tpm2-software / tpm2-tss

OSS implementation of the TCG TPM2 Software Stack (TSS2)
https://tpm2-software.github.io
BSD 2-Clause "Simplified" License

Fapi_Provision Unsupported URL scheme #2833

Open chopinrlz opened 1 month ago

chopinrlz commented 1 month ago

I set up a clean install of Ubuntu Server 24.04 with a clean install of tpm2-tss from master about 5 minutes ago. This is on a VMware Workstation 17.5.1 virtual machine with a TPM. When calling Fapi_Provision with NULL for both hierarchies, and a random value for the lockout, the function call fails with the following error messages:

ERROR:fapi:src/tss2-fapi/ifapi_curl.c:403:ifapi_get_curl_buffer() curl_url_set for CURUPART_URL failed: Unsupported URL scheme
ERROR:fapi:src/tss2-fapi/ifapi_curl.c:195:ifapi_curl_verify_ek_cert() ErrorCode (0x00060025) Get certificate.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:969:Fapi_Provision_Finish() ErrorCode (0x00060025) Verify EK certificate
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:177:Fapi_Provision() ErrorCode (0x00060025) Provision

The error code returned is 393253 which decodes to fapi:No certificate. The issue appears to be originating at ifapi_get_curl_buffer() with the error Unsupported URL scheme.

Fapi_Initialize and Fapi_GetInfo and Fapi_SetAuthCB all work as expected.

JuergenReppSIT commented 1 month ago

It would be interesting to get the output of:

TSS2_LOG=fapi+debug tss2_provision

You can undo the provisioning with tss2_delete -p / afterwards if it was successful. Or:

tpm2_createek -c ek.ctx -G rsa -u ek.pub
tpm2_getekcertificate -u ek.pub > ek.cert
openssl x509 -in ek.cert -inform der  -text

To skip the certificate check you can add "ek_cert_less": "yes" to the fapi config file (see man fapi-config). Now the provisioning should work.

chopinrlz commented 1 month ago

Here is the verbatim output of TSS2_LOG=fapi+debug tss2_provision

debug:fapi:src/tss2-fapi/ifapi_config.c:203:expand_home() Expanding path ~/.local/share/tpm2-tss/user/keystore to user's home
debug:fapi:src/tss2-fapi/ifapi_config.c:290:ifapi_config_initialize_finish() Configuration profile directory: /usr/local/etc/tpm2-tss/fapi-profiles/
debug:fapi:src/tss2-fapi/ifapi_config.c:291:ifapi_config_initialize_finish() Configuration user directory: /home/daltas/.local/share/tpm2-tss/user/keystore
debug:fapi:src/tss2-fapi/ifapi_config.c:292:ifapi_config_initialize_finish() Configuration key storage directory: /usr/local/var/lib/tpm2-tss/system/keystore
debug:fapi:src/tss2-fapi/ifapi_config.c:293:ifapi_config_initialize_finish() Configuration profile name: P_ECCP256SHA256

debug:fapi:src/tss2-fapi/ifapi_config.c:294:ifapi_config_initialize_finish() Configuration TCTI:
debug:fapi:src/tss2-fapi/ifapi_config.c:295:ifapi_config_initialize_finish() Configuration log directory: /usr/local/var/run/tpm2-tss/eventlog/
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:44:copy_policy_digest() Copy policy digest (to) : Copy digest size: 32 (size=32):
0000: 00000000000000000000000000000000  ................
0010: 00000000000000000000000000000000  ................
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:470:ifapi_calculate_policy_secret() call
debug:fapi:src/tss2-fapi/fapi_crypto.c:1624:ifapi_crypto_hash_start() call: context=0x7ffe3bfd1b00 hashAlg=11
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:176:calculate_policy_key_param() Digest Start (size=32):
0000: 00000000000000000000000000000000  ................
0010: 00000000000000000000000000000000  ................
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b5512 and size 32
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=32):
0000: 00000000000000000000000000000000  ................
0010: 00000000000000000000000000000000  ................
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x7ffe3bfd1b14 and size 4
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=4):
0000: 00000151                          ...Q
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:183:calculate_policy_key_param() Key name (size=4):
0000: 4000000b                          @...
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b5a0a and size 4
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=4):
0000: 4000000b                          @...
debug:fapi:src/tss2-fapi/fapi_crypto.c:1746:ifapi_crypto_hash_finish() finish hash (size=32):
0000: b627b043d329fbeb7dfefbddee7d3d1f  .'.C.)..}....}=.
0010: 4391c9f6cbbd96a1bac6a99ae1775a3a  C............wZ:
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:189:calculate_policy_key_param() Digest Finish (size=32):
0000: b627b043d329fbeb7dfefbddee7d3d1f  .'.C.)..}....}=.
0010: 4391c9f6cbbd96a1bac6a99ae1775a3a  C............wZ:
debug:fapi:src/tss2-fapi/fapi_crypto.c:1624:ifapi_crypto_hash_start() call: context=0x7ffe3bfd1b00 hashAlg=11
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b5512 and size 32
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=32):
0000: b627b043d329fbeb7dfefbddee7d3d1f  .'.C.)..}....}=.
0010: 4391c9f6cbbd96a1bac6a99ae1775a3a  C............wZ:
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b59b6 and size 0
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=0):
debug:fapi:src/tss2-fapi/fapi_crypto.c:1746:ifapi_crypto_hash_finish() finish hash (size=32):
0000: 837197674484b3f81a90cc8d46a5d724  .q.gD.......F..$
0010: fd52d76e06520b64f2a1da1b331469aa  .R.n.R.d....3.i.
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:44:copy_policy_digest() Copy policy digest (from) : Copy digest size: 32 (size=32):
0000: 837197674484b3f81a90cc8d46a5d724  .q.gD.......F..$
0010: fd52d76e06520b64f2a1da1b331469aa  .R.n.R.d....3.i.
debug:fapi:src/tss2-fapi/fapi_crypto.c:1624:ifapi_crypto_hash_start() call: context=0x7ffe3bfd19d0 hashAlg=11
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x7ffe3bfd19e0 and size 122
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=122):
0000: 0023000b000300b20020837197674484  .#.........q.gD.
0010: b3f81a90cc8d46a5d724fd52d76e0652  ......F..$.R.n.R
0020: 0b64f2a1da1b331469aa000600800043  .d....3.i......C
0030: 00100003001000205d03eec2f23c9a49  ........]....<.I
0040: 298ad750dafebe0e7c68185554db1145  )..P....|h.UT..E
0050: a0c8f89977f0cd9f00206057321ec74f  ....w.....`W2..O
0060: 34870c1993c1ce51bd200b04a41e6711  4......Q......g.
0070: ecfa859f67e1339de084              ....g.3...
debug:fapi:src/tss2-fapi/fapi_crypto.c:1746:ifapi_crypto_hash_finish() finish hash (size=32):
0000: 109e8885059dca6ff1aed4e292112861  .......o......(a
0010: 1cc453735cd2806f2c87dd088f08733e  ..Ss\..o,.....s>
debug:fapi:src/tss2-fapi/fapi_util.c:2135:ifapi_authorize_object() Authorize object: 101
debug:fapi:src/tss2-fapi/fapi_util.c:2641:ifapi_nv_read() success
debug:fapi:src/tss2-fapi/ifapi_curl.c:172:ifapi_curl_verify_ek_cert() EK Certificate: -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

ERROR:fapi:src/tss2-fapi/ifapi_curl.c:403:ifapi_get_curl_buffer() curl_url_set for CURUPART_URL failed: Unsupported URL scheme
ERROR:fapi:src/tss2-fapi/ifapi_curl.c:195:ifapi_curl_verify_ek_cert() ErrorCode (0x00060025) Get certificate.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:969:Fapi_Provision_Finish() ErrorCode (0x00060025) Verify EK certificate
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:177:Fapi_Provision() ErrorCode (0x00060025) Provision
Fapi_Provision(0x60025) - fapi:No certificate
debug:fapi:src/tss2-fapi/api/Fapi_Finalize.c:46:Fapi_Finalize() called: context: 0x7ffe3bfd2108, *context: 0x5cce67596df0
debug:fapi:src/tss2-fapi/api/Fapi_Finalize.c:97:Fapi_Finalize() finished

It ends with the same error message, unsupported URL scheme, but the debug trace shows a certificate. So it is the contents of the EK certificate that tpm2-tss must not like, I'm guessing. I imported the certificate into Kleopatra and dumped the details below:

           ID: 0x3950CB9B
          S/N: 01
        (dec): 1
       Issuer: 2.23.133.2.3=#69643A3030303230303635,2.23.133.2.2=#564D776172652054504D32,2.23.133.2.1=#69643A3536344435373030
      Subject: 2.23.133.2.3=#69643A3030303230303635,2.23.133.2.2=#564D776172652054504D32,2.23.133.2.1=#69643A3536344435373030
     sha2_fpr: 6C:4E:B6:42:D6:24:62:12:04:9E:5D:46:10:A3:DC:B6:AB:2D:82:94:88:6E:1D:FA:DC:31:4C:D0:72:D2:E7:1F
     sha1_fpr: B1:68:B1:81:28:B7:47:17:17:C2:4F:D1:58:33:11:44:39:50:CB:9B
      md5_fpr: 32:2C:D8:E9:90:10:61:2C:35:2C:C2:A0:B0:86:B7:D0
       certid: 78081C0042F7FA019ACB952A98771F933C48130D.01
      keygrip: 8BA808EA56628A596D7BD3EC9C731383DF06BFA0
    notBefore: 2024-05-09 20:42:09
     notAfter: 2074-05-09 20:42:09
     hashAlgo: 1.2.840.10045.4.3.2
      keyType: nistp256
    subjKeyId: CEA47D72356817DF62AA757E4DB47C3B83A47F14
    authKeyId: [none]
 authKeyId.ki: CEA47D72356817DF62AA757E4DB47C3B83A47F14
     keyUsage: keyAgreement
  extKeyUsage: 2.23.133.8.1 (suggested)
     policies: 2.5.29.32.0
  chainLength: not a CA
        crlDP: [none]
     authInfo: 1.3.6.1.5.5.7.48.2 (caIssuers)
               x-selfsigned:
     subjInfo: [none]
         extn: 2.5.29.9  [26 octets]
         extn: 1.3.6.1.5.5.7.1.1 (authorityInfoAccess)  [29 octets]

You can see VMware TPM2 in the certificate name. I exported it from Kleopatra to a pem file you can fetch below.

tpm.pem.txt
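An added check (example code, not from tpm2-tss and not posted by anyone in this thread) for the point the trace and the Kleopatra dump raise together: curl_url_set rejects the URL FAPI tries to fetch, and the dump shows an authorityInfoAccess caIssuers entry. The block decodes a DER-encoded AIA extension value and reports which caIssuers locations carry a URL scheme the fetch can use; it assumes that FAPI hands the caIssuers URI to curl and that only http and https are acceptable, and it runs on a constructed sample rather than the VMware certificate.

```python
# Added example (not tpm2-tss code): decode a DER AIA value and flag caIssuers URL schemes a curl fetch cannot use.
from urllib.parse import urlsplit

OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers, as in the Kleopatra dump
FETCHABLE = {"http", "https"}          # assumption: schemes the FAPI fetch path accepts

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, end); short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_enc(tag, body):
    """Encode one DER TLV (bodies under 256 bytes; only used to build the sample)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body
def oid_to_str(body):
    """Dotted OID from a DER OBJECT IDENTIFIER body."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def parse_aia(der):
    """AuthorityInfoAccessSyntax -> [(accessMethod OID, location)]; [6] URIs decoded."""
    tag, seq, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = der_tlv(seq, pos)          # one AccessDescription
        _, oid_body, p = der_tlv(desc)            # accessMethod
        gn_tag, gn_val, _ = der_tlv(desc, p)      # accessLocation (GeneralName)
        loc = gn_val.decode("ascii") if gn_tag == 0x86 else "<GeneralName tag 0x%02x>" % gn_tag
        out.append((oid_to_str(oid_body), loc))
    return out
def check_ca_issuers(der):
    """{location: 'ok' | 'unsupported scheme'} for every caIssuers entry in the AIA."""
    return {loc: "ok" if urlsplit(loc).scheme.lower() in FETCHABLE else "unsupported scheme"
            for method, loc in parse_aia(der) if method == OID_CA_ISSUERS}

# Constructed sample AIA (not the VMware certificate): one HTTPS caIssuers entry and one non-fetchable one.
CA_ISSUERS_DER = bytes([0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02])
def access_desc(uri):
    return der_enc(0x30, der_enc(0x06, CA_ISSUERS_DER) + der_enc(0x86, uri.encode()))
SAMPLE_AIA = der_enc(0x30, access_desc("https://example.test/ca.der") + access_desc("urn:example:ek-ca"))
```

To run it on a real EK certificate, extract the extension value with openssl (as in the commands above) and pass the raw DER bytes to check_ca_issuers.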

JuergenReppSIT commented 1 month ago

@chopinrlz Thank you very much for the trace. I have created a PR to improve the error message.