Closed: 7flying closed this issue 1 year ago
Weird. Are the credentials "correct" though?
They look OK to me:
Active: true
Protocol Version: 101
Device Info:
Device GUID: ce27e34f-a23e-0593-9489-6d91bf8dcec3
Rendezvous Info:
- [(DevicePort, [25, 31, 146]), (IPAddress, [68, 192, 168, 122, 180]), (OwnerPort, [25, 31, 146]), (Protocol, [1])]
- [(DevicePort, [25, 31, 146]), (IPAddress, [80, 254, 128, 0, 0, 0, 0, 0, 0, 151, 226, 23, 22, 106, 168, 136, 186]), (OwnerPort, [25, 31, 146]), (Protocol, [1])]
Public key hash: 576f9815c6e3d8f46d8c9385eb58446a3b4dc258429b1931dc95cddbd8d6b0c81384bc3fb48a98dae965621019d4df58 (Sha384)
HMAC and signing key:
HMAC key: <secret>
Signing key: <secret>
manufacturing-server.yml for reference:
session_store_driver:
  Directory:
    path: /home/fedora/fido-device-onboard-rs/aio-dir/stores/manufacturing_sessions
ownership_voucher_store_driver:
  Directory:
    path: /home/fedora/fido-device-onboard-rs/aio-dir/stores/owner_vouchers
public_key_store_driver:
  Directory:
    path: /home/fedora/fido-device-onboard-rs/aio-dir/stores/manufacturer_keys
bind: 0.0.0.0:8080
protocols:
  plain_di: false
  diun:
    mfg_string_type: SerialNumber
    key_type: SECP384R1
    allowed_key_storage_types:
    - Tpm
    - FileSystem
    key_path: /home/fedora/fido-device-onboard-rs/aio-dir/keys/diun_key.der
    cert_path: /home/fedora/fido-device-onboard-rs/aio-dir/keys/diun_cert.pem
rendezvous_info:
- deviceport: 8082
  ip_address: 192.168.122.180
  ownerport: 8082
  protocol: http
- deviceport: 8082
  ip_address: fe80::97e2:1716:6aa8:88ba
  ownerport: 8082
  protocol: http
manufacturing:
  manufacturer_cert_path: /home/fedora/fido-device-onboard-rs/aio-dir/keys/manufacturer_cert.pem
  device_cert_ca_private_key: /home/fedora/fido-device-onboard-rs/aio-dir/keys/device_ca_key.der
  device_cert_ca_chain: /home/fedora/fido-device-onboard-rs/aio-dir/keys/device_ca_cert.pem
  owner_cert_path: /home/fedora/fido-device-onboard-rs/aio-dir/keys/owner_cert.pem
  manufacturer_private_key: /home/fedora/fido-device-onboard-rs/aio-dir/keys/manufacturer_key.der
If we isolate the lines of code that cause the error:
// Hard-wired to the tpm2-abrmd (userspace resource manager) TCTI
let tcti_conf = tss_esapi::tcti_ldr::TctiNameConf::Tabrmd(Default::default());
let _tss_context =
    tss_esapi::Context::new(tcti_conf).context("Error initializing the TPM context")?;
we get:
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
Error: Error initializing the TPM context
Caused by:
    0: response code not recognized
    1: response code not recognized
    2: Response code value: 0xa0015
when we have the following RPMs installed (same error on Fedora 37 and Fedora 38):
# fedora 37
tpm2-tools-5.4-1.fc37.x86_64
tpm2-tss-3.2.2-1.fc37.x86_64
tpm2-tss-devel-3.2.2-1.fc37.x86_64
# fedora 38
tpm2-tss-4.0.1-3.fc38.x86_64
tpm2-tools-5.5-3.fc38.x86_64
tpm2-tss-devel-4.0.1-3.fc38.x86_64
If I install tpm2-abrmd-devel, either in Fedora 37 or Fedora 38, I have another error message:
** (process:64465): WARNING **: 14:52:50.869: Failed to create connection with service: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name com.intel.tss2.Tabrmd was not provided by any .service files
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
Error: Error initializing the TPM context
Caused by:
    0: response code not recognized
    1: response code not recognized
    2: Response code value: 0xa0008
Fedora 37 versions:
tpm2-abrmd-2.4.1-2.fc37.x86_64
tpm2-abrmd-devel-2.4.1-2.fc37.x86_64
Fedora 38 versions:
tpm2-abrmd-3.0.0-2.fc38.x86_64
tpm2-abrmd-devel-3.0.0-2.fc38.x86_64
Opened an issue at the C source repo: https://github.com/tpm2-software/tpm2-tss/issues/2663
CC @puiterwijk for awareness, I'm a bit lost with the TPM stuff and this might be an obvious issue to you :sweat_smile:
Reported downstream, too - https://bugzilla.redhat.com/show_bug.cgi?id=2223779
We should be using the kernel RM (resource manager), not tpm2-abrmd, for reference.
We seem to be using abrmd instead of the kernel RM (https://github.com/fedora-iot/fido-device-onboard-rs/blob/aea44d3bb13900777d05f784ce93612f1ba1be78/manufacturing-client/src/main.rs#L591) as the fallback when no configuration file is provided, so we need to change that.
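The selection logic the comment above asks for, written out as an added example (this is not code from fido-device-onboard-rs, and the type and function names `Tcti`, `choose_tcti` and `choose_tcti_from_env` are assumptions made here): honour an explicit `TPM2TOOLS_TCTI` setting if present, otherwise prefer the in-kernel resource manager `/dev/tpmrm0`, fall back to tpm2-abrmd only when the caller knows the daemon is actually running on D-Bus (which is what the `com.intel.tss2.Tabrmd was not provided by any .service files` error above says was missing), and use the raw `/dev/tpm0` node last. The function produces a string in the tpm2-tss TCTI loader syntax (`name:config`), which is what `TPM2TOOLS_TCTI` and tss-esapi's `TctiNameConf::from_str` accept; the `dev_root` parameter exists only so the choice can be exercised on a machine without a TPM.

```rust
use std::env;
use std::path::{Path, PathBuf};

/// Candidate TCTI backends, in order of preference. Names and shape are
/// assumptions of this example, not types from the project.
#[derive(Debug, PartialEq)]
pub enum Tcti {
    /// Explicit operator setting (e.g. TPM2TOOLS_TCTI), passed through verbatim.
    Explicit(String),
    /// In-kernel resource manager node: no daemon, no D-Bus, multiple clients OK.
    KernelRm(PathBuf),
    /// tpm2-abrmd userspace resource manager, reached over the system D-Bus.
    Abrmd,
    /// Raw device node: no resource manager, so only one client may hold it.
    RawDevice(PathBuf),
}

impl Tcti {
    /// Render as a tpm2-tss TCTI loader string ("device:/dev/tpmrm0", "tabrmd:...").
    pub fn name_conf(&self) -> String {
        match self {
            Tcti::Explicit(s) => s.clone(),
            Tcti::KernelRm(p) | Tcti::RawDevice(p) => format!("device:{}", p.display()),
            Tcti::Abrmd => "tabrmd:bus_type=system".to_string(),
        }
    }
}

/// Pick a TCTI. `explicit` is an operator override (blank means "none"),
/// `dev_root` is the directory holding the TPM nodes (normally /dev), and
/// `abrmd_available` says whether the tpm2-abrmd service is known to be up
/// (the caller decides how, e.g. from `systemctl is-active tpm2-abrmd`).
pub fn choose_tcti(explicit: Option<&str>, dev_root: &Path, abrmd_available: bool) -> Tcti {
    if let Some(s) = explicit.filter(|s| !s.trim().is_empty()) {
        return Tcti::Explicit(s.trim().to_string());
    }
    // Kernel RM first: it is what tpm2-tools default to and needs no daemon.
    let rm = dev_root.join("tpmrm0");
    if rm.exists() {
        return Tcti::KernelRm(rm);
    }
    // Only use tabrmd when the D-Bus service really exists, otherwise the
    // TCTI loader fails exactly as shown in this issue.
    if abrmd_available {
        return Tcti::Abrmd;
    }
    // Last resort: the unmanaged node, which also exists on old kernels.
    Tcti::RawDevice(dev_root.join("tpm0"))
}

/// Same choice driven by the real environment; abrmd is assumed absent here.
pub fn choose_tcti_from_env() -> Tcti {
    let explicit = env::var("TPM2TOOLS_TCTI").ok();
    choose_tcti(explicit.as_deref(), Path::new("/dev"), false)
}

fn main() {
    let tcti = choose_tcti_from_env();
    println!("selected TCTI: {}", tcti.name_conf());
    // With tss-esapi this string would be parsed with
    // tss_esapi::tcti_ldr::TctiNameConf::from_str(&tcti.name_conf())
    // and the result handed to tss_esapi::Context::new(..).
}
```

The resulting string is the one you would also export as `TPM2TOOLS_TCTI` before running `tpm2_getcap` to check the same path by hand; if the kernel node is missing, the tpm2-abrmd string only works while the daemon is up, which is the case the errors above describe.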
From the main branch, running the manufacturing-client as root on Fedora 38:
But, device-credentials are correctly generated.