Azure / iot-identity-service

Source of the Azure IoT Identity Service and related services.
MIT License

Stop vendoring TPM2 libraries for RHEL 9 #589

Open huguesBouvier opened 4 months ago

huguesBouvier commented 4 months ago

We observed in a customer issue that the DPS-TPM workflow doesn't work on RHEL 9:

Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [INFO] - <-- GET /get_tpm_keys?api-version=2020-09-01 {"host": "tpmd.sock"}
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [INFO] - --> 200 {"content-type": "application/json"}
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [INFO] - <-- POST /import_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "1306"}
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:327:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:212:Esys_ActivateCredential_Async() Error in computation of auth values ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:82:Esys_ActivateCredential() Error in async function ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [ERR!] - !!! internal error
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [ERR!] - !!! caused by: could not import auth key
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [ERR!] - !!! caused by: esapi:Catch all for all errors not otherwise specified
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [INFO] - --> 500 {"content-type": "application/json"}
Feb 20 17:34:01 icm2 aziot-identityd[66569]: 2024-02-20T17:34:01Z [ERR!] - Failed to provision with IoT Hub, and no valid device backup was found: DPS client error
Feb 20 17:34:01 icm2 aziot-identityd[66569]: 2024-02-20T17:34:01Z [ERR!] - service encountered an error
Feb 20 17:34:01 icm2 aziot-identityd[66569]: 2024-02-20T17:34:01Z [ERR!] - caused by: DPS client error
Feb 20 17:34:01 icm2 aziot-identityd[66569]: 2024-02-20T17:34:01Z [ERR!] - caused by: internal error

We confirmed that removing the vendored libraries and having tpmd use the distro libraries made it work.
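As an added triage example (not code from this issue or from the iot-identity-service project), the script below decodes the TSS2 return code carried in the tpm2-tss ERROR lines of a journal excerpt and recognises the specific root cause seen here: the ESAPI OpenSSL crypto backend failing in iesys_cryptossl_hmac_start() at EVP_PKEY_new_mac_key. The layer and base-error tables are a partial transcription of tpm2-tss's tss2_common.h, and the sample lines are taken from the journal excerpt above.

```python
import re

# Partial tables from tpm2-tss tss2_common.h: the layer is bits 16..23 of a
# TSS2_RC; for the non-TPM layers the base error is the low 16 bits.
TSS2_RC_LAYERS = {0: "tpm", 6: "feature", 7: "esapi", 8: "sys",
                  9: "mu", 10: "tcti", 11: "resmgr", 12: "resmgr_tpm"}
TSS2_BASE_RC = {1: "general_failure", 2: "not_implemented", 3: "bad_context",
                8: "no_connection", 10: "io_error", 11: "bad_value"}

# One tpm2-tss log record: ERROR:<module>:<file>:<line>:<func>() <text> ErrorCode (0x..) [<detail>]
TSS_ERR_RE = re.compile(
    r"ERROR:(?P<module>\w+):(?P<file>[\w./-]+):\d+:(?P<func>\w+)\(\)"
    r".*?ErrorCode \((?P<rc>0x[0-9a-fA-F]+)\)\s*(?P<detail>.*)$")

def decode_rc(rc: int) -> str:
    """Render a TSS2_RC as '<layer>:<base>', e.g. 0x00070001 -> 'esapi:general_failure'."""
    layer_id = (rc >> 16) & 0xFF
    layer = TSS2_RC_LAYERS.get(layer_id, f"layer{layer_id}")
    base = TSS2_BASE_RC.get(rc & 0xFFFF, f"0x{rc & 0xFFFF:04x}")
    return f"{layer}:{base}"

def parse_tss_errors(lines):
    """Return the tpm2-tss ERROR records in the lines, innermost (first logged) first."""
    found = []
    for line in lines:
        m = TSS_ERR_RE.search(line)
        if m:
            found.append({"module": m["module"], "func": m["func"],
                          "rc": int(m["rc"], 16), "detail": m["detail"].strip()})
    return found

def openssl_hmac_backend_broken(lines) -> bool:
    """True when the innermost ESAPI error is esys_crypto_ossl failing to create a
    MAC key, i.e. the libtss2-esys OpenSSL backend rather than the TPM itself."""
    errs = parse_tss_errors(lines)
    if not errs:
        return False
    root = errs[0]
    return (root["module"] == "esys_crypto"
            and root["func"] == "iesys_cryptossl_hmac_start"
            and root["detail"].startswith("EVP_PKEY_new_mac_key"))

SAMPLE_JOURNAL = [  # taken from the journal excerpt in this issue
    "Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:327:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key",
    "Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)",
    "Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:82:Esys_ActivateCredential() Error in async function ErrorCode (0x00070001)",
]

if __name__ == "__main__":
    for e in parse_tss_errors(SAMPLE_JOURNAL):
        print(f"{e['func']:<30} {decode_rc(e['rc'])} {e['detail']}")
    print("openssl HMAC backend failure:", openssl_hmac_backend_broken(SAMPLE_JOURNAL))
```

Fed the full aziot-tpmd journal, the root-cause check distinguishes this host-side crypto-backend failure from a genuine TPM-layer error, which is the first thing to establish before swapping libraries.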

arsing commented 4 months ago

Package build fails because we need to include tpm2-tss-devel in the list of dnf install'd packages too. But that by itself is also not sufficient because tpm2-tss-devel doesn't actually exist in the UBI 9 repos. Hugues and I are following up internally.