Azure / iot-identity-service

Source of the Azure IoT Identity Service and related services.
MIT License

aziot-tpmd fails with iotedge/iot-identity-service 1.4 #450

Closed mlilien closed 2 years ago

mlilien commented 2 years ago

My /etc/aziot/config.toml is configured with:

[tpm]
tcti = "device:/dev/tpmrm0"

The failure log of aziot-tpmd is:

Aug 31 07:34:06 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:06Z [INFO] - Starting service...
Aug 31 07:34:06 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:06Z [INFO] - Version - dev build
Aug 31 07:34:07 raspberrypi4-64 aziot-tpmd[2031]: WARNING:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_ReadPublic.c:320:Esys_ReadPublic_Finish() Received TPM Error
Aug 31 07:34:07 raspberrypi4-64 aziot-tpmd[2031]: ERROR:esys:../tpm2-tss-3.2.0/src/tss2-esys/esys_tr.c:230:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x0000018b)
Aug 31 07:34:07 raspberrypi4-64 aziot-tpmd[2031]: ERROR:esys:../tpm2-tss-3.2.0/src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b)
Aug 31 07:34:07 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:07Z [INFO] - Starting server...
Aug 31 07:34:07 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:07Z [INFO] - <-- GET /get_tpm_keys?api-version=2020-09-01 {"host": "tpmd.sock"}
Aug 31 07:34:07 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:07Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 31 07:34:07 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:07Z [INFO] - <-- POST /import_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "1178"}
Aug 31 07:34:08 raspberrypi4-64 aziot-tpmd[2031]: WARNING:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_EvictControl.c:330:Esys_EvictControl_Finish() Received TPM Error
Aug 31 07:34:08 raspberrypi4-64 aziot-tpmd[2031]: ERROR:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x0000014c)
Aug 31 07:34:08 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:08Z [ERR!] - !!! internal error
Aug 31 07:34:08 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:08Z [ERR!] - !!! caused by: could not import auth key
Aug 31 07:34:08 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:08Z [ERR!] - !!! caused by: tpm:error(2.0): NV Index or persistent object already defined
Aug 31 07:34:08 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:08Z [INFO] - --> 500 {"content-type": "application/json"}
Aug 31 07:34:13 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:13Z [INFO] - <-- GET /get_tpm_keys?api-version=2020-09-01 {"host": "tpmd.sock"}
Aug 31 07:34:13 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:13Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 31 07:34:13 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:13Z [INFO] - <-- POST /import_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "1178"}
Aug 31 07:34:14 raspberrypi4-64 aziot-tpmd[2031]: WARNING:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_EvictControl.c:330:Esys_EvictControl_Finish() Received TPM Error
Aug 31 07:34:14 raspberrypi4-64 aziot-tpmd[2031]: ERROR:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x0000014c)
Aug 31 07:34:14 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:14Z [ERR!] - !!! internal error
Aug 31 07:34:14 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:14Z [ERR!] - !!! caused by: could not import auth key
Aug 31 07:34:14 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:14Z [ERR!] - !!! caused by: tpm:error(2.0): NV Index or persistent object already defined
Aug 31 07:34:14 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:14Z [INFO] - --> 500 {"content-type": "application/json"}
Aug 31 07:34:19 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:19Z [INFO] - <-- GET /get_tpm_keys?api-version=2020-09-01 {"host": "tpmd.sock"}
Aug 31 07:34:19 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:19Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 31 07:34:20 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:20Z [INFO] - <-- POST /import_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "1178"}
Aug 31 07:34:21 raspberrypi4-64 aziot-tpmd[2031]: WARNING:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_EvictControl.c:330:Esys_EvictControl_Finish() Received TPM Error
Aug 31 07:34:21 raspberrypi4-64 aziot-tpmd[2031]: ERROR:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x0000014c)
Aug 31 07:34:21 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:21Z [ERR!] - !!! internal error
Aug 31 07:34:21 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:21Z [ERR!] - !!! caused by: could not import auth key
Aug 31 07:34:21 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:21Z [ERR!] - !!! caused by: tpm:error(2.0): NV Index or persistent object already defined
Aug 31 07:34:21 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:21Z [INFO] - --> 500 {"content-type": "application/json"}
Aug 31 07:34:26 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:26Z [INFO] - <-- GET /get_tpm_keys?api-version=2020-09-01 {"host": "tpmd.sock"}
Aug 31 07:34:26 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:26Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 31 07:34:26 raspberrypi4-64 aziot-tpmd[2031]: 2022-08-31T07:34:26Z [INFO] - <-- POST /import_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "1178"}
Aug 31 07:34:27 raspberrypi4-64 systemd[1]: Stopping Azure IoT TPM Service...
Aug 31 07:34:27 raspberrypi4-64 systemd[1]: aziot-tpmd.service: Deactivated successfully.
Aug 31 07:34:27 raspberrypi4-64 systemd[1]: Stopped Azure IoT TPM Service.
[root@raspberrypi4-64 ics-dm]# 

Available persistent handles:

[root@raspberrypi4-64 ics-dm]# export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
[root@raspberrypi4-64 ics-dm]# tpm2_getcap handles-persistent
- 0x81001000
- 0x81010001
mlilien commented 2 years ago

Is that correct? https://github.com/Azure/iot-identity-service/blob/c281b76772f16d7389fd6b25872c2119e539eab8/tpm/aziot-tpmd/src/lib.rs#L259

As far as I understand, you want to store to tss_minimal::handle::PERSISTENT_OBJECT_BASE + config.shared.auth_key_index?

arsing commented 2 years ago

@onalante-msft ?

onalante-msft commented 2 years ago

Resolution at #451. My apologies about the inconvenience.

mlilien commented 2 years ago

@arsing @onalante-msft

With the new default auth_key_index from #451 I get the following errors:

Sep 01 05:12:03 raspberrypi4-64 systemd[1]: Started Azure IoT TPM Service.
Sep 01 05:12:03 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:03Z [INFO] - Starting service...
Sep 01 05:12:03 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:03Z [INFO] - Version - dev build
Sep 01 05:12:03 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:03Z [INFO] - Starting server...
Sep 01 05:12:44 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:44Z [INFO] - <-- POST /sign_with_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "103"}
Sep 01 05:12:44 raspberrypi4-64 aziot-tpmd[626]: WARNING:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_HMAC.c:300:Esys_HMAC_Finish() Received TPM Error
Sep 01 05:12:44 raspberrypi4-64 aziot-tpmd[626]: ERROR:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_HMAC.c:100:Esys_HMAC() Esys Finish ErrorCode (0x0000018a)
Sep 01 05:12:44 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:44Z [ERR!] - !!! internal error
Sep 01 05:12:44 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:44Z [ERR!] - !!! caused by: could not sign with auth key
Sep 01 05:12:44 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:44Z [ERR!] - !!! caused by: tpm:handle(1):the type of the value is not appropriate for the use
Sep 01 05:12:44 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:44Z [INFO] - --> 500 {"content-type": "application/json"}
Sep 01 05:12:44 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:44Z [INFO] - <-- GET /get_tpm_keys?api-version=2020-09-01 {"host": "tpmd.sock"}
Sep 01 05:12:44 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:44Z [INFO] - --> 200 {"content-type": "application/json"}
Sep 01 05:12:45 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:45Z [INFO] - <-- POST /import_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "1178"}
Sep 01 05:12:45 raspberrypi4-64 aziot-tpmd[626]: WARNING:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_ActivateCredential.c:321:Esys_ActivateCredential_Finish() Received TPM Error
Sep 01 05:12:45 raspberrypi4-64 aziot-tpmd[626]: ERROR:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_ActivateCredential.c:105:Esys_ActivateCredential() Esys Finish ErrorCode (0x0000018b)
Sep 01 05:12:45 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:45Z [ERR!] - !!! internal error
Sep 01 05:12:45 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:45Z [ERR!] - !!! caused by: could not import auth key
Sep 01 05:12:45 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:45Z [ERR!] - !!! caused by: tpm:handle(1):the handle is not correct for the use
Sep 01 05:12:45 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:45Z [INFO] - --> 500 {"content-type": "application/json"}
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [INFO] - <-- POST /sign_with_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "103"}
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: WARNING:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_HMAC.c:300:Esys_HMAC_Finish() Received TPM Error
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: ERROR:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_HMAC.c:100:Esys_HMAC() Esys Finish ErrorCode (0x00000184)
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [ERR!] - !!! internal error
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [ERR!] - !!! caused by: could not sign with auth key
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [ERR!] - !!! caused by: tpm:handle(1):value is out of range or is not correct for the context
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [INFO] - --> 500 {"content-type": "application/json"}
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [INFO] - <-- GET /get_tpm_keys?api-version=2020-09-01 {"host": "tpmd.sock"}
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: WARNING:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_ReadPublic.c:320:Esys_ReadPublic_Finish() Received TPM Error
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: ERROR:esys:../tpm2-tss-3.2.0/src/tss2-esys/api/Esys_ReadPublic.c:104:Esys_ReadPublic() Esys Finish ErrorCode (0x0000018b)
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [ERR!] - !!! internal error
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [ERR!] - !!! caused by: could not get TPM keys
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [ERR!] - !!! caused by: tpm:handle(1):the handle is not correct for the use
Sep 01 05:12:50 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:50Z [INFO] - --> 500 {"content-type": "application/json"}
Sep 01 05:12:55 raspberrypi4-64 aziot-tpmd[626]: 2022-09-01T05:12:55Z [INFO] - <-- POST /sign_with_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "103"}
...

Isn't the new default PERSISTENT_OBJECT_BASE + default_ak_index() == STORAGE_ROOT_KEY, and therefore I get the errors above?

If I configure auth_key_index = 0x00_10_10 in config.toml, it works.

onalante-msft commented 2 years ago

Yes, the storage root key is also incorrect. It should be PERSISTENT_OBJECT_BASE + 0x00_00_01 [^1]. The default authentication key index should also be reverted to PERSISTENT_OBJECT_BASE + 0x00_01_00.

[^1]: https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf Table 2
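The handle arithmetic this thread turns on, as an added example that is not iot-identity-service code: it maps a config auth_key_index to its persistent handle, rejects the collision with the storage root key handle (PERSISTENT_OBJECT_BASE + 0x00_00_01) and, given `tpm2_getcap handles-persistent` output, predicts the "already defined" (0x14c) EvictControl failure seen in the first log before the TPM is touched. The range bound, error enum and getcap sample are assumptions of this example.

```rust
// Added example (not iot-identity-service code): derive a TPM 2.0 persistent
// handle from a config index and reject the collisions discussed in this issue.

/// Base of the TPM 2.0 persistent-object handle range (TPM_HT_PERSISTENT << 24).
pub const PERSISTENT_OBJECT_BASE: u32 = 0x8100_0000;
/// Highest persistent handle; the index part is 24 bits wide.
pub const PERSISTENT_OBJECT_MAX: u32 = 0x81FF_FFFF;
/// Storage root key handle per the TCG provisioning guidance cited above.
pub const STORAGE_ROOT_KEY: u32 = PERSISTENT_OBJECT_BASE + 0x00_00_01;
/// Default auth key index agreed in the thread (handle 0x81000100).
pub const DEFAULT_AUTH_KEY_INDEX: u32 = 0x00_01_00;

#[derive(Debug, PartialEq, Eq)]
pub enum HandleError {
    OutOfRange(u32),
    CollidesWithSrk,
    AlreadyDefined(u32),
}

/// Map a config `auth_key_index` to its persistent handle, refusing the SRK slot.
pub fn auth_key_handle(index: u32) -> Result<u32, HandleError> {
    let handle = PERSISTENT_OBJECT_BASE
        .checked_add(index)
        .filter(|h| *h <= PERSISTENT_OBJECT_MAX)
        .ok_or(HandleError::OutOfRange(index))?;
    if handle == STORAGE_ROOT_KEY {
        return Err(HandleError::CollidesWithSrk);
    }
    Ok(handle)
}

/// Parse the `tpm2_getcap handles-persistent` format ("- 0x81001000" per line).
pub fn parse_persistent_handles(output: &str) -> Vec<u32> {
    output
        .lines()
        .filter_map(|l| l.trim().strip_prefix("- 0x"))
        .filter_map(|h| u32::from_str_radix(h, 16).ok())
        .collect()
}

/// A handle the TPM already lists would make EvictControl fail with 0x14c
/// ("NV Index or persistent object already defined"), so check first.
pub fn check_before_evict(index: u32, getcap_output: &str) -> Result<u32, HandleError> {
    let handle = auth_key_handle(index)?;
    if parse_persistent_handles(getcap_output).contains(&handle) {
        return Err(HandleError::AlreadyDefined(handle));
    }
    Ok(handle)
}
```

Calling `check_before_evict(0x00_10_00, "- 0x81001000\n- 0x81010001\n")` reports the occupied slot, while index 0x00_10_10 from the thread maps cleanly to 0x81001010.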

onalante-msft commented 2 years ago

@mlilien I ran tests with a VM, but could you also try the current main with your device?

mlilien commented 2 years ago

It works, thank you (tested with 1.4 + 451.diff + 454.diff).