pkcs11-tool and FAPI not provisioned and ErrorCode (0x00060034) Entities_List errors

[Dvergatal]

Hi all, I have sucesfully compiled tpm2-pkcs11 and it ss working for me with libp11 engine library together with openssl, but the problem is that i'm getting this errors:

ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:221:Fapi_List_Finish() FAPI not provisioned. 
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List 
ERROR: Listing FAPI token objects failed.

whenever i do something on the tpm token. Nevertheless all crypto materials are being made, the token is also initialized and all is working but i do not know why this error even occurs.

Could someone explain that to me what does it mean?

[williamcroberts]

TL;DR Its superfluous, ignore it.

The tpm2-tss project ships with library called FAPI. This has been integrated into the project so keys stored using FAPI will be discovered and integrated into the token list. However, when FAPI isn't set up you get this error, but the library internally ignores it. The logging is an artifact of how tpm2-tss project does its logging.

You can suppress the logs, aaccording to https://github.com/tpm2-software/tpm2-tss/blob/aa7595d01612eef6fd19af3545c280e1fbb9a0dd/doc/logging.md, by:

export TSS2_LOG=fapi+NONE

Alternatively, you can compile the backend out of tpm2-pkcs11 via:

./configure --with-fapi=no

[Dvergatal]

Ok and what for FAPI is? Because i haven' found any relevant informations about it, just that it is some Feature API.

Ahh ok it is for storing keys in tpm instead in sqlite database. Correct me if i'm wrong.

[williamcroberts]

Ok and what for FAPI is? Because i haven' found any relevant informations about it, just that it is some Feature API.

Yes it's called the Feature API and its meant to be a higher level API to the TPM.

Ahh ok it is for storing keys in tpm instead in sqlite database. Correct me if i'm wrong.

Yes and no. It stores them to the file system instead, which conceptually isn't much different. The important thing, is those key blobs resident on disk are protected with both access controls as well as by the TPM itself.

[Dvergatal]

Ahh ok it is for storing keys in tpm instead in sqlite database. Correct me if i'm wrong.

Yes and no. It stores them to the file system instead, which conceptually isn't much different. The important thing, is those key blobs resident on disk are protected with both access controls as well as by the TPM itself.

Ok that is what i was not rally sure. Thx for the feedback.

[Dvergatal]

Hi @williamcroberts I have read recently FAPI.md and i have seen that you wrote about 3rd solution using _tss2provision. I have run it from shell and now all warnings and errors disappeard now.

From what i understood in the tss2_provision.1.md the whole provisioning process is being made on the TPM hardware right?

[williamcroberts]

Yes its being made on the tpm hardware.

[Dvergatal]

Ok, one more thing, this provisioning is being made according to the hardware? If i'll take out the tpm from the board and insert it to another one, than it will be unusable (the provisioning is being made according to the hardware on which it was first provisioned)?

[williamcroberts]

Ok, one more thing, this provisioning is being made according to the hardware? If i'll take out the tpm from the board and insert it to another one, than it will be unusable (the provisioning is being made according to the hardware on which it was first provisioned)?

No it's made to that TPM. So if you place it on another system, the TPM will still "work". But measured state could be different so you'd lock yourself out of certain keys potentially. This is analogous to you stole my smartcard. For transient objects, you'd need to steal my TPM and the key blobs from wherever they were stored. Obviously, you would still need to satisfy whatever authorizations needed to access anything on the TPM.

[Dvergatal]

Ok, and the measured state is being made from what? Some board components?

BTW. I'm sorry for off-top, but i'm interested in some of tpm mechanism, because i have no idea on how to store securely pkcs11-tpm user password... On other pkcs#11 implementations i have secure boot implementation with some other mechanisms and i simply do not know.

[Dvergatal]

One more thing is it possible to delete already provisioned profile?

[williamcroberts]

Ok, and the measured state is being made from what? Some board components?

It's your boot firmware and OS measuring various bits into different PCRs, what goes into what I don't know off the top of my head. @idesai might know the details.

BTW. I'm sorry for off-top, but i'm interested in some of tpm mechanism, because i have no idea on how to store securely pkcs11-tpm user password... On other pkcs#11 implementations i have secure boot implementation with some other mechanisms and i simply do not know.

Right now everything is pin based, but in the future we will have support for objects with policies that can be tied to PCR state. For now, you could perhaps do something like seal the pin to the tpm in an object that is protected by PCR state. Then unseal that object and use that pin to access the pkcs11 layer. The downside here, is that the pin is in the clear in the host OS, so if your attack model includes a compromised kernel or MITM attack, the attacker could then access pkcs11 layer without the measured state being correct.

[Manouchehri]

For now, you could perhaps do something like seal the pin to the tpm in an object that is protected by PCR state.

@williamcroberts One roundabout way is to have ~/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 on a filesystem that's encrypted and protected/binded to the PCRs you want to use.

First run follow this guide https://github.com/wmcelderry/systemd_with_tpm2#full-process to get FDE (aside from /boot) with TPM2 working.

sudo systemd-cryptenroll --tpm2-device=auto --wipe-slot=tpm2 --tpm2-pcrs=0,1,2,3,4,5,7,8,9,10,11,12,13,14 /dev/nvme0n1p3

/etc/crypttab

nvme0n1p3_crypt UUID=878e2b41-7ae5-4d82-b37b-890a51608127 none tpm2-device=auto,luks,discard

[idesai]

Ok, and the measured state is being made from what? Some board components?

It's your boot firmware and OS measuring various bits into different PCRs, what goes into what I don't know off the top of my head. @idesai might know the details.

BTW. I'm sorry for off-top, but i'm interested in some of tpm mechanism, because i have no idea on how to store securely pkcs11-tpm user password... On other pkcs#11 implementations i have secure boot implementation with some other mechanisms and i simply do not know.

Right now everything is pin based, but in the future we will have support for objects with policies that can be tied to PCR state. For now, you could perhaps do something like seal the pin to the tpm in an object that is protected by PCR state. Then unseal that object and use that pin to access the pkcs11 layer. The downside here, is that the pin is in the clear in the host OS, so if your attack model includes a compromised kernel or MITM attack, the attacker could then access pkcs11 layer without the measured state being correct.