tpm2-software / tpm2-tss

OSS implementation of the TCG TPM2 Software Stack (TSS2)
https://tpm2-software.github.io
BSD 2-Clause "Simplified" License

Failed to open device file /dev/tpmrm0 while working on tpm2-tss-engine #1435

Closed skboddula closed 5 years ago

skboddula commented 5 years ago

Hi All,

We are working on developing an embedded IoT edge gateway project with the Yocto rocko branch (kernel 4.08). We are currently setting up the TPM2 & TSS2 software packages tpm2-tss, tpm2-abrmd, tpm2-tools and tpm2-tss-engine. We managed to install all these packages and are able to perform basic operations using the TPM, like RSA encryption/decryption. But while trying to generate OpenSSL certificates with tpm2tss as the crypto engine, I get the following errors/warnings:

WARNING:esys:src/tss2-esys/esys_tcti_default.c:139:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:139:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
ERROR:tcti:src/tss2-tcti/tcti-device.c:399:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpmrm0: No such file or directory
WARNING:esys:src/tss2-esys/esys_tcti_default.c:85:tcti_from_init() TCTI init for function 0x7fc2e1b5ccd0 failed with a000a

Running 'ls' for TPM devices gave the following result; I didn't see any tpmrm0 device file. I read somewhere that tpmrm0 kernel resource manager support was added from kernel version > 4.12. If that is the case, can anyone advise on how to integrate tpm2-tss-engine for OpenSSL crypto operations for kernel versions < 4.12?

ls /dev/tpm*
/dev/tpm0

Installed the following versions (integrated from the meta-security OpenEmbedded layer):
tpm2-abrmd_2.0.1
tpm2-tss_2.0.0
tpm2-tools_3.1.1
tpm2-tss-engine_0.9.9

Thanks, Shiva.

diabonas commented 5 years ago

From what you posted, this output is expected and doesn't indicate a failure: different ways to connect to the TPM are tried in order, see esys_context.c:

 * If not specified, load a TCTI in this order:
 *       Library libtss2-tcti-default.so (link to the preferred TCTI)
 *       Library libtss2-tcti-tabrmd.so (tabrmd)
 *       Device /dev/tpmrm0 (kernel resident resource manager)
 *       Device /dev/tpm0 (hardware TPM)
 *       TCP socket localhost:2321 (TPM simulator)

The first three approaches fail, producing the output you posted. If there are no warnings/errors afterwards regarding /dev/tpm0, the library managed to successfully connect to the TPM. You can suppress these warnings by setting the environment variable

TSS2_LOG='esys+error:tcti+none'

but that is really just cosmetic anyway.

diabonas commented 5 years ago

Or probably a better way than suppressing warnings and errors completely, explicitly set the TCTI you want to use to /dev/tpm0 rather than relying on the default init sequence: this can be done in multiple ways, either by adding a library libtss2-tcti-default.so that is a symlink to libtss2-tcti-device.so or by setting the environment variable

TPM2TSSENGINE_TCTI=device:/dev/tpm0

if tpm2-tss-engine was compiled with --enable-tctienvvar.
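The two comments above describe the default TCTI order and how to pin one explicitly. As an added example (not part of the thread or of tpm2-tss), this script reads a captured log, reports the first library or device step without a failure line, and prints the matching explicit setting. The function names are hypothetical, and the check assumes the log is complete.

```shell
#!/bin/sh
# Added example (not from the thread): find where the default TCTI fallback
# stopped, using the failure messages shown in the report above.

# The four log lines from the report above.
SAMPLE_LOG='WARNING:esys:src/tss2-esys/esys_tcti_default.c:139:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:139:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
ERROR:tcti:src/tss2-tcti/tcti-device.c:399:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpmrm0: No such file or directory
WARNING:esys:src/tss2-esys/esys_tcti_default.c:85:tcti_from_init() TCTI init for function 0x7fc2e1b5ccd0 failed with a000a'

# Reads a log on stdin and prints the first library/device step that has no
# failure line. Assumes a complete log: an empty log reports the first step.
# The TCP simulator step is not classified, because its failure message does
# not appear in the thread; "none" means all four earlier steps failed.
first_working_tcti() {
    log=$(cat)
    for step in libtss2-tcti-default.so libtss2-tcti-tabrmd.so \
                /dev/tpmrm0 /dev/tpm0; do
        case $step in
            /dev/*) pat="Failed to open device file $step:" ;;
            *)      pat="Could not load TCTI file: $step" ;;
        esac
        if ! printf '%s\n' "$log" | grep -qF -- "$pat"; then
            echo "$step"
            return 0
        fi
    done
    echo none
    return 1
}

# Maps a device-node step to the explicit setting format shown above.
explicit_tcti() {
    case $1 in
        /dev/*) echo "device:$1" ;;
        *)      return 1 ;;
    esac
}

found=$(printf '%s\n' "$SAMPLE_LOG" | first_working_tcti)
echo "fallback stopped at: $found"
if conf=$(explicit_tcti "$found"); then
    echo "to pin it: export TPM2TSSENGINE_TCTI=$conf"
fi
```
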

AndreasFuchsTPM commented 5 years ago

I guess @diabonas explained all the right stuff. Hope this helps.

One more thing though: tpm2-tss 2.0.0 is old and expired. Same is true for tpm2-tss-engine 0.9.9 (which was pre-release and unstable).

We'll have to look into getting yocto upgraded to supported versions soon.

I'd recommend adapting the recipes manually to use tpm2-tss 2.2.3 and tpm2-tss-engine 1.0.0 and tpm-tools 3.2 (upcoming in a few, use branch 3.X until then).

skboddula commented 5 years ago

Sorry for the late reply, I was tied up with other tasks. Thank you @AndreasFuchsSIT, @diabonas for your responses. As you suggested, I manually upgraded the TPM packages to the suggested versions and am now able to use tpm2-tss-engine for crypto operations.