Closed mgerstner closed 5 years ago
The idea about the default was to provide a hook for update-alternatives, i.e. if you install tpm2-abrmd you will link to its tcti, if you don't install it, you link to tcti-device.
The thing about the .0 suffixes is an issue for tpm2-tss, but also gonna be mine there. I should probably also change the loglevel from warning to info in that case...
Since this is a tpm2-tss issue, I'll close it here.
We are currently packaging tpm2-tss-engine for SUSE Linux distributions. I did some first tests and I'm wondering about the situation with looking up a working tcti library. While I think the issue originates in tpm2-tss itself the effects currently only show in tpm2-tss-engine. If you think it's more appropriate I can also move this issue over to tpm2-tss instead.
In your own example output in `README.md` we can see the warnings of the form:

It turns out that tpm2-tss-engine utilizes the tpm2-tss call `Esys_Initialize()` and doesn't explicitly specify any tcti mechanism or ABI to use. In this case the tpm2-tss's internal function `get_tcti_default()` iterates over a couple of TCTI names to try like:

or if that fails it tries to directly talk to `/dev/tpm0`, `/dev/tpmrm0` or a simulator.

This leads to the following problems:

- `.so` symlinks without version number are usually only packaged in `-devel` packages that are not usually installed by users. This was already brought up in tpm2-abrmd and tpm2-tools e.g. in issue tpm2-software/tpm2-tools#1057.
- `tpm2-abrmd` but not be allowed to open the `/dev/tpm0` device directly. If the tpm2-tss-engine fails to open the tabrmd tcti and falls back to using `/dev/tpm0` directly then this will fail due to missing permissions in such a case.

There seems to be some inconsistency in the handling of opening the tcti libraries. In tpm2-abrmd the versioned variant of the tctis are opened in `tcti_util_discover_info()`. The same is true for tpm2-tools in `tpm2_tcti_ldr_dlopen()`. They're trying to open libraries of the form `libtss2-tcti-%s.so.0`. tpm2-tss's own `get_tcti_default()` implementation is not doing this, however.

It is also unclear to me what the `libtss2-tcti-default.so` library is about that `get_tcti_default()` tries to load before any other tcti. There is no sign of this library and/or symlink being created anywhere in the tpm2 projects. Also I couldn't find any documentation on it. Are packagers or admins expected to create this link themselves to their liking? Another way to specify a default tcti seems to be to specify `--with-tctidefaultmodule` when building tpm2-tss.
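
A packager-side check for the lookup difference described in this issue, added here as an illustration; it is not part of the original issue and not code from any tpm2 project. The candidate order in `TCTI_NAMES`, the helpers `probe`, `selected` and `make_fake_loader`, and the `RUNTIME_ONLY` sample are assumptions made for the example.

```python
import ctypes

# Assumed priority order, taken from the names this issue mentions; the real
# list inside tpm2-tss may differ.
TCTI_NAMES = ("default", "tabrmd", "device")


def probe(names=TCTI_NAMES, loader=ctypes.CDLL, abi="0"):
    """Try dlopen() on the unversioned and the versioned name of each TCTI."""
    report = {}
    for name in names:
        found = {}
        for kind, soname in (("unversioned", f"libtss2-tcti-{name}.so"),
                             ("versioned", f"libtss2-tcti-{name}.so.{abi}")):
            try:
                loader(soname)          # ctypes.CDLL wraps dlopen()
                found[kind] = True
            except OSError:             # raised when dlopen() fails
                found[kind] = False
        report[name] = found
    return report


def selected(report, try_versioned):
    """First TCTI a loader would pick, or None if it must fall back to /dev/tpm*."""
    for name, found in report.items():
        if found["unversioned"] or (try_versioned and found["versioned"]):
            return name
    return None


def make_fake_loader(installed):
    """Constructed stand-in for dlopen(): only names in `installed` load."""
    def loader(soname):
        if soname not in installed:
            raise OSError(f"{soname}: cannot open shared object file")
        return soname
    return loader


# Constructed sample: runtime packages only, no -devel symlinks installed.
RUNTIME_ONLY = {"libtss2-tcti-tabrmd.so.0", "libtss2-tcti-device.so.0"}

if __name__ == "__main__":
    for label, loader in (("sample", make_fake_loader(RUNTIME_ONLY)),
                          ("this host", ctypes.CDLL)):
        r = probe(loader=loader)
        print(label, "unversioned-only ->", selected(r, False),
              "| with .so.0 ->", selected(r, True))
```

On the constructed runtime-only sample, a lookup that tries only unversioned names finds nothing and has to go to the device nodes, while a lookup that also tries `.so.0` selects the tabrmd TCTI.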