TPM2 luks-seal, out of memory for object contexts

[sourceXORapprentice]

Dell Optiplex 5050 with TPM2 is providing this TPM error "out of memory for object contexts" at luks-seal. Not sure what could be wrong or where to turn, did a TPM clear prior to running it. Any suggestions on troubleshooting commands?

It seems like the TPM is available:

[osresearch]

that's unfortunate. we are making assumptions about how many resources are available for the various TPM operations and seem to have guessed wrongly. we do a tpm2_flushall just before the sealing: https://github.com/osresearch/safeboot/blob/master/sbin/safeboot#L722

maybe we need an additional one between the tpm2 create and tpm2 load at https://github.com/osresearch/safeboot/blob/master/sbin/safeboot#L741

[sourceXORapprentice]

Interesting that sounds likely, hopefully the TPM on this machine isn't too limited. Was also wondering if there's a means to provision more memory to the TPM but don't know where to look if it's set by the kernel, a driver, the firmware, or a hardware limitation. Dell also originally released this machine with TPM1.2 but then upgraded it to TPM2 so there may be implementation limitations. I will be away from the machine a few days but will try patching it there with a tpm2_flushall and report back.

[osresearch]

Unfortunately it it is a hardware constraint, not something that the kernel or firmware can allocate more memory for. The TCG allows tpm2 to have very limited memory and their idea is that there is a kernel resource allocator that handles freeing resources. We're running in a raw mode, which means we have to keep track of how many things are available (I'm not sure if we even have a way to query it), and as a result sometimes run into this sort of issue.

[sourceXORapprentice]

Thanks! That ran as expected, no more TPM errors. PR #160 for it. I tested using the umbernhard fork with fixes in PR #151 because I couldn't seem to get the current master branch working due to #153.