tpm_comm_linux.c bypasses tpm2-abrmd on some Linux installations

[alexeyzolotarev]

Hello there,

We've seen issues where certain applications, such as iotedge daemon, or tpm_device_provision tool from azure-iot-sdk-c that rely on azure-utpm-c library start to work unstable when tpm2-abrmd running, giving out various errors originating from the azure-utpm-c library.

When attempting to run tpm_device_provision tool from azure-iot-sdk-c that uses utpm as a dependency, we saw the following behavior:

• when tpm2-abrmd is installed but is NOT running that tool works fine
• when tpm2-abrmd is running, the tool starts to fail but is expected to work.

This is caused by the load_abrmd function from the tpm_comm_linux.c that attempts to dlopen the shared library defined in the TPM_TABRMD_USERMODE_RESOURCE_MGR variable as libtss2-tcti-tabrmd.so, (but not as libtss2.tcti-tabrmd.so.0 as it is done for other defines in the same source file).

In our system the tpm2-abrmd installs that file with .so.0 and .so.0.0.0 but not as *.so file, so this causes the failure of dlopen to find the file and as a result the load_abrmd function in azure-utpm-c library falls back to the direct access to /dev/tpm0. The in-kernel resource manager might not be available in kernels earlier than 4.12, so for those systems no TPM resource manager is used at all and the tools fail because of non synchronized shared access to the /dev/tpm0. This conflicts with tpm2-abrmd daemon that shoudl be exclusively accessing the device.

While a workaround was found to create a libtss2-tcti-tabrmd.so symlink which fixed the dlopen issue and thus used the tpm2-tabrmd resource manager, the generic behavior on some systems where those symlinks are missing or could not be created and that tpm2-tabrmd resource manager not being used at all, causing issues of shared access to /dev/tpm0, as the tpm2-abrmd daemon already using the device.

So possible fix in this library could be to also check the name libtss2-tcti-tabrmd.so.0 along with the libtss2-tcti-tabrmd.so so that not to miss the installed and running tpm2-tabrmd resource manager.

applications affected:

• everything that accesses TPM using latest azure-iot-sdk-c
  • iotedge daemon (1.0.8.3)

condition of failure

• running tpm2-abrmd and
• libtss2-tcti-tabrmd.so missing (installed as libtss2-tcti-tabrmd.so.0 or with .so.0.0.0 extension)
• no kernel support for in-built TPM resource manager, /dev/tpmrm0 - kernels earlier 412
• a tool built with azure-iot-sdk-c that attemps to access TPM

[CIPop]

libtss2-tcti-tabrmd.so missing (installed as libtss2-tcti-tabrmd.so.0 or with .so.0.0.0 extension)

This might be the issue.

We recommend the following setup: https://github.com/Azure/azure-iot-sdk-c/blob/main/provisioning_client/devdoc/using_provisioning_client.md#tpm-resource-manager