* Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
@ 2018-07-23 15:23 Philip Tricca
  0 siblings, 0 replies; 9+ messages in thread
From: Philip Tricca @ 2018-07-23 15:23 UTC (permalink / raw)
  To: tpm2

On 07/20/2018 06:33 AM, Scheie, Peter M wrote:
> -----Original Message-----
> From: Joshua Lock [mailto:joshua.g.lock(a)linux.intel.com] 
> Sent: Friday, July 20, 2018 6:00 AM
> To: Scheie, Peter M; tpm2(a)lists.01.org
> Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
> 
> On 19/07/2018 17:08, Scheie, Peter M wrote:
>>
>> -----Original Message-----
>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Joshua Lock
>> Sent: Thursday, July 19, 2018 5:24 AM
>> To: tpm2(a)lists.01.org
>> Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
>>
>>
>>
>> On 18/07/2018 22:17, Scheie, Peter M wrote:
>>> By the way, does abrmd default to trying to connect to /dev/tpm0?  When
>>> working with the emulator on my laptop, I have to start abrmd with
>>> '--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there
>>> is no TPM device, right?
>>
>> Correct, if no --tcti value is passed abrmd defaults to using the device
>> tcti:
>> https://github.com/tpm2-software/tpm2-abrmd/blob/2296d48a1004aff5f93d6ec23a50819f2a5c5584/src/tcti-dynamic.c#L138
>>
>> At line 142 you can see where the default value of the TCTI library file
>> property is set to "libtss2-tcti-device.so".
>>
>>> So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or
>>> tpm2_nvlist, to just query the TPM, it will display the PCRs or the NV
>>> indexes but then follow that with a "Segmentation fault", and syslog
>>> shows things like this:
>>>
>>> Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000
>>> gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
>>>
>>> Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750
>>> ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
>>> libtss2-mu.so.0.0.0[7f8328284000+3f000]
>>>
>>> Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at
>>> 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
>>> libtss2-mu.so.0.0.0[7f8328284000+3f000]
>>>
>>> Trying to write to the TPM, e.g., take ownership, doesn't work at all:
>>>
>>> localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
>>>
>>> ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2
>>
>> I just recently learned about tpm2_rc_decode[1], it tells me:
>>
>> $ ./tools/aux/tpm2_rc_decode 0x9a2
>> tpm:session(1):authorization failure without DA implications
>>
>> Is this TPM already configured? Have you replicated on more than one system?
>>
>> Joshua
>>
>> ***********************************************************
>> Oops, you are correct: I had already taken ownership of the TPM previously, but was not supplying the owner password when trying to write to it.   With that in mind, I can write/configure the TPM as expected.  However, I'm still getting a segfault message after each operation.
>>
> 
> Glad to hear, though the segfault is worrying. Could you install debug 
> packages and find out more about the segfault?
> 
> Thanks,
> Joshua
> 
> ************************************************************
> Wind River has suggested that since it appears the segfaults are appearing on the "gdbus" process, it may be dbus related.  One possibility is that the dbus version in WRL8 is not in sync with the newer tpm2 utilities.

Does WRL9 ship with SELinux or some other security policy enforced?

Philip

* Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
@ 2018-07-23 15:28 Scheie, Peter M
  0 siblings, 0 replies; 9+ messages in thread
From: Scheie, Peter M @ 2018-07-23 15:28 UTC (permalink / raw)
  To: tpm2

-----Original Message-----
From: Philip Tricca [mailto:flihp(a)twobit.org] 
Sent: Monday, July 23, 2018 10:24 AM
To: Scheie, Peter M
Cc: Joshua Lock; tpm2(a)lists.01.org
Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0

On 07/20/2018 06:33 AM, Scheie, Peter M wrote:
> -----Original Message-----
> From: Joshua Lock [mailto:joshua.g.lock(a)linux.intel.com] 
> Sent: Friday, July 20, 2018 6:00 AM
> To: Scheie, Peter M; tpm2(a)lists.01.org
> Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
> 
> On 19/07/2018 17:08, Scheie, Peter M wrote:
>>
>> -----Original Message-----
>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Joshua Lock
>> Sent: Thursday, July 19, 2018 5:24 AM
>> To: tpm2(a)lists.01.org
>> Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
>>
>>
>>
>> On 18/07/2018 22:17, Scheie, Peter M wrote:
>>> By the way, does abrmd default to trying to connect to /dev/tpm0?  When
>>> working with the emulator on my laptop, I have to start abrmd with
>>> '--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there
>>> is no TPM device, right?
>>
>> Correct, if no --tcti value is passed abrmd defaults to using the device
>> tcti:
>> https://github.com/tpm2-software/tpm2-abrmd/blob/2296d48a1004aff5f93d6ec23a50819f2a5c5584/src/tcti-dynamic.c#L138
>>
>> At line 142 you can see where the default value of the TCTI library file
>> property is set to "libtss2-tcti-device.so".
>>
>>> So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or
>>> tpm2_nvlist, to just query the TPM, it will display the PCRs or the NV
>>> indexes but then follow that with a "Segmentation fault", and syslog
>>> shows things like this:
>>>
>>> Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000
>>> gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
>>>
>>> Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750
>>> ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
>>> libtss2-mu.so.0.0.0[7f8328284000+3f000]
>>>
>>> Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at
>>> 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
>>> libtss2-mu.so.0.0.0[7f8328284000+3f000]
>>>
>>> Trying to write to the TPM, e.g., take ownership, doesn't work at all:
>>>
>>> localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
>>>
>>> ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2
>>
>> I just recently learned about tpm2_rc_decode[1], it tells me:
>>
>> $ ./tools/aux/tpm2_rc_decode 0x9a2
>> tpm:session(1):authorization failure without DA implications
>>
>> Is this TPM already configured? Have you replicated on more than one system?
>>
>> Joshua
>>
>> ***********************************************************
>> Oops, you are correct: I had already taken ownership of the TPM previously, but was not supplying the owner password when trying to write to it.   With that in mind, I can write/configure the TPM as expected.  However, I'm still getting a segfault message after each operation.
>>
> 
> Glad to hear, though the segfault is worrying. Could you install debug 
> packages and find out more about the segfault?
> 
> Thanks,
> Joshua
> 
> ************************************************************
> Wind River has suggested that since it appears the segfaults are appearing on the "gdbus" process, it may be dbus related.  One possibility is that the dbus version in WRL8 is not in sync with the newer tpm2 utilities.

Does WRL9 ship with SELinux or some other security policy enforced?

Philip

*************************************************************
No, or at least we're not using SELinux in this case.

Peter

* Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
@ 2018-07-20 13:33 Scheie, Peter M
  0 siblings, 0 replies; 9+ messages in thread
From: Scheie, Peter M @ 2018-07-20 13:33 UTC (permalink / raw)
  To: tpm2

-----Original Message-----
From: Joshua Lock [mailto:joshua.g.lock(a)linux.intel.com] 
Sent: Friday, July 20, 2018 6:00 AM
To: Scheie, Peter M; tpm2(a)lists.01.org
Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0

On 19/07/2018 17:08, Scheie, Peter M wrote:
> 
> -----Original Message-----
> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Joshua Lock
> Sent: Thursday, July 19, 2018 5:24 AM
> To: tpm2(a)lists.01.org
> Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
> 
> 
> 
> On 18/07/2018 22:17, Scheie, Peter M wrote:
>> By the way, does abrmd default to trying to connect to /dev/tpm0?  When
>> working with the emulator on my laptop, I have to start abrmd with
>> '--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there
>> is no TPM device, right?
> 
> Correct, if no --tcti value is passed abrmd defaults to using the device
> tcti:
> https://github.com/tpm2-software/tpm2-abrmd/blob/2296d48a1004aff5f93d6ec23a50819f2a5c5584/src/tcti-dynamic.c#L138
> 
> At line 142 you can see where the default value of the TCTI library file
> property is set to "libtss2-tcti-device.so".
> 
>> So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or
>> tpm2_nvlist, to just query the TPM, it will display the PCRs or the NV
>> indexes but then follow that with a "Segmentation fault", and syslog
>> shows things like this:
>>
>> Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000
>> gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
>>
>> Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750
>> ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
>> libtss2-mu.so.0.0.0[7f8328284000+3f000]
>>
>> Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at
>> 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
>> libtss2-mu.so.0.0.0[7f8328284000+3f000]
>>
>> Trying to write to the TPM, e.g., take ownership, doesn't work at all:
>>
>> localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
>>
>> ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2
> 
> I just recently learned about tpm2_rc_decode[1], it tells me:
> 
> $ ./tools/aux/tpm2_rc_decode 0x9a2
> tpm:session(1):authorization failure without DA implications
> 
> Is this TPM already configured? Have you replicated on more than one system?
> 
> Joshua
> 
> ***********************************************************
> Oops, you are correct: I had already taken ownership of the TPM previously, but was not supplying the owner password when trying to write to it.   With that in mind, I can write/configure the TPM as expected.  However, I'm still getting a segfault message after each operation.
> 

Glad to hear, though the segfault is worrying. Could you install debug 
packages and find out more about the segfault?

Thanks,
Joshua

************************************************************
Wind River has suggested that since it appears the segfaults are appearing on the "gdbus" process, it may be dbus related.  One possibility is that the dbus version in WRL8 is not in sync with the newer tpm2 utilities.

Peter

* Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
@ 2018-07-20 11:00 Joshua Lock
  0 siblings, 0 replies; 9+ messages in thread
From: Joshua Lock @ 2018-07-20 11:00 UTC (permalink / raw)
  To: tpm2

On 19/07/2018 17:08, Scheie, Peter M wrote:
> 
> -----Original Message-----
> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Joshua Lock
> Sent: Thursday, July 19, 2018 5:24 AM
> To: tpm2(a)lists.01.org
> Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
> 
> 
> 
> On 18/07/2018 22:17, Scheie, Peter M wrote:
>> By the way, does abrmd default to trying to connect to /dev/tpm0?  When
>> working with the emulator on my laptop, I have to start abrmd with
>> '--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there
>> is no TPM device, right?
> 
> Correct, if no --tcti value is passed abrmd defaults to using the device
> tcti:
> https://github.com/tpm2-software/tpm2-abrmd/blob/2296d48a1004aff5f93d6ec23a50819f2a5c5584/src/tcti-dynamic.c#L138
> 
> At line 142 you can see where the default value of the TCTI library file
> property is set to "libtss2-tcti-device.so".
> 
>> So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or
>> tpm2_nvlist, to just query the TPM, it will display the PCRs or the NV
>> indexes but then follow that with a "Segmentation fault", and syslog
>> shows things like this:
>>
>> Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000
>> gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
>>
>> Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750
>> ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
>> libtss2-mu.so.0.0.0[7f8328284000+3f000]
>>
>> Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at
>> 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
>> libtss2-mu.so.0.0.0[7f8328284000+3f000]
>>
>> Trying to write to the TPM, e.g., take ownership, doesn't work at all:
>>
>> localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
>>
>> ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2
> 
> I just recently learned about tpm2_rc_decode[1], it tells me:
> 
> $ ./tools/aux/tpm2_rc_decode 0x9a2
> tpm:session(1):authorization failure without DA implications
> 
> Is this TPM already configured? Have you replicated on more than one system?
> 
> Joshua
> 
> ***********************************************************
> Oops, you are correct: I had already taken ownership of the TPM previously, but was not supplying the owner password when trying to write to it.   With that in mind, I can write/configure the TPM as expected.  However, I'm still getting a segfault message after each operation.
> 

Glad to hear, though the segfault is worrying. Could you install debug 
packages and find out more about the segfault?

Thanks,
Joshua

* Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
@ 2018-07-19 16:18 Scheie, Peter M
  0 siblings, 0 replies; 9+ messages in thread
From: Scheie, Peter M @ 2018-07-19 16:18 UTC (permalink / raw)
  To: tpm2

-----Original Message-----
From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Philip Tricca
Sent: Thursday, July 19, 2018 9:31 AM
To: Joshua Lock
Cc: tpm2(a)lists.01.org
Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0

On Thu, Jul 19, 2018 at 11:24:23AM +0100, Joshua Lock wrote:
> 
> 
> On 18/07/2018 22:17, Scheie, Peter M wrote:
> >By the way, does abrmd default to trying to connect to /dev/tpm0?  When
> >working with the emulator on my laptop, I have to start abrmd with
> >'--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there is
> >no TPM device, right?
> 
> Correct, if no --tcti value is passed abrmd defaults to using the device
> tcti:
> https://github.com/tpm2-software/tpm2-abrmd/blob/2296d48a1004aff5f93d6ec23a50819f2a5c5584/src/tcti-dynamic.c#L138
> 
> At line 142 you can see where the default value of the TCTI library file
> property is set to "libtss2-tcti-device.so".
> 
> >So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or tpm2_nvlist,
> >to just query the TPM, it will display the PCRs or the NV indexes but then
> >follow that with a "Segmentation fault", and syslog shows things like
> >this:
> >
> >Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000
> >gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
> >
> >Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750 ip
> >00007f8327acc750 sp 00007f8326ab2c38 error 14 in
> >libtss2-mu.so.0.0.0[7f8328284000+3f000]
> >
> >Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at
> >7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
> >libtss2-mu.so.0.0.0[7f8328284000+3f000]
> >
> >Trying to write to the TPM, e.g., take ownership, doesn't work at all:
> >
> >localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
> >
> >ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2
> 
> I just recently learned about tpm2_rc_decode[1], it tells me:
> 
> $ ./tools/aux/tpm2_rc_decode 0x9a2
> tpm:session(1):authorization failure without DA implications
> 
> Is this TPM already configured? Have you replicated on more than one system?

100% recommend verifying this configuration on a more "typical" Linux
distro since this is nearly impossible for us to repro. Also WRL is
based on OpenEmbedded? Can you get a working system up on a stock Sumo
build?

Philip

**************************************************************
WRL8 is largely yocto based, so one-off OE recipes usually work with it.  That is, I think WRL8 uses a lot of OE recipes (perhaps even whole layers), but it has nothing for tpm2* stuff, so I've been using the OE recipes.   (WRL9 is all yocto, I've been told, getting rid of the last bits of proprietary WR stuff.)  But we're not using OE, i.e., Sumo, itself for a build environment; it's WR.  I'll see if I can figure out a way to do a stock Sumo build.

Peter

* Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
@ 2018-07-19 16:08 Scheie, Peter M
  0 siblings, 0 replies; 9+ messages in thread
From: Scheie, Peter M @ 2018-07-19 16:08 UTC (permalink / raw)
  To: tpm2


-----Original Message-----
From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Joshua Lock
Sent: Thursday, July 19, 2018 5:24 AM
To: tpm2(a)lists.01.org
Subject: Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0



On 18/07/2018 22:17, Scheie, Peter M wrote:
> By the way, does abrmd default to trying to connect to /dev/tpm0?  When 
> working with the emulator on my laptop, I have to start abrmd with 
> '--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there 
> is no TPM device, right?

Correct, if no --tcti value is passed abrmd defaults to using the device 
tcti:
https://github.com/tpm2-software/tpm2-abrmd/blob/2296d48a1004aff5f93d6ec23a50819f2a5c5584/src/tcti-dynamic.c#L138

At line 142 you can see where the default value of the TCTI library file 
property is set to "libtss2-tcti-device.so".

> So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or 
> tpm2_nvlist, to just query the TPM, it will display the PCRs or the NV 
> indexes but then follow that with a "Segmentation fault", and syslog 
> shows things like this:
> 
> Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000 
> gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
> 
> Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750 
> ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in 
> libtss2-mu.so.0.0.0[7f8328284000+3f000]
> 
> Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at 
> 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in 
> libtss2-mu.so.0.0.0[7f8328284000+3f000]
> 
> Trying to write to the TPM, e.g., take ownership, doesn't work at all:
> 
> localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
> 
> ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2

I just recently learned about tpm2_rc_decode[1], it tells me:

$ ./tools/aux/tpm2_rc_decode 0x9a2
tpm:session(1):authorization failure without DA implications

Is this TPM already configured? Have you replicated on more than one system?

Joshua

***********************************************************
Oops, you are correct: I had already taken ownership of the TPM previously, but was not supplying the owner password when trying to write to it.   With that in mind, I can write/configure the TPM as expected.  However, I'm still getting a segfault message after each operation.

Peter

* Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
@ 2018-07-19 14:31 Philip Tricca
  0 siblings, 0 replies; 9+ messages in thread
From: Philip Tricca @ 2018-07-19 14:31 UTC (permalink / raw)
  To: tpm2

On Thu, Jul 19, 2018 at 11:24:23AM +0100, Joshua Lock wrote:
> 
> 
> On 18/07/2018 22:17, Scheie, Peter M wrote:
> >By the way, does abrmd default to trying to connect to /dev/tpm0?  When
> >working with the emulator on my laptop, I have to start abrmd with
> >'--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there is
> >no TPM device, right?
> 
> Correct, if no --tcti value is passed abrmd defaults to using the device
> tcti:
> https://github.com/tpm2-software/tpm2-abrmd/blob/2296d48a1004aff5f93d6ec23a50819f2a5c5584/src/tcti-dynamic.c#L138
> 
> At line 142 you can see where the default value of the TCTI library file
> property is set to "libtss2-tcti-device.so".
> 
> >So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or tpm2_nvlist,
> >to just query the TPM, it will display the PCRs or the NV indexes but then
> >follow that with a "Segmentation fault", and syslog shows things like
> >this:
> >
> >Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000
> >gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
> >
> >Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750 ip
> >00007f8327acc750 sp 00007f8326ab2c38 error 14 in
> >libtss2-mu.so.0.0.0[7f8328284000+3f000]
> >
> >Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at
> >7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in
> >libtss2-mu.so.0.0.0[7f8328284000+3f000]
> >
> >Trying to write to the TPM, e.g., take ownership, doesn't work at all:
> >
> >localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
> >
> >ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2
> 
> I just recently learned about tpm2_rc_decode[1], it tells me:
> 
> $ ./tools/aux/tpm2_rc_decode 0x9a2
> tpm:session(1):authorization failure without DA implications
> 
> Is this TPM already configured? Have you replicated on more than one system?

100% recommend verifying this configuration on a more "typical" Linux
distro since this is nearly impossible for us to repro. Also WRL is
based on OpenEmbedded? Can you get a working system up on a stock Sumo
build?

Philip

* Re: [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
@ 2018-07-19 10:24 Joshua Lock
  0 siblings, 0 replies; 9+ messages in thread
From: Joshua Lock @ 2018-07-19 10:24 UTC (permalink / raw)
  To: tpm2



On 18/07/2018 22:17, Scheie, Peter M wrote:
> By the way, does abrmd default to trying to connect to /dev/tpm0?  When 
> working with the emulator on my laptop, I have to start abrmd with 
> '--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there 
> is no TPM device, right?

Correct, if no --tcti value is passed abrmd defaults to using the device 
tcti:
https://github.com/tpm2-software/tpm2-abrmd/blob/2296d48a1004aff5f93d6ec23a50819f2a5c5584/src/tcti-dynamic.c#L138

At line 142 you can see where the default value of the TCTI library file 
property is set to "libtss2-tcti-device.so".

> So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or 
> tpm2_nvlist, to just query the TPM, it will display the PCRs or the NV 
> indexes but then follow that with a "Segmentation fault", and syslog 
> shows things like this:
> 
> Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000 
> gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
> 
> Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750 
> ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in 
> libtss2-mu.so.0.0.0[7f8328284000+3f000]
> 
> Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at 
> 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in 
> libtss2-mu.so.0.0.0[7f8328284000+3f000]
> 
> Trying to write to the TPM, e.g., take ownership, doesn't work at all:
> 
> localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
> 
> ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2

I just recently learned about tpm2_rc_decode[1], it tells me:

$ ./tools/aux/tpm2_rc_decode 0x9a2
tpm:session(1):authorization failure without DA implications

Is this TPM already configured? Have you replicated on more than one system?

Joshua
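
Added example (not part of the original message, and not the tpm2-tools implementation of tpm2_rc_decode): a Python sketch of how a code such as 0x9a2 splits into layer, format, subject and error number under the TPM 2.0 response-code layout. It goes beyond the one code discussed here by also splitting TSS2 layer codes such as the 0xa000a that abrmd logged in the original post; the name tables are partial subsets and the function names are illustrative.

```python
# TSS2 return codes carry a layer number in bits 16-23 and a layer-specific
# code in bits 0-15. The tables below are partial subsets, enough for the
# codes that appear in this thread plus a few neighbours.
TSS2_LAYERS = {0: "tpm", 6: "feature", 7: "esapi", 8: "sys", 9: "mu",
               10: "tcti", 11: "resmgr", 12: "resmgr_tpm"}

TSS2_BASE_RC = {
    1: "TSS2_BASE_RC_GENERAL_FAILURE",
    3: "TSS2_BASE_RC_BAD_CONTEXT",
    5: "TSS2_BASE_RC_BAD_REFERENCE",
    8: "TSS2_BASE_RC_NO_CONNECTION",
    9: "TSS2_BASE_RC_TRY_AGAIN",
    10: "TSS2_BASE_RC_IO_ERROR",
    11: "TSS2_BASE_RC_BAD_VALUE",
}

# Format-one TPM errors (bit 7 set) keep the error number in bits 0-5.
TPM_RC_FMT1 = {
    0x04: ("TPM_RC_VALUE",
           "value is out of range or is not correct for the context"),
    0x0B: ("TPM_RC_HANDLE", "the handle is not correct for the use"),
    0x0E: ("TPM_RC_AUTH_FAIL",
           "the authorization HMAC check failed and DA counter incremented"),
    0x15: ("TPM_RC_SIZE", "structure is the wrong size"),
    0x22: ("TPM_RC_BAD_AUTH",
           "authorization failure without DA implications"),
}


def decode_rc(rc):
    """Split a 32-bit TSS2/TPM2 return code into its fields."""
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    out = {"layer": TSS2_LAYERS.get(layer, "unknown(%d)" % layer)}
    if layer not in (0, 12):
        # Software layers (tcti, sys, esapi, ...) use the TSS2 base codes.
        out["name"] = TSS2_BASE_RC.get(code, "unknown(0x%x)" % code)
        return out
    if code == 0:
        out["name"] = "TPM_RC_SUCCESS"
        return out
    if code & 0x80:
        # Format one: bit 6 = parameter flag, bits 8-11 = N.
        n = (code >> 8) & 0xF
        if code & 0x40:
            subject, index = "parameter", n
        elif n & 0x8:
            subject, index = "session", n & 0x7
        else:
            subject, index = "handle", n & 0x7
        num = code & 0x3F
        name, text = TPM_RC_FMT1.get(
            num, ("unknown(0x%x)" % num, "error number not in this table"))
        out.update(format=1, subject=subject, index=index,
                   name=name, text=text)
    else:
        # Format zero: bits 0-6 = error number, bit 11 = warning flag.
        out.update(format=0, warning=bool(code & 0x800),
                   name="fmt0(0x%x)" % (code & 0x7F))
    return out


def describe(rc):
    """Render a code in the layer:subject(n):text style shown above."""
    d = decode_rc(rc)
    if d.get("format") == 1:
        return "%s:%s(%d):%s" % (d["layer"], d["subject"],
                                 d["index"], d["text"])
    return "%s:%s" % (d["layer"], d["name"])


def increments_da_counter(rc):
    """True only for TPM_RC_AUTH_FAIL, the failure that the TPM counts
    toward dictionary-attack lockout; TPM_RC_BAD_AUTH is not counted."""
    return decode_rc(rc).get("name") == "TPM_RC_AUTH_FAIL"


if __name__ == "__main__":
    for rc in (0x9A2, 0xA000A):  # both values are quoted in this thread
        print(hex(rc), "->", describe(rc))
```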

* [tpm2] getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
@ 2018-07-18 21:17 Scheie, Peter M
  0 siblings, 0 replies; 9+ messages in thread
From: Scheie, Peter M @ 2018-07-18 21:17 UTC (permalink / raw)
  To: tpm2

The good news is that with help from Wind River, I've been able to get tpm2-tss 2.0.0, tpm2-abrmd 2.0.0, and tpm2-tools 3.1.0 to build in our WR Linux 8 environment.  We had been on versions 1.4.0, 1.2.0, and 3.0.3 respectively, which are working fine, but I wanted to get onto current releases.  Had to add a couple patches and a bunch of package declarations into our bbappend files (we're using @flihp's OE recipes which were written for the earlier versions), but now they all build without error.

The bad news is that now on the target I'm getting segfaults with the tools and I can't really use the TPM.  As the system boots up, I see some abrmd errors in the log, but I think that's just abrmd trying to talk to the TPM before the TPM is ready; eventually systemd restarts abrmd and it does start without errors.  Here's the log in case it's helpful:

Jun 27 22:27:14 localhost kernel: ACPI: TPM2 0x000000009CBF9000 000034 (v03 INSYDE HSW-LPT  00000000 ACPI 00040000)
Jun 27 22:27:15 localhost systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Jun 27 22:27:15 localhost systemd[1]: tpm2-abrmd.service: Main process exited, code=exited, status=1/FAILURE
Jun 27 22:27:15 localhost systemd[1]: Failed to start TPM2 Access Broker and Resource Management Daemon.
Jun 27 22:27:15 localhost systemd[1]: tpm2-abrmd.service: Unit entered failed state.
Jun 27 22:27:15 localhost systemd[1]: tpm2-abrmd.service: Failed with result 'exit-code'.
Jun 27 22:27:15 localhost kernel[363]: ACPI: TPM2 0x000000009CBF9000 000034 (v03 INSYDE HSW-LPT  00000000 ACPI 00040000)
Jun 27 22:27:15 localhost tpm2-abrmd[366]: ERROR:tcti:/localhome/pscheie/workspace-mdsu-scheie/projects/mdsu/bitbake_build/tmp/work/broadwell-64-wrs-linux/tpm2-tss/2.0.0-r0/tpm2-tss-2.0.0/src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
Jun 27 22:27:15 localhost tpm2-abrmd[366]: ** (tpm2-abrmd:366): WARNING **: failed to initialize device TCTI context: 0xa000a
Jun 27 22:27:15 localhost tpm2-abrmd[366]: ** (tpm2-abrmd:366): CRITICAL **: TCTI initialization failed: 0xa000a
Jun 27 22:27:20 localhost systemd[1]: tpm2-abrmd.service: Service hold-off time over, scheduling restart.
Jun 27 22:27:20 localhost systemd[1]: Stopped TPM2 Access Broker and Resource Management Daemon.
Jun 27 22:27:20 localhost systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Jun 27 22:27:20 localhost systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.

By the way, does abrmd default to trying to connect to /dev/tpm0?  When working with the emulator on my laptop, I have to start abrmd with '--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there is no TPM device, right?

So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or tpm2_nvlist, to just query the TPM, it will display the PCRs or the NV indexes but then follow that with a "Segmentation fault", and syslog shows things like this:

Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in libtss2-mu.so.0.0.0[7f8328284000+3f000]
Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in libtss2-mu.so.0.0.0[7f8328284000+3f000]

Trying to write to the TPM, e.g., take ownership, doesn't work at all:

localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2
ERROR: Unable to run tpm2_takeownership
Segmentation fault
and syslog shows

Jun 27 23:08:03 localhost audit[1539]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=1 pid=1539 comm="gdbus" exe="/usr/bin/tpm2_takeownership" sig=11
Jun 27 23:08:03 localhost kernel: gdbus[1539]: segfault at 7ff2fe95c750 ip 00007ff2fe95c750 sp 00007ff2fd942c38 error 14 in libtss2-mu.so.0.0.0[7ff2ff114000+3f000]
Jun 27 23:08:03 localhost kernel[363]: gdbus[1539]: segfault at 7ff2fe95c750 ip 00007ff2fe95c750 sp 00007ff2fd942c38 error 14 in libtss2-mu.so.0.0.0[7ff2ff114000+3f000]

Any suggestions?
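
Added example (not part of the original post, and not code from the tpm2 projects): a Python decoder for the kernel segfault and audit ANOM_ABEND lines quoted above, joined on pid. It assumes the x86 page-fault error-code bit layout and that the kernel prints that code in hex; the function names are illustrative.

```python
import re

# Log lines quoted from the original post in this thread.
LOG = """\
Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in libtss2-mu.so.0.0.0[7f8328284000+3f000]
Jun 27 23:08:03 localhost audit[1539]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=1 pid=1539 comm="gdbus" exe="/usr/bin/tpm2_takeownership" sig=11
Jun 27 23:08:03 localhost kernel: gdbus[1539]: segfault at 7ff2fe95c750 ip 00007ff2fe95c750 sp 00007ff2fd942c38 error 14 in libtss2-mu.so.0.0.0[7ff2ff114000+3f000]
"""

SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
ABEND_RE = re.compile(
    r'ANOM_ABEND .*? pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)" '
    r'exe="(?P<exe>[^"]*)" sig=(?P<sig>\d+)'
)

# x86 page-fault error code: (mask, meaning if set, meaning if clear).
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write", "read"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set", None),
    (0x10, "instruction fetch", None),
]


def decode_segfault(line):
    """Decode one kernel 'segfault at' line; return None if it is not one."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    access = []
    for mask, if_set, if_clear in PF_BITS:
        label = if_set if err & mask else if_clear
        if label:
            access.append(label)
    info = {
        "thread": m["comm"],          # thread name, not the executable
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "ip": ip,
        "access": access,
        # Fetching an instruction from a non-present page at the faulting
        # address itself means control was transferred to unmapped memory.
        "bad_jump": bool(addr == ip and err & 0x10 and not err & 0x01),
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        info["object"] = m["obj"]
        # The kernel names the first file mapping that ends above ip, so
        # the name alone does not prove that ip lies inside that mapping.
        info["ip_in_mapping"] = base <= ip < base + size
    return info


def analyze(log):
    """Join segfault lines with ANOM_ABEND audit records on pid."""
    exe_by_pid = {int(m["pid"]): m["exe"] for m in ABEND_RE.finditer(log)}
    crashes = []
    for line in log.splitlines():
        info = decode_segfault(line)
        if info:
            info["exe"] = exe_by_pid.get(info["pid"])
            crashes.append(info)
    return crashes


if __name__ == "__main__":
    for c in analyze(LOG):
        print(c["exe"], "thread", c["thread"], "ip", hex(c["ip"]),
              c["access"], "bad_jump:", c["bad_jump"],
              "ip inside", c.get("object"), "->", c.get("ip_in_mapping"))
```

For both crashes in the post the fault address equals the instruction pointer, the access is a user-mode instruction fetch from a non-present page, and the instruction pointer lies below the reported libtss2-mu.so mapping. The gdbus thread was therefore executing at an unmapped address rather than faulting inside that library's mapped range.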
