NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

tpm2-tools: tss2_provision tries to write to /nix/store/ #192771

Open erdnaxe opened 1 year ago

erdnaxe commented 1 year ago

Describe the bug

tss2_provision is unable to create keystore policy directories, and fails to init the on-disk keystore.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Run nix-shell -p tpm2-tools --run tss2_provision
  2. Observe that the provisioning fails.

Expected behavior

I would expect the keystore to be provisioned from my TPM, without any error messages.

Screenshots

[nix-shell:~]$ tss2_provision
WARNING:fapi:src/tss2-fapi/ifapi_io.c:339:ifapi_io_check_create_dir() Directory /nix/store/kxm3gzg8fz2r25z94pzbah5zf1knbk0v-tpm2-tss-3.2.0/var/lib/tpm2-tss/system/keystore/policy does not exist, creating
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1053:create_dirs() mkdir not possible: -1 /nix/store/kxm3gzg8fz2r25z94pzbah5zf1knbk0v-tpm2-tss-3.2.0/var/lib/tpm2-tss/system/keystore/policy
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1080:ifapi_create_dirs() ErrorCode (0x0006000b) Create directories for /nix/store/kxm3gzg8fz2r25z94pzbah5zf1knbk0v-tpm2-tss-3.2.0/var/lib/tpm2-tss/system/keystore/policy
ERROR:fapi:src/tss2-fapi/ifapi_io.c:342:ifapi_io_check_create_dir() ErrorCode (0x0006000b) Directory /nix/store/kxm3gzg8fz2r25z94pzbah5zf1knbk0v-tpm2-tss-3.2.0/var/lib/tpm2-tss/system/keystore/policy can't be created.
ERROR:fapi:src/tss2-fapi/ifapi_policy_store.c:115:ifapi_policy_store_initialize() ErrorCode (0x0006000b) Policy directory /nix/store/kxm3gzg8fz2r25z94pzbah5zf1knbk0v-tpm2-tss-3.2.0/var/lib/tpm2-tss/system/keystore/policy can't be created.
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:212:Fapi_Initialize_Finish() ErrorCode (0x0006000b) Keystore could not be initialized.
Fapi_Initialize(0x6000B) - fapi:A parameter has a bad value

Additional context

These error messages are also shown when using OpenSSH with the PKCS11 provider, see https://nixos.wiki/wiki/TPM.

Notify maintainers

@delroth

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.68, NixOS, 22.05 (Quokka), 22.05.3180.9bdbbaa634a`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.1`
 - channels(root): `"home-manager-22.05.tar.gz, nixos-22.05, nixos-hardware, nixos-unstable"`
 - channels(erdnaxe): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

accelbread commented 1 year ago

I have found a workaround for this.

The tss2 utils are using /nix/store/...-tpm2-tss-3.2.0/etc/tpm2-tss/fapi-config.json for their config. This can be overridden with the TSS2_FAPICONF environment variable.

To fix the issue, set the TSS2_FAPICONF environment variable to the path to a copy of the aforementioned config file, but with "nix/store/...-tpm2-tss-3.2.0" stripped from the values of the "system_dir" and "log_dir" keys (note that "profile_dir" should keep the store path).

The package should be fixed so that its config file works out of the box, though for now this workaround works.
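
Worked form of the workaround described in this comment, as an added example (not accelbread's module and not tpm2-tss's own code): it loads the packaged fapi-config.json, strips the tpm2-tss store prefix from the writable "system_dir" and "log_dir" values only, leaves "profile_dir" pointing at the store, and writes the copy that TSS2_FAPICONF should point at. The sample config and its store hash are constructed placeholders, not values taken from a real install.

```python
import json
import os
import re
import sys

# Directories FAPI must be able to create and write to. The Nix store is
# read-only, so these must not stay under the tpm2-tss store path.
# "profile_dir" holds read-only profile data and keeps the store path.
WRITABLE_DIR_KEYS = ("system_dir", "log_dir")

# Leading "/nix/store/<32-char hash>-tpm2-tss-<version>" of a packaged path.
STORE_PREFIX_RE = re.compile(r"^/nix/store/[0-9a-z]{32}-tpm2-tss-[^/]+")

# Constructed sample of the packaged config (placeholder all-zero hash).
_HASH = "0" * 32
SAMPLE_CONFIG = {
    "profile_name": "P_ECCP256SHA256",
    "profile_dir": f"/nix/store/{_HASH}-tpm2-tss-3.2.0/etc/tpm2-tss/fapi-profiles/",
    "user_dir": "~/.local/share/tpm2-tss/user/keystore",
    "system_dir": f"/nix/store/{_HASH}-tpm2-tss-3.2.0/var/lib/tpm2-tss/system/keystore",
    "log_dir": f"/nix/store/{_HASH}-tpm2-tss-3.2.0/var/run/tpm2-tss/eventlog",
    "tcti": "device:/dev/tpmrm0",
}


def strip_store_prefix(path: str) -> str:
    """Drop the leading tpm2-tss store path, leaving the absolute system path."""
    return STORE_PREFIX_RE.sub("", path) or "/"


def rewrite_fapi_config(config: dict) -> dict:
    """Return a copy of the config with the writable dirs moved out of the store."""
    fixed = dict(config)
    for key in WRITABLE_DIR_KEYS:
        if key in fixed:
            fixed[key] = strip_store_prefix(fixed[key])
    return fixed


def store_paths_remaining(config: dict) -> list:
    """Writable keys whose value still points into /nix/store (should be empty)."""
    return [k for k in WRITABLE_DIR_KEYS if config.get(k, "").startswith("/nix/store/")]


if __name__ == "__main__":
    # Usage: <script> <packaged fapi-config.json> <output path>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src) as f:
        fixed = rewrite_fapi_config(json.load(f))
    assert not store_paths_remaining(fixed), "writable dir still inside /nix/store"
    os.makedirs(os.path.dirname(os.path.abspath(dst)), exist_ok=True)
    with open(dst, "w") as f:
        json.dump(fixed, f, indent=2)
    print(f"export TSS2_FAPICONF={dst}")
```

The resulting system_dir is still the path tss2_provision will try to create, so it must be creatable by the user running the provisioning (typically root for /var/lib/tpm2-tss).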

accelbread commented 1 year ago

I have a nixos module to apply the workaround here: https://github.com/accelbread/config-flake/blob/7d23c5b9ecb560ebb10b6df3f2006db224a704a6/nix/nixosModules/tpm2-tss-fapi.nix

k1gen commented 1 month ago

Can the fix for this be upstreamed? I have the same problem.