* [tpm2] Re: TPM2 provider stuck during handshake
@ 2022-06-08 14:47 Roberts, William C
From: Roberts, William C @ 2022-06-08 14:47 UTC (permalink / raw)
  To: tpm2


On Wed, 2022-06-08 at 16:16 +0200, Remi Tricot-Le Breton wrote:
> Hello,
> 
> I've been trying to make the TPM2 provider work in my environment 
> (Ubuntu 20.04) for quite some time and I did not succeed yet.

Interesting, so you must have OpenSSL version 3.0 or greater installed,
because it defaults to OpenSSL 1.1.1f. Below it seems provider
options work, so that must be the case.

> 
> I tried using the commands suggested in docs/certificates.md to create a
> self-signed certificate which I then used in an "openssl s_server"
> instance, but when I try to connect to this SSL server, the handshake
> fails to complete.
> The three commands I used are the following:
>      openssl req -provider tpm2 -x509 -subj "/C=GB/CN=foo" -keyout testkey.pem -out testcert.pem
>      openssl s_server -provider tpm2 -provider default -propquery ?provider=tpm2 -accept 4443 -www -key testkey.pem -cert testcert.pem
>      curl --cacert testcert.pem https://localhost:4443/
> 
> The curl command ends in a timeout and the server remains stuck (without
> raising errors).
> 
> I rebuilt the tpm2 provider with the enable-debug=yes option added in
> order to understand what was happening and I noticed that the server was
> stuck when trying to duplicate a context ("DIGEST DUP" was dumped on the
> server's standard output), and more specifically in the
> Tss2_Sys_ExecuteFinish function which in turn calls tctildr_receive with
> a -1 timeout (out of which we apparently never get out).
> 
> Do any of you know if I missed something or if it is a bug?
> I could provide the full standard output log or a complete backtrace of
> the stuck server if needed but they might end up being unnecessary noise
> if the bug comes from my wrong use of the provider.
> 

So if it is stuck in OSSL_FUNC_DIGEST_DUPCTX, which is a call to
tpm2_digest_dupctx, which calls tpm2_hash_sequence_dup and has two TPM
functions within it, Esys_ContextSave and Esys_ContextLoad, do you know
which one it's hanging in?

Are you running against a real TPM or the simulator, and have you tried
it with the simulator? If you are running against a real TPM, what is
your TCTI: is it using /dev/tpm0 or /dev/tpmrm0 or tpm2-abrmd?


> Thanks
> 
> Rémi LB
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org


* [tpm2] Re: TPM2 provider stuck during handshake
@ 2022-06-08 16:46 Remi Tricot-Le Breton
From: Remi Tricot-Le Breton @ 2022-06-08 16:46 UTC (permalink / raw)
  To: tpm2


Hello thanks for your reply,

On 08/06/2022 16:47, Roberts, William C wrote:
> On Wed, 2022-06-08 at 16:16 +0200, Remi Tricot-Le Breton wrote:
>> Hello,
>>
>> I've been trying to make the TPM2 provider work in my environment
>> (Ubuntu 20.04) for quite some time and I did not succeed yet.
> Interesting, so you must have OpenSSL version 3.0 or greater installed,
> because it defaults to OpenSSL 1.1.1f. Below it seems provider
> options work, so that must be the case.
Yes, I do have OpenSSL 3 (3.1.0-dev actually, which I built from sources).

>
>> I tried using the commands suggested in docs/certificates.md to create a
>> self-signed certificate which I then used in an "openssl s_server"
>> instance, but when I try to connect to this SSL server, the handshake
>> fails to complete.
>> The three commands I used are the following:
>>       openssl req -provider tpm2 -x509 -subj "/C=GB/CN=foo" -keyout testkey.pem -out testcert.pem
>>       openssl s_server -provider tpm2 -provider default -propquery ?provider=tpm2 -accept 4443 -www -key testkey.pem -cert testcert.pem
>>       curl --cacert testcert.pem https://localhost:4443/
>>
>> The curl command ends in a timeout and the server remains stuck (without
>> raising errors).
>>
>> I rebuilt the tpm2 provider with the enable-debug=yes option added in
>> order to understand what was happening and I noticed that the server was
>> stuck when trying to duplicate a context ("DIGEST DUP" was dumped on the
>> server's standard output), and more specifically in the
>> Tss2_Sys_ExecuteFinish function which in turn calls tctildr_receive with
>> a -1 timeout (out of which we apparently never get out).
>>
>> Do any of you know if I missed something or if it is a bug?
>> I could provide the full standard output log or a complete backtrace of
>> the stuck server if needed but they might end up being unnecessary noise
>> if the bug comes from my wrong use of the provider.
>>
> So if it is stuck in OSSL_FUNC_DIGEST_DUPCTX, which is a call to
> tpm2_digest_dupctx, which calls tpm2_hash_sequence_dup and has two TPM
> functions within it, Esys_ContextSave and Esys_ContextLoad, do you know
> which one it's hanging in?
It's hanging in the Esys_ContextLoad call.
> Are you running against a real TPM or the simulator, and have you tried
> it with the simulator? If you are running against a real TPM, what is
> your TCTI: is it using /dev/tpm0 or /dev/tpmrm0 or tpm2-abrmd?
I'm using a real TPM, using /dev/tpmrm0. I'll try using a simulator as 
well tomorrow.
I made some tests with the tpm engine as well just to make sure that the 
hardware was working properly and it seemed to work fine.
>
>> Thanks
>>
>> Rémi LB
>> _______________________________________________
>> tpm2 mailing list -- tpm2(a)lists.01.org
>> To unsubscribe send an email to tpm2-leave(a)lists.01.org

Rémi LB


* [tpm2] Re: TPM2 provider stuck during handshake
@ 2022-06-08 14:47 Petr Gotthard
From: Petr Gotthard @ 2022-06-08 14:47 UTC (permalink / raw)
  To: tpm2


Hi Rémi,
I can't think of any simple reason why you are getting that error.
 
Do you use a TPM simulator (which?) or a real TPM chip? And do you use it with the abrmd manager, or not?
(In general, the abrmd is recommended for complex operations like PKI.)
 
 
Petr
 
______________________________________________________________
> From: "Remi Tricot-Le Breton" <rlebreton(a)haproxy.com>
> To: tpm2(a)lists.01.org
> Date: 08.06.2022 16:16
> Subject: [tpm2] TPM2 provider stuck during handshake
>
> Hello,
>
> I've been trying to make the TPM2 provider work in my environment
> (Ubuntu 20.04) for quite some time and I did not succeed yet.
>
> I tried using the commands suggested in docs/certificates.md to create a
> self-signed certificate which I then used in an "openssl s_server"
> instance, but when I try to connect to this SSL server, the handshake
> fails to complete.
> The three commands I used are the following:
>     openssl req -provider tpm2 -x509 -subj "/C=GB/CN=foo" -keyout testkey.pem -out testcert.pem
>     openssl s_server -provider tpm2 -provider default -propquery ?provider=tpm2 -accept 4443 -www -key testkey.pem -cert testcert.pem
>     curl --cacert testcert.pem https://localhost:4443/
>
> The curl command ends in a timeout and the server remains stuck (without
> raising errors).
>
> I rebuilt the tpm2 provider with the enable-debug=yes option added in
> order to understand what was happening and I noticed that the server was
> stuck when trying to duplicate a context ("DIGEST DUP" was dumped on the
> server's standard output), and more specifically in the
> Tss2_Sys_ExecuteFinish function which in turn calls tctildr_receive with
> a -1 timeout (out of which we apparently never get out).
>
> Do any of you know if I missed something or if it is a bug?
> I could provide the full standard output log or a complete backtrace of
> the stuck server if needed but they might end up being unnecessary noise
> if the bug comes from my wrong use of the provider.
>
> Thanks
>
> Rémi LB
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org


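A small reproduction script, added here as an example and not part of the tpm2-openssl project or of this thread. It runs the three commands from the report against a TCTI chosen on the command line, which is the comparison the replies above ask for: the raw /dev/tpm0 device, the kernel resource manager /dev/tpmrm0, tpm2-abrmd, or a simulator. It assumes that the provider reads its TCTI from the TPM2OPENSSL_TCTI environment variable and that a swtpm simulator, if used, listens on TCP port 2321; both are assumptions, not facts from the thread. curl is bounded with --max-time so a handshake that never completes shows up as exit status 28 instead of an indefinite wait, and the server is always killed afterwards.

```shell
#!/bin/sh
# Reproduce the s_server/curl hang from the thread against a chosen TCTI.
# Added example, not code from tpm2-openssl or from the thread.
# Assumptions (not stated on the page): the provider selects its TCTI via
# the TPM2OPENSSL_TCTI environment variable, and a swtpm simulator, when
# used, listens on TCP port 2321 speaking the mssim protocol.
set -eu

# Map a short name to a TCTI configuration string.
tcti_for() {
    case "$1" in
        tpm0)   printf 'device:/dev/tpm0' ;;                 # raw device, no RM
        tpmrm0) printf 'device:/dev/tpmrm0' ;;               # kernel resource manager
        abrmd)  printf 'tabrmd:bus_type=system' ;;           # tpm2-abrmd over D-Bus
        swtpm)  printf 'mssim:host=127.0.0.1,port=2321' ;;   # simulator (assumed port)
        *)      return 1 ;;
    esac
}

# Turn curl's exit status into a verdict. 28 is CURLE_OPERATION_TIMEDOUT,
# which is what a handshake that never completes looks like from the client.
classify() {
    case "$1" in
        0)  printf 'OK: handshake completed' ;;
        28) printf 'HANG: curl timed out during the handshake' ;;
        *)  printf 'FAIL: curl exited with status %s' "$1" ;;
    esac
}

# Run the three commands from the report with a bounded curl so the hang is
# detected rather than waited out. Prints a verdict; returns curl's status.
run_repro() {
    tcti="$1"; port="${2:-4443}"
    export TPM2OPENSSL_TCTI="$tcti"

    # Reuse an existing TPM-backed key/cert pair, otherwise create one.
    [ -f testkey.pem ] && [ -f testcert.pem ] ||
        openssl req -provider tpm2 -x509 -subj "/C=GB/CN=foo" \
            -keyout testkey.pem -out testcert.pem

    openssl s_server -provider tpm2 -provider default -propquery '?provider=tpm2' \
        -accept "$port" -www -key testkey.pem -cert testcert.pem >server.log 2>&1 &
    server=$!
    sleep 1   # let s_server bind; the reported hang happens after accept

    status=0
    curl -sS --max-time 10 --cacert testcert.pem -o /dev/null \
        "https://localhost:$port/" || status=$?
    kill "$server" 2>/dev/null || true
    wait "$server" 2>/dev/null || true

    printf '%-35s %s\n' "$tcti" "$(classify "$status")"
    return "$status"
}

main() {
    for name in "$@"; do
        tcti=$(tcti_for "$name") || { echo "unknown TCTI name: $name" >&2; exit 2; }
        run_repro "$tcti" || true   # keep going so every TCTI gets a verdict
    done
}

# Only run when TCTI names are given, e.g.:  sh repro.sh tpmrm0 tpm0 abrmd swtpm
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Running it once per TCTI separates the two explanations on the table: if only device:/dev/tpmrm0 reports HANG while tpm0, abrmd and the simulator report OK, the problem sits between the provider's ContextSave/ContextLoad sequence and the kernel resource manager; if every TCTI hangs, look at the provider itself. server.log keeps the provider's debug output (including the "DIGEST DUP" line mentioned in the report) for the run that hung.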
