AWS NitroTPM: Able to create keys, but cannot use them tpm:parameter(2):value is out of range or is not correct for the context

[RS-Credentive]

Hello, I am attempting to use a NitroTPM for private key protection, leveraging tpm2-tss -> tpm2-pkcs11 -> openssl.

I am able to create a key, but I am unable to use the key due to an authentication error. I suspect that there is a bug in the NitroTPM software (NitroTPM is a TPM emulator backed by the Nitro cryto accelerator), but would like to prove that before approaching Amazon if possible.

I am receiving the following error when trying to access the generated key on the TPM: ERROR: Esys_StartAuthSession: tpm:parameter(2):value is out of range or is not correct for the context

Here are the versions of the pkgs installed (RHEL 8.9)

$ dnf list installed | grep openssl
openssl.x86_64                                1:1.1.1k-12.el8_9
openssl-libs.i686                             1:1.1.1k-12.el8_9
openssl-libs.x86_64                           1:1.1.1k-12.el8_9
openssl-pkcs11.i686                           0.4.10-3.el8
openssl-pkcs11.x86_64                         0.4.10-3.el8

$ dnf list installed | grep tss
tpm2-tss.x86_64                               2.3.2-5.el8                                                                          
tss2.x86_64                                   1:1.6.0-1.el8                                                                       

$ dnf list installed | grep tpm2
tpm2-pkcs11.x86_64                            1.6.0-1.el8
tpm2-pkcs11-tools.x86_64                      1.6.0-1.el8
tpm2-tools.x86_64                             4.1.1-5.el8
tpm2-tss.x86_64                               2.3.2-5.el8

I am able to create the key normally with the following commands:

tpm2_ptool init --primary-auth=mypobjpin
tpm2_ptool addtoken --pid=1 --sopin=mysopin --userpin=myuserpin --label=label
tpm2_ptool addkey --algorithm=rsa2048 --label="label" --key-label="rsa" --userpin=myuserpin
tpm2_ptool addkey --algorithm=rsa2048 --label="label" --userpin=myuserpin --attr-always-authenticate

The following command fails:

openssl req -new -x509 -days 365 -subj '/CN=my key/' -sha256 -engine pkcs11 -keyform engine -key slot_1-label_rsa -out "cert.rsa" -config ossl.cnf 

I receive the following error:

WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001c4) 
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x000002c4) 
ERROR: Esys_StartAuthSession: tpm:parameter(2):value is out of range or is not correct for the context
ERROR: Could not start Auth Session with the TPM.
ERROR: Error unsealing wrapping key
Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140398189541184:error:82074005:PKCS#11 module:pkcs11_login:General Error:p11_slot.c:240:
140398189541184:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load Private Key

This same sequence of commands works with a TPM simulator using the same versions of the library, but on a different machine.

Looking at this issue on tpm2-pkcs11, @williamcroberts recommends running these commands to determine whether the TPM is the issue, or whether there is an openssl issue.

tpm2_createprimary -c primary.ctx
tpm2_startauthsession -c primary.ctx --policy-session -S session.ctx

These commands fail with the same error - ERROR: Esys_StartAuthSession: tpm:parameter(2):value is out of range or is not correct for the context.

Are there any other tests I can run that would allow me to determine whether this is a TPM bug? I have turned on DEBUG logging and will post the results in a comment, since this is already way to long :)

[RS-Credentive]

EDIT: The issue I am trying to highlight below is that the request appears correct to me. The second parameter is supposed to be a TPM2B_ENCRYPTED_SECRET and it is. Of course, I don't know how to decrypt it, so I'm not sure if the contents are incorrect, but the request appears to be formatted correctly, and so I'm not sure why I am receiving an error, except that there's a bug in the implementation. /EDIT

This is the response to the command openssl req -new -x509 -days 365 -subj '/CN=my key/' -sha256 -engine pkcs11 -keyform engine -key slot_1-label_rsa -out "cert.rsa" -config ossl.cnf

The full output of the command is attached to this comment - the specific parts with the error are below

Command:

8001 TPM_ST_NO_SESSIONS(tag) 0000013f UINT32(size) 319 00000176 TPM_CC_StartAuthSession 81000001 TPMI_DH_OBJECT key handle 81000001 TPMI_DH_ENTITY (persistent key handle)

TPM2B_NONCE(TPM2B_DIGEST) 0020 Size (UINT16) 32 bytes 5f 1b e9 a2 84 7c 57 ba 42 25 56 2d f7 1a 28 34 8c 12 de 23 25 d3 56 df e4 72 45 04 4b 13 bb 98 (DIGEST – 32 bytes)

TPM2B_ENCRYPTED_SECRET 0100 Size (UINT16) 256 bytes 47 59 dc 7f 33 c1 e4 bb 10 5c d8 64 18 e1 01 00 (16) a6 bb a6 cd 85 e7 e5 37 45 fc 74 dd dc ad 92 f1 (32) f4 82 b9 03 e6 2f e8 bf 38 b1 16 a8 d8 14 2f 9c (48) 83 41 9e c7 99 bd 33 5b 32 4a 3a 30 80 0a 38 7e (64) 29 72 54 d4 5d bb 15 81 d4 6c 9d 6d af a3 3e 17 (80) 69 a8 c4 06 b0 d3 71 2b 7c 44 56 b9 80 83 d8 19 (96) 8d 9a 75 6a f4 2c 7c f9 74 98 a9 21 42 f9 be 45 (112) 31 90 76 86 d6 59 95 54 bd 0b 9f 6e db e4 b1 25 (128) 61 c9 c8 26 f9 2e c8 ff 9b 64 2e fc 05 21 ce 3e (144) e9 19 64 a3 da 84 4d 25 72 44 1e 25 9c 33 6c 04 (160) 25 24 95 c9 87 1a c0 76 55 ef 72 13 e8 15 57 de (176) f7 2b c5 fa de 19 0a 79 1a 59 a5 e8 70 96 80 62 (192) 33 a9 a7 24 a1 e3 09 36 1f c3 4b d6 04 57 d0 6c (208) d7 15 cd c9 8b be 35 55 57 b9 3e e0 b7 d2 a6 43 (224) 58 21 c6 3b 27 a2 67 7f d8 6a e5 08 9f 9b b4 26 (240) 83 4a 65 88 c7 f3 25 65 01 60 19 a6 ec a6 f0 10 (256) 00 TPM_SE (TPM_SE_HMAC)

TPMT_SYM_DEF 0006 TPM_ALG_AES 0080 TPMU_SYM_KEY_BITS (128) 0043 TPMU_SYM_MODE (TPM_ALG_CFB) 000b TPMI_ALG_HASH (TPM_ALG_SHA256)

Response:

8001 TPM_ST_NO_SESSIONS (tag) 0000 000a (Size) 10 000002c4 RESPONSE_CODE

Low-order 12 bits
   2    c    4 
0010 1100 0100
NNNN FPEE EEEE 
N – (2)

F – format (1)

P (1)

E – Error (0x004)

Command output:

debug:tcti:src/tss2-tcti/tcti-device.c:114:tcti_device_transmit() sending 319 byte command buffer: (size=319):
                80010000013f0000
                0176810000018100
                000100205ac9d2d2
                9c22a8cbd644cdc7
                7f192fba8dab3a9e
                e0caebbe0eab2a5f
                ec747b4d01003e8e
                d44428126fa64c41
                2e85a4572dd98929
                c04b6e0fde4f7607
                6ecef3f62b7a41a3
                dc26cea448e46d43
                cfb3ef15fe559cb3
                2ed98531dbaa7dfd
                bb2dda8b39a4ed55
                ae03a9b8748dffc8
                703678fec55b0c28
                977ef22bd209b92c
                8b9925afc6ced529
                ba25c695656419e3
                64a555899cb29a6e
                443ab852463ade03
                de7b34d813737b9c
                6bceb67e38ce5c50
                c11f4ae29c24c333
                87f6451f38bcf48a
                e50c761dbb2eb6ef
                6b65d69852c2797f
                9d83905cac1da6a5
                3871b75d52347a8c
                7cee112ec637e7a9
                070019a06578c77f
                cde31747f665ed3c
                05f999cf0067052f
                007970bf3b974b1c
                52620f3f4575fc47
                141784782997bb64
                e13aa9f4a1a5350c
                52e506f1ca420000
                0600800043000b
debug:tcti:src/util/io.c:89:write_all() writing 319 bytes starting at 0x560e8c748e40 to fd 4
debug:tcti:src/util/io.c:100:write_all() wrote 319 bytes to fd 4
debug:tcti:src/tss2-tcti/tcti-device.c:297:tcti_device_receive() Response Received (size=10):
                80010000000a0000
                02c4

debug_out.txt

[JuergenReppSIT]

tpm2_createprimary -c primary.ctx tpm2_startauthsession -c primary.ctx --policy-session -S session.ctx

These commands, where you got an error, worked with tss 2.3.2 and tools 4.1 with an AMD firmware TPM and an also with an Infineon TPM without problems. Maybe tpm2_getcap algorithms will give an idea what's the difference is between swtpm and NitroTPM.

[RS-Credentive]

@JuergenReppSIT Comparing the output from the two TPMs, I see two differences:

• the NitroTPM supports some additional algorithms (which I assume I can ignore),
• the algorithm attribute response (TPMA_ALGORITHM) of ECDSA is different - on the SWTPM, the METHOD bit is set, but on NitroTPM it is not.

I'm not sure if that explains anything related to my problem. It looks like the only algorithms in use in that exchange are AES128 and SHA256, so I assume ECDSA differences are not relevant. Please let me know if I am mistaken.

I will continue investigating, but please let me know if this is relevant to the issue I am seeing.

[JuergenReppSIT]

@RS-Credentive yes I agree these differences should not have an impact. You have edited the tcti trace. One hint: you can analyse the tcti output on: https://joholl.github.io/tpmstream-web/ Just copy the tcti transmit or receive data to the web page. One question: do the following commands also produce an errror: tpm2_createprimary -G ecc -c primary.ctx tpm2_startauthsession -c primary.ctx --policy-session -S session.ctx

[RS-Credentive]

@JuergenReppSIT, thanks so much for the link. That is going to save me so much time!

I'm glad I parsed it by hand the first time, because I learned a lot, but that doesn't mean I want to do it that way every time! 😅

[RS-Credentive]

tpm2_createprimary -G ecc -c primary.ctx
tpm2_startauthsession -c primary.ctx --policy-session -S session.ctx

These commands do not produce an error on NitroTPM

[RS-Credentive]

I am trying to see if I can get ECC working in tpm_pkcs11 on the NitroTPM

[RS-Credentive]

The OpenSSL command that failed before with RSA appears to still fail with ECC. The same error is returned: ERROR: Esys_StartAuthSession: tpm:parameter(2):value is out of range or is not correct for the context.

[JuergenReppSIT]

In the tcti trace you did analyse the handle 0x81000001 was used for the tpmkey and the bindkey. Is this handle still used and does it correspond to an ecc key. You can check it with: tpm2_readpublic -c 0x81000001

[RS-Credentive]

I am grabbing the debug info for the latest openssl command, I will see if there's anything obvious there.

0x81000001 refers to an RSA key, according to tpm2_readpublic. Let me step back and see if I can use ECC keys instead of RSA for the pkcs11 emulation layer. If ECC is working, that might allow my project to move forward while I follow up with Amazon. This is a good suggestion - thank you!

[RS-Credentive]

@JuergenReppSIT, it appears to work perfectly when using ECC keys. I plan to open a ticket with Amazon regarding the issue, because the behavior with RSA keys is clearly an error, but I wanted to thank you for suggesting ECC as a workaround. I am closing the ticket and I hope anyone else with this issue on AWS finds this discussion useful.

[JuergenReppSIT]

@RS-Credentive Thank you for testing TSS with NitroTPM. It would be nice if you could tell us what Amazon has to say about it.

[RS-Credentive]

@JuergenReppSIT I finished a call with Amazon - it appears that the TPM works on other RHEL instances in AWS, so it's some issue in our kernels or libraries. We have enabled FIPS mode during installation, so I wonder whether that could be one of the issues. More testing is required. Have you all seen any issues with RHEL 8.9 in FIPS mode? It disables some algorithms, so that could be an issue.

[JuergenReppSIT]

. Have you all seen any issues with RHEL 8.9 in FIPS mode? It disables some algorithms, so that could be an issue.

@RS-Credentive no I have not seen any issues related to this topic.