tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

tpm2tss-genkey fails with ecdsa but not rsa on ARM #229

Closed johnneren closed 3 years ago

johnneren commented 3 years ago

Hi.

I was hoping to get a pointer in the right direction for an issue I am facing. I currently use the TPM2 module on a Debian ARM-based Moxa device to generate an RSA key with the command:

tpm2tss-genkey -a rsa test_rsa.key

But now I want to generate an extra key for an IoT hub that requires an ECC-based key. I presume this could be done with (please correct me if I have misunderstood):

tpm2tss-genkey -a ecdsa test_ecc.key

But this command always fails with

Error: Generating key failed
Key could not be generated.

After enabling debug and debugging with GDB I can see that the flow between rsa and ecdsa is very different, and it fails because the bind()/init_engine() functions are never called and thus the ec_key_app_data variable is -1.

moxa@Moxa:/tmp$ tpm2tss-genkey -a ecdsa test_ecc.key
GenKey for ecdsa.
Establishing connection with TPM.
Creating primary key under owner.
Generating the ECC key inside the TPM.
Generated the ECC key inside the TPM.
Module uninitialized
Module uninitialized
Error: Generating key failed
Key could not be generated.

My original setup with only rsa was using: tpm2-tss_2.3.2 tpm2-tss-engine_1.0.1 tpm2-tools_4.1.1 tpm2-abrmd_2.3.1

I tried upgrading to: tpm2-tss_3.1.0 tpm2-tss-engine_1.1.0 tpm2-tools_5.1.1 tpm2-abrmd_2.4.0

But that did not fix anything. I'm using OpenSSL 1.1.0l 10 Sep 2019.

Any suggestions or ideas on how I can get tpm2tss-genkey to generate an ECC key are more than welcome.

Thanks.

AndreasFuchsTPM commented 3 years ago

Hmmm... This is weird... See this test in our CI that's working correctly: https://github.com/tpm2-software/tpm2-tss-engine/blob/master/test/ecdsa.sh

What happens if you use --enable-integration and call make check? (You have to have the tpm-simulator installed for this.)

johnneren commented 3 years ago

The test works fine :)

To further debug, I decided to 'throw away' some complexity in my build system. Normally I build my TPM libs with a cross compiler in a Docker image and generate Debian packages for deployment.

To remove all these possible sources of uncertainty, I decided to try to just install the build system on my embedded Moxa device and git clone + build the tpm2-tss-engine directly on it with make install. Using that process, the binary can generate an ECC key without any issue.

I obviously have an issue in my build chain somewhere. Thanks a lot for the fast response! I'll close this issue and investigate my build setup.