tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

tpm2_ptool fails to init with error #3218

Open nikolkam opened 1 year ago

nikolkam commented 1 year ago

Trying to execute the command on Ubuntu 20.04:

```
tpm2_ptool init --transient-parent --path /some/path
```

It fails with the following error:

```
Traceback (most recent call last):
  File "/tmp/tpm2-pkcs11/tpm2-pkcs11-1.6.0/tools/tpm2_pkcs11/commandlets_store.py", line 100, in __call__
  File "/tmp/tpm2-pkcs11/tpm2-pkcs11-1.6.0/tools/tpm2_pkcs11/utils.py", line 430, in create_primary
  File "/tmp/tpm2-pkcs11/tpm2-pkcs11-1.6.0/tools/tpm2_pkcs11/tpm2.py", line 82, in createprimary
RuntimeError: Could not execute tpm2_createprimary: b'ERROR: Esys_StartAuthSession(0xA000A) - tcti:IO failure\nERROR: Invalid parent key authorization\nERROR: Unable to run tpm2_createprimary\n'
Could not execute tpm2_createprimary: b'ERROR: Esys_StartAuthSession(0xA000A) - tcti:IO failure\nERROR: Invalid parent key authorization\nERROR: Unable to run tpm2_createprimary\n'
```

I've only found this issue on one user's setup; it worked for other users as expected when creating a store. I'm still new to using the tpm2, so I'm not sure if this is a bug or there is something wrong with the setup. Any workaround or fix is appreciated.

tpm2_createprimary version=4.1.1 tpm2-tools version = 4.1.1

JuergenReppSIT commented 1 year ago

@nikolkam Access to the tpm device is seemingly not possible (tcti error 0xa000a). tpm2_ptool uses the tpm tool commands under the hood. Can you execute commands, e.g.:

```
tpm2_getcap handles-nv-index
```
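The layer decoding behind the "tcti error 0xa000a" reading in the comment above, as an added example that is not part of the original thread or of the tpm2-tools code: it pulls the failing call and return code out of the tool's stderr and splits the code into its TSS2 layer and error fields. The function names `decode_rc` and `triage` are hypothetical, the numeric tables are a subset of the constants in tpm2-tss's `tss2_common.h`, and the sample stderr is the byte string from the report.

```python
import re

# Subset of the layer and base-error numbers from tpm2-tss tss2_common.h.
LAYERS = {0: "TPM", 6: "FAPI", 7: "ESAPI", 8: "SYS", 9: "MU",
          10: "TCTI", 11: "RESMGR", 12: "RESMGR_TPM"}
BASE_RC = {1: "GENERAL_FAILURE", 3: "BAD_CONTEXT", 5: "BAD_REFERENCE",
           8: "NO_CONNECTION", 9: "TRY_AGAIN", 10: "IO_ERROR",
           11: "BAD_VALUE", 12: "NOT_PERMITTED"}
# Layers whose low 16 bits carry a TPM response code, not a TSS2 base error.
TPM_LAYERS = {0, 12}

# Matches tpm2-tools lines such as "ERROR: Esys_StartAuthSession(0xA000A) - ..."
CALL_RC = re.compile(r"ERROR: (\w+)\((0x[0-9A-Fa-f]+)\)")

# stderr bytes as shown in the issue report.
SAMPLE_STDERR = (b"ERROR: Esys_StartAuthSession(0xA000A) - tcti:IO failure\n"
                 b"ERROR: Invalid parent key authorization\n"
                 b"ERROR: Unable to run tpm2_createprimary\n")

def decode_rc(rc):
    """Split a 32-bit TSS2_RC into layer (bits 16-23) and error (bits 0-15)."""
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    from_tpm = layer in TPM_LAYERS
    if from_tpm:
        error = hex(code)  # TPM response code, left undecoded here
    else:
        error = BASE_RC.get(code, hex(code))
    return {"rc": rc, "layer": LAYERS.get(layer, f"layer {layer}"),
            "error": error, "reported_by_tpm": from_tpm}

def triage(stderr):
    """Return one decoded finding per 'Call(0xRC)' found in tool stderr."""
    text = stderr.decode(errors="replace") if isinstance(stderr, bytes) else stderr
    findings = []
    for call, rc_hex in CALL_RC.findall(text):
        finding = decode_rc(int(rc_hex, 16))
        finding["call"] = call
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_STDERR):
        origin = "the TPM" if f["reported_by_tpm"] else "the software stack"
        print(f'{f["call"]}: {f["layer"]} / {f["error"]} (raised by {origin})')
```
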

nikolkam commented 1 year ago

@JuergenReppSIT The tpm2_getcap handles-nv-index returns multiple handles of the nv index. If it's not able to access the tpm device at all would it be still possible to print them? Output:

JuergenReppSIT commented 1 year ago

@nikolkam The access to the tcti interface seems to be working. The error occurs when the following command is executed:

```
tpm2_createprimary -c /tmp/tmpa_fs1793/context.out -g sha256 -G rsa
```

where tmpa_fs1793 is a temporary directory created by ptool. Can you execute this command with an existing temporary directory?

nikolkam commented 1 year ago

@JuergenReppSIT I haven't got a reply from the user yet, but when I asked the user to execute `tpm2_createprimary -c primary.txt` he got the same error:

```
ERROR: Esys_StartAuthSession(0xA000A) - tcti:IO failure
ERROR: Invalid parent key authorization
ERROR: Unable to run /opt/forticlient/tpm2/bin/tpm2_createprimary
```

JuergenReppSIT commented 1 year ago

@nikolkam Normally this command should work. Does the error also occur if the hierarchy is used:

```
tpm2_createprimary -C o -c /tmp/tmpa_fs1793/context.out -g sha256 -G rsa
```

If the error still occurs you could try to create a tcti log:

```
TSS2_LOG=tcti+trace tpm2_createprimary -C o -c /tmp/prim.ctx -g sha256 -G rsa
```

But if it's possible I would try a tpm2_clear