AndreasFuchsTPM / cryptsetup-tpm-incubator

An extension to cryptsetup/LUKS that enables use of the TPM 2.0 via tpm2-tss

cryptsetup luksAddKey failed #1

Open irn73 opened 6 years ago

irn73 commented 6 years ago

Hi,

I'm trying to run the command cryptsetup luksAddKey --tpmnew=0x1bffffd --tpmpcr=0,1,2,3,5,7 /dev/sda3

I get the following error:

WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: yes
ERROR:esys:src/tss2-esys/esys_context.c:68:Esys_Initialize() Initialize default tcti. ErrorCode (0x00070005)
Error initializing ESYS: 00070005

I'm using CentOS 7.5 with TPM2 HW installed. I'm using LUKS on /dev/sda3:

cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      38 63 22 c5 44 c7 00 5f c0 8d be 40 f3 e9 f7 27 61 ce 8d 34
MK salt:        f7 bd 4b 7e 20 23 25 37 8e 3f 3e 8e 72 1c d0 77
                c4 0c 34 61 da 49 0e 0c 56 5c cd f1 39 01 a9 19
MK iterations:  9250
UUID:           f411f696-68b8-465f-8193-76ebb37e99ef

Key Slot 0: ENABLED
        Iterations:          89759
        Salt:                3e da d2 5c 2c f6 5c b8 07 0b 7f 18 f0 b5 a4 50
                             68 5f 47 8f 29 6f f5 f9 a6 4c a4 e9 d2 a3 f9 97
        Key material offset: 8
        AF stripes:          4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Any ideas?

AndreasFuchsTPM commented 5 years ago

It seems like you cannot connect to the TPM. Do the tpm2-tools programs work on your system?

What's the user/group of /dev/tpmrm0 or /dev/tpm0? Are you a member of this group? Does running it under sudo solve the issue?

irn73 commented 5 years ago

Hi Andreas,

Sorry for the delay, I missed your reply. I have made some progress since my last post. Now, I get the following warnings when I try to run the command sudo cryptsetup luksAddKey --tpmnew=0x1bffffd --tpmpcr=0,1,2,3,5,7 /dev/sda3:

WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so

I have downloaded and compiled tpm2-tss. I have configured cryptsetup-tpm-incubator as follows: ./configure --prefix=/usr --libdir=/lib/x86_64-linux-gnu --sbindir=/sbin --mandir=/usr/share/man --enable-libargon2 --enable-shared --enable-cryptsetup-reencrypt --enable-tpm

The operation works only once. When I try to run the command sudo cryptsetup luksAddKey... once again it fails:

WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so

WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so

WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:335:Esys_NV_DefineSpace_Finish() Received TPM Error

ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:120:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x0000014c)

Why do I get this error when running the second time? Why do I get the warnings? Is it normal behavior?

Thanks, Ido

AndreasFuchsTPM commented 5 years ago

The warnings are normal given your setup with using /dev/tpm directly.

The error means that the NV slot inside the TPM is already defined. Probably from an earlier attempt? Have a look using tpm2_nvlist and then release it using tpm2_nvrelease.

A word of caution, I'm in the process of rewriting this thing completely. So expect an update soon...
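The two checks suggested in this thread (can the caller open the TPM device node, and is the NV index that --tpmnew is about to define already occupied, which the TPM reports as error 0x14c, TPM_RC_NV_DEFINED) as one preflight script. This is an added example, not code from cryptsetup-tpm-incubator or from the people in the thread. Assumptions: the tpm2-tools 3.x command names tpm2_nvlist and tpm2_nvrelease (tpm2-tools 4.0 renamed them tpm2_nvreadpublic and tpm2_nvundefine), that tpm2_nvrelease takes the owner hierarchy handle 0x40000001 with -a, and that the sample nvlist output below (constructed, roughly in the 3.x YAML-like shape) is representative. The function names nv_canon, nv_index_defined, nv_index_status, tpm_device_check and nv_preflight_live are this example's own.

```shell
#!/bin/sh
# Added example, not part of cryptsetup-tpm-incubator: preflight for
#   cryptsetup luksAddKey --tpmnew=<nv-index> --tpmpcr=... <device>
# Checks (1) that the TPM device node is accessible to the caller and
# (2) whether <nv-index> is already defined, so the run does not fail with
# TPM_RC_NV_DEFINED (ESYS ErrorCode 0x0000014c).

# Normalise a hex NV index ("0x1bffffd", "0X01BFFFFD", "1bffffd") to
# lower-case hex digits with no 0x prefix and no leading zeros.
nv_canon() {
    idx=$(printf '%s' "$1" | tr 'A-FX' 'a-fx' | sed -e 's/^0x//' -e 's/^0*//')
    [ -n "$idx" ] || idx=0
    printf '%s' "$idx"
}

# Return 0 if NV index $1 appears in nvlist-style output read from stdin.
# The index is matched as a whole hex token so 0x1bffffd does not match
# 0x11bffffd; keying on the token only keeps this independent of the exact
# layout, which differs between tpm2-tools versions.
nv_index_defined() {
    idx=$(nv_canon "$1")
    grep -Eiq "(^|[^[:alnum:]])0x0*${idx}([^[:xdigit:]]|$)"
}

# Print "defined" or "free" for index $1 given nvlist output on stdin.
nv_index_status() {
    if nv_index_defined "$1"; then echo defined; else echo free; fi
}

# Can we open the TPM? /dev/tpmrm0 (kernel resource manager) is preferred
# over the raw /dev/tpm0, which allows only one opener at a time.
tpm_device_check() {
    for dev in /dev/tpmrm0 /dev/tpm0; do
        [ -e "$dev" ] || continue
        owner=$(stat -c '%U:%G mode %a' "$dev" 2>/dev/null || echo 'unknown')
        if [ -r "$dev" ] && [ -w "$dev" ]; then
            echo "ok: $dev ($owner) is readable and writable"
            return 0
        fi
        echo "no access: $dev ($owner); join its group or run under sudo" >&2
    done
    echo "no TPM device node found (is the tpm_tis/tpm_crb driver loaded?)" >&2
    return 1
}

# Live mode: talk to the real TPM with tpm2-tools 3.x command names (assumed).
# CAUTION: releasing the index destroys whatever it holds. If an earlier
# luksAddKey --tpmnew run succeeded, that is the key material it enrolled,
# and the LUKS keyslot it added will no longer be unlockable through the TPM.
nv_preflight_live() {
    idx="$1"
    tpm_device_check || return 1
    if tpm2_nvlist | nv_index_defined "$idx"; then
        echo "NV index $idx already defined; releasing it under the owner hierarchy" >&2
        tpm2_nvrelease -x "$idx" -a 0x40000001   # 0x40000001 = TPM_RH_OWNER
    else
        echo "NV index $idx is free" >&2
    fi
}

# Constructed sample, shaped like tpm2-tools 3.x tpm2_nvlist output (not a
# real capture): one index from the thread and one unrelated index.
SAMPLE_NVLIST='0x1bffffd:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ownerwrite|ownerread|authwrite|authread
    value: 0x60006
  size: 64
0x1500016:
  hash algorithm:
    friendly: sha256
    value: 0xB
  size: 32
'

# Default: dry run against the constructed sample. "--live <index>" runs the
# real preflight (needs tpm2-tools and TPM access, typically under sudo).
case "${1:-}" in
    --live) nv_preflight_live "${2:-0x1bffffd}" ;;
    *)      printf 'index 0x1bffffd in sample: %s\n' \
                "$(printf '%s' "$SAMPLE_NVLIST" | nv_index_status 0x1bffffd)" ;;
esac
```

Run it with no arguments to exercise the parser against the embedded sample; run `sudo sh preflight.sh --live 0x1bffffd` before the luksAddKey command to do the real check. If the index is reported as defined and the earlier run did succeed, prefer picking a different --tpmnew index over releasing the old one, unless you also intend to discard the keyslot that run created.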

irn73 commented 5 years ago

Thanks, I will wait for the next release

AndreasFuchsTPM commented 5 years ago

@irn73 Next release is here or on gitlab. See https://gitlab.com/cryptsetup/cryptsetup/merge_requests/51 If you like to test it out...