tpm2-software / tpm2-pkcs11

A PKCS#11 interface for TPM2 hardware
https://tpm2-software.github.io

Error while run the tpm2_tools.py #475

Closed Darsh-Dev closed 4 years ago

Darsh-Dev commented 4 years ago

Hi,

I am facing an issue with these versions of the TPM software packages:

Packages Version
tpm-quote-tools 1.0.4-r0
tpm-tools 1.3.9.1-r0
tpm-tools-native 1.3.9.1-r0
tpm2-abrmd 2.3.0-r0
tpm2-abrmd-native 2.3.0-r0
tpm2-pkcs11 1.1.0-r0
tpm2-tools 4.1.1-r0
tpm2-totp 0.9.9-r0
tpm2-tss 2.3.2-r0
tpm2-tss-engine 1.0.1-r0
Python 3.7
libp11 1.1.0

Issue with the resource manager D-Bus connection:

```
./tpm2_ptool.py init --path=/opt/tpm2-pkcs11/
```

Error logs:

```
Traceback (most recent call last):
  File "/opt/tpm2-pkcs11/tools/tpm2_pkcs11/commandlets_store.py", line 86, in __call__
    ctx = tpm2.createprimary(ownerauth, pobjauth)
  File "/opt/tpm2-pkcs11/tools/tpm2_pkcs11/tpm2.py", line 33, in createprimary
    stderr)
RuntimeError: Could not execute tpm2_createprimary: b'\n (process:22876): CRITICAL : 14:25:39.293: failed to allocate dbus proxy object: Error calling StartServiceByName for com.'
```

PeterHuewe commented 4 years ago

Do other simple commands like `tpm2_getrandom` work?

```
dbus-send --system --dest=org.freedesktop.DBus --type=method_call \
    --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
```

should list something like `com.intel.tss2.Tabrmd`.

Darsh-Dev commented 4 years ago

@PeterHuewe `tpm2_getrandom` was not working.

We are following the steps as mentioned in https://aws.amazon.com/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/.

We have a Yocto-based Linux platform (meta-security layer). We are changing the TPM2 package revision and following the steps. We are again facing some challenges with tpm2_tools.py. After a few modifications in the script, we are able to run it successfully.

```
./tpm2_ptool.py init --pobj-pin=123456 --path=/opt/tpm2-pkcs11/
Created a primary object of id: 1
```

```
./tpm2_ptool.py addtoken --pid=1 --pobj-pin=123456 --sopin=123456 --userpin=123456 --label=greengrass --path=/opt/tpm2-pkcs11/
auto-detecting TPM encryptdecrypt interface for wrapping key usage
Using "Software" based object authorization protections
Created token label: greengrass
```

```
./tpm2_ptool.py addkey --algorithm=rsa2048 --label=greengrass --userpin=123456 --key-label=greenkey --path=/opt/tpm2-pkcs11/
Added key as label: "greenkey"
```

Next steps: `p11-kit list-modules`

```
root@stm32mp1-av96:~/tpm2-pkcs11/tools# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
root@stm32mp1-av96:~/tpm2-pkcs11/tools#
```

```
root@stm32mp1-av96:~/tpm2-pkcs11/tools# p11tool --list-token-urls
root@stm32mp1-av96:~/tpm2-pkcs11/tools#
```

No token, no URLs.

PeterHuewe commented 4 years ago

If even `tpm2_getrandom` is not working your problems are 'somewhere' and more severe.

My guess is that the abrmd is not running correctly. As indicated above, try to figure it out using:

```
dbus-send --system --dest=org.freedesktop.DBus --type=method_call \
    --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
```

It should list something like `com.intel.tss2.Tabrmd`.

If not, please try to start the abrmd first and try again.

Darsh-Dev commented 4 years ago

After following the AWS-suggested steps, we have not modified the tpm2_tool.py file. However, we are not getting the module list and token URL as mentioned above.

FYI:

```
root@stm32mp1-av96:~# dbus-send --system --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
method return time=1586413799.513221 sender=org.freedesktop.DBus -> destination=:1.14 serial=3 reply_serial=2
   array [
      string "org.freedesktop.DBus"
      string ":1.7"
      string "org.freedesktop.login1"
      string ":1.8"
      string "org.freedesktop.timesync1"
      string ":1.9"
      string "org.freedesktop.systemd1"
      string "org.freedesktop.Avahi"
      string "org.bluez"
      string ":1.12"
      string ":1.0"
      string ":1.14"
      string ":1.1"
      string "org.pulseaudio.Server"
      string "org.freedesktop.network1"
      string ":1.2"
      string ":1.3"
      string "org.freedesktop.resolve1"
      string ":1.4"
      string ":1.5"
      string "com.intel.tss2.Tabrmd"
      string ":1.6"
   ]
root@stm32mp1-av96:~#
```

[Note: We have connected the Tresor Mezzanine with Avenger96 board ]

PeterHuewe commented 4 years ago

Hi, so the tabrmd is running, great! Does `tpm2_getrandom` work now? If not, `TSS2_LOG=all+TRACE tpm2_getrandom` might help to debug the issue.

Darsh-Dev commented 4 years ago

It's also working fine.

```
root@stm32mp1-av96:~# tpm2_getrandom 4
0x56 0xCB 0x0C 0xE3
```

PeterHuewe commented 4 years ago

Okay, great - progress! :)

Does `ls -lah /usr/lib/*/pkcs11/` list the `libtpm2_pkcs11.so`? If not, try placing a symlink there. Is there a `tpm2_pkcs11.module` file under `/usr/share/p11-kit/modules/`?

Darsh-Dev commented 4 years ago

Not able to find `libtpm2_pkcs11.so`.

Also not able to find the `tpm2_pkcs11.module`.

PeterHuewe commented 4 years ago

Then it seems to be not properly installed, which explains why it is not listed as a token or URL. Is it maybe installed under `/usr/local/` or something?

Maybe try `find / -name 'libtpm2_pkcs11.so'` to see whether it exists at all.

Darsh-Dev commented 4 years ago

`libtpm2_pkcs11.so` not found.

Tried with `find / -name 'libtpm2_pkcs11.so'`.

Ohh, it's there.

PeterHuewe commented 4 years ago

Hi, then try a symlink into `/usr/lib/arm-linux-gnueabihf/pkcs11/` as `libtpm2_pkcs11.so` and add a module file at `/usr/share/p11-kit/modules/tpm2_pkcs11.module` with the content

```
module: libtpm2_pkcs11.so
critical: no
```

The reason why this symlink and module file were not created is most probably that p11-kit was either not detected during, or not installed before, the `./configure` of tpm2-pkcs11 and the step was thus skipped. This might be a problem of the Yocto build.

Maybe just try to re-configure/re-install tpm2-pkcs11.

Darsh-Dev commented 4 years ago

@PeterHuewe I tried all possible ways. But we are not able to run p11-kit in Yocto using meta-security. Please guide us on how to proceed further.

PeterHuewe commented 4 years ago

So the symlink and other tricks did not work? In your case, I would probably patch the configure.ac so p11-kit is "detected" even if not installed and the paths etc. are set. Or maybe try to contact the package maintainer at Yocto, whether somehow the dependency can be entered in Yocto.

Darsh-Dev commented 4 years ago

Hi @PeterHuewe ,

I want to confirm: even though all the packages are available and the token is generated, our output is:

```
root@stm32mp1-av96:~/tpm2-pkcs11/tools# p11-kit list-modules -v
p11-kit: tpm2_pkcs11: module failed to initialize, skipping: The device is not present or unplugged
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
root@stm32mp1-av96:~/tpm2-pkcs11/tools#
```

On the link https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/P11.md#p11-kit-configuration, `p11-kit list-modules` shows `tpm2_pkcs11: libtpm2_pkcs11.so`, while in our case it shows `p11-kit-trust: p11-kit-trust.so`.

Which `.so` is the correct one?

williamcroberts commented 4 years ago

@Darsh-Dev, p11-kit kind of wraps up a bunch of PKCS#11 .so files and makes them all available through one interface. Thankfully, you're getting execution of the tpm2-pkcs11 shared object, but the question is: is it the one you think it is? (strace can be helpful to see what .so files are being accessed.) I ask this because the version you have noted for tpm2-pkcs11 is 1.1.0-r0, which I am assuming is 1.1.-rc0. That version shouldn't really ever return that, except for exceptional cases. So the question is, do we have an exceptional case, or are you invoking an older version of the library? Also, cranking up the log level on tpm2-pkcs11 can help us spot the problem. Can you:

set `TPM2_PKCS11_LOG_LEVEL=2`:

```
export TPM2_PKCS11_LOG_LEVEL=2
```

Run the following and output the result: `pkcs11-tool -m <path to .so> -T`

For example:

```
pkcs11-tool --module $HOME/workspace/tpm2-pkcs11/src/.libs/libtpm2_pkcs11.so.0.0.0 -T
Available slots:
Slot 0 (0x1):                                 IBM
  token state:   uninitialized
```

Also run your command `p11-kit list-modules -v` with `TPM2_PKCS11_LOG_LEVEL` exported and set to 2.

Thanks.

Darsh-Dev commented 4 years ago

@williamcroberts

Enabled the debug log level as per request.

`tpm2pkcs11-tool -T`:

```
root@stm32mp1-av96:~# export TPM2_PKCS11_LOG_LEVEL=2
root@stm32mp1-av96:~# tpm2pkcs11-tool -T
INFO on line: "395" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "395" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "383" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/.tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1887" in file: "src/lib/db.c": Could not find pkcs11 store
INFO on line: "1888" in file: "src/lib/db.c": Consider exporting TPM2_PKCS11_STORE to point to a valid store directory
INFO on line: "383" in file: "src/pkcs11.c": return "C_Initialize" value: 224
INFO on line: "387" in file: "src/pkcs11.c": enter "C_Finalize"
INFO on line: "387" in file: "src/pkcs11.c": return "C_Finalize" value: 400
error: PKCS11 function C_Initialize failed: rv = CKR_TOKEN_NOT_PRESENT (0xe0)
Aborting.
root@stm32mp1-av96:~#
```

`p11-kit list-modules -v`:

```
root@stm32mp1-av96:~# p11-kit list-modules -v
INFO on line: "395" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "395" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "383" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/.tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1887" in file: "src/lib/db.c": Could not find pkcs11 store
INFO on line: "1888" in file: "src/lib/db.c": Consider exporting TPM2_PKCS11_STORE to point to a valid store directory
INFO on line: "383" in file: "src/pkcs11.c": return "C_Initialize" value: 224
p11-kit: tpm2_pkcs11: module failed to initialize, skipping: The device is not present or unplugged
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
root@stm32mp1-av96:~#
```

PeterHuewe commented 4 years ago

As stated in the error messages, it does not find the sqlite database (which is created at init) at any of the listed locations:

```
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/.tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1887" in file: "src/lib/db.c": Could not find pkcs11 store
```

It also has a solution: "Consider exporting TPM2_PKCS11_STORE to point to a valid store directory", i.e. to wherever you have created the sqlite database. In your case `export TPM2_PKCS11_STORE=/opt/tpm2-pkcs11`, as you were using `./tpm2_ptool.py init --path=/opt/tpm2-pkcs11/`.

For the Greengrass guide this additional search path is specified at `./configure --enable-esapi-session-manage-flags --with-storedir=/opt/tpm2-pkcs11`; that's why it does not need to be exported in the guide.

PeterHuewe commented 4 years ago

@williamcroberts side question: should we make `INFO on line: "1887" in file: "src/lib/db.c": Could not find pkcs11 store` more of a WARN/ERROR? If we get to that point we err out anyway and the message would be helpful.

Darsh-Dev commented 4 years ago

@PeterHuewe We have modified it in the Yocto file:

```
./configure --build=x86_64-linux --host=arm-openstlinux_weston-linux-gnueabi --target=arm-openstlinux_weston-linux-gnueabi --prefix=/usr --exec_prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc --sharedstatedir=/com --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --oldincludedir=/usr/include --infodir=/usr/share/info --mandir=/usr/share/man --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot=/root/SEED/Gateway/Source_code/Avenger96/openstlinux-4.19-thud-mp1-19-10-09/build-openstlinuxweston-stm32mp1-av96/tmp-glibc/work/cortexa7t2hf-neon-vfpv4-openstlinux_weston-linux-gnueabi/tpm2-pkcs11/0.9.9-r0/recipe-sysroot --enable-esapi-session-manage-flags --with-storedir=/opt/tpm2-pkcs11 --disable-static
```

We checked again:

```
root@stm32mp1-av96: p11-kit list-modules
INFO on line: "395" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "395" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "383" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/.tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1871" in file: "src/lib/db.c": Could not stat db at path "/home/root/tpm2-pkcs11/tools/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "1903" in file: "src/lib/db.c": Using sqlite3 DB: "/opt/tpm2-pkcs11/tpm2_pkcs11.sqlite3"
ERROR on line: "101" in file: "src/lib/tcti_ldr.c": Symbol "Tss2_Tcti_Info"not found in library: "(null)"
WARNING:esys:src/tss2-esys/esys_context.c:118:Esys_Finalize() Finalizing NULL context.
ERROR on line: "1033" in file: "src/lib/db.c": Could not initialize tpm ctx: 0x5
INFO on line: "383" in file: "src/pkcs11.c": return "C_Initialize" value: 5
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
root@stm32mp1-av96:~/tpm2-pkcs11/tools#
```

PeterHuewe commented 4 years ago

Great, another piece of progress.

```
ERROR on line: "101" in file: "src/lib/tcti_ldr.c": Symbol "Tss2_Tcti_Info"not found in library: "(null)"
```

Can you try calling it with `export TPM2_PKCS11_TCTI="tabrmd:"`?

What is the output of:

```
ls -lah /usr/lib/libtss2*
ls -lah /usr/local/lib/libtss2*
```

Darsh-Dev commented 4 years ago

@PeterHuewe Thanks for the hints.

After adding the softlink:

```
ln -s libtss2-tcti-tabrmd.so.0 libtss2-tcti-tabrmd.so
```

Finally, it's working fine:

```
root@stm32mp1-av96:~# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
tpm2_pkcs11: libtpm2_pkcs11.so
    library-description: TPM2.0 Cryptoki
    library-manufacturer: tpm2-software.github.io
    library-version: 42.42
    token: greengrass
        manufacturer: Infineon
        model: SLB9670
        serial-number: 0000000000000000
        hardware-version: 1.16
        firmware-version: 7.40
        flags: rng login-required user-pin-initialized token-initialized
```

Thanks for the continuous support. We will do further testing with AWS Greengrass.

PeterHuewe commented 4 years ago

@Darsh-Dev - glad it worked out, so we can close this? It would be really beneficial if you could do a quick write-up of all the steps you took to make it run successfully on your Yocto system. The next user will be thankful.

Darsh-Dev commented 4 years ago

Sure @PeterHuewe, I will share the complete Yocto steps once I have validated with AWS Greengrass.

Thanks for your support.
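The thread above hits four independent failure points in turn: tabrmd not reachable on the system bus, `libtpm2_pkcs11.so` and its `.module` file missing from the p11-kit directories, the sqlite store not being on the library's search path, and the `tabrmd:` TCTI failing to load because only the versioned `libtss2-tcti-tabrmd.so.0` was installed. The script below is an added example, not code from tpm2-pkcs11 or from anyone in this thread; it turns those checks into functions that take explicit paths, so they can be run against a Yocto image, a recipe sysroot, or a scratch tree without involving the TPM. The store search order it encodes (`$TPM2_PKCS11_STORE`, `$HOME/.tpm2_pkcs11`, the current directory, then the configure-time `--with-storedir`, which defaults to `/etc/tpm2_pkcs11`) is what the two `C_Initialize` logs above show for the 1.x library; the environment variable names `TPM2_PREFLIGHT`, `P11_MODDIR`, `STOREDIR` and `LIBDIR` used to drive the live run are this script's own, not anything tpm2-pkcs11 reads.

```shell
#!/bin/sh
# Added diagnostic, not part of tpm2-pkcs11. Encodes the checks that resolved
# this thread so they can be re-run on another Yocto image. Every function takes
# explicit paths so it can be pointed at a scratch tree; nothing touches the TPM.

# (1) Resource manager: abrmd must own com.intel.tss2.Tabrmd on the system bus.
#     $1 = reply text from:
#     dbus-send --system --print-reply --dest=org.freedesktop.DBus \
#         /org/freedesktop/DBus org.freedesktop.DBus.ListNames
tabrmd_on_bus() {
    printf '%s\n' "$1" | grep -q '"com.intel.tss2.Tabrmd"'
}

# (2) p11-kit only lists the module if the shared object sits in its module
#     directory AND a .module file names it (both were missing in the thread).
#     $1 = p11-kit module dir (e.g. /usr/lib/arm-linux-gnueabihf/pkcs11)
#     $2 = p11-kit config dir (e.g. /usr/share/p11-kit/modules)
p11kit_module_ok() {
    [ -e "$1/libtpm2_pkcs11.so" ] || { echo "missing $1/libtpm2_pkcs11.so" >&2; return 1; }
    [ -f "$2/tpm2_pkcs11.module" ] || { echo "missing $2/tpm2_pkcs11.module" >&2; return 1; }
    grep -q '^module: *libtpm2_pkcs11.so' "$2/tpm2_pkcs11.module" ||
        { echo "$2/tpm2_pkcs11.module has no 'module: libtpm2_pkcs11.so' line" >&2; return 1; }
}

# (3) Store lookup, in the order the two C_Initialize logs in this thread show:
#     $TPM2_PKCS11_STORE, $HOME/.tpm2_pkcs11, the current directory, then the
#     directory baked in with --with-storedir (default /etc/tpm2_pkcs11).
#     Prints the directory that will be used; returns 1 when none holds a DB.
#     $1 = TPM2_PKCS11_STORE (may be empty)  $2 = HOME  $3 = cwd  $4 = storedir
resolve_store() {
    for d in "$1" "$2/.tpm2_pkcs11" "$3" "${4:-/etc/tpm2_pkcs11}"; do
        [ -n "$d" ] && [ -f "$d/tpm2_pkcs11.sqlite3" ] && { echo "$d"; return 0; }
    done
    echo "no tpm2_pkcs11.sqlite3 on the search path; export TPM2_PKCS11_STORE" \
         "to the --path given to tpm2_ptool init" >&2
    return 1
}

# (4) TCTI loading: "tabrmd:" is resolved by dlopen()ing the *unversioned*
#     libtss2-tcti-tabrmd.so. A runtime package that ships only the .so.0 gave
#     the 'Symbol "Tss2_Tcti_Info" not found in library: "(null)"' error above,
#     and the symlink was the fix. Prints the path that will be opened.
#     $1 = libdir  $2 = tcti name ("tabrmd", "device", "mssim", ...)
tcti_lib_present() {
    lib="$1/libtss2-tcti-$2.so"
    if [ -e "$lib" ]; then
        echo "$lib"; return 0
    fi
    for v in "$lib".*; do
        [ -e "$v" ] && echo "found $v but not $lib; fix: ln -s $(basename "$v") $lib" >&2 && return 1
    done
    echo "no libtss2-tcti-$2.so* in $1" >&2
    return 1
}

# Optional: confirm the object that will be opened really exports the entry
# point the loader looks up. Skipped when binutils are not on the target.
tcti_lib_exports_info() {
    command -v nm >/dev/null 2>&1 || { echo "nm not available, skipping symbol check" >&2; return 0; }
    nm -D "$1" 2>/dev/null | grep -q ' T Tss2_Tcti_Info$'
}

# Live run against this system: TPM2_PREFLIGHT=1 sh preflight.sh
# (P11_MODDIR, STOREDIR and LIBDIR are this script's own knobs, defaults match the thread.)
if [ "${TPM2_PREFLIGHT:-0}" = 1 ]; then
    names=$(dbus-send --system --print-reply --dest=org.freedesktop.DBus \
        /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null)
    tabrmd_on_bus "$names" && echo "ok: tabrmd on bus" || echo "FAIL: start tpm2-abrmd first"
    p11kit_module_ok "${P11_MODDIR:-/usr/lib/arm-linux-gnueabihf/pkcs11}" /usr/share/p11-kit/modules \
        && echo "ok: p11-kit module wired up"
    store=$(resolve_store "${TPM2_PKCS11_STORE:-}" "$HOME" "$PWD" "${STOREDIR:-/etc/tpm2_pkcs11}") \
        && echo "ok: store at $store"
    lib=$(tcti_lib_present "${LIBDIR:-/usr/lib}" tabrmd) && tcti_lib_exports_info "$lib" \
        && echo "ok: tcti $lib"
fi
```

Two things worth noticing when reading the store check: the library consults `$HOME` and the current directory of whatever process loads it, so a daemon that loads the module through p11-kit under a different user or working directory can land on a different store than the shell you ran `tpm2_ptool` in, and a world-readable `tpm2_pkcs11.sqlite3` in the cwd would be picked up before the compiled-in store directory. Pinning `TPM2_PKCS11_STORE` (or `--with-storedir`) for the consuming service removes both surprises.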

williamcroberts commented 4 years ago

> @williamcroberts side question: should we make `INFO on line: "1887" in file: "src/lib/db.c": Could not find pkcs11 store` more of a WARN/ERROR? If we get to that point we err out anyway and the message would be helpful.

Already done in: 452db8e6274

The next release off of master will have it. I plan on looking at the FAPI integration this week to make sure it's ready for an RC next week.