tpm2-software / tpm2-abrmd

TPM2 Access Broker & Resource Management Daemon implementing the TCG spec.
https://github.com/tpm2-software/tpm2-abrmd
BSD 2-Clause "Simplified" License

How to tell if tpm2-abrmd is working correctly? #432

Closed pscheie closed 6 years ago

pscheie commented 6 years ago

I've got tpm2-abrmd building in our Wind River Linux 8 build, along with the tpm2-tools and tpm2-tss packages, and that's all running on our target board that has a built-in TPM2. Using systemd (systemctl) I can start tpm2-abrmd, and it seems to run, i.e., it reports no errors, but how do I know if it's actually connecting to the TPM? When I try to run any of the tpm2 tools, e.g., tpm2_pcrlist, I get a "Failed to initialize tcti context: 0x1" error. That suggests the tools are not talking to the abrmd.

In /etc/default/tpm2-abrmd (which the systemd unit file pulls in) --tcti=device is set. If I start tpm2-abrmd by hand thusly:

sudo -u tss G_MESSAGES_DEBUG=all tpm2-abrmd

it starts and I get debug output and no errors. And when I run tpm2_pcrlist nothing appears in the debug output, suggesting tpm2_pcrlist is not actually connecting to the abrmd. What am I missing?

flihp commented 6 years ago

Can you provide some version info @pscheie? Knowing if you're working from the master branches or from a release is a big part of debugging this stuff since master has seen some significant changes especially w/r/t the TCTIs.

From what you've posted it looks like the tabrmd is working fine. The issue looks more likely to be about getting the tools to talk to it but this is just a guess w/o more data.

martinezjavier commented 6 years ago

@pscheie also as a guess, it sounds as if your tools are trying to use the device TCTI and weren't built with support for the abrmd TCTI.

Could you please execute any tool with the -v option? That should display the supported tctis in the latest versions. Also, can you try stopping tpm2-abrmd and then try executing the tools again? What I think happens is that your tools can't access the TPM because tpm2-abrmd is accessing it (the driver returns -EBUSY).

pscheie commented 6 years ago

Yes, I should have provided version numbers; sorry about the omission. tpm2-abrmd is version 1.2.0, tpm2-tools is version 3.0.3, and tpm2-tss is version 1.3.0. So, it appears abrmd is a little behind, tools is still current with, and tss is behind, the latest respective releases.

Running 'tpm2_pcrlist -v' produces 'tool="tpm2_pcrlist" version="" tctis="socket,device"', with the same result whether tpm2-abrmd is running or not.

Where can I read more about the tctis? I'm not really understanding it.

martinezjavier commented 6 years ago

Running 'tpm2_pcrlist -v' produces 'tool="tpm2_pcrlist" version="" tctis="socket,device"', with the same result whether tpm2-abrmd is running or not.

So this confirms my guess, look how you have tctis="socket,device" while you should have tctis="socket,device,tabrmd". So the problem is that your tpm2-tools need to be built after tpm2-abrmd, since tpm2-abrmd project contains the TCTI abrmd library to access the tpm2-abrmd.

pscheie commented 6 years ago

Thanks @martinezjavier. That explains why it can't talk to the abrmd. But then why can't tpm2_pcrlist talk to the TPM directly? That is, if abrmd is not running and therefore not blocking access to the TPM, shouldn't tpm2_pcrlist be able to connect directly to the TPM?

martinezjavier commented 6 years ago

@pscheie that depends whether you are running the process with a user that has access to the TPM chardev. Can you please look at the ownership and permission bits for /dev/tpm* ?

pscheie commented 6 years ago

For some reason, I have two device files: /dev/tpm0 and /dev/tpm1. I had neither until I added the tpm_tis.force=1 kernel parameter, and then both appeared. They're both owned by tss:tss, and /dev/tpm0 has permissions 666 while /dev/tpm1 has 600. I tried changing tpm1 to 666 but I still get the same 'failed to initialize tcti context: 0x1' error from tpm2_pcrlist.

pscheie commented 6 years ago

Okay, I added "DEPENDS += tpm-abrmd" to my bbappend file for tpm2-tools, and now 'tpm2_pcrlist -v' shows "tctis="tabrmd,socket,device". Better yet, tpm2_pcrlist works, displaying all the PCRs as it should. Thanks everyone.

@flihp, should that dependency be included in the bb recipe for tpm2-tools on openembedded? Strictly speaking, I suppose it's not necessary; but it seems like its absence could/would be a problem.
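A small POSIX shell diagnostic that encodes the reasoning of this thread, added here as an example and not part of tpm2-tools, tpm2-abrmd or meta-measured: it parses the `-v` output quoted above for the TCTI list and maps the two observations (tabrmd listed or not, daemon active or not) to the next step the maintainers suggested. The `--live` mode, the `active`/`inactive` argument convention and the `systemctl is-active tpm2-abrmd` check are assumptions.

```shell
#!/bin/sh
# Constructed diagnostic helper (assumed names; not from the tpm2 projects).

# tctis_from_version: extract the comma-separated TCTI list from the output
# of "<tool> -v", e.g.  tool="tpm2_pcrlist" version="" tctis="socket,device"
tctis_from_version() {
    printf '%s\n' "$1" | sed -n 's/.*tctis="\([^"]*\)".*/\1/p'
}

# has_tcti LIST NAME: succeed if NAME is one entry of the comma-separated LIST
has_tcti() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# diagnose VERSION_OUTPUT DAEMON_STATE: print one code word.
#   rebuild-tools      tools lack the tabrmd TCTI while the daemon holds the
#                      device (driver returns -EBUSY): rebuild tpm2-tools after
#                      tpm2-abrmd, or stop the daemon
#   check-device-perms no tabrmd TCTI and no daemon, so the device TCTI is
#                      used directly: check ownership/mode of /dev/tpm*
#   start-abrmd        tools can use tabrmd but the daemon is not running
#   ok                 tabrmd TCTI present and daemon active
diagnose() {
    list=$(tctis_from_version "$1")
    if ! has_tcti "$list" tabrmd; then
        if [ "$2" = active ]; then echo rebuild-tools; else echo check-device-perms; fi
    elif [ "$2" != active ]; then
        echo start-abrmd
    else
        echo ok
    fi
}

# Live mode (assumed): query the real tool and systemd on this host.
live_check() {
    ver=$(tpm2_pcrlist -v 2>&1)
    state=$(systemctl is-active tpm2-abrmd 2>/dev/null || echo inactive)
    echo "tctis: $(tctis_from_version "$ver") / tpm2-abrmd: $state"
    echo "next step: $(diagnose "$ver" "$state")"
    ls -l /dev/tpm* 2>/dev/null   # owner/mode, as asked for in the thread
}

# Constructed sample: the exact line the reporter posted, daemon running.
SAMPLE='tool="tpm2_pcrlist" version="" tctis="socket,device"'
[ "${1:-}" = "--live" ] && live_check
```

Run with `--live` on the target board; without arguments the functions are only defined, which is what makes the sample line usable as a self-test.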

martinezjavier commented 6 years ago

@pscheie glad that you sorted it out. And yes, I think that dependency should be in the Bitbake recipe.

martinezjavier commented 6 years ago

@pscheie BTW, could you please close the issue since it was a problem with your build environment. In any case, you may file an issue in https://github.com/flihp/meta-measured for the dependency in the recipe.

pscheie commented 6 years ago

@martinezjavier Will do.

flihp commented 6 years ago

This got fixed in meta-measured master branch. Didn't get pulled into any of the release branches though. Will take this up in https://github.com/flihp/meta-measured/issues/71