fdo-rs / fido-device-onboard-rs

An implementation of the FIDO Device Onboard (FDO) spec written in Rust.
BSD 3-Clause "New" or "Revised" License

Error with `tss_esapi`: Failed to instantiate TCTI #531

Closed 7flying closed 1 year ago

7flying commented 1 year ago

From the main branch, running the manufacturing-client as root on Fedora 38:

MANUFACTURING_SERVER_URL=http://192.168.122.180:8080 \
USE_PLAIN_FI=false \
DIUN_PUB_KEY_INSECURE=true \
./target/debug/fdo-manufacturing-client 
 2023-07-11T11:45:37.372Z INFO  fdo_manufacturing_client > No usable device credential located, performing Device Onboarding
 2023-07-11T11:45:37.402Z INFO  fdo_manufacturing_client > Performing DIUN
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
 2023-07-11T11:45:37.418Z ERROR tss_esapi::tcti_ldr      > Error when creating a TCTI context: response code not recognized

But, device-credentials are correctly generated.

runcom commented 1 year ago

weird

runcom commented 1 year ago

are the credentials "correct" tho?

7flying commented 1 year ago

They look OK to me:

Active: true
Protocol Version: 101
Device Info: 
Device GUID: ce27e34f-a23e-0593-9489-6d91bf8dcec3
Rendezvous Info:
    - [(DevicePort, [25, 31, 146]), (IPAddress, [68, 192, 168, 122, 180]), (OwnerPort, [25, 31, 146]), (Protocol, [1])]
    - [(DevicePort, [25, 31, 146]), (IPAddress, [80, 254, 128, 0, 0, 0, 0, 0, 0, 151, 226, 23, 22, 106, 168, 136, 186]), (OwnerPort, [25, 31, 146]), (Protocol, [1])]
Public key hash: 576f9815c6e3d8f46d8c9385eb58446a3b4dc258429b1931dc95cddbd8d6b0c81384bc3fb48a98dae965621019d4df58 (Sha384)
HMAC and signing key:
    HMAC key: <secret>
    Signing key: <secret>

manufacturing-server.yml for reference:

session_store_driver:
  Directory:
    path: /home/fedora/fido-device-onboard-rs/aio-dir/stores/manufacturing_sessions
ownership_voucher_store_driver:
  Directory:
    path: /home/fedora/fido-device-onboard-rs/aio-dir/stores/owner_vouchers
public_key_store_driver:
  Directory:
    path: /home/fedora/fido-device-onboard-rs/aio-dir/stores/manufacturer_keys
bind: 0.0.0.0:8080
protocols:
  plain_di: false
  diun:
    mfg_string_type: SerialNumber
    key_type: SECP384R1
    allowed_key_storage_types:
    - Tpm
    - FileSystem
    key_path: /home/fedora/fido-device-onboard-rs/aio-dir/keys/diun_key.der
    cert_path: /home/fedora/fido-device-onboard-rs/aio-dir/keys/diun_cert.pem
rendezvous_info:
- deviceport: 8082
  ip_address: 192.168.122.180
  ownerport: 8082
  protocol: http
- deviceport: 8082
  ip_address: fe80::97e2:1716:6aa8:88ba
  ownerport: 8082
  protocol: http
manufacturing:
  manufacturer_cert_path: /home/fedora/fido-device-onboard-rs/aio-dir/keys/manufacturer_cert.pem
  device_cert_ca_private_key: /home/fedora/fido-device-onboard-rs/aio-dir/keys/device_ca_key.der
  device_cert_ca_chain: /home/fedora/fido-device-onboard-rs/aio-dir/keys/device_ca_cert.pem
  owner_cert_path: /home/fedora/fido-device-onboard-rs/aio-dir/keys/owner_cert.pem
  manufacturer_private_key: /home/fedora/fido-device-onboard-rs/aio-dir/keys/manufacturer_key.der

7flying commented 1 year ago

If we isolate the lines of code that cause the error:

 use anyhow::Context;
 // tabrmd TCTI with its default config: needs both the tabrmd TCTI library and a running tpm2-abrmd daemon
 let tcti_conf = tss_esapi::tcti_ldr::TctiNameConf::Tabrmd(Default::default());
 let _tss_context =
     tss_esapi::Context::new(tcti_conf).context("Error initializing the TPM context")?;

we get:

ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
Error: Error initializing the TPM context

Caused by:
    0: response code not recognized
    1: response code not recognized
    2: Response code value: 0xa0015

when we have the following RPMs installed (same error on Fedora 37 and Fedora 38):

# fedora 37
tpm2-tools-5.4-1.fc37.x86_64
tpm2-tss-3.2.2-1.fc37.x86_64
tpm2-tss-devel-3.2.2-1.fc37.x86_64

# fedora 38
tpm2-tss-4.0.1-3.fc38.x86_64
tpm2-tools-5.5-3.fc38.x86_64
tpm2-tss-devel-4.0.1-3.fc38.x86_64

If I install tpm2-abrmd-devel either in Fedora 37 or Fedora 38, I have another error message:

** (process:64465): WARNING **: 14:52:50.869: Failed to create connection with service: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name com.intel.tss2.Tabrmd was not provided by any .service files
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd 
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
Error: Error initializing the TPM context

Caused by:
    0: response code not recognized
    1: response code not recognized
    2: Response code value: 0xa0008

Fedora 37 versions:

tpm2-abrmd-2.4.1-2.fc37.x86_64
tpm2-abrmd-devel-2.4.1-2.fc37.x86_64

Fedora 38 versions:

tpm2-abrmd-3.0.0-2.fc38.x86_64
tpm2-abrmd-devel-3.0.0-2.fc38.x86_64

7flying commented 1 year ago

Opened an issue at the C source repo: https://github.com/tpm2-software/tpm2-tss/issues/2663

7flying commented 1 year ago

CC @puiterwijk for awareness, I'm a bit lost with the TPM stuff and this might be an obvious issue to you :sweat_smile:

miabbott commented 1 year ago

Reported downstream, too - https://bugzilla.redhat.com/show_bug.cgi?id=2223779

nullr0ute commented 1 year ago

We should be using the kernel RM (resource manager) not tpm2-abrmd for reference.

7flying commented 1 year ago

We seem to be using abrmd instead of the kernel RM (https://github.com/fedora-iot/fido-device-onboard-rs/blob/aea44d3bb13900777d05f784ce93612f1ba1be78/manufacturing-client/src/main.rs#L591) as the fallback when no configuration file is provided, so we need to change that.
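The two response codes reported earlier in the thread (0xa0015 and 0xa0008) and the kernel-RM-versus-tabrmd choice made in the last comments, worked through as an added example that is not part of this thread or of the fido-device-onboard-rs code. It is a std-only Rust program (no tss-esapi dependency) that (1) splits a raw TSS2_RC into the layer in bits 16..23 and the TSS2_BASE_RC_* value in the low 16 bits, as laid out in tss2_common.h, and (2) picks a TCTI loader string in the order the thread argues for: an explicit TPM2TOOLS_TCTI first, then the kernel resource manager at /dev/tpmrm0, then tpm2-abrmd only on kernels that have /dev/tpm0 but no /dev/tpmrm0. The `exists` parameter is a hypothetical injection point so the selection can be exercised on a machine with no TPM; in tss-esapi the `device:/dev/tpmrm0` string corresponds to the `TctiNameConf::Device` variant, and the `Tabrmd` variant used in the snippet above corresponds to the daemon.

```rust
use std::env;
use std::path::Path;

// TSS2_RC layout (tss2_common.h): bits 16..23 name the layer that produced
// the code, the low 16 bits are a TSS2_BASE_RC_* value (or a TPM_RC when the
// layer is the TPM itself or a resource manager relaying a TPM response).
const RC_LAYER_SHIFT: u32 = 16;
const RC_LAYER_MASK: u32 = 0xff << RC_LAYER_SHIFT;

#[derive(Debug, PartialEq, Eq)]
pub struct Tss2Rc {
    pub layer: &'static str,
    pub base: &'static str,
}

fn layer_name(layer: u32) -> &'static str {
    match layer {
        0 => "TPM",
        6 => "FEATURE",
        7 => "ESAPI",
        8 => "SYS",
        9 => "MU",
        10 => "TCTI",
        11 => "RESMGR",
        12 => "RESMGR_TPM",
        13 => "POLICY",
        _ => "UNKNOWN_LAYER",
    }
}

// TSS2_BASE_RC_* values from tss2_common.h (the ones a TCTI can produce).
fn base_rc_name(base: u32) -> &'static str {
    match base {
        1 => "GENERAL_FAILURE",
        2 => "NOT_IMPLEMENTED",
        3 => "BAD_CONTEXT",
        4 => "ABI_MISMATCH",
        5 => "BAD_REFERENCE",
        6 => "INSUFFICIENT_BUFFER",
        7 => "BAD_SEQUENCE",
        8 => "NO_CONNECTION",
        9 => "TRY_AGAIN",
        10 => "IO_ERROR",
        11 => "BAD_VALUE",
        12 => "NOT_PERMITTED",
        16 => "BAD_SIZE",
        17 => "MALFORMED_RESPONSE",
        20 => "INCOMPATIBLE_TCTI",
        21 => "NOT_SUPPORTED",
        22 => "BAD_TCTI_STRUCTURE",
        _ => "UNKNOWN_BASE_RC",
    }
}

/// Split a raw TSS2_RC into its layer and base-code names.
pub fn decode_rc(rc: u32) -> Tss2Rc {
    let layer = layer_name((rc & RC_LAYER_MASK) >> RC_LAYER_SHIFT);
    let base = match layer {
        "TPM" | "RESMGR_TPM" => "TPM_RC (not decoded here)",
        _ => base_rc_name(rc & 0xffff),
    };
    Tss2Rc { layer, base }
}

/// Pick a TCTI loader string ("<name>:<conf>", the format Tss2_TctiLdr_Initialize
/// and tss-esapi's TctiNameConf parse). Preference: explicit TPM2TOOLS_TCTI, then
/// the kernel resource manager, then tpm2-abrmd only where the kernel exposes
/// /dev/tpm0 but no /dev/tpmrm0. `exists` is a hypothetical injection point so
/// the logic can be exercised on a machine without a TPM.
pub fn preferred_tcti(env_tcti: Option<&str>, exists: impl Fn(&Path) -> bool) -> Option<String> {
    if let Some(explicit) = env_tcti.filter(|s| !s.is_empty()) {
        return Some(explicit.to_string());
    }
    if exists(Path::new("/dev/tpmrm0")) {
        // Kernel RM: no daemon, no D-Bus, works in a minimal initramfs or container.
        return Some("device:/dev/tpmrm0".to_string());
    }
    if exists(Path::new("/dev/tpm0")) {
        // No kernel RM (pre-4.12 kernel): a userspace RM is the only multi-client option.
        return Some("tabrmd:bus_name=com.intel.tss2.Tabrmd,bus_type=system".to_string());
    }
    None
}

fn main() {
    for rc in [0xa0015u32, 0xa0008] {
        let d = decode_rc(rc);
        println!("{rc:#x}: layer={} base={}", d.layer, d.base);
    }
    let env_tcti = env::var("TPM2TOOLS_TCTI").ok();
    match preferred_tcti(env_tcti.as_deref(), |p| p.exists()) {
        Some(t) => println!("TCTI to use: {t}"),
        None => println!("no TPM device found and TPM2TOOLS_TCTI unset"),
    }
}
```

Read against the thread: 0xa0015 is the TCTI layer with base 21, NOT_SUPPORTED, which is what the loader returns when the requested tabrmd TCTI library is not installed; 0xa0008 is the TCTI layer with base 8, NO_CONNECTION, the case where the library is present but no tpm2-abrmd daemon owns com.intel.tss2.Tabrmd on D-Bus. `tpm2_rc_decode 0xa0015` from tpm2-tools gives the same reading. Neither code can occur with `device:/dev/tpmrm0`, which needs only the kernel driver.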