tpm2-software / tpm2-tss

OSS implementation of the TCG TPM2 Software Stack (TSS2)
https://tpm2-software.github.io
BSD 2-Clause "Simplified" License

Issue with TCTI and Evolution #2427

Open fansari opened 1 year ago

fansari commented 1 year ago

Please check this:

https://bugzilla.redhat.com/show_bug.cgi?id=2129915

https://gitlab.gnome.org/GNOME/evolution/-/issues/2049

I also see this:

[root@bat ~]# journalctl -b | grep -i tcti
Sep 29 13:24:51 bat.localdomain org.gnome.Evolution.desktop[5395]: ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0
Sep 29 13:25:16 bat.localdomain org.gnome.Evolution.desktop[5395]: ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd
Sep 29 13:25:16 bat.localdomain org.gnome.Evolution.desktop[5395]: ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI

williamcroberts commented 1 year ago

What version of fapi, can you do pkg-config --modversion tss2-fapi

fansari commented 1 year ago

I get this output:

[fansari@bat tpm]$ pkg-config --modversion tss2-fapi
Package tss2-fapi was not found in the pkg-config search path.
Perhaps you should add the directory containing `tss2-fapi.pc'
to the PKG_CONFIG_PATH environment variable
Package 'tss2-fapi', required by 'virtual:world', not found

These packages are installed:

[fansari@bat tpm]$ rpm -qa | grep "^tpm\|^tss"
tpm2-tss-3.2.0-3.fc36.x86_64
tpm2-abrmd-selinux-2.3.1-5.fc36.noarch
tss2-1.6.0-4.fc36.x86_64
tpm2-pkcs11-tools-1.7.0-2.fc36.x86_64
tpm2-abrmd-2.4.1-1.fc36.x86_64
tpm2-tools-5.2-2.fc36.x86_64
tpm2-pkcs11-1.7.0-2.fc36.x86_64

williamcroberts commented 1 year ago

Oh, you don't have the development package that contains the .pc files. I'm not sure how to do this offhand, but could you see what version of the tpm2-tss is installed?

fansari commented 1 year ago

Yes, this is tpm2-tss-3.2.0-3.fc36.x86_64.

williamcroberts commented 1 year ago

Hrrm, they're using tctildr, it shouldn't be spewing a bunch of errors since commit 860a2cc which is since 3.1.0. You said you got it working so it's connecting to a TPM, do you know what tcti connection it is making (i.e. how it's getting to the tpm)?

fansari commented 1 year ago

What I got working is the FAPI. This means a command like "tssgetrandom -ns -by 20" does not spit errors but works.

I have no idea about this TCTI at all. I just noticed that Evolution takes a long time to startup and then I checked the error message when I started Evolution on the CLI. I did not intend to do anything with TPM in Evolution.

williamcroberts commented 1 year ago

Ahh understood. Could you strace the tssgetrandom command and attach a log?

fansari commented 1 year ago

Yes. But as I said: this command works now. Also tss2_getrandom is working. tssgetrandom-strace.log tss2_getrandom-strace.log

williamcroberts commented 1 year ago

Yes. But as I said: this command works now. Also tss2_getrandom is working.

Yeah, I wanted to see a successful run. Sorry, I really meant our tss2_getrandom, as tssgetrandom seems to be something else that uses the IBM stack. Looks like it initializes a tpm2-tabrmd connection:

openat(AT_FDCWD, "/lib64/libtss2-tcti-tabrmd.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832

I wonder if the dbus permissions are blocking it? What user/groups (including supplemental groups), is the process running in: Sep 29 13:24:51 bat.localdomain org.gnome.Evolution.desktop[5395]

In older versions of tpm2-tabrmd before commit https://github.com/tpm2-software/tpm2-abrmd/commit/0c659acc0eaf6830fc5f607a0fe99f6e298b5acf it should have allowed anyone to connect, since that commit, which has never been on a release, it requires folks to be in the tss group.

For some reason, in the context of tss2_getrandom it can initialize a dbus connection and in the evolution case it cannot, if we can figure out the contextual difference we will likely get our answer.

fansari commented 1 year ago

I have deinstalled the tss2 package now (this IBM stack). I guess I will not need both stacks.

My user fansari is in the tss group.

[fansari@bat ~]$ id
uid=60257(fansari) gid=60257(fansari) groups=60257(fansari),10(wheel),59(tss),968(jackuser),1100(plugdev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I see these processes:

[fansari@bat ~]$ ps -ef | grep -v grep | grep -i evolution
fansari     3317    2880  0 12:54 ?        00:00:00 /usr/libexec/evolution-source-registry
fansari     3340    2880  0 12:54 ?        00:00:00 /usr/libexec/evolution-calendar-factory
fansari     3378    2880  0 12:54 ?        00:00:00 /usr/libexec/evolution-addressbook-factory
fansari     3520    3134  0 12:54 ?        00:00:00 /usr/libexec/evolution-data-server/evolution-alarm-notify
fansari     4726    3185  1 12:58 ?        00:00:04 evolution
[fansari@bat ~]$ journalctl -b | grep -i tcti
Oct 01 12:58:29 bat.localdomain org.gnome.Evolution.desktop[4726]: ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0
Oct 01 12:58:54 bat.localdomain org.gnome.Evolution.desktop[4726]: ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd
Oct 01 12:58:54 bat.localdomain org.gnome.Evolution.desktop[4726]: ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
[fansari@bat ~]$ ps -e o pid,user,group,supgrp,comm | grep 4726
   4726 fansari  fansari  wheel,tss,jackuser,plugdev,fansari       evolution

williamcroberts commented 1 year ago

I wonder if this an SE Linux dbus permission thing... Do you see any avc denied messages? If you setenforce 0 does the problem go away?

fansari commented 1 year ago

Since I used systemd-homed I changed SELinux to permissive since I could not get things working in enforcing mode.

[fansari@bat keys]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

This means: no - in my case it is not an SELinux issue.

williamcroberts commented 1 year ago

Darn I am really out of ideas. @AndreasFuchsTPM or @JuergenReppSIT have you seen this before at all?

JuergenReppSIT commented 1 year ago

Darn I am really out of ideas. @AndreasFuchsTPM or @JuergenReppSIT have you seen this before at all?

No, I haven't seen such a behaviour. @fansari Perhaps you could check what happens if you create the following link:

sudo ln -s libtss2-tcti-device.so libtss2-tcti-default.so

or add "device:/dev/tpmrm0" for tcti in the fapi profile.

fansari commented 1 year ago

I see these files. But since I am using Fedora Silverblue with OSTree, /usr is write protected.

[root@bat fapi-profiles]# find /usr -name "libtss2*"
/usr/lib64/libtss2-esys.so.0
/usr/lib64/libtss2-esys.so.0.0.0
/usr/lib64/libtss2-fapi.so.1
/usr/lib64/libtss2-fapi.so.1.0.0
/usr/lib64/libtss2-mu.so.0
/usr/lib64/libtss2-mu.so.0.0.0
/usr/lib64/libtss2-rc.so.0
/usr/lib64/libtss2-rc.so.0.0.0
/usr/lib64/libtss2-sys.so.1
/usr/lib64/libtss2-sys.so.1.0.0
/usr/lib64/libtss2-tcti-cmd.so.0
/usr/lib64/libtss2-tcti-cmd.so.0.0.0
/usr/lib64/libtss2-tcti-device.so.0
/usr/lib64/libtss2-tcti-device.so.0.0.0
/usr/lib64/libtss2-tcti-mssim.so.0
/usr/lib64/libtss2-tcti-mssim.so.0.0.0
/usr/lib64/libtss2-tcti-pcap.so.0
/usr/lib64/libtss2-tcti-pcap.so.0.0.0
/usr/lib64/libtss2-tcti-swtpm.so.0
/usr/lib64/libtss2-tcti-swtpm.so.0.0.0
/usr/lib64/libtss2-tcti-tabrmd.so.0
/usr/lib64/libtss2-tcti-tabrmd.so.0.0.0
/usr/lib64/libtss2-tctildr.so.0
/usr/lib64/libtss2-tctildr.so.0.0.0

In the fapi-profile I find nothing about tcti.

I have added this to my P_ECCP256SHA256.json but it does not change the behaviour:

"tcti": "device:/dev/tpmrm0"

JuergenReppSIT commented 1 year ago

I have added this to my P_ECCP256SHA256.json but it does not change the behaviour:

@fansari Sorry, my mistake. "tcti": "device:/dev/tpmrm0" should be added to fapi-config.json.

fansari commented 1 year ago

The problem still persists:

Oct 04 18:27:56 bat.localdomain org.gnome.Evolution.desktop[7704]: ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd
Oct 04 18:27:56 bat.localdomain org.gnome.Evolution.desktop[7704]: ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI

JuergenReppSIT commented 1 year ago

@fansari If you can't create the link could you please try:

ln -s /usr/lib64/libtss2-tcti-device.so.0 libtss2-tcti-default.so
export LD_LIBRARY_PATH=.
evolution

fansari commented 1 year ago

This gives this result:

[fansari@bat evolution-test]$ ln -s /usr/lib64/libtss2-tcti-device.so.0 libtss2-tcti-default.so
[fansari@bat evolution-test]$ export LD_LIBRARY_PATH=.
[fansari@bat evolution-test]$ evolution

** (evolution:6136): WARNING **: 18:01:10.059: Failed to create connection with service: Timeout was reached
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd 
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.

williamcroberts commented 1 year ago

ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI ERROR: Could not initialize tpm ctx: 0x5 ERROR: Getting tokens from esysdb backend failed.

Ahh, so evolution is integrated with tpm2-pkcs11. That's at least another piece of the puzzle.

JuergenReppSIT commented 1 year ago

@fansari The behavior seems to have changed after you created the link and the LD_LIBRARY_PATH was set. Do you have access rights to /dev/tpmrm0? If you are not in the group tss you should execute:

usermod -a -G tss $USER
su - $USER

fansari commented 1 year ago

I already am a member of the tss group.

This user/group stuff has different commands with systemd-homed anyway.

If I remember correctly I did it like this:

homectl update fansari --member-of=wheel,jackuser,plugdev,tss

Here you see the groups my user belongs to:

[fansari@bat keys]$ id
uid=60257(fansari) gid=60257(fansari) groups=60257(fansari),10(wheel),59(tss),968(jackuser),1100(plugdev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I joined the tss group right after I installed the TPM2 chip into my PC.

Here are the permissions of /dev/tpmrm0:

crw-rw----. 1 tss tss 253, 65536 Oct  8 12:59 /dev/tpmrm0

I can work with the TPM2 chip in general. For example something like this works:

[fansari@bat keys]$ tss2_getrandom --numBytes=20 --hex --data=-
04b72c27684d56c57195171570fab152385c9aba

JuergenReppSIT commented 1 year ago

@fansari To get more information could you please execute: TPM2_PKCS11_LOG_LEVEL=2 evolution

fansari commented 1 year ago

[fansari@bat evolution-test]$ export LD_LIBRARY_PATH=.
[fansari@bat evolution-test]$ TPM2_PKCS11_LOG_LEVEL=2 evolution
INFO on line: "393" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "393" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "381" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "41" in file: "src/lib/backend.c": Initializing backends
INFO on line: "115" in file: "src/lib/backend_fapi.c": Calling Fapi_Initialize
INFO on line: "1331" in file: "src/lib/db.c": Could not stat db at path "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "2529" in file: "src/lib/db.c": Using sqlite3 DB: "/home/fansari/.tpm2_pkcs11/tpm2_pkcs11.sqlite3"
INFO on line: "2487" in file: "src/lib/db.c": No DB upgrade needed
INFO on line: "437" in file: "src/lib/tpm.c": tcti=tabrmd:

** (evolution:16454): WARNING **: 16:45:40.653: Failed to create connection with service: Timeout was reached
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR on line: "61" in file: "src/lib/token.c": Could not initialize tpm ctx: 0x5
ERROR on line: "183" in file: "src/lib/backend.c": Getting tokens from esysdb backend failed.
INFO on line: "76" in file: "src/lib/backend.c": Destroying backends
INFO on line: "125" in file: "src/lib/backend_fapi.c": Calling Fapi_Finalize
INFO on line: "381" in file: "src/pkcs11.c": return "C_Initialize" value: 5

JuergenReppSIT commented 1 year ago

@fansari Could you please produce this trace with: export TPM2_PKCS11_TCTI=device:/dev/tpmrm0

fansari commented 1 year ago

[fansari@bat evolution-test]$ export LD_LIBRARY_PATH=.
[fansari@bat evolution-test]$ export TPM2_PKCS11_TCTI=device:/dev/tpmrm0
[fansari@bat evolution-test]$ TPM2_PKCS11_LOG_LEVEL=2 evolution
INFO on line: "393" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "393" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "381" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "41" in file: "src/lib/backend.c": Initializing backends
INFO on line: "115" in file: "src/lib/backend_fapi.c": Calling Fapi_Initialize
INFO on line: "1331" in file: "src/lib/db.c": Could not stat db at path "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "2529" in file: "src/lib/db.c": Using sqlite3 DB: "/home/fansari/.tpm2_pkcs11/tpm2_pkcs11.sqlite3"
INFO on line: "2487" in file: "src/lib/db.c": No DB upgrade needed
INFO on line: "437" in file: "src/lib/tpm.c": tcti=device:/dev/tpmrm0
INFO on line: "412" in file: "src/lib/mech.c": Updating mech detail table that PSS signatures are: bad
INFO on line: "186" in file: "src/lib/backend.c": Esysdb returned 1 token
INFO on line: "299" in file: "src/lib/backend_fapi.c": /P_ECCP256SHA256/HS/SRK aka /HS/SRK is not a token, ignoring
INFO on line: "299" in file: "src/lib/backend_fapi.c": /P_ECCP256SHA256/HS/SRK/mySigningKey aka /HS/SRK/mySigningKey is not a token, ignoring
INFO on line: "201" in file: "src/lib/backend.c": FAPI + Esysdb returned 1 token
INFO on line: "437" in file: "src/lib/tpm.c": tcti=device:/dev/tpmrm0
INFO on line: "234" in file: "src/lib/backend.c": Esysdb + FAPI returned 2 token
INFO on line: "381" in file: "src/pkcs11.c": return "C_Initialize" value: 0
INFO on line: "397" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "397" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "397" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "397" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "397" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "397" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "397" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "397" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "397" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "397" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "397" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "397" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "401" in file: "src/pkcs11.c": enter "C_GetSlotInfo"
INFO on line: "401" in file: "src/pkcs11.c": return "C_GetSlotInfo" value: 0
INFO on line: "405" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "405" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
INFO on line: "413" in file: "src/pkcs11.c": enter "C_GetMechanismList"
INFO on line: "413" in file: "src/pkcs11.c": return "C_GetMechanismList" value: 0
INFO on line: "413" in file: "src/pkcs11.c": enter "C_GetMechanismList"
INFO on line: "413" in file: "src/pkcs11.c": return "C_GetMechanismList" value: 0
INFO on line: "433" in file: "src/pkcs11.c": enter "C_OpenSession"
INFO on line: "433" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
INFO on line: "433" in file: "src/pkcs11.c": enter "C_OpenSession"
INFO on line: "433" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
INFO on line: "489" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "489" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "493" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "493" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "497" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "497" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "437" in file: "src/pkcs11.c": enter "C_CloseSession"
INFO on line: "437" in file: "src/pkcs11.c": return "C_CloseSession" value: 0
INFO on line: "641" in file: "src/pkcs11.c": enter "C_GenerateRandom"
INFO on line: "641" in file: "src/pkcs11.c": return "C_GenerateRandom" value: 0
INFO on line: "637" in file: "src/pkcs11.c": enter "C_SeedRandom"
INFO on line: "637" in file: "src/pkcs11.c": return "C_SeedRandom" value: 0
INFO on line: "489" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "489" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "493" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "493" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "497" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "497" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "401" in file: "src/pkcs11.c": enter "C_GetSlotInfo"
INFO on line: "401" in file: "src/pkcs11.c": return "C_GetSlotInfo" value: 0
INFO on line: "405" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "405" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
INFO on line: "413" in file: "src/pkcs11.c": enter "C_GetMechanismList"
INFO on line: "413" in file: "src/pkcs11.c": return "C_GetMechanismList" value: 0
INFO on line: "413" in file: "src/pkcs11.c": enter "C_GetMechanismList"
INFO on line: "413" in file: "src/pkcs11.c": return "C_GetMechanismList" value: 0
INFO on line: "433" in file: "src/pkcs11.c": enter "C_OpenSession"
INFO on line: "433" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
INFO on line: "433" in file: "src/pkcs11.c": enter "C_OpenSession"
INFO on line: "433" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
INFO on line: "489" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "357" in file: "src/lib/object.c": Token 2 contains no objects.
INFO on line: "489" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "493" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "493" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "497" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "497" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "437" in file: "src/pkcs11.c": enter "C_CloseSession"
INFO on line: "437" in file: "src/pkcs11.c": return "C_CloseSession" value: 0
INFO on line: "641" in file: "src/pkcs11.c": enter "C_GenerateRandom"
INFO on line: "641" in file: "src/pkcs11.c": return "C_GenerateRandom" value: 0
INFO on line: "637" in file: "src/pkcs11.c": enter "C_SeedRandom"
INFO on line: "637" in file: "src/pkcs11.c": return "C_SeedRandom" value: 0
INFO on line: "489" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "357" in file: "src/lib/object.c": Token 2 contains no objects.
INFO on line: "489" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "493" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "493" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "497" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "497" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0

evolution opens quickly now. Even if I don't set LD_LIBRARY_PATH.

Seems that this TPM2_PKCS11_TCTI did the trick.

What does this mean? Does evolution expect this device somewhere else by default?

I have an idea: I found this im my .bashrc:

export TPM2_PKCS11_TCTI=tabrmd:

This was recommended in some documentation. So I simply followed this advice and set it. Seems this was a mistake.

Well, not really. Unsetting this gives the waiting problem again.

When I set this in my .bashrc as you said I at least avoid this waiting problem.

But TCTI still reports an error:

[fansari@bat evolution-test]$ export LD_LIBRARY_PATH=.
[fansari@bat evolution-test]$ evolution
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.

JuergenReppSIT commented 1 year ago

@fansari Thank you for your patience and for the hint with your .bashrc. That explains why setting the LD_LIBRARY_PATH did not work. What happens if you use the tool commands with tabrmd? e.g.: tpm2_getcap handles-persistent -Ttabrmd

fansari commented 1 year ago

[fansari@bat evolution-test]$ tpm2_getcap handles-persistent -Ttabrmd
- 0x81000001
- 0x81010001

JuergenReppSIT commented 1 year ago

@fansari Does everything work if you set: export TPM2_PKCS11_TCTI=device:/dev/tpmrm0 in your .bashrc, execute bash, and start evolution?

fansari commented 1 year ago

Yes - this is what I tried. Now it is fast but still with errors:

[fansari@bat evolution-test]$ evolution
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.

JuergenReppSIT commented 1 year ago

@fansari That's strange. In the last trace you produced there were no error messages. Could you please produce the trace again with TPM2_PKCS11_LOG_LEVEL=2 evolution

fansari commented 1 year ago

[fansari@bat evolution-test]$ export LD_LIBRARY_PATH=.
[fansari@bat evolution-test]$ TPM2_PKCS11_LOG_LEVEL=2 evolution
INFO on line: "393" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "393" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "381" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "41" in file: "src/lib/backend.c": Initializing backends
INFO on line: "115" in file: "src/lib/backend_fapi.c": Calling Fapi_Initialize
INFO on line: "1331" in file: "src/lib/db.c": Could not stat db at path "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3", error: No such file or directory
INFO on line: "2529" in file: "src/lib/db.c": Using sqlite3 DB: "/home/fansari/.tpm2_pkcs11/tpm2_pkcs11.sqlite3"
INFO on line: "2487" in file: "src/lib/db.c": No DB upgrade needed
INFO on line: "437" in file: "src/lib/tpm.c": tcti=/dev/tpmrm0
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR on line: "61" in file: "src/lib/token.c": Could not initialize tpm ctx: 0x5
ERROR on line: "183" in file: "src/lib/backend.c": Getting tokens from esysdb backend failed.
INFO on line: "76" in file: "src/lib/backend.c": Destroying backends
INFO on line: "125" in file: "src/lib/backend_fapi.c": Calling Fapi_Finalize
INFO on line: "381" in file: "src/pkcs11.c": return "C_Initialize" value: 5

JuergenReppSIT commented 1 year ago

@fansari There is one difference. When it worked you used "device:/dev/tpmrm0"; in the error case you used "/dev/tpmrm0".

fansari commented 1 year ago

You are right. I forgot the "device:" part in my .bashrc. Now evolution starts without errors.

So this was the solution:

export TPM2_PKCS11_TCTI=device:/dev/tpmrm0

Only question remaining: why is this necessary? What does evolution assume instead?

And if evolution is expecting something else: why is this not working on my system?

From my perspective the default should work.

But of course this is another topic since I guess you are not a developer of evolution.

I have updated the evolution ticket.

https://bugzilla.redhat.com/show_bug.cgi?id=2129915

JuergenReppSIT commented 1 year ago

@fansari Now the kernel resource manager is used instead of the tabrmd resource manager. It's strange that the tpm2 tools work with tabrmd while there is a problem with libtpm2_pkcs11. I'm not familiar with tabrmd. Perhaps @williamcroberts has an idea?

JuergenReppSIT commented 1 year ago

@fansari Perhaps you could try to execute: sudo journalctl -u tpm2-abrmd.service to check whether there are any problems with abrmd.

fansari commented 1 year ago

This is the output:

-- Boot 9cef9d43a69c4391b04cc7accf68dacd --
Oct 08 12:48:23 bat.localdomain systemd[1]: Starting tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon...
Oct 08 12:48:23 bat.localdomain systemd[1]: Started tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon.
Oct 08 12:58:25 bat.localdomain systemd[1]: Stopping tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon...
Oct 08 12:58:25 bat.localdomain systemd[1]: tpm2-abrmd.service: Deactivated successfully.
Oct 08 12:58:25 bat.localdomain systemd[1]: Stopped tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon.
-- Boot e5f16c58f7de405580e08766e3383524 --
Oct 08 12:59:25 bat.localdomain systemd[1]: Starting tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon...
Oct 08 12:59:25 bat.localdomain systemd[1]: Started tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon.

AndreasFuchsTPM commented 1 year ago

export TPM2_PKCS11_TCTI=device:/dev/tpmrm0

Only question remaining: why is this necessary? What does evolution assume instead?

And if evolution is expecting something else: why is this not working on my system?

From my perspective the default should work.

If no TPM2_PKCS11_TCTI environment variable is specified, that "sane" (TM) default should be executed. That is, try tpm2-abrmd first, then /dev/tpmrm0, then /dev/tpm0 etc.

I'd propose to have a look at env | grep TCTI and look for anything unusual there.

As for why the tcti-tabrmd does not work; this must have something to do with dbus permissions or the unix domain socket that is used by this tcti to communicate with the daemon.

Are you running evolution in a container or directly on the OS? (I read some container info somewhere along the lines) What additional restrictions (such as SELinux or AppArmor) are in place? Maybe you could call dbus-monitor --system and see if there are some hints on what's going on.
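
One way to automate the checks that came out of this thread, as an added example that is not code from tpm2-tss, tpm2-pkcs11 or anyone in the thread: a POSIX shell helper that splits a TPM2_PKCS11_TCTI value the way tctildr reads it (TCTI name before the first colon, configuration after it), flags the bare "/dev/tpmrm0" form that was the .bashrc mistake above, and runs the tss-group, tpm2-abrmd.service and /dev/tpmrm0 permission checks suggested by Juergen and Andreas. The function names, the classification words and the WARN/HINT wording are this example's own assumptions.

```shell
#!/bin/sh
# tcti_check.sh: added diagnostic helper (not from tpm2-tss, tpm2-pkcs11 or
# the thread). It applies the thread's diagnosis to a TPM2_PKCS11_TCTI value.

# tctildr reads a TCTI string as "name:conf": the text before the first colon
# names the TCTI to load (the journal above shows it trying "tabrmd" and
# "libtss2-tcti-tabrmd.so.0"); the remainder is handed to that TCTI as config.
tcti_name() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

tcti_conf() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# Classify the variable's value (labels are this example's own):
#   default   unset, so the library's fallback order applies
#             (tpm2-abrmd, then /dev/tpmrm0, then /dev/tpm0, as explained above)
#   bare-path a device path with no "device:" prefix, the .bashrc mistake in
#             the thread: tctildr would read "/dev/tpmrm0" as a TCTI *name*
#   ok        a name:conf string
tcti_classify() {
    if [ -z "$1" ]; then
        printf 'default\n'
    else
        case "$1" in
            /dev/*) printf 'bare-path\n' ;;
            *)      printf 'ok\n' ;;
        esac
    fi
}

# Local prerequisites for the selected TCTI, taken from the thread:
#   tabrmd  caller must be in group tss and tpm2-abrmd.service must be running
#   device  the device node (default /dev/tpmrm0) must be readable and writable
# Prints one WARN line per failed check and always returns 0.
tcti_env_check() {
    name=$(tcti_name "$1")
    conf=$(tcti_conf "$1")
    case "$name" in
        tabrmd)
            id -nG | tr ' ' '\n' | grep -qx tss \
                || printf 'WARN: current user is not in group tss\n'
            if command -v systemctl >/dev/null 2>&1; then
                systemctl is-active --quiet tpm2-abrmd.service \
                    || printf 'WARN: tpm2-abrmd.service is not active\n'
            fi
            ;;
        device)
            dev=${conf:-/dev/tpmrm0}
            { [ -r "$dev" ] && [ -w "$dev" ]; } \
                || printf 'WARN: %s is not readable and writable by %s\n' \
                          "$dev" "$(id -un)"
            ;;
    esac
    return 0
}

# Report for the current environment (usage: sh tcti_check.sh).
tcti_report() {
    kind=$(tcti_classify "$1")
    printf 'TPM2_PKCS11_TCTI=%s (%s)\n' "${1:-<unset>}" "$kind"
    if [ "$kind" = bare-path ]; then
        printf 'HINT: use TPM2_PKCS11_TCTI=device:%s\n' "$1"
    elif [ "$kind" = ok ]; then
        tcti_env_check "$1"
    fi
}

tcti_report "${TPM2_PKCS11_TCTI:-}"
```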

fansari commented 1 year ago

I had installed the RPM version of evolution. The only reason I did that is that I had an issue with the flatpak version which is solved now.

Since this is a RedHat system (Fedora Silverblue) SELinux is enabled. But I also set it to permissive and it did not change anything.

The flatpak version does not have these issues. Maybe it does not interact with TPM at all.