tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

tpm2-tss-engine not working with tpm2simulator? #160

Closed CajusH closed 4 years ago

CajusH commented 4 years ago

I am trying to get tpm2-tss-engine working with tpm2simulator (from http://github.com/stwagnr/tpm2simulator.git). There is no physical TPM available in my system. I am using tpm2-tss-2.3.2, tpm2-tools-4.0.1, tpm2-abrmd-2.3.1, tpm2simulator and tpm2-tss-engine-1.1.0-rc0.

tpm2-abrmd is running with the option "--tcti=mssim". For the tpm2-tools I set TPM2TOOLS_TCTI=tabrmd:bus_name=com.intel.tss2.Tabrmd; tpm2-tools work as expected with these settings.

I have added the openssl.conf.sample to my /etc/ssl/openssl.cnf with the required changes:

dynamic_path = /usr/lib64/engines-1.1/libtpm2tss.so (lib64 instead of lib)
default_algorithms = RSA, RAND (ECDSA from the sample is not supported?!)
SET_TCTI = tabrmd:bus_name=com.intel.tss2.Tabrmd

The SET_TCTI is the same as I set in the environment for the tpm2-tools.

tpm2tss-genkey fails because it always tries to use /dev/tpm0, not the one from SET_TCTI?

./tpm2tss-genkey mykey

Initializing
Setting owner auth to empty auth.
Setting parent auth to empty auth.
Generating RSA key for 2048 bits keysize.
Establishing connection with TPM.
ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f26073e7d90 failed with a000a
WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so
Initializing
Already initialized
Creating primary key under owner.
Generating the RSA key inside the TPM.
Generated the RSA key inside the TPM.

I also tried SET_TCTI = device:/dev/tttpm00 but it isn't using this setting either.

openssl req -new -x509 -keyform engine -engine tpm2tss -out rsa.crt -subj dummyCert

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.
Generating a 2048 bit RSA private key
...................+++++
..................+++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

problems making Certificate Request

This does not work either ("problems making Certificate Request"), but maybe because of the failing tpm2tss-genkey?

If I use the tpm2-tools, I can see the access to the TPM, as the tpm2simulator keeps all its data in /tmp/NVChip and the date changes if I write something to the TPM. But the date never changes when I use openssl and the tpm2-tss-engine.

Any ideas what I am doing wrong?

AndreasFuchsTPM commented 4 years ago

Hmmm... Did you export the OPENSSL_CONF environment variable to use the openssl.cnf file you created ?

CajusH commented 4 years ago

No, this has never been required, and I see that the engine is used: every time I issue a command using openssl I see

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.

on the system console. As I tried the command examples from README.md again this morning, some of them seem to work now. I have no explanation why it is working now; maybe a reboot was required after installation and configuration. Nevertheless, tpm2tss-genkey seems to try to access /dev/tpm0, causing the error messages below. The ECDSA operations still do not seem to work.

Engine information

openssl engine -t -c tpm2tss

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
(tpm2tss) TPM2-TSS engine for OpenSSL
     [RSA, RAND]
     [ available ]

Random data

openssl rand -engine tpm2tss -hex 10

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.
f8723e71b7380712684a

RSA decrypt

tpm2tss-genkey -a rsa -s 2048 mykey

Initializing
Setting owner auth to empty auth.
Setting parent auth to empty auth.
Generating RSA key for 2048 bits keysize.
Establishing connection with TPM.
ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f8210e7ed90 failed with a000a
WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so
Initializing
Already initialized
Creating primary key under owner.
Generating the RSA key inside the TPM.
Generated the RSA key inside the TPM.

openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.
Loading private key mykey
Loaded key uses alg-id 1
Creating RSA key object.
Created RSA key object.
TPM2 Key loaded
writing RSA key

openssl pkeyutl -pubin -inkey mykey.pub -in mydata -encrypt -out mycipher

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"

openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -decrypt -in mycipher -out mydata

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.
Loading private key mykey
Loaded key uses alg-id 1
Creating RSA key object.
Created RSA key object.
TPM2 Key loaded
rsa_priv_dec called for scheme 1 and input data(size=256): 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
Establishing connection with TPM.
Creating primary key under owner.
Loading key blob.
Decrypted message (size=15): 31323334353637383930414243440a

RSA sign

openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.
Loading private key mykey
Loaded key uses alg-id 1
Creating RSA key object.
Created RSA key object.
TPM2 Key loaded
writing RSA key

openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.
Loading private key mykey
Loaded key uses alg-id 1
Creating RSA key object.
Created RSA key object.
TPM2 Key loaded
rsa_priv_enc called for scheme 1 and input data(size=15): 31323334353637383930414243440a
Padded digest data (size=256): 0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0031323334353637383930414243440a
Establishing connection with TPM.
Creating primary key under owner.
Loading key blob.
Signing (via decrypt operation).
Signature done (size=256): 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

openssl pkeyutl -pubin -inkey mykey.pub -verify -in mydata -sigfile mysig

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
Signature Verified Successfully

ECDSA operations

If I add "ECDSA" to default_algorithms in my openssl.cnf (e.g. default_algorithms = RSA, RAND, ECDSA) I get an error, so I assume this algorithm is not supported???

openssl engine

Initializing
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(tpm2tss) TPM2-TSS engine for OpenSSL
139720382007104:error:260BD096:engine routines:ENGINE_set_default_string:invalid string:crypto/engine/eng_fat.c:91:str=RSA, RAND, ECDSA
139720382007104:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=tpm2tss_section, name=default_algorithms, value=RSA, RAND, ECDSA
139720382007104:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:173:module=engines, value=engine_section, retcode=-1

With default_algorithms = RSA, RAND I get

openssl engine

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(tpm2tss) TPM2-TSS engine for OpenSSL

I am not sure if this is the root cause for the failure in the second command of the ECDSA operations section.

tpm2tss-genkey -a ecdsa mykey

Initializing
Setting owner auth to empty auth.
Setting parent auth to empty auth.
GenKey for ecdsa.
Establishing connection with TPM.
ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f27a71ded90 failed with a000a
WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so
Initializing
Already initialized
Creating primary key under owner.
Generating the ECC key inside the TPM.
Generated the ECC key inside the TPM.

openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.
Loading private key mykey
Loaded key uses alg-id 23
Creating ECC key object.
Created ECC key object.
TPM2 Key loaded
ecdsa_sign called for input data(size=15): 31323334353637383930414243440a
Public Key operation error
139993813067584:error:8007806B:tpm2-tss-engine:ecdsa_sign:Unknown padding scheme requested:src/tpm2-tss-engine-ecc.c:208:
139993813067584:error:8007406F:tpm2-tss-engine:esys_ctx_free:Some unknown error occured:src/tpm2-tss-engine-common.c:106:

openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -verify -in mydata -sigfile mysig

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.
Loading private key mykey
Loaded key uses alg-id 23
Creating ECC key object.
Created ECC key object.
TPM2 Key loaded
Signature Verification Failure

Self Signed certificate generate operation

tpm2tss-genkey -a rsa rsa.tss

Initializing
Setting owner auth to empty auth.
Setting parent auth to empty auth.
Generating RSA key for 2048 bits keysize.
Establishing connection with TPM.
ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f7ae05f8d90 failed with a000a
WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so
Initializing
Already initialized
Creating primary key under owner.
Generating the RSA key inside the TPM.
Generated the RSA key inside the TPM.

openssl req -new -x509 -engine tpm2tss -key rsa.tss -keyform engine -out rsa.crt

Initializing
Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
engine "tpm2tss" set.
Loading private key rsa.tss
Loaded key uses alg-id 1
Creating RSA key object.
Created RSA key object.
TPM2 Key loaded
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

No template, please set one up.
problems making Certificate Request

AndreasFuchsTPM commented 4 years ago

Would you mind exporting TSS2_LOG=tcti+trace and then sending the output of genkey?

CajusH commented 4 years ago

:~/tpm2/files> env | grep TPM2TOOLS_TCTI

TPM2TOOLS_TCTI=tabrmd:bus_name=com.intel.tss2.Tabrmd

:~/tpm2/files> tpm2tss-genkey -a rsa -s 2048 mykey

Initializing
Setting owner auth to empty auth.
Setting parent auth to empty auth.
Generating RSA key for 2048 bits keysize.
Establishing connection with TPM.
debug:tcti:src/tss2-tcti/tctildr-dl.c:293:tctildr_get_tcti() name: "(null)", conf: "(null)"
debug:tcti:src/tss2-tcti/tctildr-dl.c:240:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-default.so
trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-default.so
trace:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_info() Attempting to load TCTI info
trace:tcti:src/tss2-tcti/tctildr.c:86:tcti_from_info() Loaded TCTI info named: tcti-device
trace:tcti:src/tss2-tcti/tctildr.c:87:tcti_from_info() TCTI description: TCTI module for communication with Linux kernel interface.
trace:tcti:src/tss2-tcti/tctildr.c:88:tcti_from_info() TCTI config_help: Path to TPM character device. Default value is: TCTI_DEVICE_DEFAULT
trace:tcti:src/tss2-tcti/tctildr.c:44:tcti_from_init() Initializing TCTI for config: (null)
ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f319ecf9d90 failed with a000a
WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so
debug:tcti:src/tss2-tcti/tctildr-dl.c:245:tctildr_get_default() Failed to load standard TCTI number 0
debug:tcti:src/tss2-tcti/tctildr-dl.c:240:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-tabrmd.so
trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-tabrmd.so.0
trace:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_info() Attempting to load TCTI info
trace:tcti:src/tss2-tcti/tctildr.c:86:tcti_from_info() Loaded TCTI info named: tcti-abrmd
trace:tcti:src/tss2-tcti/tctildr.c:87:tcti_from_info() TCTI description: TCTI module for communication with tabrmd.
trace:tcti:src/tss2-tcti/tctildr.c:88:tcti_from_info() TCTI config_help: This conf string is a series of key / value pairs where keys and values are separated by the '=' character and each pair is separated by the ',' character. Valid keys are "bus_name" and "bus_type".
trace:tcti:src/tss2-tcti/tctildr.c:44:tcti_from_init() Initializing TCTI for config: (null)
debug:tcti:src/tss2-tcti/tctildr.c:68:tcti_from_init() Initialized TCTI for config: (null)
debug:tcti:src/tss2-tcti/tctildr.c:96:tcti_from_info() Initialized TCTI named: tcti-abrmd
debug:tcti:src/tss2-tcti/tctildr-dl.c:158:tcti_from_file() Initialized TCTI file: libtss2-tcti-tabrmd.so.0
Initializing
Already initialized
Creating primary key under owner.
Generating the RSA key inside the TPM.
Generated the RSA key inside the TPM.

AndreasFuchsTPM commented 4 years ago

Ok, so it seems like you have a symbolic link from libtss2-tcti-default.so to libtss2-tcti-device.so. The idea of libtss2-tcti-default.so is to allow users to configure the default way they want to talk to the TPM. Try to get rid of libtss2-tcti-default.so; then the regular search order of tabrmd, tpmrm0, tpm0 should be executed.

P.S. The TPM2TOOLS_TCTI variable only influences the tpm2-tools project, not the tpm2-tss-engine, as the name should imply, I think.
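
The diagnosis above (a libtss2-tcti-default.so symlink pinning every tpm2-tss consumer to the device TCTI, while TPM2TOOLS_TCTI only affects tpm2-tools) can be checked with the script below. It is an added example, not code from tpm2-tss or tpm2-tss-engine; the library directories it scans are assumed and should be adjusted for your distribution.

```shell
#!/bin/sh
# Added diagnostic, not part of tpm2-tss or tpm2-tss-engine: report whether a
# libtss2-tcti-default.so override exists and which TCTI it forces.

# Resolve what libtss2-tcti-default.so in directory $1 points at: the link
# target's basename, "regular-file" for a real library, or "missing".
tcti_default_target() {
    lib="$1/libtss2-tcti-default.so"
    if [ -L "$lib" ]; then
        basename "$(readlink "$lib")"
    elif [ -e "$lib" ]; then
        echo "regular-file"
    else
        echo "missing"
    fi
}

# "ok" when no override exists, so tctildr falls back to its built-in order
# (tabrmd, then /dev/tpmrm0, then /dev/tpm0); "pinned:<tcti>" when the symlink
# forces a single TCTI, e.g. "pinned:device" for libtss2-tcti-device.so.0.
tcti_default_status() {
    target=$(tcti_default_target "$1")
    case "$target" in
        missing) echo "ok" ;;
        libtss2-tcti-*)
            t=${target#libtss2-tcti-}
            echo "pinned:${t%%.so*}" ;;
        *) echo "pinned:$target" ;;
    esac
}

# Scan the usual library directories (assumed paths; adjust for your distro).
for d in /usr/lib64 /usr/lib /usr/local/lib /usr/lib/x86_64-linux-gnu; do
    echo "$d: $(tcti_default_status "$d")"
done

# Show which kernel fallbacks would be reachable if the override were removed.
for dev in /dev/tpmrm0 /dev/tpm0; do
    if [ -e "$dev" ]; then echo "$dev: present"; else echo "$dev: absent"; fi
done
# For the loader's own view, rerun the failing command with TSS2_LOG=tcti+trace.
```

A "pinned:device" result on a host without /dev/tpm0 reproduces the "Failed to open device file /dev/tpm0" error in this thread even though tabrmd is running.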

CajusH commented 4 years ago

Yes, there is a symbolic link from libtss2-tcti-default.so to libtss2-tcti-device.so. It is generated by default by the tpm2-tss package, and the configure option to set a different lib as default isn't working in the package, so I deleted the symlink manually and the error messages are gone.

I also found the problem with the ECDSA operations from README.md: the "mydata" file was corrupt.

Thanks for your help! Cajus