tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

Using tpm2-tools with tpm2-abrmd #1908

Closed srayees closed 4 years ago

srayees commented 4 years ago

Hi,

I have a TPM (vTPM) enabled on a VMWare Workstation using Ubuntu 19.10.

I am able to run the command:

$ sudo tpm2_getrandom 4 -v
tool="tpm2_getrandom" version="4.1.1-RC1" tctis="libtss2-tctildr" tcti-default=tcti-device

I didn't have tpm2-abrmd installed when I first compiled tpm2-tools. Subsequently I built tpm2-abrmd and installed it. Then I recompiled tpm2-tools, but I am still unable to get the tcti-default to change to use tpm2-abrmd. How can I use tpm2-abrmd with tpm2-tools?

I tried setting the following: export TPM2TOOLS_TCTI="abrmd:bus_type=session,bus_name=com.intel.tss2.Tabrmd" But that didn't make any difference. Neither did using -T on the command line with the same option.

Then I installed the TPM simulator from IBM. I got the sockets between tpm2_abrmd and tpm_server to connect. But I still get the same output from the tpm2_getrandom command even if I pass the following:

$ tpm2_getrandom 4 --tcti mssim:host=localhost,port=2321 -v
tool="tpm2_getrandom" version="4.1.1-RC1" tctis="libtss2-tctildr" tcti-default=tcti-device

I would appreciate any guidance on getting tpm2-tools to connect to my tpm2-abrmd.

tpm2-abrmd version 2.3.1
tpm2-tools version 4.1.1-RC1

Thanks,
Rayees

tstruk commented 4 years ago

You can try:

# unlink /usr/lib/libtss2-tcti-default.so
# ln -s /usr/lib/libtss2-tcti-tabrmd.so /usr/lib/libtss2-tcti-default.so

srayees commented 4 years ago

Thanks Tadeusz for the pointer.

I couldn't find libtss2-tcti-default.so generated while building the TSS. The configuration mentions libtss2-tcti-default.so, but no file with that name is created as output. See the build output attached. tpm2-tss_build.txt

Also, looking at the tpm2 tools, they don't link to libtss2-tcti-default.so. There is a file tctildr.so, but I don't know how it works.

$ ldd tpm2_getrandom
        linux-vdso.so.1 (0x00007ffc355d6000)
        libtss2-esys.so.0 => /usr/local/lib/libtss2-esys.so.0 (0x00007fc0d6a10000)
        libtss2-mu.so.0 => /usr/local/lib/libtss2-mu.so.0 (0x00007fc0d69c8000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fc0d66f3000)
        libtss2-tctildr.so.0 => /usr/local/lib/libtss2-tctildr.so.0 (0x00007fc0d66e8000)
        libtss2-rc.so.0 => /usr/local/lib/libtss2-rc.so.0 (0x00007fc0d66de000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc0d64ed000)
        libtss2-sys.so.0 => /usr/local/lib/libtss2-sys.so.0 (0x00007fc0d64ba000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc0d64b4000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc0d6491000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fc0d6af0000)

Rayees

tstruk commented 4 years ago

libtss2-tcti-default.so is just a symbolic link that you create manually and point at the TCTI shared library that you want to use by default.

srayees commented 4 years ago

This seems to be working now. The -v still prints tcti-device. Thanks Tadeusz.

srayees commented 4 years ago

Tadeusz, Sorry to bother you again. I don't think I am using the abrmd.

I linked the file as you suggested: ln -s /usr/lib64/libtss2-tcti-tabrmd.so /usr/lib/libtss2-tcti-default.so

I tried the simulator with the TCTI value set correctly in the export directive. The value I get for the create_primary with the device is the same as the value I got after setting up the simulator, which leads me to believe that I am still using the device directly and not the abrmd.

williamcroberts commented 4 years ago

-v output just gets the name from a call to Tss2_TctiLdr_GetInfo(NULL, &info); to show what the Tss2_TctiLdr library will return. I guess we could smarten that up to grab the -T/env variable to show what will occur in the environment. That doesn't make much sense, as the -v output is tcti-default=tcti-device; note the key is tcti-default. When you specify a -T or env option, that's not the default, that's what you're telling it to do, which if it fails will just throw an error.

The tools, despite that -v output, will use the proper TCTI. You can verify with strace if you need to.

williamcroberts commented 4 years ago

Tadeusz, Sorry to bother you again. I don't think I am using the abrmd.

I linked the file as you suggested: ln -s /usr/lib64/libtss2-tcti-tabrmd.so /usr/lib/libtss2-tcti-default.so

I tried the simulator with the TCTI value set correctly in the export directive. The value I get for the create_primary with the device is the same as the value I got after setting up the simulator, which leads me to believe that I am still using the device directly and not the abrmd.

What do you mean value?

Can you run this under strace so we can see the search logic and exactly what's going on? Can you crank up the TSS logging level too? That has debug logging on the TCTI loader logic.

srayees commented 4 years ago

Tadeusz, Sorry to bother you again. I don't think I am using the abrmd.

I linked the file as you suggested: ln -s /usr/lib64/libtss2-tcti-tabrmd.so /usr/lib/libtss2-tcti-default.so

I tried the simulator with the TCTI value set correctly in the export directive. The value I get for the create_primary with the device is the same as the value I got after setting up the simulator, which leads me to believe that I am still using the device directly and not the abrmd.

What do you mean value?

I meant the RSA key modulus that was output by the command. I would assume that the simulator would use a different seed and hence the modulus would be different for that one.

Can you run this under strace so we can see the search logic and exactly what's going on? Can you crank up the TSS logging level too? That has debug logging on the TCTI loader logic.

I will try to do that a little later and report what I find. Thanks for the pointers.

srayees commented 4 years ago

-v output just gets the name from a call to Tss2_TctiLdr_GetInfo(NULL, &info); to show what the Tss2_TctiLdr library will return. ~I guess we could smarten that up to grab the -T/env variable to show what will occur in the environment.~ That doesn't make much sense, as the -v output is tcti-default=tcti-device; note the key is tcti-default. When you specify a -T or env option, that's not the default, that's what you're telling it to do, which if it fails will just throw an error.

The tools, despite that -v output, will use the proper TCTI. You can verify with strace if you need to.

It would be nice to have a feature to indicate which tcti is being used without having to go through strace. Is symbolic linking the only way to manage tcti-default? I am trying to understand the value of having the tcti-default. My understanding is that this indicates the order in which the tcti loader will try the different available tcti options. So when I change my environment to use a different tcti setting, I would want this to be reflected somewhere to give me confidence that my environment is now different from what it was previously.

joholl commented 4 years ago

As @williamcroberts pointed out, you can enable logging (TSS2_LOG=tcti+trace). You can see directly which tcti libraries it tries to load. For me (tcti-device, no tpm2-abrmd), the log looks like this:

$ TSS2_LOG=tcti+trace tpm2_getrandom --hex 5
debug:tcti:src/tss2-tcti/tctildr-dl.c:293:tctildr_get_tcti() name: "(null)", conf: "(null)"
debug:tcti:src/tss2-tcti/tctildr-dl.c:240:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-default.so
trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-default.so
debug:tcti:src/tss2-tcti/tctildr-dl.c:88:handle_from_name() Could not load TCTI file: "libtss2-tcti-default.so": libtss2-tcti-default.so: cannot open shared object file: No such file or directory
debug:tcti:src/tss2-tcti/tctildr-dl.c:103:handle_from_name() Could not load TCTI file "libtss2-tcti-default.so": libtss2-tcti-libtss2-tcti-default.so.so.0: cannot open shared object file: No such file or directory
debug:tcti:src/tss2-tcti/tctildr-dl.c:116:handle_from_name() Failed to load TCTI for name "libtss2-tcti-default.so": libtss2-tcti-libtss2-tcti-default.so.so: cannot open shared object file: No such file or directory
debug:tcti:src/tss2-tcti/tctildr-dl.c:245:tctildr_get_default() Failed to load standard TCTI number 0
debug:tcti:src/tss2-tcti/tctildr-dl.c:240:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-tabrmd.so
trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-tabrmd.so.0
debug:tcti:src/tss2-tcti/tctildr-dl.c:88:handle_from_name() Could not load TCTI file: "libtss2-tcti-tabrmd.so.0": libtss2-tcti-tabrmd.so.0: cannot open shared object file: No such file or directory
debug:tcti:src/tss2-tcti/tctildr-dl.c:103:handle_from_name() Could not load TCTI file "libtss2-tcti-tabrmd.so.0": libtss2-tcti-libtss2-tcti-tabrmd.so.0.so.0: cannot open shared object file: No such file or directory
debug:tcti:src/tss2-tcti/tctildr-dl.c:116:handle_from_name() Failed to load TCTI for name "libtss2-tcti-tabrmd.so.0": libtss2-tcti-libtss2-tcti-tabrmd.so.0.so: cannot open shared object file: No such file or directory
debug:tcti:src/tss2-tcti/tctildr-dl.c:245:tctildr_get_default() Failed to load standard TCTI number 1
debug:tcti:src/tss2-tcti/tctildr-dl.c:240:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-device.s0 with /dev/tpmrm0
trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-device.so.0
trace:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_info() Attempting to load TCTI info
trace:tcti:src/tss2-tcti/tctildr.c:86:tcti_from_info() Loaded TCTI info named: tcti-device
trace:tcti:src/tss2-tcti/tctildr.c:87:tcti_from_info() TCTI description: TCTI module for communication with Linux kernel interface.
trace:tcti:src/tss2-tcti/tctildr.c:88:tcti_from_info() TCTI config_help: Path to TPM character device. Default value is: TCTI_DEVICE_DEFAULT
trace:tcti:src/tss2-tcti/tctildr.c:44:tcti_from_init() Initializing TCTI for config: /dev/tpmrm0
debug:tcti:src/tss2-tcti/tctildr.c:68:tcti_from_init() Initialized TCTI for config: /dev/tpmrm0
debug:tcti:src/tss2-tcti/tctildr.c:96:tcti_from_info() Initialized TCTI named: tcti-device

srayees commented 4 years ago

Thanks Johannes for showing me how to enable logging. I was able to switch between tcti-abrmd and tcti-device using the method suggested by Tadeusz.

elliotmtx commented 3 years ago

# unlink /usr/lib/libtss2-tcti-default.so
# ln -s /usr/lib/libtss2-tcti-tabrmd.so /usr/lib/libtss2-tcti-default.so

This is to link the resource manager to tpm2-abrmd.

I can unlink it now, but how do I link it to /dev/tpmrm0?

Edit 1: I don't see /usr/lib/libtss2-tcti-default.so on my machine.

Edit 2: export TPM2TOOLS_TCTI="device:/dev/tpmrm0" Using this I could set the interface to tpmrm0, but how can I set it back to abrmd?

williamcroberts commented 3 years ago

# unlink /usr/lib/libtss2-tcti-default.so
# ln -s /usr/lib/libtss2-tcti-tabrmd.so /usr/lib/libtss2-tcti-default.so

This is to link the resource manager to tpm2-abrmd.

I can unlink it now, but how do I link it to /dev/tpmrm0?

Edit 1: I don't see /usr/lib/libtss2-tcti-default.so on my machine.

Not every machine has the link set up, so if the link isn't there, just create it and point it to whatever TCTI shared library you want.

Edit 2: export TPM2TOOLS_TCTI="device:/dev/tpmrm0" Using this I could set the interface to tpmrm0, but how can I set it back to abrmd?

There's a default search protocol; it will try tpm2-abrmd before device. You can either unset the TPM2TOOLS_TCTI env var, or modify it to be "tabrmd". You could even leave it set and override the env variable with the --tcti option of tabrmd, i.e. something like tpm2_getrandom --tcti=tabrmd
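
The TSS2_LOG=tcti+trace check Johannes describes above, wrapped so it can be re-run after changing TPM2TOOLS_TCTI, the --tcti option or the libtss2-tcti-default.so link, to confirm which TCTI the tools actually initialised rather than trusting the tcti-default key in -v output. This is an added example, not code from the thread or the tpm2-tools project; the tcti_summary, which_tcti and sample_summary names are my own, and the embedded trace is constructed from the lines quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the tpm2-tools project: report which TCTI a tool
# actually initialised by parsing the loader trace that TSS2_LOG=tcti+trace
# writes to stderr, rather than reading "tcti-default=" from -v output.

# Summarise a tctildr trace read from stdin:
#   "requested ..."   the name/conf the loader was asked for (-T or env var)
#   "tried <file>"    one line per shared library the loader attempted
#   "initialized ..." the TCTI that finally came up, or "none"
tcti_summary() {
    awk '
        /tctildr_get_tcti/              { sub(/.*tctildr_get_tcti[^ ]* /, ""); print "requested " $0 }
        /Attempting to load TCTI file:/ { print "tried " $NF }
        /Initialized TCTI for config:/  { conf = $NF }
        /Initialized TCTI named:/       { init = $NF }
        END {
            if (init == "") print "initialized none"
            else print "initialized " init (conf != "" ? " (" conf ")" : "")
        }
    '
}

# Run a tpm2 tool with loader tracing and summarise what it used; the tool's
# own stdout is discarded and the trace on stderr is parsed.
# Usage: which_tcti tpm2_getrandom --hex 1   (honours TPM2TOOLS_TCTI / --tcti)
which_tcti() {
    TSS2_LOG=tcti+trace "$@" 2>&1 >/dev/null | tcti_summary
}

# Constructed sample, taken from the trace quoted earlier in this thread
# (tcti-device, no tpm2-abrmd running), so the parser can be checked offline.
SAMPLE_TRACE='debug:tcti:src/tss2-tcti/tctildr-dl.c:293:tctildr_get_tcti() name: "(null)", conf: "(null)"
trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-default.so
debug:tcti:src/tss2-tcti/tctildr-dl.c:88:handle_from_name() Could not load TCTI file: "libtss2-tcti-default.so": libtss2-tcti-default.so: cannot open shared object file: No such file or directory
trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-tabrmd.so.0
debug:tcti:src/tss2-tcti/tctildr-dl.c:88:handle_from_name() Could not load TCTI file: "libtss2-tcti-tabrmd.so.0": libtss2-tcti-tabrmd.so.0: cannot open shared object file: No such file or directory
trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-device.so.0
debug:tcti:src/tss2-tcti/tctildr.c:68:tcti_from_init() Initialized TCTI for config: /dev/tpmrm0
debug:tcti:src/tss2-tcti/tctildr.c:96:tcti_from_info() Initialized TCTI named: tcti-device'

# Parse the constructed sample instead of running a tool.
sample_summary() {
    printf '%s\n' "$SAMPLE_TRACE" | tcti_summary
}
```

After switching the default link to libtss2-tcti-tabrmd.so, the last line of `which_tcti tpm2_getrandom --hex 1` should name the tabrmd TCTI instead of tcti-device; if the "tried" lines still end at libtss2-tcti-device.so.0, the link or the env var was not picked up.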