stefanberger / swtpm

Libtpms-based TPM emulator with socket, character device, and Linux CUSE interface.

Could not create EK certificate locally on Ubuntu 22.04 #705

Closed eemax closed 2 years ago

eemax commented 2 years ago

Could not create EK certificate locally on Ubuntu 22.04. Recreated by trying to create a new VM in QEMU/KVM.

Desktop:

Versions of relevant components

Log files

Starting vTPM manufacturing as swtpm:swtpm @ Sat 11 Jun 2022 09:17:06 PM CEST
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/bin/swtpm_localca --type ek --ek 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 --dir /tmp/swtpm_setup.certs.J7BXN1 --logfile /var/log/swtpm/libvirt/qemu/win10-swtpm.log --vmid win10:3bafd8b8-1f0e-41f2-b386-2dd0c7bbb26c --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Could not create EK certificate locally
Could not import signing key : The requested data were not available.

swtpm_localca exit with status 1: 
An error occurred. Authoring the TPM state failed.
Error getting next filename: No child processes
Ending vTPM manufacturing @ Sat 11 Jun 2022 09:17:06 PM CEST

stefanberger commented 2 years ago

I cannot recreate the issue. Please check.

root@5879f2f5bd18:/# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04 LTS"

root@32e0feeb6875:/swtpm# dpkg --list | grep openssl
ii  libgnutls-openssl27:amd64   3.7.3-4ubuntu1                          amd64        GNU TLS library - OpenSSL wrapper
ii  openssl                     3.0.2-0ubuntu1.2                        amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  python3-openssl             21.0.0-1                                all          Python 3 wrapper around the OpenSSL library

root@32e0feeb6875:/swtpm# dpkg --list | grep gnutls
ii  gnutls-bin                  3.7.3-4ubuntu1                          amd64        GNU TLS library - commandline utilities
ii  libcurl3-gnutls:amd64       7.81.0-1ubuntu1.2                       amd64        easy-to-use client-side URL transfer library (GnuTLS flavour)
ii  libgnutls-dane0:amd64       3.7.3-4ubuntu1                          amd64        GNU TLS library - DANE security support
ii  libgnutls-openssl27:amd64   3.7.3-4ubuntu1                          amd64        GNU TLS library - OpenSSL wrapper
ii  libgnutls28-dev:amd64       3.7.3-4ubuntu1                          amd64        GNU TLS library - development files
ii  libgnutls30:amd64           3.7.3-4ubuntu1                          amd64        GNU TLS library - main runtime library
ii  libgnutlsxx28:amd64         3.7.3-4ubuntu1                          amd64        GNU TLS library - C++ runtime library

root@32e0feeb6875:/swtpm# swtpm --version
TPM emulator version 0.7.3, Copyright (c) 2014-2021 IBM Corp.

root@32e0feeb6875:/swtpm# swtpm_setup --tpmstate . --tpm2 --create-ek-cert --create-platform-cert
Starting vTPM manufacturing as root:root @ Sun 12 Jun 2022 03:12:40 AM UTC
TPM is listening on Unix socket.
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/bin/swtpm_localca --type ek --ek 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 --dir /tmp/swtpm_setup.certs.6S0GN1 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
swtpm_localca: Successfully created EK certificate locally.
  Invoking /usr/bin/swtpm_localca --type platform --ek 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 --dir /tmp/swtpm_setup.certs.6S0GN1 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
swtpm_localca: Successfully created platform certificate locally.
Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
Successfully created NVRAM area 0x1c08000 for platform certificate.
Successfully created ECC EK with handle 0x81010016.
  Invoking /usr/bin/swtpm_localca --type ek --ek x=d0ba3ebf3210631877edc47b9e6f574198cee84291fc70c96eacd817a588b57a161e7bfc6893cce6fa087ebd14f65b7b,y=2432984c3316da5cc741f6d504d58d45fd4b7d10057c0b391dc38b9937c001ad626b5352be35829635cb86f2927de43b,id=secp384r1 --dir /tmp/swtpm_setup.certs.6S0GN1 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
swtpm_localca: Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Sun 12 Jun 2022 03:12:40 AM UTC

root@e4008f96479b:/swtpm# ls -l /var/lib/swtpm-localca/
total 28
-rw-r--r--. 1 root root    1 Jun 12 02:49 certserial
-rw-r--r--. 1 root root 1505 Jun 12 02:49 issuercert.pem
-rw-r-----. 1 root root 8177 Jun 12 02:49 signkey.pem
-rw-r--r--. 1 root root 1468 Jun 12 02:49 swtpm-localca-rootca-cert.pem
-rw-r-----. 1 root root 8170 Jun 12 02:49 swtpm-localca-rootca-privkey.pem

root@e4008f96479b:/swtpm# make check -j32
Making check in include
[...]
============================================================================
Testsuite summary for swtpm 0.7.3
============================================================================
# TOTAL: 69
# PASS:  57
# SKIP:  12
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================

eemax commented 2 years ago

Something was messed up with my system. Reinstalling the OS fixed it.