tpm2-software / tpm2-tss

OSS implementation of the TCG TPM2 Software Stack (TSS2)
https://tpm2-software.github.io
BSD 2-Clause "Simplified" License

tctildr is an enigma #1554

Closed jhealyt closed 4 years ago

jhealyt commented 4 years ago

I'm working on an embedded security product at the moment, and I'm on a hell-bent mission to remove all randomness generators from my device other than the TPM2 chip. I've removed three so far:

(1) The Intel RDRAND engine inside OpenSSL
(2) The DRBG generator built into OpenSSL
(3) The 'mssim' library inside tpm2-tss

The only remaining one is in the Linux kernel, i.e. the one that feeds /dev/random. I will deal with that one another day, as for now I need to get other stuff working.

So anyway I upgraded to the latest version of tpm2-tss, and now I see that there's a new file in my "/usr/lib" directory, and this file is "libtss2-tctildr.so.0.0.0". What is this? Is it some sort of dynamic TCTI loader? I've been doing web searches, and also grep'ing through code, but I can't see an explanation for what it does. I tried deleting it but then "tpm2_getrandom" fails with the error: "error while loading shared libraries: libtss2-tctildr.so.0".

By the way.... previously........... before I knew about the configuration option "--disable-mssim", I went to the bother of making a dummy library so that I could replace the simulator. Here's the code:

#include <stdint.h>    /* uint32_t */

/* The next line makes compilation fail if pointers aren't 64-Bit */
typedef int check_pointer_size[ sizeof(void*) == 8 ? 1 : -1 ];

uint32_t Tss2_Tcti_Mssim_Init(void *a, void *b, void *c)
{
    (void)a;
    (void)b;
    (void)c;

    return 0xA0001;  /* General Failure */
}

uint32_t tcti_platform_command(void *a, uint32_t b)
{
    (void)a;
    (void)b;

    return 0xA000A;  /* IO Failure */
}

struct TSS2_TCTI_INFO {
    uint32_t version;
    char const *name;
    char const *description;
    char const *config_help;
    uint32_t (*init)(void*,void*,void*);
};

struct TSS2_TCTI_INFO const *Tss2_Tcti_Info(void)
{
    static struct TSS2_TCTI_INFO const tss2_tcti_info = {
        .version = 0x2,
        .name = "tcti-socket",
        .description = "TCTI module for communication with the Microsoft TPM2 Simulator.",
        .config_help = "Key / value string in the form \"host=localhost,port=2321\".",
        .init = Tss2_Tcti_Mssim_Init,
    };

    return &tss2_tcti_info;
}

Will I have to do something similar to this in order to remove tctildr?

joholl commented 4 years ago

The tctildr library is indeed a dynamic TCTI loader library and a dependency of the ESAPI layer. To my knowledge there is no option to remove this dependency during configure. However, you do not have to use the TCTI loading mechanism: simply pass a TCTI to Esys_Initialize(). In this case you would need to link against the TCTI library you want to use and initialize it on your own.

If you pass NULL for the TCTI argument to Esys_Initialize(), internally Tss2_TctiLdr_Initialize() will be called to search for an available TCTI. On machines where dlopen() is available, tctildr will search for the following TCTIs (in this order):

https://github.com/tpm2-software/tpm2-tss/blob/1c99117f4d102fd465655ed86aca58909a13c10d/src/tss2-tcti/tctildr-dl.c#L32-L55

After a TCTI library is found, it is dlopen()ed, initialized and used. Note that if you pass a TCTI name to Tss2_TctiLdr_Initialize() such as "mssim", tctildr will try out different variations of that name (e.g. "libtss2-tcti-mssim.so.0").

You should also be aware that you can "overwrite" this search by passing --with-tctidefaultmodule=<...> to configure. In this case, the tctildr will search for this TCTI module only and configure it with the (optional) configure string supplied with --with-tctidefaultconfig=<...>.

You find more information in the man pages (e.g. man Tss2_TctiLdr_Initialize).
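As an added example (not code from the tpm2-tss project or from anyone in this thread), here is a small POSIX sh audit of what the tctildr default search described above could load from a given library directory. The default order encoded in TCTILDR_DEFAULT_ORDER and the name variants in tctildr_named_candidates are assumptions taken from the tctildr-dl.c linked in the answer; the security point is that when no explicit TCTI is passed, a device TCTI failure can fall through to a simulator TCTI such as mssim.

```shell
#!/bin/sh
# Added example, not part of tpm2-tss. The search order below is an ASSUMPTION
# based on tctildr-dl.c: default, tabrmd, device (/dev/tpmrm0, /dev/tpm0), mssim.
TCTILDR_DEFAULT_ORDER="libtss2-tcti-default.so libtss2-tcti-tabrmd.so.0 libtss2-tcti-device.so.0 libtss2-tcti-mssim.so.0"

# Print, in tctildr search order, the default-search modules present in "$1".
tctildr_present() {
    libdir=$1
    for lib in $TCTILDR_DEFAULT_ORDER; do
        [ -e "$libdir/$lib" ] && echo "$lib"
    done
    return 0
}

# File names tctildr tries for an explicit name (e.g. -T mssim). ASSUMED variants:
# the name as given, then libtss2-tcti-<name>.so.0, then libtss2-tcti-<name>.so.
tctildr_named_candidates() {
    name=$1
    printf '%s\n' "$name" "libtss2-tcti-$name.so.0" "libtss2-tcti-$name.so"
}

# Return 0 if the default search can reach no simulator TCTI in "$1", 1 otherwise.
# mssim is the simulator TCTI at the pinned commit; newer releases also ship swtpm.
tctildr_no_simulator() {
    if tctildr_present "$1" | grep -q -e mssim -e swtpm; then
        return 1
    fi
    return 0
}

# Usage: audit the directory where libtss2-tctildr.so.0 was installed.
# tctildr_present /usr/lib && tctildr_no_simulator /usr/lib && echo "no simulator fallback"
```

On the system in this thread, deleting libtss2-tcti-mssim.so.0 (or building with --disable-mssim) is what makes tctildr_no_simulator succeed; passing -T device:/dev/tpmrm0 avoids the fallback chain entirely.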

jhealyt commented 4 years ago

Thank you for this.

I might end up making a dummy library that exports Tss2_TctiLdr_Finalize, Tss2_TctiLdr_FreeInfo, Tss2_TctiLdr_GetInfo, Tss2_TctiLdr_Initialize, Tss2_TctiLdr_Initialize_Ex, so that I can delete it.

I've tried deleting it already but then all the tpm2-tools fail.

joholl commented 4 years ago

The tools depend on the tctildr library as well. They load the TCTI according to what I explained above. If you pass the option -T/--tcti <name> to the tool, this name is passed to Tss2_TctiLdr_Initialize() in order to be loaded.

tstruk commented 4 years ago

More on tctildr can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TCG_TSS_TCTI_v1p0_r17_pubrev.pdf

tstruk commented 4 years ago

Closing the issue. Feel free to reopen if you have more questions.