tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

Inconsistencies with looking up tcti libraries when using `Esys_Initialize()` #66

Closed mgerstner closed 5 years ago

mgerstner commented 5 years ago

We are currently packaging tpm2-tss-engine for SUSE Linux distributions. I did some first tests and I'm wondering about the situation with looking up a working tcti library. While I think the issue originates in tpm2-tss itself the effects currently only show in tpm2-tss-engine. If you think it's more appropriate I can also move this issue over to tpm2-tss instead.

In your own example output in README.md we can see the warnings of the form:

WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so

It turns out that tpm2-tss-engine utilizes the tpm2-tss call Esys_Initialize() and doesn't explicitly specify any tcti mechanism or ABI to use. In this case the tpm2-tss's internal function get_tcti_default() iterates over a couple of TCTI names to try like:

or if that fails it tries to directly talk to /dev/tpm0, /dev/tpmrm0 or a simulator.

This leads to the following problems:

There seems to be some inconsistency in the handling of opening the tcti libraries. In tpm2-abrmd the versioned variant of the tctis are opened in tcti_util_discover_info(). The same is true for tpm2-tools in tpm2_tcti_ldr_dlopen(). They're trying to open libraries of the form libtss2-tcti-%s.so.0. tpm2-tss's own get_tcti_default() implementation is not doing this, however.

It is also unclear to me what the libtss2-tcti-default.so library is about that get_tcti_default() tries to load before any other tcti. There is no sign of this library and/or symlink being created anywhere in the tpm2 projects. Also I couldn't find any documentation on it. Are packagers or admins expected to create this link themselves to their liking? Another way to specify a default tcti seems to be to specify --with-tctidefaultmodule when building tpm2-tss.

AndreasFuchsTPM commented 5 years ago

The idea about the default was to provide a hook for update-alternatives, i.e. if you install tpm2-abrmd you will link to its tcti, if you don't install it, you link to tcti-device.

The thing about the .0 suffixes is an issue for tpm2-tss, but also gonna be mine there. I should probably also change the loglevel from warning to info in that case...
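As an added illustration (this script is not part of tpm2-tss-engine, tpm2-tss or the comments above), the following POSIX sh snippet makes the two file-name schemes described in the report concrete: the unversioned `libtss2-tcti-<name>.so` form that, per the report, tpm2-tss's `get_tcti_default()` tries, and the versioned `libtss2-tcti-<name>.so.0` form that tpm2-abrmd and tpm2-tools open. It lets a packager or admin check, for a given library directory, which scheme each TCTI name resolves under, including the `default` name that the update-alternatives link would provide. The TCTI names `tabrmd`, `device` and `mssim`, the default search directories and the `LIBDIRS` override are assumptions of this example, not something the issue states.

```shell
#!/bin/sh
# Added example, not project code: report which TCTI file-name scheme
# resolves for a given TCTI name in one or more library directories.
#
# Scheme A (tpm2-tss get_tcti_default, as described in the report): libtss2-tcti-<name>.so
# Scheme B (tpm2-abrmd / tpm2-tools, as described in the report):   libtss2-tcti-<name>.so.0

# Unversioned candidate file name (scheme A).
tcti_unversioned() {
    printf 'libtss2-tcti-%s.so\n' "$1"
}

# Versioned candidate file name (scheme B, SONAME suffix .0).
tcti_versioned() {
    printf 'libtss2-tcti-%s.so.0\n' "$1"
}

# find_tcti_lib NAME DIR...: print the first existing candidate path and
# return 0; the unversioned name is tried first, then the versioned one.
# Returns 1 when neither form exists in any DIR.
find_tcti_lib() {
    name=$1; shift
    for dir in "$@"; do
        for f in "$(tcti_unversioned "$name")" "$(tcti_versioned "$name")"; do
            if [ -e "$dir/$f" ]; then
                printf '%s\n' "$dir/$f"
                return 0
            fi
        done
    done
    return 1
}

# tcti_scheme NAME DIR...: classify the name as "both", "unversioned-only",
# "versioned-only" or "none", so a packager can spot a TCTI that only one
# of the two lookup styles would find.
tcti_scheme() {
    name=$1; shift
    u=1; v=1
    for dir in "$@"; do
        [ -e "$dir/$(tcti_unversioned "$name")" ] && u=0
        [ -e "$dir/$(tcti_versioned "$name")" ] && v=0
    done
    if [ "$u" -eq 0 ] && [ "$v" -eq 0 ]; then echo both
    elif [ "$u" -eq 0 ]; then echo unversioned-only
    elif [ "$v" -eq 0 ]; then echo versioned-only
    else echo none
    fi
}

# report: print the classification for the default TCTI and a few assumed
# concrete TCTI names. Search directories are an assumption; override with
# LIBDIRS="/path/one /path/two".
report() {
    dirs=${LIBDIRS:-/usr/lib64 /usr/lib}
    for n in default tabrmd device mssim; do
        # $dirs is intentionally unquoted so it splits into separate dirs.
        # shellcheck disable=SC2086
        printf '%-8s %s\n' "$n" "$(tcti_scheme "$n" $dirs)"
    done
}

report
```

Run it on a build root or an installed system; a TCTI reported as `versioned-only` is one that tpm2-abrmd and tpm2-tools would find but, according to the report above, `Esys_Initialize()` with no explicit TCTI would not, and `default` reported as `none` means no update-alternatives style link is in place.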

AndreasFuchsTPM commented 5 years ago

Since this is a tpm2-tss issue, I'll close it here.