             }),
+            #[cfg(feature = "tpm")]
             "tpm" => Ok(BackendConfig::Tpm {
                 path: self.tpm.path.clone(),
                 tcti: self.tpm.tcti.clone(),