tpm2-software / tpm2-openssl

OpenSSL Provider for TPM2 integration
BSD 3-Clause "New" or "Revised" License

Need help ->TPM out of memory for object contexts problem after porting test from engine(openssl_1.1.1) to providers(openssl3.0.2) tpm2-openssl #116

Open CDBAILLY opened 4 months ago

CDBAILLY commented 4 months ago

I am using TPM through Engine for openssl_1.1.1w

Hi team, we work in an Ubuntu 20.04 environment, where we installed the following packages:

tpm2-tss-3.2.0.tar.gz tpm2-abrmd-2.4.1.tar.gz tpm2-tools-5.3.tar.gz tpm2-tss-engine-1.1.0.tar.gz

we make a lot of tests during which

All works fine

We ported our application on ubuntu 22.04 with openssl 3.0:

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

This time we use providers and installed the following packages:

tpm2-tss-4.0.1.tar.gz tpm2-abrmd-3.0.0.tar.gz tpm2-tools-5.5.tar.gz tpm2-openssl version 1.2.0

we do exactly the same tests

this works until a certain point after some tests :

[8823.180][52509]:[INFO ]**** TEST 95 [8823.180][52509]:[INFO ] [CPPTest]: ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7345[CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7345 [CPPTest]: Assert OK

[8823.180][52509]:[INFO ] Asked = CS_KEYPAIR_TPM : Result = CS_KEYPAIR_TPM return message Operation successful RSA GEN INIT rsa 3 RSA GEN_SET_PARAMS [ bits ] RSA GEN 2048 bits RSA GEN parent: primary 0x40000001 RSA GET_PARAMS [ bits security-bits max-size ] RSA CLEANUP ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x87 ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x87 ENCODER rsa pkcs1/der DOES_SELECTION 0x87 ENCODER rsa pkcs1/der DOES_SELECTION 0x87 ENCODER rsa pkcs1/der DOES_SELECTION 0x87 ENCODER rsa pkcs1/der DOES_SELECTION 0x87 ENCODER rsa pkcs1/pem DOES_SELECTION 0x87 ENCODER rsa pkcs1/pem DOES_SELECTION 0x87 ENCODER rsa pkcs1/pem DOES_SELECTION 0x87 ENCODER rsa pkcs1/pem DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87 ENCODER tss PrivateKeyInfo/pem ENCODE 0x87 DER DECODER DECODE TSS2 DECODER DECODE 0x87 TSS2 DECODER LOAD parent: primary 0x40000001 TSS2 DECODER DECODE 0x87 TSS2 DECODER LOAD parent: primary 0x40000001 TSS2 DECODER DECODE found RSA RSA LOAD RSA GET_PARAMS [ bits security-bits max-size ] RSA HAS 87 ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86 ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86 ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86 ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86 ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86 ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86 ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86 ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86 ENCODER rsa pkcs1/der DOES_SELECTION 0x86 ENCODER rsa pkcs1/pem DOES_SELECTION 0x86 ENCODER rsa SubjectPublicKeyInfo/der 
DOES_SELECTION 0x86 ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x86 ENCODER rsa SubjectPublicKeyInfo/der ENCODE 0x86 RSA EXPORT 87 SIGN DIGEST_INIT rsa MD=SHA2-256 SIGN GET_CTX_PARAMS [ algorithm-id ] SIGN DIGEST_SIGN estimate SIGN DIGEST_SIGN RSA FREE

[8826.780][52509]:[INFO ]The { cn = myMagnificientSAN1,c = CN,o = Shanghai,ou = =SE=,sn = 012345678910 } certificate has been successfully generated and added to the store as internal certificate [8826.780][52509]:[INFO ] [CPPTest] Operation successful : ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7360 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7360 [CPPTest]: Operation successful Assert OK

DER DECODER DECODE TSS2 DECODER DECODE 0x87 TSS2 DECODER LOAD parent: primary 0x40000001 TSS2 DECODER DECODE 0x87 TSS2 DECODER LOAD parent: primary 0x40000001 TSS2 DECODER DECODE found RSA RSA LOAD RSA GET_PARAMS [ bits security-bits max-size ] RSA HAS 87

[8828.610][52509]:[INFO ] [CPPTest] Operation successful : ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7361 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7361 [CPPTest]: Operation successful Assert OK

[8828.610][52509]:[INFO ] [CPPTest] Operation successful : ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7362 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7362 [CPPTest]: Operation successful Assert OK

[8828.610][52509]:[INFO ] [CPPTest] src cs_certmgt_get_keyPairType : ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7366 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7366 [CPPTest]: src cs_certmgt_get_keyPairType Assert OK

RSA GEN INIT rsa 3 RSA GEN_SET_PARAMS [ bits ] RSA GEN 2048 bits RSA GEN parent: primary 0x40000001 RSA GET_PARAMS [ bits security-bits max-size ] RSA CLEANUP ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x87 ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x87 ENCODER rsa pkcs1/der DOES_SELECTION 0x87 ENCODER rsa pkcs1/der DOES_SELECTION 0x87 ENCODER rsa pkcs1/der DOES_SELECTION 0x87 ENCODER rsa pkcs1/der DOES_SELECTION 0x87 ENCODER rsa pkcs1/pem DOES_SELECTION 0x87 ENCODER rsa pkcs1/pem DOES_SELECTION 0x87 ENCODER rsa pkcs1/pem DOES_SELECTION 0x87 ENCODER rsa pkcs1/pem DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87 ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87  0x87 ENCODER tss PrivateKeyInfo/pem ENCODE 0x87 DER DECODER DECODE TSS2 DECODER DECODE 0x87 TSS2 DECODER LOAD parent: primary 0x40000001
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000b0902)
TSS2 DECODER DECODE 0x87 TSS2 DECODER LOAD parent: primary 0x40000001
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000b0902)
TSS2 DECODER DECODE found (null)

[8830.640][52509]:[ERROR]TPM2TSS_R_CANNOT_MAKE_KEY in /home/tpm/GIT/cs-brick/libs/cryptoAl/ptf/gnu/linux/cryptoAl_openssl/../../../../src/cryptoAl_openssl/cs_cryptoAl_openssl.c at line 6486
[8830.640][52509]:[ERROR]CHECK_PARAM failed in function cs_tlsal_genCertFromKeypair (../../../../../src/tlsal/cs_crypto_tlsal.c:826) for parameter: keyCtx->kctx

[8830.640][52509]:[ERROR]newRemainingTpmKPSlots incorrect at 6239 in cs_openssl_cryptoAl_set_remainingTpmKPSlots
[8830.640][52509]:[INFO ] [CPPTest] Certificate file creation failed : ASSERT Failed in test_cs_certmgt_intCert_start_end_enroll at line 7379 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7379 [CPPTest]: Certificate file creation failed Assert Failed

According to tpm2_rc_decode it seems related to memory :

tpm@tpm-ossl3:~ tpm2_rc_decode 0x000b0902
rmt:warn(2.0): out of memory for object contexts
tpm@tpm-ossl3:~$

I don't understand why we do not have the same problem with engines, as the tests are exactly the same and we don't use any flush function. EVP_KEY objects are destroyed after the signing process.

What am I missing? Thanks for your help
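How the `ErrorCode (0x000b0902)` in the ESYS log lines maps to the `tpm2_rc_decode` result quoted in the post, as an added example that is not part of the original post or of the tpm2-openssl code. The function names and `SAMPLE_LINE` are illustrative, and treating layer 11 as TPM-format follows the `rmt:warn(2.0)` output shown in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: one of the Esys_Load lines quoted in the issue. */
static const char SAMPLE_LINE[] =
    "ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() "
    "Esys Finish ErrorCode (0x000b0902)";

/* Return the first "ErrorCode (0x...)" value in a log line, or 0 if none. */
uint32_t rc_from_log(const char *line)
{
    const char *p = strstr(line, "ErrorCode (0x");
    return p ? (uint32_t)strtoul(p + strlen("ErrorCode ("), NULL, 16) : 0;
}

/* Bits 23:16 name the component that reported the code. */
unsigned rc_layer(uint32_t rc) { return (rc >> 16) & 0xff; }

/* Format-zero code (bit 7 clear) of TPM 2.0 (bit 8) with the severity bit
 * (bit 11) set: a warning rather than an error. */
int rc_is_warning(uint32_t rc) { return !(rc & 0x080) && (rc & 0x100) && (rc & 0x800); }

/* Resource-exhaustion warnings of TPM 2.0, wording abbreviated. Layer 0 is the
 * TPM itself; layer 11 is the one tpm2_rc_decode labels "rmt" in the issue. */
const char *rc_warning_text(uint32_t rc)
{
    static const char *const text[] = {
        [2] = "out of memory for object contexts",
        [3] = "out of memory for session contexts",
        [4] = "out of shared object/session memory",
        [5] = "out of session handles",
        [6] = "out of object handles",
    };
    unsigned n = rc & 0x07f; /* bits 6:0: warning number */
    if ((rc_layer(rc) != 0 && rc_layer(rc) != 11) || !rc_is_warning(rc) ||
        n >= sizeof text / sizeof text[0] || !text[n])
        return "not a TPM resource warning";
    return text[n];
}

int main(void)
{
    uint32_t rc = rc_from_log(SAMPLE_LINE);
    printf("0x%08x layer=%u: %s\n", (unsigned)rc, rc_layer(rc), rc_warning_text(rc));
    return 0;
}
```

Run over a full test log, the same scan separates object-context exhaustion from session-context or handle exhaustion, which call for different checks of what is still loaded in the TPM.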

gotthardp commented 1 month ago

Are you using the resource manager? See https://github.com/tpm2-software/tpm2-openssl/tree/master#limited-resources If not, please try using the tpm2-abrmd.

CDBAILLY commented 1 month ago

Hi Petr,

the install process on ubuntu22 is the following :
1 : tpm2-tss-4.0.1.tar.gz
2 : tpm2-abrmd-3.0.0.tar.gz <- so yes it is installed
3 : tpm2-tools-5.5.tar.gz
4 : ibmtpm1682.tar.gz <- simu
5 : git clone https://github.com/tpm2-software/tpm2-openssl

cd tpm2-openssl

git checkout 1.2.0 etc..

I attached the complete install scripts on an Ubuntu 22.04 server: TPMInstall22.04.04LTS.zip

Thanks for your help,

Cyril