tpm2-software / tpm2-abrmd

TPM2 Access Broker & Resource Management Daemon implementing the TCG spec.
https://github.com/tpm2-software/tpm2-abrmd
BSD 2-Clause "Simplified" License

tpm2-abrmd issues on yocto kirkstone #813

Closed Dvergatal closed 2 years ago

Dvergatal commented 2 years ago

Hi all, I have switched from yocto dunfell to kirkstone and now I am facing an issue with starting the tpm2-abrmd daemon, with such an error:

Jun 01 11:47:23 eg tpm2-abrmd[28208]: ERROR:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
Jun 01 11:47:23 eg tpm2-abrmd[28208]: init_thread_func: failed to create TCTI with conf "device:/dev/tpm0", got RC: 0xa0015
Jun 01 11:47:23 eg tpm2-abrmd[28208]: g_bus_unown_name: assertion 'owner_id > 0' failed
Jun 01 11:47:23 eg systemd[1]: tpm2-abrmd.service: Main process exited, code=exited, status=74/IOERR

The funniest thing is that with the dunfell release we have been using the same recipes which are currently in kirkstone:

and all was working correctly.

The main change is that now openssl 3.0.3 is being used.

williamcroberts commented 2 years ago
tpm2_rc_decode 0xa0015
tcti:Functionality not supported

I wonder if this is the async io issue in the kernel and I cannot recall the detail. @JuergenReppSIT or @AndreasFuchsSIT do you recall?

@Dvergatal what was the old kernel version and what is the new kernel version? Also, let's make sure it's not a permissions thing: what is the group/user/mode of /dev/tpm0 and what user is the tpm2-abrmd service running as?

Dvergatal commented 2 years ago

@williamcroberts the previous version was 5.4.58 and I have switched to 5.4.195 due to openssl api changes.

This is the group/user/mode of /dev/tpm0:

root@eg ~> ls -al /dev/tpm0
crw-rw---- 1 tss root 10, 224 Jun  1 16:20 /dev/tpm0

and this is the output of /etc/dbus-1/system.d/tpm2-abrmd.conf:

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- ../system.conf have denied everything, so we just punch some holes -->
  <policy user="tss">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy user="root">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.intel.tss2.Tabrmd"/>
    <allow receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
</busconfig>

P.S. I have also recompiled the old kernel 5.4.58 and the error is still the same.

Dvergatal commented 2 years ago

@williamcroberts I think that this might be some permissions problem, because I have the same problem with iotedge service and reading a key file:

Jun 02 07:48:18 eg iotedged[768]: 2022-06-02T07:48:17Z [ERR!] (/usr/src/debug/libiothsm-std/1.1.8-r0/iotedge-1.1.8/hsm-sys/azure-iot-hsm-c/src/hsm_utils.c:read_file_into_buffer_impl:167) Could not open file for reading /var/lib/iotedge/hsm/enc_keys/edgelet-masterWt5mT2xpO72EPKlt2Tt0Sq4uJCrMvfl2rzzKRB3pnyo_.enc.key. >

but

root@eg ~> ll /var/lib/iotedge/hsm/enc_keys/edgelet-masterWt5mT2xpO72EPKlt2Tt0Sq4uJCrMvfl2rzzKRB3pnyo_.enc.key
-rw------- 1 iotedge iotedge 32 Jun  2 07:48 /var/lib/iotedge/hsm/enc_keys/edgelet-masterWt5mT2xpO72EPKlt2Tt0Sq4uJCrMvfl2rzzKRB3pnyo_.enc.key

Dvergatal commented 2 years ago

@williamcroberts Perhaps I hurried a little with this verdict. I have turned on the logs with export TSS2_LOG=all+TRACE and to my surprise the output of the command tpm2-abrmd --allow-root is like this:

debug:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr.c:159:tctildr_conf_parse() name_conf: "device:/dev/tpm0" 
debug:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr.c:177:tctildr_conf_parse() TCTI name: "device" 
debug:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr.c:182:tctildr_conf_parse() TCTI conf: "/dev/tpm0" 
debug:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr-dl.c:299:tctildr_get_tcti() name: "device", conf: "/dev/tpm0" 
trace:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr-dl.c:136:tcti_from_file() Attempting to load TCTI file: device 
debug:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr-dl.c:92:handle_from_name() Could not load TCTI file: "device": device: cannot open shared object file: No such file or directory 
debug:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr-dl.c:107:handle_from_name() Could not load TCTI file "device": libtss2-tcti-device.so.0: cannot open shared object file: No such file or directory 
debug:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr-dl.c:120:handle_from_name() Failed to load TCTI for name "device": libtss2-tcti-device.so: cannot open shared object file: No such file or directory 
ERROR:tcti:../tpm2-tss-3.2.0/src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 

** (tpm2-abrmd:9585): CRITICAL **: 08:05:14.860: init_thread_func: failed to create TCTI with conf "device:/dev/tpm0", got RC: 0xa0015

(tpm2-abrmd:9585): GLib-GIO-CRITICAL **: 08:05:14.861: g_bus_unown_name: assertion 'owner_id > 0' failed

and of course I have verified whether I have this library, and it's not on the system.

This is a huge change because on the previous yocto I had this library and on kirkstone the bitbake returned me an ERROR: device-1.0.0-r0 do_package_write_deb: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (libtss2-mu to libtss2-mu0), (libtss2-tcti-device to libtss2-tcti-device0) and (libtss2-tcti-mssim to libtss2-tcti-mssim0).
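The trace above shows the general shape of this failure: tctildr parses the conf string into a TCTI name, tries to dlopen a library derived from that name, and reports RC 0xa0015 when none of the candidates loads. The script below is an added example (not code from tpm2-abrmd or tpm2-tss) that automates the triage the thread did by hand: it pulls the shared-object names tctildr failed to load out of a TSS2_LOG trace and checks whether they are resolvable on the host. The log excerpt is constructed to match the lines quoted above, and the library search directories are an assumption about typical Yocto and distro layouts, not anything the project defines.

```shell
#!/bin/sh
# Added example: triage "failed to create TCTI ... RC: 0xa0015" from a TSS2_LOG trace.
# Not part of tpm2-abrmd/tpm2-tss. Sample log lines below are constructed.

# Constructed excerpt in the shape of TSS2_LOG=all+TRACE output.
SAMPLE_LOG='debug:tcti:tctildr-dl.c:92:handle_from_name() Could not load TCTI file: "device": device: cannot open shared object file: No such file or directory
debug:tcti:tctildr-dl.c:107:handle_from_name() Could not load TCTI file "device": libtss2-tcti-device.so.0: cannot open shared object file: No such file or directory
debug:tcti:tctildr-dl.c:120:handle_from_name() Failed to load TCTI for name "device": libtss2-tcti-device.so: cannot open shared object file: No such file or directory
ERROR:tcti:tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI'

# Constructed trace of a healthy start, for comparison (no dlopen failures).
HEALTHY_LOG='debug:tcti:tctildr.c:177:tctildr_conf_parse() TCTI name: "device"
debug:tcti:tctildr-dl.c:299:tctildr_get_tcti() name: "device", conf: "/dev/tpm0"'

# TCTI name from an abrmd conf string such as "device:/dev/tpm0".
tcti_name_from_conf() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Space-separated, de-duplicated list of libtss2-tcti-* objects that
# tctildr reported it could not dlopen. Empty when the trace has none.
missing_tcti_libs() {
    printf '%s\n' "$1" \
        | sed -n 's/.*: \(libtss2-tcti-[^:]*\): cannot open shared object file.*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if the named shared object exists in LD_LIBRARY_PATH or the
# usual library directories (assumed layout), 1 otherwise.
tcti_lib_present() {
    lib="$1"
    for d in $(printf '%s' "${LD_LIBRARY_PATH:-}" | tr ':' ' ') \
             /usr/lib /usr/lib64 /lib /lib64 /usr/local/lib /usr/lib/*-linux-gnu*; do
        [ -e "$d/$lib" ] && return 0
    done
    return 1
}

# Put it together: print a verdict per failed library. Returns 0 when the
# trace shows no load failure (look at permissions or kernel next), 2 when
# at least one library is genuinely missing from the host.
triage() {
    conf="$1"; log="$2"
    name=$(tcti_name_from_conf "$conf")
    libs=$(missing_tcti_libs "$log")
    if [ -z "$libs" ]; then
        echo "TCTI '$name' loaded; check /dev/tpm0 ownership and the service user"
        return 0
    fi
    rc=0
    for l in $libs; do
        if tcti_lib_present "$l"; then
            echo "present: $l"
        else
            echo "missing: $l (install/RDEPENDS on the libtss2-tcti-$name package)"
            rc=2
        fi
    done
    return $rc
}

# Stand-alone run against the constructed failing trace.
if [ "${0##*/}" != "sh" ] && [ -z "${TCTI_TRIAGE_NO_MAIN:-}" ]; then
    triage "device:/dev/tpm0" "$SAMPLE_LOG"
fi
```

On the thread's system this would report both libtss2-tcti-device.so.0 and libtss2-tcti-device.so as missing, which is the image-packaging problem rather than the kernel or the /dev/tpm0 permissions first suspected.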

Dvergatal commented 2 years ago

OK, I was right :] I have added the libtss2-tcti-device dependency and now everything is working correctly :] So this is a bug in yocto itself.

williamcroberts commented 2 years ago

Glad you got it, sorry for not responding sooner I was traveling.