irtimmer / tpm2-pk11

[DEPRECATED] PKCS#11 Module for TPM 2.0
BSD 2-Clause "Simplified" License
68 stars 24 forks

Failed to open device file /dev/tpm0: Device or resource busy #77

Open forx617 opened 6 years ago

forx617 commented 6 years ago

The problem fixed in issue #65 seems to have reappeared.

I'm using:

Created a persistent tpm key:

```
tpm2_listpersistent
persistent-handle[0]:0x81000000 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
```

Then the following fail:

```
ssh-keygen -D /usr/lib/pkcs11/libtpm2-pk11.so
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Device or resource busy
C_OpenSession failed: 5
cannot read public key from pkcs11
```

forx617 commented 6 years ago

Is there a solution for this problem?

irtimmer commented 6 years ago

According to the output of ssh-keygen, libtpm2-pk11 is configured to directly access /dev/tpm0, while the user is not allowed to access it or another process already has access to the tpm2 (like the tpm2 abrmd daemon)

forx617 commented 6 years ago

I don't have any user process accessing /dev/tpm0, only the "tpm_tis" Linux kernel module. I'm not using the tpm2-abrmd daemon.

This is my configuration for libtpm2-pk11:

```
# Type can be device/socket/tabrmd
type device

# Hostname to connect when using socket
hostname localhost

# Port number of TPM socket to connect to
port 2321

# Device to use as TPM
device /dev/tpm0

# Sign using encrypt in case TPM doesn't support hash format
# For example SSH use SHA512 which isn't supported by all TPM's
# Enabling this option requires key's to be encryption keys instead of signing only keys
sign-using-encrypt true

# Set login_required in case keys are protected by a password
# Notice currently only a single password for all keys is supported
# Depending on the TPM settings, providing wrong passwords can lead to a lockout
login-required false
```

What could be the problem?

forx617 commented 6 years ago

Update (with debug enabled):

```
#/usr/local/bin/tpm2_listpersistent
persistent-handle[0]:0x81000000 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
#/usr/local/bin/tpm2_readpublic -H 0x81000000
name: 000bb892c97e114eec1b9cd0e603e99cf9884942c02aa2e3f62e68428003b125ef96
qualified name: 000bfccbb940299e74f0277d38f14afdec8b70cb3669e6c8d944fc257c4edc7d0dc9
algorithm:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
  raw: 0x30072
type:
  value: rsa
  raw: 0x1
  rsa: b4f053fdd79965da70349d035ce30ae9ce46dfc09083568e8c1a413aa3b6bfe4ce836e11a2e34ab19c37ec9bc9fffa3615cd956615dd43c1c5c877cc8883de3a0cae008d55e75b22b316e3bb872827
#/usr/local/bin/tpm2_startup -v
tool="/usr/local/bin/tpm2_startup" version="R_1.5-2-gc16bbf5-dirty" tctis="dynamic" tcti-default=device dlclose=enabled
#ssh-keygen -D /usr/lib/pkcs11/libtpm2-pk11.so
2018-10-03 07:30:35 [tpm-pk11] C_GetInfo
2018-10-03 07:30:35 [tpm-pk11] C_GetSlotList: present = true
2018-10-03 07:30:35 [tpm-pk11] C_GetSlotList: present = true
2018-10-03 07:30:35 [tpm-pk11] C_GetTokenInfo: id = 4660
2018-10-03 07:30:35 [tpm-pk11] C_OpenSession: id = 4660, flags = 6
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Device or resource busy
C_OpenSession failed: 5
2018-10-03 07:30:35 [tpm-pk11] C_Finalize
cannot read public key from pkcs11
```

As said in my earlier post, I don't have any user process accessing /dev/tpm0; the access broker tpm2-tabrmd is not installed, and the tpm2-tss stack used is release 2.0.0.

Any suggestion is appreciated.

BR

irtimmer commented 6 years ago

I almost forgot, but as pkcs11 allows multiple sessions in different threads, for each session a new connection to the tpm is opened beside the global connection to receive some basic information about the TPM. Therefore a resource manager is required, like abrmd or the one included in recent kernel versions (untested). Can probably be solved by adding a mutex to allow requests from different threads, but there are currently no plans to implement it.
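A small diagnostic for the failure discussed in this thread, added here as an example (it is not part of tpm2-pk11): it parses the module's key/value config format quoted above, checks whether the current user may open the device and which processes hold it, and otherwise attributes the EBUSY to the per-session connection the maintainer describes. The /proc/<pid>/fd scan and the /dev/tpmrm0 path (the Linux in-kernel resource manager device) are assumptions beyond what the thread states.

```python
import os
from pathlib import Path

# Constructed sample, same key/value format as the config quoted in this thread.
SAMPLE_CONFIG = """\
# Type can be device/socket/tabrmd
type device
hostname localhost
port 2321
device /dev/tpm0
sign-using-encrypt true
login-required false
"""

def parse_config(text):
    """Parse 'key value' lines; '#' comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def device_holders(dev, proc="/proc"):
    """PIDs holding an open fd on dev, by scanning /proc/<pid>/fd (other users' fd tables need root)."""
    pids = set()
    for p in Path(proc).glob("[0-9]*"):  # one directory per pid; yields nothing if proc is missing
        try:
            if any(os.readlink(fd) == dev for fd in (p / "fd").iterdir()):
                pids.add(int(p.name))
        except OSError:  # process exited or its fd table is not readable
            pass
    return sorted(pids)

def diagnose(conf, holders=device_holders, access=os.access):
    """Classify why Tss2_Tcti_Device_Init() reports 'Device or resource busy'."""
    if conf.get("type", "device") != "device":
        return "ok", "a resource manager (tabrmd/socket) is configured; raw-device exclusivity does not apply"
    dev = conf.get("device", "/dev/tpm0")
    if not access(dev, os.R_OK | os.W_OK):
        return "permission", f"current user cannot open {dev}; check its group and udev rules"
    pids = holders(dev)
    if pids:
        return "held", f"{dev} is already open by pid(s) {pids} (e.g. tpm2-abrmd); set type tabrmd instead"
    # Nothing else holds the device, yet the open still fails: the module opens one TPM connection
    # per PKCS#11 session beside its global one, and the raw device allows only a single opener.
    return "self", (f"{dev} is free; use a resource manager: type tabrmd with tpm2-abrmd running, "
                    "or the kernel RM device /dev/tpmrm0 (untested with this module, per the maintainer)")
```

Run `diagnose(parse_config(open("/etc/tpm2-pk11/config").read()))` as the user that runs ssh-keygen; the "held" verdict needs root to see other users' file descriptors.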

mushiwords commented 5 years ago

Restarting tpm2-abrmd solved my problem~ `service restart tpm2-abrmd`