* [tpm2] Re: Error on service tpm2-abrmd start
@ 2021-02-23 20:16 Roberts, William C
From: Roberts, William C @ 2021-02-23 20:16 UTC
  To: tpm2

  1.  Yes, you can start tpm2-abrmd like so:
tpm2-abrmd --tcti=mssim

mssim will connect to the ibmtpm simulator, or you can use swtpm to connect to stefanberger's swtpm.

If you want to run as root, you can pass --allow-root, but usually you don't need root to run the daemon. /dev/tpm0 should be labelled as user tss2 and /dev/tpmrm0 should be user and group tss2.

I configure this so I can own the DBus name for debugging by modifying:
/etc/dbus-1/system.d/tpm2-abrmd.conf
to add my username to the list

  2.  Not sure about 2; how do you not have tpm2-abrmd and get the results from 1?
  3.  For tpm2-tools, you can pass the --tcti option, just like for tpm2-abrmd.
For the tss2 libraries:
   SAPI: you need to pass a TCTI_CONTEXT *, which you can get via the TCTI_LDR API:
      https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_tctildr.h#L25
      That API takes those --tcti=<string> values.
   ESAPI: just send NULL as the TCTI_CONTEXT; it will fall back to using the TCTI Ldr API, which has a search routine built into it.
   FAPI: it's configured in the config file, but I think it defaults to searching around.

________________________________
From: Kenneth Goldman <kgoldman(a)us.ibm.com>
Sent: Monday, February 15, 2021 5:19 PM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] Error on service tpm2-abrmd start


Two questions actually, trying to run the Intel TSS with a SW TPM

1

Instructions for a project say to run
service tpm2-abrmd start
When I do that, I get

* Starting TPM2 Access Broker and Resource Management Daemon tpm2-abrmd
** (process:19039): WARNING **: 18:06:45.480: tcti_conf before: "device:/dev/tpm0"

** (tpm2-abrmd:19039): WARNING **: 18:06:45.488: tcti_conf after: "device:/dev/tpm0"
Refusing to run as root. Pass --allow-root if you know what you are doing.

This probably fails because I don't have /dev/tpm0, right?

2

Later instructions say to

sudo -u tss /usr/local/sbin/tpm2-abrmd --tcti=mssim &

which fails because I don't have tpm2-abrmd. I did install the packages - Ubuntu 20.

3

Finally, if I'm using the SW TPM, can I simply skip the abrmd complexity and somehow point the Intel TSS to the SW TPM socket?

--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)


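
The TCTI string handling Bill describes in point 3 above, as an added example that is not tpm2-tools or tpm2-tss code: a small Python model of how a "name:conf" value such as mssim:host=localhost,port=2321 is taken apart, plus the precedence the thread states further down (the -T/--tcti option wins over the TPM2TOOLS_TCTI environment variable, and a bare "mssim" means host=localhost,port=2321). The mssim defaults come from the thread; treating swtpm and tabrmd conf strings as key=value lists, the strict checks on unknown keys and port range, and the decision not to model the TCTI Ldr search order are this example's own assumptions.

```python
"""Resolve a tpm2-tools style TCTI string the way the thread describes it.

Added example, not code from tpm2-tools or tpm2-tss. It models three things
the thread states: -T/--tcti and TPM2TOOLS_TCTI carry the same "name:conf"
string, the command-line value overrides the environment variable, and a bare
"mssim" is equivalent to "mssim:host=localhost,port=2321". The key=value
syntax for TCTIs other than mssim and the strict checks below are this
example's own; the TCTI Ldr search order used when nothing is configured is
deliberately not modelled.
"""
from __future__ import annotations

import os
from typing import Mapping

# Defaults the thread gives for the mssim TCTI. No defaults are assumed for
# any other TCTI, so e.g. "device" returns exactly the path that was supplied.
MSSIM_DEFAULTS = {"host": "localhost", "port": "2321"}

# TCTIs whose conf part is a comma-separated key=value list (an assumption of
# this example for anything other than mssim, which the thread shows).
KEY_VALUE_TCTIS = {"mssim", "swtpm", "tabrmd"}


def parse_tcti(spec: str) -> tuple[str, dict[str, str] | str]:
    """Split "name[:conf]" into (name, conf) and apply known defaults.

    Returns (name, dict) for key=value TCTIs and (name, path_string) for
    everything else; raises ValueError on malformed input instead of letting
    a typo silently select a different transport.
    """
    name, _, conf = spec.strip().partition(":")
    if not name:
        raise ValueError(f"empty TCTI name in {spec!r}")
    if name not in KEY_VALUE_TCTIS:
        return name, conf            # e.g. ("device", "/dev/tpmrm0")

    pairs: dict[str, str] = {}
    for item in filter(None, conf.split(",")):
        key, sep, value = item.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"bad key=value pair {item!r} in {spec!r}")
        pairs[key] = value

    if name == "mssim":
        unknown = set(pairs) - set(MSSIM_DEFAULTS)
        if unknown:
            raise ValueError(f"unknown mssim option(s) {sorted(unknown)} in {spec!r}")
        pairs = {**MSSIM_DEFAULTS, **pairs}
        if not pairs["port"].isdigit() or not 0 < int(pairs["port"]) < 65536:
            raise ValueError(f"invalid mssim port {pairs['port']!r} in {spec!r}")
    return name, pairs


def canonical(spec: str) -> str:
    """Fully expanded form, e.g. "mssim" -> "mssim:host=localhost,port=2321"."""
    name, conf = parse_tcti(spec)
    if isinstance(conf, str):
        return f"{name}:{conf}" if conf else name
    if not conf:
        return name
    return name + ":" + ",".join(f"{k}={v}" for k, v in sorted(conf.items()))


def resolve_tcti(cli_value: str | None,
                 environ: Mapping[str, str] | None = None):
    """Precedence the thread describes: -T/--tcti wins over TPM2TOOLS_TCTI.

    Returns None when neither is set, which is the case where tpm2-tools
    leaves the choice to the TCTI Ldr search routine.
    """
    env = os.environ if environ is None else environ
    spec = cli_value if cli_value is not None else env.get("TPM2TOOLS_TCTI")
    return None if spec is None else parse_tcti(spec)


if __name__ == "__main__":
    print(canonical("mssim"))
    print(resolve_tcti(None, {"TPM2TOOLS_TCTI": "mssim:port=2322"}))
    print(resolve_tcti("device:/dev/tpmrm0", {"TPM2TOOLS_TCTI": "mssim"}))
```

The same name:conf string is what tpm2-abrmd itself receives through its --tcti option; the "tcti_conf before/after" warnings in the logs quoted in this thread show exactly that value being settled on ("(null)" before the option is applied, "mssim" after). Rejecting unknown keys and a non-numeric port up front is deliberate: a mistyped option should fail at parse time rather than fall through to whatever transport the search routine finds.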

* [tpm2] Re: Error on service tpm2-abrmd start
@ 2021-02-24 13:44 Roberts, William C
From: Roberts, William C @ 2021-02-24 13:44 UTC
  To: tpm2


OWA sucks at inline replies, but I'll give it my best shot...

1. Yes, you can start tpm2-abrmd like so:
tpm2-abrmd --tcti=mssim

mssim will connect to the ibmtpm simulator, or you can use swtpm to connect to stefanberger's swtpm.

When I try this, I get:

# tpm2-abrmd --tcti=mssim --allow-root

** (process:2552): WARNING **: 16:41:13.089: tcti_conf before: "(null)"

** (tpm2-abrmd:2552): WARNING **: 16:41:13.090: tcti_conf after: "mssim"

I don't know where tcti_conf is. Perhaps I didn't install it. Advice?

[Bill] I get the same warnings; I think the logging is just overly pedantic and can probably be silenced.

If you want to run as root, you can pass --allow-root, but usually you don't need root to run the daemon. /dev/tpm0 should be labelled as user tss2 and /dev/tpmrm0 should be user and group tss2.

This would be step 2, but how would I do this with the 'mssim'? FWIW, when I try to run as non-root, I get

> tpm2-abrmd --tcti=mssim

** (process:2666): WARNING **: 17:09:58.744: tcti_conf before: "(null)"

** (tpm2-abrmd:2666): WARNING **: 17:09:58.745: tcti_conf after: "mssim"

** (tpm2-abrmd:2666): CRITICAL **: 17:09:58.752: Failed to acquire DBus name com.intel.tss2.Tabrmd. UID 1000 must be allowed to "own" this name. Check DBus config and check that this is running as user tss or root.

I configure this so I can own the DBus name for debugging by modifying:
/etc/dbus-1/system.d/tpm2-abrmd.conf
to add my username to the list

[Bill] I sent more details, I think, on that private thread, but for completeness, here you would add another policy block to allow your user id. Mine looks like this:
  <policy user="wcrobert">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>

You just drop that in the XML document under the <busconfig> </busconfig> tags with the others.


It's not obvious what 'the list' is. Is there documentation? I have xml-line text with several <policy> items.

2. Not sure about 2; how do you not have tpm2-abrmd and get the results from 1?
3. For tpm2-tools, you can pass the --tcti option, just like for tpm2-abrmd.
For the tss2 libraries:
SAPI: you need to pass a TCTI_CONTEXT *, which you can get via the TCTI_LDR API:
https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_tctildr.h#L25
That API takes those --tcti=<string> values.
ESAPI: just send NULL as the TCTI_CONTEXT; it will fall back to using the TCTI Ldr API, which has a search routine built into it.
FAPI: it's configured in the config file, but I think it defaults to searching around.

That would be step 3. Do I have to be concerned with TCTI_LDR if I'm just using the command line tools? I was hoping for just:

setenv TPM2TOOLS_TCTI "mssim:host=localhost,port=2321"

[Bill] TCTI Ldr is the library tpm2-tools uses to find a TCTI, i.e. to go from the string "mssim:host=localhost,port=2321" to an actual TCTI. *BOTH* the -T/--tcti option and
the TPM2TOOLS_TCTI environment variable map to the string passed in. So they all work the same, but the command line option can override the env variable if needed.
You also can just do: export TPM2TOOLS_TCTI=mssim, as the other parts are the default values, so they are not needed.
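
The policy block Bill shows above, turned into a check, as an added example that is not part of tpm2-abrmd or dbus-daemon: a Python script that reads a tpm2-abrmd.conf, lists the users whose <policy> block allows owning com.intel.tss2.Tabrmd (the question behind the "Failed to acquire DBus name" error quoted above), and inserts the block from the thread for one more user. SAMPLE_CONF is constructed from what the thread states (tss or root may own the name) and an installed file may differ; the policy evaluation is simplified to user-scoped <policy> blocks and ignores group, default and mandatory contexts; the username pattern is this example's own.

```python
"""Who may own the tpm2-abrmd DBus name, and how to add a user.

Added example, not part of tpm2-abrmd or dbus-daemon. It answers the question
behind "Failed to acquire DBus name com.intel.tss2.Tabrmd. UID 1000 must be
allowed to own this name": read /etc/dbus-1/system.d/tpm2-abrmd.conf, list
the users whose <policy> block allows owning the name, and insert the policy
block the thread shows for one more user. SAMPLE_CONF is a constructed file
modelled on the thread (tss or root may own the name); an installed file may
differ. Evaluation is deliberately simplified: only user-scoped <policy>
blocks are read; group, default and mandatory contexts are ignored.
"""
import re
import xml.etree.ElementTree as ET

TABRMD_NAME = "com.intel.tss2.Tabrmd"
CONF_PATH = "/etc/dbus-1/system.d/tpm2-abrmd.conf"

SAMPLE_CONF = """<busconfig>
  <policy user="tss">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy user="root">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.intel.tss2.Tabrmd"/>
    <allow receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
</busconfig>
"""

# Only plain account names go into the XML we write; anything else is refused
# rather than escaped, so a stray quote cannot alter the policy document.
_USERNAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")


def owners_allowed(conf_xml: str, name: str = TABRMD_NAME) -> set:
    """Users whose <policy user=...> block ends up allowing ownership of `name`.

    Within one block the last matching <allow own=...>/<deny own=...> wins,
    which is how dbus-daemon orders rules inside a policy.
    """
    root = ET.fromstring(conf_xml)
    if root.tag != "busconfig":
        raise ValueError("not a dbus-daemon busconfig document")
    allowed = set()
    for policy in root.findall("policy"):
        user = policy.get("user")
        if user is None:
            continue                     # context= / group= policies: not modelled
        verdict = False
        for rule in policy:
            if rule.get("own") == name and rule.tag in ("allow", "deny"):
                verdict = rule.tag == "allow"
        if verdict:
            allowed.add(user)
    return allowed


def can_own(conf_xml: str, user: str, name: str = TABRMD_NAME) -> bool:
    return user in owners_allowed(conf_xml, name)


def policy_block(user: str, name: str = TABRMD_NAME) -> str:
    """The <policy> element in exactly the shape shown in the thread."""
    if not _USERNAME.fullmatch(user):
        raise ValueError(f"refusing to write unusual user name {user!r}")
    return f'  <policy user="{user}">\n    <allow own="{name}"/>\n  </policy>\n'


def grant_ownership(conf_xml: str, user: str, name: str = TABRMD_NAME) -> str:
    """Return conf_xml with a policy block for `user` inside <busconfig>.

    Textual insertion before the closing tag keeps the DOCTYPE, comments and
    formatting of the real file, which an ElementTree round-trip would drop;
    the result is re-parsed so a malformed document is never returned.
    Idempotent: a user who may already own the name gets no second block.
    """
    if can_own(conf_xml, user, name):
        return conf_xml
    end = conf_xml.rfind("</busconfig>")
    if end < 0:
        raise ValueError("no closing </busconfig> tag")
    amended = conf_xml[:end] + policy_block(user, name) + conf_xml[end:]
    ET.fromstring(amended)               # raises ParseError if we broke the XML
    return amended


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "wcrobert"
    try:
        with open(CONF_PATH) as fh:
            conf = fh.read()
    except OSError:
        conf = SAMPLE_CONF               # fall back to the constructed sample
    print("may own", TABRMD_NAME + ":", sorted(owners_allowed(conf)))
    if not can_own(conf, user):
        print(grant_ownership(conf, user))
```

Writing the amended text back to the real file still needs root, and the system bus has to reload its configuration before the change takes effect (dbus-daemon re-reads its config on SIGHUP or via org.freedesktop.DBus.ReloadConfig). Treat granting your own account the name as the debugging convenience Bill describes: whichever process owns com.intel.tss2.Tabrmd is the broker every TPM client on the bus talks to, so the list of allowed owners is a security boundary, not just a permissions nuisance.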

* [tpm2] Re: Error on service tpm2-abrmd start
@ 2021-02-23 22:13 Kenneth Goldman
From: Kenneth Goldman @ 2021-02-23 22:13 UTC
  To: tpm2

From:	"Roberts, William C" <william.c.roberts(a)intel.com>
To:	Kenneth Goldman <kgoldman(a)us.ibm.com>, "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
Date:	02/23/2021 03:16 PM
Subject:	[EXTERNAL] [tpm2] Re: Error on service tpm2-abrmd start

   1.	Yes, you can start tpm2-abrmd like so:
      tpm2-abrmd --tcti=mssim

      mssim will connect to the ibmtpm simulator, or you can use swtpm to
      connect to stefanberger's swtpm.

   When I try this, I get:

   # tpm2-abrmd --tcti=mssim --allow-root

** (process:2552): WARNING **: 16:41:13.089: tcti_conf before: "(null)"

** (tpm2-abrmd:2552): WARNING **: 16:41:13.090: tcti_conf after: "mssim"

I don't know where tcti_conf is.  Perhaps I didn't install it.  Advice?

If you want to run as root, you can pass --allow-root, but usually you
don't need root to run the daemon. /dev/tpm0 should be labelled as user
tss2 and /dev/tpmrm0 should be user and group tss2.

   This would be step 2, but how would I do this with the 'mssim'?  FWIW,
      when I try to run as not root: I get

> tpm2-abrmd --tcti=mssim

** (process:2666): WARNING **: 17:09:58.744: tcti_conf before: "(null)"

** (tpm2-abrmd:2666): WARNING **: 17:09:58.745: tcti_conf after: "mssim"

** (tpm2-abrmd:2666): CRITICAL **: 17:09:58.752: Failed to acquire DBus
name com.intel.tss2.Tabrmd. UID 1000 must be allowed to "own" this name.
Check DBus config and check that this is running as user tss or root.

I configure this so I can own the DBus name for debugging by modifying:
/etc/dbus-1/system.d/tpm2-abrmd.conf
to add my username to the list

   It's not obvious what 'the list' is.  Is there documentation?  I have
      xml-line text with several <policy> items.

   2.	Not sure about 2; how do you not have tpm2-abrmd and get the results
      from 1?
   3.	For tpm2-tools, you can pass the --tcti option, just like for
      tpm2-abrmd.
      For the tss2 libraries:
         SAPI: you need to pass a TCTI_CONTEXT *, which you can get via the
      TCTI_LDR API:

      https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_tctildr.h#L25

            That API takes those --tcti=<string> values.
         ESAPI: just send NULL as the TCTI_CONTEXT; it will fall back to using
      the TCTI Ldr API, which has a search routine built into it.
         FAPI: it's configured in the config file, but I think it defaults to
      searching around.

   That would be step 3.  Do I have to be concerned with TCTI_LDR if I'm
      just using the command line tools?  I was hoping for just:

setenv TPM2TOOLS_TCTI "mssim:host=localhost,port=2321"



