xaptum / ecdaa

A C implementation of elliptic-curve-based Direct Anonymous Attestation (DAA) signatures. Created to support the Xaptum Edge Network Fabric, an IoT Network Solution.
https://www.xaptum.com
Apache License 2.0

create_tpm_key_util fails to create signing key #137

Closed preisacm closed 3 years ago

preisacm commented 3 years ago

I tried to create the required signing key with create_tpm_key-util.c. The error occurs when trying to clear the TPM:

# ./create_tpm_key pubkey.txt pubkeyhandle.txt
Saving public key to pubkey.txt and handle to pubkeyhandle.txt
WARNING:tcti:src/tss2-tcti/tcti-device.c:314:tcti_device_receive() TPM2 response size disagrees with number of bytes read from fd 3. Header says 0 but we read 29 bytes. 
ERROR:sys:src/tss2-sys/api/Tss2_Sys_Execute.c:117:Tss2_Sys_ExecuteFinish() Malformed reponse: Invalid tag in response header: 0 
Clear ret=0X80011
Condition 'TSS2_RC_SUCCESS == ret' failed
    in file: '/root/ecdaa-network-wrapper/create_tpm_key-util.c'
    in function: 'create_key'
    at line: 154

When I comment out lines 154-156 in create_tpm_key-util.c and manually clear the TPM in advance, another problem occurs while creating the primary key:

# ./create_tpm_key pubkey.txt pubkeyhandle.txt
Saving public key to pubkey.txt and handle to pubkeyhandle.txt
CreatePrimary ret=0X80012
Condition 'TSS2_RC_SUCCESS == ret' failed
    in file: '/root/ecdaa-network-wrapper/create_tpm_key-util.c'
    in function: 'create_key'
    at line: 158

The setup for tpm_tools and tpm_sapi is working properly. My setup is as follows:

If you need further information about my setup, feel free to contact me.

zanebeckwith commented 3 years ago

I think I've seen errors like this before when I've switched between different versions or implementations of the TSS. In those cases, it clears up if I make sure I uninstall all TSS's I might have, install only the TSS I want, clear the ecdaa build (i.e. wipe out your CMake build directory), then rerun cmake and make. It might also be helpful to power-cycle the TPM (i.e. shutdown and restart your computer, assuming you're using a TPM on your motherboard).

Also, you should be OK to use TSS 2.3.2. The version specification in the README isn't correct. I've used this library built against the TSS library available on Debian Buster, which is version 2.1.0. Sorry, that's really confusing.

My final advice is to not use the source-built TSS, but use the package available on your platform.

Try these tips (completely remove any installations of the TSS you have, install just the libtss2-dev package, maybe do a sudo ldconfig for good measure, maybe reboot your machine for good measure, wipe and rebuild your ecdaa). See if that clears it up. If it doesn't, I'm out of ideas...

zanebeckwith commented 3 years ago

@preisacm did my comments help resolve your issue?

preisacm commented 3 years ago

Sorry for my late answer. I took another machine with a similar hardware setup (Intel CPU instead of AMD), installed Ubuntu 20.04 from scratch and now use the packaged versions of libtss2-dev. Unfortunately, I get the exact same error. Tss2_Sys_Clear returns with 0x80011 and the same error message as above.

When installing Debian 10.6 on the same machine, your program indeed works. It seems that there was an update of the TPM2 SAPI where the size of the response header is now checked and your program is not aware of that. I will continue testing to narrow this problem down.

zanebeckwith commented 3 years ago

@preisacm I'm so sorry it's taken me so long to get back to you. I hope working on the Debian 10 machine has kept you from blocking on me.

I think I've figured out the issue you were running into. This is an issue I saw in another TPM-related project I maintain, and just didn't connect the dots until now.

The TPM2 SAPI library is very sensitive to non-zero-initialized argument structs. The ecdaa project has only just recently transitioned to using this implementation. The create_tpm_key-util utility wasn't updated to zero-initialize all structs, and I think that was the issue you were seeing. That utility doesn't get tested during the usual CI flow (key creation for the simulator is handled by a different utility).

Check out the zanebeckwith/zero-init-createkey branch, and see if that fixes your problem. This branch implements the zero-initialization.

I'm not sure what I was doing that kept me from reproducing this issue initially, so I apologize for the time waste!
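To illustrate the zero-initialization point above, here is an added example that is not code from the ecdaa project or from this thread. It uses a hypothetical `mock_tpm2b` type that mirrors only the size-prefixed layout of TPM2B-style buffers (no tss2 headers needed); `mock_marshal`, `build_zeroed`, `build_with_payload` and `build_garbage` are constructed for the example, and the result codes are invented here, not the TSS2 ones. The "garbage" case fills the struct with 0xAA deterministically rather than relying on whatever the stack happens to hold.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a TPM2B-style size-prefixed buffer: a uint16_t
 * length followed by the bytes it describes.  Only the layout is mirrored. */
#define MOCK_TPM2B_MAX 64

typedef struct {
    uint16_t size;
    uint8_t  buffer[MOCK_TPM2B_MAX];
} mock_tpm2b;

/* Result codes constructed for this example (not TSS2 return codes). */
enum { MOCK_RC_SUCCESS = 0, MOCK_RC_BAD_SIZE = 1 };

/* Minimal marshaller: accept the struct only if its length prefix fits both
 * the buffer it describes and the output area.  A size field still holding
 * stack garbage fails this check; zero-initialization is what avoids it. */
int mock_marshal(const mock_tpm2b *in, uint8_t *out, size_t out_len,
                 size_t *written)
{
    if (in->size > MOCK_TPM2B_MAX || (size_t)in->size + 2 > out_len)
        return MOCK_RC_BAD_SIZE;
    out[0] = (uint8_t)(in->size >> 8);
    out[1] = (uint8_t)(in->size & 0xff);
    memcpy(out + 2, in->buffer, in->size);
    *written = (size_t)in->size + 2;
    return MOCK_RC_SUCCESS;
}

/* Correct pattern: zero-initialize, leave every unused field at zero. */
int build_zeroed(uint8_t *out, size_t out_len, size_t *written)
{
    mock_tpm2b arg = {0};            /* size == 0, buffer all zero */
    return mock_marshal(&arg, out, out_len, written);
}

/* Correct pattern with a payload: zero-initialize first, then set only the
 * fields you need, keeping size consistent with the bytes written. */
int build_with_payload(const uint8_t *payload, uint16_t len,
                       uint8_t *out, size_t out_len, size_t *written)
{
    mock_tpm2b arg = {0};
    if (len > MOCK_TPM2B_MAX)
        return MOCK_RC_BAD_SIZE;
    memcpy(arg.buffer, payload, len);
    arg.size = len;
    return mock_marshal(&arg, out, out_len, written);
}

/* Deterministic simulation of an uninitialized struct: every byte 0xAA, so
 * size reads as 0xAAAA, far beyond the 64-byte buffer. */
int build_garbage(uint8_t *out, size_t out_len, size_t *written)
{
    mock_tpm2b arg;
    memset(&arg, 0xAA, sizeof arg);
    return mock_marshal(&arg, out, out_len, written);
}
```

The point of the comparison is that the marshaller never looks at whether the caller "meant" a field: it trusts the size prefix as written, so an argument struct declared without `= {0}` can carry an arbitrary length and be rejected (or misread) before the command ever reaches the TPM.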

preisacm commented 3 years ago

Thanks for the update. The script now creates the keys correctly, so this project now also works on Ubuntu 20.04.

zanebeckwith commented 3 years ago

Ha, that's funny, I didn't see your comment from a few weeks ago, until you closed this issue just now.

I'm glad this fixed your issue. I'll merge the fix into the mainline now.

I'm curious: what are you using the library for?

preisacm commented 3 years ago

I'm using that project as part of my master's thesis within the Digidow project (https://digidow.eu). There, a sensor with a TPM and a camera becomes a DAA member and should be the entry point of a "trusted distributed authentication system". That's why I want to get the TPM features running.

zanebeckwith commented 3 years ago

Very interesting! Good luck, hope this project helps you!