tpm2-software / tpm2-abrmd

TPM2 Access Broker & Resource Management Daemon implementing the TCG spec.
https://github.com/tpm2-software/tpm2-abrmd
BSD 2-Clause "Simplified" License

tools cannot connect to abrmd #764

Open kgold2 opened 3 years ago

kgold2 commented 3 years ago

I suspect I'm missing some install step.

The dbus-send DBus.ListNames returns string "com.intel.tss2.Tabrmd" The Introspect returns

These look OK.

I set TPM2TOOLS_TCTI "tabrmd:bus_name=com.intel.tss2.Tabrmd"

But every command returns:

(process:631): CRITICAL : 15:09:37.628: CreateConnection expected to return 1 handles, received 2
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for function 0x7f3210d0be30 failed with a0001
WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not initialize TCTI named: tcti-abrmd
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd"

If I kill abrmd and use this, the tools work. TPM2TOOLS_TCTI "mssim:host=localhost,port=2321"

williamcroberts commented 3 years ago

> I suspect I'm missing some install step.
>
> The dbus-send DBus.ListNames returns string "com.intel.tss2.Tabrmd" The Introspect returns
>
> These look OK.
>
> I set TPM2TOOLS_TCTI "tabrmd:bus_name=com.intel.tss2.Tabrmd"

You can just set that tabrmd, since bus_name is the default.

> But every command returns:
>
> (process:631): CRITICAL : 15:09:37.628: CreateConnection expected to return 1 handles, received 2
> WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for function 0x7f3210d0be30 failed with a0001
> WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not initialize TCTI named: tcti-abrmd
> ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd
> ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
> ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd"

I've never seen this... I have no definitive idea.

I'm assuming you're starting the service up manually, which is why you had to poke holes in the dbus config. Make sure systemd didn't fire up another instance of the service:

systemctl status tpm2-abrmd.service

If you see it running, perhaps stop and disable the systemd service:

systemctl stop tpm2-abrmd.service
systemctl disable tpm2-abrmd.service

But I'm no systemd, dbus, tpm2-abrmd expert.

> If I kill abrmd and use this, the tools work. TPM2TOOLS_TCTI "mssim:host=localhost,port=2321"

That's good, you can still just set this to "mssim"

kgold2 commented 3 years ago
  1. Using setenv TPM2TOOLS_TCTI "tabrmd" gives the same result.
  2. systemctl status tpm2-abrmd.service fails with: Failed to connect to bus: Host is down. I guess that's good.
  3. service --status-all shows [ - ] tpm2-abrmd, the - meaning it's not running. I suppose that's also good.

Although there may also be dbus issues, my reading of the error message says that the tool doesn't even know how to use abrmd, that it cannot find the TCTI plug in. It does say:

ERROR: Could not load tcti, got: "tabrmd"

So, where are these tcti's. How do they get installed, and how do the tools find them. It could be something as simple as a failure installing the piece of the tss, tools, or abrmd that has the tcti.

What does this mean? What's the file, where is it, what's its name, how do I see if it's there?

ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd

williamcroberts commented 3 years ago

So the issue here isn't that it's not finding and loading the TCTI, because if that didn't happen you wouldn't see this error:

** (process:631): CRITICAL **: 15:09:37.628: CreateConnection expected to return 1 handles, received 2

You can try:

export G_DEBUG=all

Before running tpm2-abrmd.

When trying to find libraries, package config is your friend here:

pkg-config --list-all | grep tss2
tss2-rc                        tss2-rc - TPM2 error decoding library.
tss2-tcti-device               tss2-tcti-device - TCTI library for communicating with a TPM device node.
tss2-fapi                      tss2-fapi - TPM2 Feature API library.
tss2-tcti-mssim                tss2-tcti-mssim - TCTI library for communicating with the Microsoft TPM2 simulator.
tss2-tcti-tabrmd               tss2-tcti-tabrmd - TCTI library for communicating with the TPM2 access broker / resource manager daemon (tabrmd).
tss2-tcti-pcap                 tss2-tcti-pcap - TCTI library for debugging at the TCTI interface.
tss2-tctildr                   tss2-tctildr - Library to simplify management of TCTIs.
tss2-mu                        tss2-mu - TPM2 type marshaling and unmarshaling library.
tss2-sys                       tss2-sys - TPM2 System API library.
tss2-tcti-swtpm                tss2-tcti-swtpm - TCTI library for communicating with swtpm.
tss2-tcti-cmd                  tss2-tcti-cmd - TCTI library for communicating with a subproccess that can communicate with the TPM.
tss2-esys                      tss2-esys - TPM2 Enhanced System API library.

Then you can do things like:

pkg-config --libs-only-L tss2-tcti-tabrmd
-L/usr/local/lib

ls /usr/local/lib | grep tss2-tcti-tabrmd
libtss2-tcti-tabrmd.a
libtss2-tcti-tabrmd.la
libtss2-tcti-tabrmd.so
libtss2-tcti-tabrmd.so.0
libtss2-tcti-tabrmd.so.0.0.0

WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for function 0x7f3210d0be30 failed with a0001
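
The `a0001` in the tctildr warning above is a TSS2_RC: layer 10 (TCTI) in bits 16-23 and base code 1 (general failure) in the low 16 bits. The following is an added example, not from this thread or the tpm2-tss project, that decodes such values from tool output; the function names are this example's own, the sample log is copied from this issue, and the layer and code tables are a subset of those in `tss2_common.h`.

```shell
# Added example, not tpm2-tss code: decode "failed with <hex>" from tctildr logs.
# Constructed sample: log lines copied from this thread.
SAMPLE_LOG='(process:631): CRITICAL : 15:09:37.628: CreateConnection expected to return 1 handles, received 2
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for function 0x7f3210d0be30 failed with a0001
ERROR: Could not load tcti, got: "tabrmd"'

# Print the first hex return code that follows "failed with", if any.
extract_rc() {
    printf '%s\n' "$1" |
        sed -n 's/.*failed with \([0-9a-fA-F][0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Map a TSS2_RC (hex, no 0x prefix) to "LAYER:CODE".
decode_tss2_rc() {
    rc=$((0x$1))
    layer=$(( (rc >> 16) & 0xff ))
    code=$(( rc & 0xffff ))
    case $layer in
        0) lname=TPM ;;  6) lname=FAPI ;;  7) lname=ESAPI ;;  8) lname=SYS ;;
        9) lname=MU ;;  10) lname=TCTI ;; 11) lname=RESMGR ;; 12) lname=RESMGR_TPM ;;
        *) lname="LAYER_$layer" ;;
    esac
    # TPM-layer codes use the TPM's own format, so they are printed raw.
    cname=$(printf '0x%x' "$code")
    if [ "$layer" -ne 0 ]; then
        case $code in
            1) cname=GENERAL_FAILURE ;;  2) cname=NOT_IMPLEMENTED ;;
            3) cname=BAD_CONTEXT ;;      4) cname=ABI_MISMATCH ;;
            5) cname=BAD_REFERENCE ;;    6) cname=INSUFFICIENT_BUFFER ;;
            7) cname=BAD_SEQUENCE ;;     8) cname=NO_CONNECTION ;;
            9) cname=TRY_AGAIN ;;       10) cname=IO_ERROR ;;
        esac
    fi
    printf '%s:%s\n' "$lname" "$cname"
}

# Decode the rc and note whether the tabrmd TCTI's own message is present,
# which means the library was found and its connect code ran.
triage() {
    hex=$(extract_rc "$1")
    [ -n "$hex" ] || { echo "no-rc-found"; return 1; }
    out=$(decode_tss2_rc "$hex")
    if printf '%s\n' "$1" | grep -q 'CreateConnection expected to return'; then
        out="$out tabrmd-tcti-loaded"
    fi
    echo "$out"
}

triage "$SAMPLE_LOG"
```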

williamcroberts commented 3 years ago

@kgold2 have you looked at this ticket:

Seems to be a similar issue. That bug shows that if:

ps -C tpm2-abrmd
PID TTY TIME CMD
6019 ? 00:00:00 tpm2-abrmd

Shows a question mark for the TTY, it ends up in this situation.

williamcroberts commented 3 years ago

@kgold as a last resort try this patch:

diff --git a/src/tcti-tabrmd.c b/src/tcti-tabrmd.c
index d96709e42e64..0a0e2c807589 100644
--- a/src/tcti-tabrmd.c
+++ b/src/tcti-tabrmd.c
@@ -558,10 +558,8 @@ tcti_tabrmd_connect (TSS2_TCTI_CONTEXT *context)
     }
     gint num_handles = g_unix_fd_list_get_length (fd_list);
     if (num_handles != 1) {
-        g_critical ("CreateConnection expected to return 1 handles, received %d",
+        g_warning ("CreateConnection expected to return 1 handles, received %d",
                     num_handles);
-        rc = TSS2_TCTI_RC_GENERAL_FAILURE;
-        goto out;
     }
     gint fd = g_unix_fd_list_get (fd_list, 0, &error);
     if (fd == -1) {
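
Review bot: With `rc = TSS2_TCTI_RC_GENERAL_FAILURE;` and `goto out;` removed from the `num_handles != 1` branch, a reply with `num_handles == 0` is no longer rejected there either, and the code goes on to call `g_unix_fd_list_get (fd_list, 0, &error)` on an empty list, relying on the following `fd == -1` test to catch it. If extra descriptors are to be tolerated while debugging, keep the failure path for `num_handles < 1` and downgrade to a warning only for `num_handles > 1`. Accepting a CreateConnection reply with an unexpected descriptor count also hides whatever is producing the second descriptor, so the warning text should state that descriptor 0 is used and the rest are ignored. Style: the continuation line `num_handles);` is still aligned for `g_critical (` and is now one column off.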

If we got one fd, who cares if we got another :-p

kgold2 commented 3 years ago

> @kgold2 have you looked at this ticket:
>
> * #542
>
> Seems to be a similar issue. That bug shows that if:
>
> ps -C tpm2-abrmd
> PID TTY TIME CMD
> 6019 ? 00:00:00 tpm2-abrmd
>
> Shows a question mark for the TTY, it ends up in this situation.

kgold2 commented 3 years ago

I took a quick look at the ticket. It appears that it aged out with no solution.

kgold2 commented 3 years ago

> You can try:
>
> export G_DEBUG=all

When I try this it gets a Trace/BPT trap (core dumped). Evidently tracing is doing far more than printf to stdout.

williamcroberts commented 3 years ago

Hrm, weird. That's underpinned by GnuLib's debugging framework, perhaps it's attempting to provide formatted output on something that's null. I.e. printf("%s\n", NULL); is fine on glibc, but fails on others.

kgold2 commented 3 years ago
 gint num_handles = g_unix_fd_list_get_length (fd_list);
 if (num_handles != 1) {
  • g_critical ("CreateConnection expected to return 1 handles, received %d",
  • g_warning ("CreateConnection expected to return 1 handles, received %d", num_handles);
  • rc = TSS2_TCTI_RC_GENERAL_FAILURE;
  • goto out; }

This seems to have 'fixed' it. I was still getting the warning, so I commented that out as well.

williamcroberts commented 3 years ago

Oh did you apply my patch and it's segfaulting? I never tested that patch, I can't replicate your issue, do you get any output before it segfaults?

FYI I'll be carving some time out to try this on WSL and see if I can sort it out.