* [tpm2] Re: Debugging tpm2 tools based of FAPI
@ 2020-08-11 10:02 Florian.Schreiner
  0 siblings, 0 replies; 3+ messages in thread
From: Florian.Schreiner @ 2020-08-11 10:02 UTC (permalink / raw)
  To: tpm2


Hi Phani,

unfortunately I don't have the environment to replicate your error and I also haven't heard of this error yet. It would be good to share the root cause when you have found it, so that other users don't run into the same error.

I would propose that you set up a TPM system with the respective hardware setup and software versions, which doesn't run into this API error. Then you can verify what the difference is to your setup and where the error comes from. One possibility of a basic reference setup would be a Raspberry Pi. There is an application note available on the Infineon website here: https://www.infineon.com/cms/en/product/promopages/tpm-tss-quickstarter/ in the link at the bottom of the page. The Application Note describes a specific system setup that should work and in section 9 there is also a description on how to include the TPM Simulator. Therefore the TPM Simulator should work on this setup. If the error on this system and these chosen software versions also occurs, we have a common basis to compare and replicate the error.

Best,
Florian



* [tpm2] Re: Debugging tpm2 tools based of FAPI
@ 2020-08-07  5:48 Phani Srinivas
  0 siblings, 0 replies; 3+ messages in thread
From: Phani Srinivas @ 2020-08-07  5:48 UTC (permalink / raw)
  To: tpm2


Hello Florian,

I am using the simulator (mssim config) and removing the persistent data (NVChip), but it seems to be of no help. I see the following error after the cleanup:

WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode

Do you have any preliminary steps to run the tools based on the FAPI implementation before running the tool as mentioned in the man pages?

Regards
Phani Srinivas S




* [tpm2] Re: Debugging tpm2 tools based of FAPI
@ 2020-08-06 13:33 Florian.Schreiner
  0 siblings, 0 replies; 3+ messages in thread
From: Florian.Schreiner @ 2020-08-06 13:33 UTC (permalink / raw)
  To: tpm2


Hi Phani,

I don't know the error code in particular, but the messages say that you triggered the DA Lockout security mechanism. This mechanism is implemented to block Dictionary Attacks (DA), which are used by attackers to try out as many passwords as possible in a short amount of time. Dictionaries with typical passwords improve the efficiency of those attacks.
The TPM blocks this with a lockout, i.e. if you have tried too many false authorizations in a short period of time, the TPM blocks any further requests until a time runs out. The time increases as more false authorizations are being executed.

Therefore it seems you triggered the DA lockout with this timeout in the first runs and later on the TPM reports that it is still in the DA Lockout.
A recovery method is that you leave the TPM powered and wait for the timeout to be over. After that the TPM should work normally.
There are commands available where you can read the amount of time the timeout still takes. There are also commands that allow you to reset the DA Lockout using the DA Lockout Auth, so that you don't need to wait for the timeout. The DA Lockout Auth is for example the password of the admin.

As you are using the Simulator, there should be also a simple method to erase the persistent data stored in the simulator as it provides no security.

Best,
Florian



From: Phani Srinivas <phani.srinivas(a)in.abb.com>
Sent: Thursday, 6 August 2020 15:17
To: tpm2(a)lists.01.org
Subject: [tpm2] Debugging tpm2 tools based of FAPI



Hello All,

I was successful in making the FAPI integration tests work and tried out some of the scenarios in creating the keys and performing the key operations.

But when I used the tools based out of FAPI, I see the following errors

export TPM20TEST_TCTI=mssim:host=127.0.0.1,port=2321
root(a)edgesec101:/home/edgesec100/phaniWS/tpm2_tools/tpm2-tools/tools/fapi# ./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x0000098e) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x0000098e) Provision
Fapi_Provision(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented

Later I removed the NVChip created in the simulator dir and ran it again; now I see a different error

./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode


I couldn't find in the documentation any prerequisites to follow to make the tpm2 tools based on FAPI work.

I see some RM configuration to be done, but I was not successful in my trials. Any suggestions on how the environment should be set up to make the tpm2 tools based on FAPI work?


Regards
Phani Srinivas S
R&D Principal Engineer ABB
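
Added example (not part of the original thread and not tpm2-tss code): a small C decoder for the two response codes in the logs above, following the TPM 2.0 response-code bit layout. It shows that 0x98e is TPM_RC_AUTH_FAIL reported against session 1 (the failure that increments the DA counter) and 0x921 is the warning TPM_RC_LOCKOUT; the struct, the function names and the short name table are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded TPM 2.0 response code (illustrative struct, not a tpm2-tss type). */
typedef struct {
    int format_one;   /* bit 7 set: error tied to a handle, session or parameter */
    int warning;      /* format zero with base 0x900 (RC_WARN): TCG-defined warning */
    unsigned err;     /* error number: bits 5:0 (format one) or 6:0 (format zero) */
    char subject;     /* 'P' parameter, 'S' session, 'H' handle, '-' none */
    unsigned index;   /* 1-based number of the subject, 0 if none */
    const char *name; /* symbolic name, only for the few codes tabled below */
} tpm_rc_info;

/* Small subset of TPM_RC names relevant to authorization and DA protection. */
static const char *rc_name(int fmt1, int warn, unsigned err) {
    if (fmt1 && err == 0x0E) return "TPM_RC_AUTH_FAIL";  /* DA counter incremented */
    if (fmt1 && err == 0x22) return "TPM_RC_BAD_AUTH";   /* failure without DA impact */
    if (!fmt1 && warn && err == 0x21) return "TPM_RC_LOCKOUT"; /* DA lockout active */
    if (!fmt1 && warn && err == 0x22) return "TPM_RC_RETRY";
    return "unknown";
}

tpm_rc_info tpm_rc_decode(uint32_t rc) {
    tpm_rc_info r = {0, 0, 0, '-', 0, "unknown"};
    if (rc & 0x80) {                          /* format one */
        unsigned n = (rc >> 8) & 0xF;         /* N field, bits 11:8 */
        r.format_one = 1;
        r.err = rc & 0x3F;
        if (rc & 0x40)    { r.subject = 'P'; r.index = n; }
        else if (n & 0x8) { r.subject = 'S'; r.index = n & 0x7; }
        else if (n)       { r.subject = 'H'; r.index = n; }
    } else {                                  /* format zero */
        r.err = rc & 0x7F;
        r.warning = (rc & 0xF00) == 0x900;
    }
    r.name = rc_name(r.format_one, r.warning, r.err);
    return r;
}

/* Extract the value of an "ErrorCode (0x...)" field from a tpm2-tss log line. */
int rc_from_log_line(const char *line, uint32_t *rc) {
    const char *p = strstr(line, "ErrorCode (0x");
    unsigned long v;
    if (!p || sscanf(p, "ErrorCode (0x%lx)", &v) != 1) return 0;
    *rc = (uint32_t)v;
    return 1;
}

int main(void) {
    /* The two Fapi_Provision_Finish() lines quoted in the thread. */
    const char *lines[] = {
        "ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() "
        "ErrorCode (0x0000098e) DictionaryAttackParameters_Finish",
        "ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() "
        "ErrorCode (0x00000921) DictionaryAttackParameters_Finish",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        uint32_t rc;
        if (!rc_from_log_line(lines[i], &rc)) continue;
        tpm_rc_info r = tpm_rc_decode(rc);
        printf("0x%03x: %s, %s, subject %c(%u)\n", (unsigned)rc, r.name,
               r.format_one ? "format one" : r.warning ? "warning" : "error",
               r.subject, r.index);
    }
    return 0;
}
```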

