Open chopinrlz opened 6 months ago
It would be interesting to get the output of:
TSS2_LOG=fapi+debug tss2_provision
You can undo the provisioning with tss2_delete -p /
afterwards if it was successful.
or
tpm2_createek -c ek.ctx -G rsa -u ek.pub
tpm2_getekcertificate -u ek.pub > ek.cert
openssl x509 -in ek.cert -inform der -text
To skip the certificate check you can add:
"ek_cert_less": "yes"
to the fapi config file (See man fapi-config)
Now the provisioning should work.
Here is the verbatim output of TSS2_LOG=fapi+debug tss2_provision
debug:fapi:src/tss2-fapi/ifapi_config.c:203:expand_home() Expanding path ~/.local/share/tpm2-tss/user/keystore to user's home
debug:fapi:src/tss2-fapi/ifapi_config.c:290:ifapi_config_initialize_finish() Configuration profile directory: /usr/local/etc/tpm2-tss/fapi-profiles/
debug:fapi:src/tss2-fapi/ifapi_config.c:291:ifapi_config_initialize_finish() Configuration user directory: /home/daltas/.local/share/tpm2-tss/user/keystore
debug:fapi:src/tss2-fapi/ifapi_config.c:292:ifapi_config_initialize_finish() Configuration key storage directory: /usr/local/var/lib/tpm2-tss/system/keystore
debug:fapi:src/tss2-fapi/ifapi_config.c:293:ifapi_config_initialize_finish() Configuration profile name: P_ECCP256SHA256
debug:fapi:src/tss2-fapi/ifapi_config.c:294:ifapi_config_initialize_finish() Configuration TCTI:
debug:fapi:src/tss2-fapi/ifapi_config.c:295:ifapi_config_initialize_finish() Configuration log directory: /usr/local/var/run/tpm2-tss/eventlog/
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:44:copy_policy_digest() Copy policy digest (to) : Copy digest size: 32 (size=32):
0000: 00000000000000000000000000000000 ................
0010: 00000000000000000000000000000000 ................
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:470:ifapi_calculate_policy_secret() call
debug:fapi:src/tss2-fapi/fapi_crypto.c:1624:ifapi_crypto_hash_start() call: context=0x7ffe3bfd1b00 hashAlg=11
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:176:calculate_policy_key_param() Digest Start (size=32):
0000: 00000000000000000000000000000000 ................
0010: 00000000000000000000000000000000 ................
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b5512 and size 32
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=32):
0000: 00000000000000000000000000000000 ................
0010: 00000000000000000000000000000000 ................
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x7ffe3bfd1b14 and size 4
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=4):
0000: 00000151 ...Q
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:183:calculate_policy_key_param() Key name (size=4):
0000: 4000000b @...
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b5a0a and size 4
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=4):
0000: 4000000b @...
debug:fapi:src/tss2-fapi/fapi_crypto.c:1746:ifapi_crypto_hash_finish() finish hash (size=32):
0000: b627b043d329fbeb7dfefbddee7d3d1f .'.C.)..}....}=.
0010: 4391c9f6cbbd96a1bac6a99ae1775a3a C............wZ:
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:189:calculate_policy_key_param() Digest Finish (size=32):
0000: b627b043d329fbeb7dfefbddee7d3d1f .'.C.)..}....}=.
0010: 4391c9f6cbbd96a1bac6a99ae1775a3a C............wZ:
debug:fapi:src/tss2-fapi/fapi_crypto.c:1624:ifapi_crypto_hash_start() call: context=0x7ffe3bfd1b00 hashAlg=11
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b5512 and size 32
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=32):
0000: b627b043d329fbeb7dfefbddee7d3d1f .'.C.)..}....}=.
0010: 4391c9f6cbbd96a1bac6a99ae1775a3a C............wZ:
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b59b6 and size 0
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=0):
debug:fapi:src/tss2-fapi/fapi_crypto.c:1746:ifapi_crypto_hash_finish() finish hash (size=32):
0000: 837197674484b3f81a90cc8d46a5d724 .q.gD.......F..$
0010: fd52d76e06520b64f2a1da1b331469aa .R.n.R.d....3.i.
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:44:copy_policy_digest() Copy policy digest (from) : Copy digest size: 32 (size=32):
0000: 837197674484b3f81a90cc8d46a5d724 .q.gD.......F..$
0010: fd52d76e06520b64f2a1da1b331469aa .R.n.R.d....3.i.
debug:fapi:src/tss2-fapi/fapi_crypto.c:1624:ifapi_crypto_hash_start() call: context=0x7ffe3bfd19d0 hashAlg=11
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x7ffe3bfd19e0 and size 122
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=122):
0000: 0023000b000300b20020837197674484 .#.........q.gD.
0010: b3f81a90cc8d46a5d724fd52d76e0652 ......F..$.R.n.R
0020: 0b64f2a1da1b331469aa000600800043 .d....3.i......C
0030: 00100003001000205d03eec2f23c9a49 ........]....<.I
0040: 298ad750dafebe0e7c68185554db1145 )..P....|h.UT..E
0050: a0c8f89977f0cd9f00206057321ec74f ....w.....`W2..O
0060: 34870c1993c1ce51bd200b04a41e6711 4......Q......g.
0070: ecfa859f67e1339de084 ....g.3...
debug:fapi:src/tss2-fapi/fapi_crypto.c:1746:ifapi_crypto_hash_finish() finish hash (size=32):
0000: 109e8885059dca6ff1aed4e292112861 .......o......(a
0010: 1cc453735cd2806f2c87dd088f08733e ..Ss\..o,.....s>
debug:fapi:src/tss2-fapi/fapi_util.c:2135:ifapi_authorize_object() Authorize object: 101
debug:fapi:src/tss2-fapi/fapi_util.c:2641:ifapi_nv_read() success
debug:fapi:src/tss2-fapi/ifapi_curl.c:172:ifapi_curl_verify_ek_cert() EK Certificate: -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
ERROR:fapi:src/tss2-fapi/ifapi_curl.c:403:ifapi_get_curl_buffer() curl_url_set for CURUPART_URL failed: Unsupported URL scheme
ERROR:fapi:src/tss2-fapi/ifapi_curl.c:195:ifapi_curl_verify_ek_cert() ErrorCode (0x00060025) Get certificate.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:969:Fapi_Provision_Finish() ErrorCode (0x00060025) Verify EK certificate
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:177:Fapi_Provision() ErrorCode (0x00060025) Provision
Fapi_Provision(0x60025) - fapi:No certificate
debug:fapi:src/tss2-fapi/api/Fapi_Finalize.c:46:Fapi_Finalize() called: context: 0x7ffe3bfd2108, *context: 0x5cce67596df0
debug:fapi:src/tss2-fapi/api/Fapi_Finalize.c:97:Fapi_Finalize() finished
It ends with the same error message, unsupported URL scheme, but the debug trace shows a certificate. So I'm guessing it is the contents of the EK certificate that tpm2-tss must not like. I imported the certificate into Kleopatra and dumped the details below:
ID: 0x3950CB9B
S/N: 01
(dec): 1
Issuer: 2.23.133.2.3=#69643A3030303230303635,2.23.133.2.2=#564D776172652054504D32,2.23.133.2.1=#69643A3536344435373030
Subject: 2.23.133.2.3=#69643A3030303230303635,2.23.133.2.2=#564D776172652054504D32,2.23.133.2.1=#69643A3536344435373030
sha2_fpr: 6C:4E:B6:42:D6:24:62:12:04:9E:5D:46:10:A3:DC:B6:AB:2D:82:94:88:6E:1D:FA:DC:31:4C:D0:72:D2:E7:1F
sha1_fpr: B1:68:B1:81:28:B7:47:17:17:C2:4F:D1:58:33:11:44:39:50:CB:9B
md5_fpr: 32:2C:D8:E9:90:10:61:2C:35:2C:C2:A0:B0:86:B7:D0
certid: 78081C0042F7FA019ACB952A98771F933C48130D.01
keygrip: 8BA808EA56628A596D7BD3EC9C731383DF06BFA0
notBefore: 2024-05-09 20:42:09
notAfter: 2074-05-09 20:42:09
hashAlgo: 1.2.840.10045.4.3.2
keyType: nistp256
subjKeyId: CEA47D72356817DF62AA757E4DB47C3B83A47F14
authKeyId: [none]
authKeyId.ki: CEA47D72356817DF62AA757E4DB47C3B83A47F14
keyUsage: keyAgreement
extKeyUsage: 2.23.133.8.1 (suggested)
policies: 2.5.29.32.0
chainLength: not a CA
crlDP: [none]
authInfo: 1.3.6.1.5.5.7.48.2 (caIssuers)
x-selfsigned:
subjInfo: [none]
extn: 2.5.29.9 [26 octets]
extn: 1.3.6.1.5.5.7.1.1 (authorityInfoAccess) [29 octets]
You can see VMware TPM2 in the certificate name. I exported it from Kleopatra to a pem file you can fetch below.
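Added worked example (my code, not part of this issue thread or of tpm2-tss): the trace above fails inside ifapi_curl_verify_ek_cert right after the EK certificate has been read, and the Kleopatra dump shows that the certificate carries an authorityInfoAccess extension with a caIssuers entry. The URL in that entry is the natural suspect for the curl "Unsupported URL scheme" error, because it is where a verifier would go to fetch the issuing CA certificate (that FAPI does exactly this is my reading of the trace, not something the thread states). The script below walks the DER of a certificate with the standard library only, lists every AIA accessMethod/URI pair, and flags caIssuers URIs whose scheme is not one the host's libcurl supports. The http/https default, the file name, and the two sample certificates (built inline, unsigned) are assumptions made here.

```python
"""Added example (not tpm2-tss code): list AIA URIs in an EK certificate, flag caIssuers schemes libcurl can't fetch."""
import base64
from urllib.parse import urlsplit

AIA_OID = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess
CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers

# Minimal DER encoder, used only to build the constructed (unsigned) sample certificates.
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")                   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def seq(*items): return tlv(0x30, b"".join(items))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for a in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunks = [a & 0x7F]
        while a > 0x7F:                                                   # base-128, continuation bit set
            a >>= 7
            chunks.append(0x80 | (a & 0x7F))
        body.extend(reversed(chunks))
    return tlv(0x06, bytes(body))

def build_test_cert(access):
    """Unsigned v3 certificate whose only extension is AIA; access = [(method OID, URI)]."""
    name = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, b"Constructed EK test"))))
    utc = tlv(0x17, b"240509204209Z")
    sig_alg = seq(oid("1.2.840.10045.4.3.2"))                             # ecdsa-with-SHA256
    spki = seq(seq(oid("1.2.840.10045.2.1"), oid("1.2.840.10045.3.1.7")),
               tlv(0x03, b"\x00\x04" + b"\x00" * 64))                     # placeholder P-256 point
    aia = seq(*[seq(oid(m), tlv(0x86, u.encode("ascii"))) for m, u in access])  # [6] = URI
    exts = seq(seq(oid(AIA_OID), tlv(0x04, aia)))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), sig_alg,
              name, seq(utc, utc), name, spki, tlv(0xA3, exts))
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" * 9))                      # bogus signature

# DER walker; covers the single-byte tags X.509 uses, so it reads real certificates too.
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out

def decode_oid(body):
    arcs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def load_cert_bytes(data):
    """Accept DER (what tpm2_getekcertificate writes) or PEM (what Kleopatra exports)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [l.strip() for l in data.splitlines() if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data

def aia_access(der):
    """Return [(accessMethod OID, URI)] for every AccessDescription in the AIA extension."""
    _, cert, _ = _read_tlv(der, 0)
    result = []
    for tag, wrapper in _children(_children(cert)[0][1]):                 # fields of TBSCertificate
        if tag != 0xA3:                                                   # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(_children(wrapper)[0][1]):
            fields = _children(ext)                                       # OID, [critical], OCTET STRING
            if decode_oid(fields[0][1]) != AIA_OID:
                continue
            for _, desc in _children(_children(fields[-1][1])[0][1]):
                (_, method), (gn_tag, gn_val) = _children(desc)
                if gn_tag == 0x86:                                        # GeneralName URI
                    result.append((decode_oid(method), gn_val.decode("ascii")))
    return result

def unfetchable_ca_issuers(der, supported=("http", "https")):
    """caIssuers URIs outside `supported` (http/https assumed; compare with `curl -V` Protocols)."""
    return [uri for method, uri in aia_access(der)
            if method == CA_ISSUERS_OID and urlsplit(uri).scheme.lower() not in supported]

# Constructed samples: a fetchable caIssuers URL, and one with a scheme curl may reject.
SAMPLE_OK = build_test_cert([(CA_ISSUERS_OID, "http://ca.example.test/ek-ca.der")])
SAMPLE_OK_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_OK) + b"-----END CERTIFICATE-----\n"
SAMPLE_BAD = build_test_cert([("1.3.6.1.5.5.7.48.1", "http://ocsp.example.test"),   # id-ad-ocsp
                              (CA_ISSUERS_OID, "ldap://ca.example.test/cn=EK-CA?cACertificate")])

if __name__ == "__main__":                                                # python3 aia_check.py ek.cert
    import sys
    der = load_cert_bytes(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else SAMPLE_BAD
    print(aia_access(der), unfetchable_ca_issuers(der))
```

Run it as python3 aia_check.py ek.cert against the DER file written by the tpm2_getekcertificate command earlier in this thread, or against the PEM exported from Kleopatra; openssl x509 -in ek.cert -inform der -noout -ext authorityInfoAccess prints the same extension for cross-checking. Keep in mind what "ek_cert_less": "yes" trades away: FAPI then provisions without checking the EK certificate, so nothing ties the EK to a manufacturer root. That is acceptable for a VMware test VM, not for a host whose attestation evidence you intend to rely on.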
@chopinrlz Thank you very much for the trace. I have created a PR to improve the error message.
I set up a clean install of Ubuntu Server 24.04 with a clean install of tpm2-tss from master about 5 minutes ago. This is on a VMware Workstation 17.5.1 virtual machine with a TPM. When calling Fapi_Provision with NULL for both hierarchies, and a random value for the lockout, the function call fails with the following error messages:
The error code returned is 393253, which decodes to fapi:No certificate. The issue appears to be originating at ifapi_get_curl_buffer() with the error Unsupported URL scheme. Fapi_Initialize and Fapi_GetInfo and Fapi_SetAuthCB all work as expected.