Closed CajusH closed 4 years ago
Hmmm... Did you export the OPENSSL_CONF environment variable to use the openssl.cnf file you created ?
No, this has never been required and I see that the engine is used: every time I issue a command using openssl I see
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set.
on the system console. As I tried the command examples from README.md again this morning, some of them seem to work now. I have no explanation why it is working now; maybe a reboot was required after installation and configuration. Nevertheless tpm2tss-genkey seems to try to access /dev/tpm0, causing the error messages below. The ECDSA operations still do not seem to work.
Engine information
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" (tpm2tss) TPM2-TSS engine for OpenSSL [RSA, RAND] [ available ]
Random data
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set. f8723e71b7380712684a
RSA decrypt
Initializing Setting owner auth to empty auth. Setting parent auth to empty auth. Generating RSA key for 2048 bits keysize. Establishing connection with TPM. ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f8210e7ed90 failed with a000a WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so Initializing Already initialized Creating primary key under owner. Generating the RSA key inside the TPM. Generated the RSA key inside the TPM.
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set. Loading private key mykey Loaded key uses alg-id 1 Creating RSA key object. Created RSA key object. TPM2 Key loaded writing RSA key
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd"
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set. Loading private key mykey Loaded key uses alg-id 1 Creating RSA key object. Created RSA key object. TPM2 Key loaded rsa_priv_dec called for scheme 1 and input data(size=256): 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 Establishing connection with TPM. Creating primary key under owner. Loading key blob. Decrypted message (size=15): 31323334353637383930414243440a
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set. Loading private key mykey Loaded key uses alg-id 1 Creating RSA key object. Created RSA key object. TPM2 Key loaded rsa_priv_dec called for scheme 1 and input data(size=256): 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 Establishing connection with TPM. Creating primary key under owner. Loading key blob. Decrypted message (size=15): 31323334353637383930414243440a
RSA sign
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set. Loading private key mykey Loaded key uses alg-id 1 Creating RSA key object. Created RSA key object. TPM2 Key loaded writing RSA key
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set. Loading private key mykey Loaded key uses alg-id 1 Creating RSA key object. Created RSA key object. TPM2 Key loaded rsa_priv_enc called for scheme 1 and input data(size=15): 31323334353637383930414243440a Padded digest data (size=256): 0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0031323334353637383930414243440a Establishing connection with TPM. Creating primary key under owner. Loading key blob. Signing (via decrypt operation). Signature done (size=256): 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
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" Signature Verified Successfully
ECDSA operations
If I add “ECDSA” to default_algorithms in my openssl.cnf (e.g. default_algorithms = RSA, RAND, ECDSA) I get an error, so I assume this algorithm is not supported???
Initializing (rdrand) Intel RDRAND engine (dynamic) Dynamic engine loading support (tpm2tss) TPM2-TSS engine for OpenSSL 139720382007104:error:260BD096:engine routines:ENGINE_set_default_string:invalid string:crypto/engine/eng_fat.c:91:str=RSA, RAND, ECDSA 139720382007104:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=tpm2tss_section, name=default_algorithms, value=RSA, RAND, ECDSA 139720382007104:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:173:module=engines, value=engine_section, retcode=-1
With default_algorithms = RSA, RAND I get
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" (rdrand) Intel RDRAND engine (dynamic) Dynamic engine loading support (tpm2tss) TPM2-TSS engine for OpenSSL
I am not sure if this is the root cause for the failure in the second command of the ECDSA operations section.
Initializing Setting owner auth to empty auth. Setting parent auth to empty auth. GenKey for ecdsa. Establishing connection with TPM. ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f27a71ded90 failed with a000a WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so Initializing Already initialized Creating primary key under owner. Generating the ECC key inside the TPM. Generated the ECC key inside the TPM.
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set. Loading private key mykey Loaded key uses alg-id 23 Creating ECC key object. Created ECC key object. TPM2 Key loaded ecdsa_sign called for input data(size=15): 31323334353637383930414243440a Public Key operation error 139993813067584:error:8007806B:tpm2-tss-engine:ecdsa_sign:Unknown padding scheme requested:src/tpm2-tss-engine-ecc.c:208: 139993813067584:error:8007406F:tpm2-tss-engine:esys_ctx_free:Some unknown error occured:src/tpm2-tss-engine-common.c:106:
Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set. Loading private key mykey Loaded key uses alg-id 23 Creating ECC key object. Created ECC key object. TPM2 Key loaded Signature Verification Failure
Self Signed certificate generate operation
Initializing Setting owner auth to empty auth. Setting parent auth to empty auth. Generating RSA key for 2048 bits keysize. Establishing connection with TPM. ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f7ae05f8d90 failed with a000a WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so Initializing Already initialized Creating primary key under owner. Generating the RSA key inside the TPM. Generated the RSA key inside the TPM.
No template, please set one up. problems making Certificate Request
Would you mind exporting TSS2_LOG=tcti+trace and then sharing the output of genkey?
TPM2TOOLS_TCTI=tabrmd:bus_name=com.intel.tss2.Tabrmd
Initializing Setting owner auth to empty auth. Setting parent auth to empty auth. Generating RSA key for 2048 bits keysize. Establishing connection with TPM. debug:tcti:src/tss2-tcti/tctildr-dl.c:293:tctildr_get_tcti() name: "(null)", conf: "(null)" debug:tcti:src/tss2-tcti/tctildr-dl.c:240:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-default.so trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-default.so trace:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_info() Attempting to load TCTI info trace:tcti:src/tss2-tcti/tctildr.c:86:tcti_from_info() Loaded TCTI info named: tcti-device trace:tcti:src/tss2-tcti/tctildr.c:87:tcti_from_info() TCTI description: TCTI module for communication with Linux kernel interface. trace:tcti:src/tss2-tcti/tctildr.c:88:tcti_from_info() TCTI config_help: Path to TPM character device. Default value is: TCTI_DEVICE_DEFAULT trace:tcti:src/tss2-tcti/tctildr.c:44:tcti_from_init() Initializing TCTI for config: (null) ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f319ecf9d90 failed with a000a WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so debug:tcti:src/tss2-tcti/tctildr-dl.c:245:tctildr_get_default() Failed to load standard TCTI number 0 debug:tcti:src/tss2-tcti/tctildr-dl.c:240:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-tabrmd.so trace:tcti:src/tss2-tcti/tctildr-dl.c:132:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-tabrmd.so.0 trace:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_info() Attempting to load TCTI info trace:tcti:src/tss2-tcti/tctildr.c:86:tcti_from_info() 
Loaded TCTI info named: tcti-abrmd trace:tcti:src/tss2-tcti/tctildr.c:87:tcti_from_info() TCTI description: TCTI module for communication with tabrmd. trace:tcti:src/tss2-tcti/tctildr.c:88:tcti_from_info() TCTI config_help: This conf string is a series of key / value pairs where keys and values are separated by the '=' character and each pair is separated by the ',' character. Valid keys are "bus_name" and "bus_type". trace:tcti:src/tss2-tcti/tctildr.c:44:tcti_from_init() Initializing TCTI for config: (null) debug:tcti:src/tss2-tcti/tctildr.c:68:tcti_from_init() Initialized TCTI for config: (null) debug:tcti:src/tss2-tcti/tctildr.c:96:tcti_from_info() Initialized TCTI named: tcti-abrmd debug:tcti:src/tss2-tcti/tctildr-dl.c:158:tcti_from_file() Initialized TCTI file: libtss2-tcti-tabrmd.so.0 Initializing Already initialized Creating primary key under owner. Generating the RSA key inside the TPM. Generated the RSA key inside the TPM.
Ok, so it seems like you have a symbolic link from libtss2-tcti-default.so to libtss2-tcti-device.so. The idea of libtss2-tcti-default.so is to allow users to configure the default way they want to talk to the TPM. Try to get rid of libtss2-tcti-default.so; then the regular search order of tabrmd, tpmrm0, tpm0 should be executed.
P.S. The TPM2TOOLS_TCTI variable only influences the tpm2-tools project, not the tpm2-tss-engine. As the name should imply, I think.
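The search order described above, as an added example that is not part of the issue or of the tpm2-tss-engine project: a small POSIX shell helper that reports what libtss2-tcti-default.so points at and predicts which TCTI the tctildr fallback will pick for a given library directory, device directory and tabrmd state (all three are passed in, so the demo runs on a constructed directory layout rather than the real /usr/lib64).

```shell
#!/bin/sh
# Added example, not code from the issue or from tpm2-tss-engine. It models the tctildr
# fallback order stated in the thread: libtss2-tcti-default.so wins if present,
# otherwise tabrmd, then /dev/tpmrm0, then /dev/tpm0. Paths are arguments so the
# functions can be pointed at a constructed layout or at the real directories.

# Report what libtss2-tcti-default.so in "$1" points at: "none", "file", or the link target.
tcti_default_target() {
    link="$1/libtss2-tcti-default.so"
    if [ -L "$link" ]; then
        readlink "$link"
    elif [ -e "$link" ]; then
        echo "file"
    else
        echo "none"
    fi
}

# Predict the TCTI that will be used when nothing selects one explicitly.
# $1 = library dir, $2 = device dir, $3 = "yes" if tabrmd is reachable on D-Bus.
predict_tcti() {
    target=$(tcti_default_target "$1")
    if [ "$target" != none ]; then
        echo "default:$target"       # a default symlink short-circuits the search
        return 0
    fi
    if [ "$3" = yes ]; then echo "tabrmd"; return 0; fi
    if [ -e "$2/tpmrm0" ]; then echo "device:$2/tpmrm0"; return 0; fi
    if [ -e "$2/tpm0" ]; then echo "device:$2/tpm0"; return 0; fi
    echo "none"
}

# Demo on a constructed layout mirroring the reporter's box: the packaged symlink
# points at the device TCTI, tabrmd is running, but no /dev/tpm* node exists.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/lib" "$tmp/dev"
    ln -s libtss2-tcti-device.so "$tmp/lib/libtss2-tcti-default.so"
    echo "with symlink:    $(predict_tcti "$tmp/lib" "$tmp/dev" yes)"
    rm "$tmp/lib/libtss2-tcti-default.so"
    echo "symlink removed: $(predict_tcti "$tmp/lib" "$tmp/dev" yes)"
    rm -r "$tmp"
}
demo
```

Run it against the real system with `predict_tcti /usr/lib64 /dev yes` after sourcing the file; "default:libtss2-tcti-device.so" reproduces the situation in this thread, where the symlink forces the device TCTI even though tabrmd is available.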
Yes, there is a symbolic link from libtss2-tcti-default.so to libtss2-tcti-device.so. It is generated by default by the tpm2-tss package, and the configure option to set a different lib as default isn’t working in the package, so I deleted the symlink manually and the error messages are gone.
I also found the problem with the ECDSA operations from README.md: the “mydata” file was corrupt.
Thanks for your help! Cajus
I am trying to get tpm2-tss-engine working with tpm2simulator (from http://github.com/stwagnr/tpm2simulator.git). There is no physical TPM available in my system. I am using tpm2-tss-2.3.2, tpm2-tools-4.0.1, tpm2-abrmd-2.3.1, tpm2simulator, tpm2-tss-engine-1.1.0-rc0.
tpm2-abrmd is running with the option "--tcti=mssim". For the tpm2-tools I set TPM2TOOLS_TCTI=tabrmd:bus_name=com.intel.tss2.Tabrmd. tpm2-tools work as expected with these settings.
I have added the openssl.conf.sample to my /etc/ssl/openssl.cnf with the required changes:
dynamic_path = /usr/lib64/engines-1.1/libtpm2tss.so (lib64 instead of lib)
default_algorithms = RSA, RAND (ECDSA from the sample is not supported?!)
SET_TCTI = tabrmd:bus_name=com.intel.tss2.Tabrmd
The SET_TCTI is the same as I set in the environment for the tpm2-tools.
tpm2tss-genkey fails because it always tries to use /dev/tpm0, not using the one from SET_TCTI?
./tpm2tss-genkey mykey Initializing Setting owner auth to empty auth. Setting parent auth to empty auth. Generating RSA key for 2048 bits keysize. Establishing connection with TPM. ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7f26073e7d90 failed with a000a WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-default.so Initializing Already initialized Creating primary key under owner. Generating the RSA key inside the TPM. Generated the RSA key inside the TPM.
I also tried SET_TCTI = device:/dev/tttpm00 but it isn't using this setting either.
openssl req -new -x509 -keyform engine -engine tpm2tss -out rsa.crt -subj dummyCert Initializing Setting TCTI option to "tabrmd:bus_name=com.intel.tss2.Tabrmd" engine "tpm2tss" set. Generating a 2048 bit RSA private key ...................+++++ ..................+++++ writing new private key to 'privkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
problems making Certificate Request
This does not work either ("problems making Certificate Request"), but maybe because of the failing tpm2tss-genkey?
If I use the tpm2-tools, I can see the access to the TPM, as the tpm2simulator keeps all its data in /tmp/NVChip and the date changes if I write something to the TPM. But the date never changes when I use openssl and the tpm2-tss-engine.
Any ideas what I am doing wrong?