Closed kuldeepmarker-eaton closed 2 years ago
Hello @kuldeepmarker-eaton,
I suspect tee-supplicant is not yet running when the kernel tries to open a session to the fTPM TA, and therefore the TA cannot be loaded from the root fs. I also think TEEC_OUT_OF_MEMORY is misleading; OP-TEE is probably trying to allocate some buffer with the help of tee-supplicant at that point.
Hi @jforissier,
Thanks for your quick reply. I can see from the logs that tee-supplicant is running, but ftpm_tee_probe is happening first and then the tee-supplicant service is starting. So how can I handle this scenario?
E/LD: init_elf:437 sys_open_ta_bin(bc50d971-d4c9-42c4-82cb-343fb7f37896)
E/TC:? 0 ldelf_init_with_ldelf:126 ldelf failed with res: 0xffff000c
[ 48.107710] ftpm-tee tpm@0: ftpm_tee_probe: tee_client_open_session failed, err=ffff000c
[ 48.114748] ftpm-tee: probe of tpm@0 failed with error -22
[ 48.135054] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Feb 16 2020 22:39:24 version 7.45.98.97 (r724416 CY) FWID 01-bf41ed64
[ 48.193890] Bluetooth: hci0: BCM4343WA1 37.4MHz Murata Type-1DX BT4.2-0093
[ 48.199576] Bluetooth: hci0: BCM43430A1 (001.002.009) build 0395
[ 48.624940] cs42l51 0-004a: Cirrus Logic CS42L51, Revision: 01
[ OK ] Started udev Wait for Complete Device Initialization.
[ 48.957457] RESIZE-HELPER START
[ 49.328585] RESIZE-HELPER: Using systemd-growfs
[ 49.367124] EXT4-fs (mmcblk0p6): resizing filesystem from 190584 to 190584 blocks
[ OK ] Created slice system-systemd\x2dbacklight.slice.
[ OK ] Created slice system-weston.slice.
[ 49.458556] EXT4-fs (mmcblk0p4): resizing filesystem from 65536 to 65536 blocks
[ OK ] Listening on Load/Save RF …itch Status /dev/rfkill Watch.
[ 49.478579] EXT4-fs (mmcblk0p5): resizing filesystem from 16384 to 16384 blocks
[ 49.496316] EXT4-fs (mmcblk0p7): resizing filesystem from 723964 to 723966 blocks
[ 49.507448] EXT4-fs (mmcblk0p7): resized filesystem to 723966
[ OK ] Started Hardware RNG Entropy Gatherer Daemon.
Starting Load/Save Screen …of backlight:5a000000.dsi.0...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Load/Save Screen B…s of backlight:5a000000.dsi.0.
[ 50.495618] Filesystem Size Used Avail Use% Mounted on
[ 50.495618] devtmpfs 130M 0 130M 0% /dev
[ 50.495618] /dev/mmcblk0p6 683M 464M 173M 73% /
[ 50.495618] tmpfs 196M 0 196M 0% /dev/shm
[ 50.495618] tmpfs 196M 8.6M 187M 5% /run
[ 50.495618] tmpfs 196M 0 196M 0% /sys/fs/cgroup
[ 50.495618] tmpfs 196M 12K 196M 1% /tmp
[ 50.495618] /dev/mmcblk0p4 56M 15M 38M 28% /boot
[ 50.495618] /dev/mmcblk0p5 14M 6.8M 6.2M 53% /vendor
[ 50.495618] /dev/mmcblk0p7 659M 40M 580M 7% /usr/local
[ 50.495618] tmpfs 196M 0 196M 0% /var/volatile
[ 50.555621] RESIZE-HELPER FINISH
[ OK ] Started Resize root filesy…m to fit available disk space.
[ OK ] Reached target Local File Systems.
Starting Rebuild Dynamic Linker Cache...
Starting Create Volatile Files and Directories...
[ OK ] Started Create Volatile Files and Directories.
Starting Run pending postinsts...
Starting Rebuild Journal Catalog...
Starting Network Time Synchronization...
Starting Update UTMP about System Boot/Shutdown...
[ OK ] Started Update UTMP about System Boot/Shutdown.
[ OK ] Started Rebuild Journal Catalog.
[ OK ] Started Network Time Synchronization.
[ OK ] Reached target System Time Set.
[ OK ] Reached target System Time Synchronized.
[ OK ] Started Run pending postinsts.
[ OK ] Started Rebuild Dynamic Linker Cache.
Starting Update is Completed...
[ OK ] Started Update is Completed.
[ OK ] Reached target System Initialization.
[ OK ] Started Daily apt download activities.
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Reached target Timers.
[ OK ] Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Listening on dropbear.socket.
[ OK ] Reached target Sockets.
[ OK ] Reached target Basic System.
Starting Save/Restore Sound Card State...
Starting Bluetooth service...
[ OK ] Started Kernel Logging Service.
[ OK ] Started System Logging Service.
[ OK ] Started D-Bus System Message Bus.
Starting IPv6 Packet Filtering Framework...
Starting IPv4 Packet Filtering Framework...
Starting Netdata, Real-time performance monitoring...
Starting Login Service...
[ OK ] Started TEE Supplicant.
Starting Enable USB Ethernet gadget...
[ OK ] Started Save/Restore Sound Card State.
[ OK ] Started IPv6 Packet Filtering Framework.
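Added example, not part of the original thread and not code from OP-TEE or the Linux driver: a small Python check that reads a boot log like the one above, decodes the TEEC return code reported by ftpm_tee_probe, and reports whether the probe failed before the "Started TEE Supplicant" line. The function name `diagnose` and the error-code subset are choices made for this example; the sample lines are copied from the log in this thread.

```python
import re

# Subset of GlobalPlatform TEE Client API return codes (TEEC_ERROR_*).
TEEC_ERRORS = {
    0xFFFF0000: "TEEC_ERROR_GENERIC",
    0xFFFF0001: "TEEC_ERROR_ACCESS_DENIED",
    0xFFFF0006: "TEEC_ERROR_BAD_PARAMETERS",
    0xFFFF0008: "TEEC_ERROR_ITEM_NOT_FOUND",
    0xFFFF000C: "TEEC_ERROR_OUT_OF_MEMORY",
    0xFFFF000E: "TEEC_ERROR_COMMUNICATION",
}

PROBE_FAIL = re.compile(
    r"ftpm_tee_probe: tee_client_open_session failed, err=([0-9a-fA-F]+)")
SUPPLICANT_UP = re.compile(r"Started TEE Supplicant")

# Lines taken from the boot log quoted in this thread, one entry per line.
SAMPLE_LOG = """\
E/LD: init_elf:437 sys_open_ta_bin(bc50d971-d4c9-42c4-82cb-343fb7f37896)
E/TC:? 0 ldelf_init_with_ldelf:126 ldelf failed with res: 0xffff000c
[ 48.107710] ftpm-tee tpm@0: ftpm_tee_probe: tee_client_open_session failed, err=ffff000c
[ 48.114748] ftpm-tee: probe of tpm@0 failed with error -22
[ OK ] Reached target Basic System.
[ OK ] Started TEE Supplicant.
"""

def diagnose(log_text):
    """Report whether the fTPM probe failed before tee-supplicant started."""
    probe_line = supplicant_line = err = None
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = PROBE_FAIL.search(line)
        if m and probe_line is None:
            probe_line, err = n, int(m.group(1), 16)
        elif SUPPLICANT_UP.search(line) and supplicant_line is None:
            supplicant_line = n
    return {
        "probe_failed_line": probe_line,
        "supplicant_started_line": supplicant_line,
        "teec_error": None if err is None else TEEC_ERRORS.get(err, hex(err)),
        # True when the driver probed while no supplicant was yet available
        # to load the TA from the root filesystem.
        "probe_before_supplicant": probe_line is not None
        and (supplicant_line is None or probe_line < supplicant_line),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```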
On the platform I am currently working on (RockPi4B):
CFG_REE_FS=n CFG_RPMB_FS=y
) and tee-supplicant is started by the initramfs. This way the fTPM TA can access secure storage before the root filesystem is mounted.
Thanks @jforissier for your inputs, so do you think I have to be concerned here? And also I wanted to know how did you test the fTPM TA using the OP-TEE client API?
> Thanks @jforissier for your inputs, so do you think I have to be concerned here?
Well it depends on what you expect I suppose ;-)
> And also I wanted to know how did you test the fTPM TA using the OP-TEE client API?
I don't know the details about the fTPM, but AFAIK the TA is called by the Linux TPM driver. On my board I consider that all is well when I see no error message on boot and the following command prints out some measurements:
$ sudo tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
Hi @jforissier,
I have appended tpm2 as a feature in my distro, and after flashing the image on the board I am not seeing tpm2_eventlog in my /usr/bin folder. Any idea what I am missing here? Below is the list of tpm2 commands in my /usr/bin folder. Also, I am not seeing a tpm0 entry in /sys/kernel/security/. As a result of this I am not able to test the fTPM TA.
root@stm32mp1:~# ls /usr/bin/ | grep "tpm"
tpm2_activatecredential tpm2_certify tpm2_certifycreation tpm2_changeauth tpm2_changeeps tpm2_changepps tpm2_checkquote tpm2_clear tpm2_clearcontrol tpm2_clockrateadjust tpm2_create tpm2_createak tpm2_createek tpm2_createpolicy tpm2_createprimary tpm2_dictionarylockout tpm2_duplicate tpm2_encryptdecrypt tpm2_evictcontrol tpm2_flushcontext tpm2_getcap tpm2_getekcertificate tpm2_getrandom tpm2_gettestresult tpm2_gettime tpm2_hash tpm2_hierarchycontrol tpm2_hmac tpm2_import tpm2_incrementalselftest tpm2_load tpm2_loadexternal tpm2_makecredential tpm2_nvcertify tpm2_nvdefine tpm2_nvextend tpm2_nvincrement tpm2_nvread tpm2_nvreadlock tpm2_nvreadpublic tpm2_nvsetbits tpm2_nvundefine tpm2_nvwrite tpm2_nvwritelock tpm2_pcrallocate tpm2_pcrevent tpm2_pcrextend tpm2_pcrread tpm2_pcrreset tpm2_policyauthorize tpm2_policyauthorizenv tpm2_policyauthvalue tpm2_policycommandcode tpm2_policycountertimer tpm2_policyduplicationselect tpm2_policylocality tpm2_policynamehash tpm2_policynv tpm2_policynvwritten tpm2_policyor tpm2_policypassword tpm2_policypcr tpm2_policyrestart tpm2_policysecret tpm2_policysigned tpm2_policytemplate tpm2_policyticket tpm2_print tpm2_quote tpm2_rc_decode tpm2_readclock tpm2_readpublic tpm2_rsadecrypt tpm2_rsaencrypt tpm2_selftest tpm2_send tpm2_setclock tpm2_setprimarypolicy tpm2_shutdown tpm2_sign tpm2_startauthsession tpm2_startup tpm2_stirrandom tpm2_testparms tpm2_unseal tpm2_verifysignature tpm_server
Hi, I am trying to execute fTPM as a TA in OPTEE. I have built the fTPM as a TA using a yocto recipe. I am using the OPENSTLINUX distro and my board is stm32mp157f-dk2. I have configured the kernel config to enable the TPM_FTPM_TEE driver, and the fTPM TA is getting built and I can see it in the /lib/optee_armtz folder. I have also modified the device tree for the board to create an entry for tpm@0. When I boot the board I am getting the logs below, wherein the TEE_CLIENT_OPEN_SESSION failed.
[ 35.656290] Bluetooth: hci0: BCM43430A1 'brcm/BCM43430A1.hcd' Patch
[ 35.724523] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 35.900595] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43430-sdio for chip BCM43430/1
[ 36.179999] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43430-sdio for chip BCM43430/1
[ 36.290162] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43430/1 wl0: Feb 16 2020 22:39:24 version 7.45.98.97 (r724416 CY) FWID 01-bf41ed64
[ 36.324120] Bluetooth: hci0: BCM4343WA1 37.4MHz Murata Type-1DX BT4.2-0093
[ 36.329791] Bluetooth: hci0: BCM43430A1 (001.002.009) build 0395
E/LD: init_elf:437 sys_open_ta_bin(bc50d971-d4c9-42c4-82cb-343fb7f37896)
E/TC:? 0 ldelf_init_with_ldelf:126 ldelf failed with res: 0xffff000c
[ 36.409300] ftpm-tee tpm@0: ftpm_tee_probe: tee_client_open_session failed, err=ffff000c
[ 36.416048] ftpm-tee: probe of tpm@0 failed with error -22
[ 36.783842] cs42l51 0-004a: Cirrus Logic CS42L51, Revision: 01
I have checked the return code and it says TEEC_OUT_OF_MEMORY. I have configured the size as #define CFG_TZDRAM_SIZE 0x01e00000. So could you please help me out here?