Creating AK triggers TPM failure with hardware TPM on some Intel systems #367
I'm submitting this on behalf of my team, including @kkaarreell and @sergio-correia.

While running tests on the Rust Keylime agent using a hardware TPM, the team noticed that running the Create AK function triggers a failed TPM state on certain Intel systems (we don't have an exhaustive list). These same hardware TPMs work fine with our other Python agent, which does not use `rust-tss-esapi`, leading us to believe this error may be `rust-tss-esapi` related. There is a minimal reproducer here that fails on this line.

Note: We don't currently have a Fedora test machine with hardware TPM as of today, but can get one if necessary. @sergio-correia did test this on F35 in the past week and reports similar results.

All `tpm2_` commands produce expected output before running the mini reproducer. The output related to the error includes the following below.

This shows how the mini reproducer process hangs on `ak::create_ak()`:

Output from `dmesg` after running the reproducer:

with that `257` error indicating...

Here is the output of `tpm2_pcrread` after running the reproducer:

And `tpm2_gettestresult` (the value for data before the test was `0001f9db000000000000`):

Any ideas on this?

Comments

Hey, thanks for reporting this! Any chance you can get a backtrace of where the example hangs, or figure out at least the call that does it (at any level of abstraction lower than

Is that output before the process was killed or after? There are 4 handles that get flushed following that example: three sessions (1 for the EK, 2 for the AK), and the primary EK object. The

Unfortunately it's kinda difficult to figure things out just from the code, especially since it seems to only fail on some select hardware. Perhaps it has something to do with the limitations of those TPMs (e.g., in terms of available memory), and we don't follow some portion of the spec in our calls?

This is very strange. The only time I have encountered something that hangs using the tss-esapi crate was when I had two different processes trying to access the TPM simultaneously without using a resource manager. What version of tpm2-tss is used in the minimal reproduction example? Or what versions have you tested with and achieved the same error? If you get a chance to run it on actual hardware, could you enable tpm2-tss trace output while running the minimal reproduction example and post what gets printed to the output? I will try to reproduce using our integration tests.

Hello,

It could be. But it is kind of strange that it only happens with the tss-esapi crate. It should happen for anything that uses the ESAPI, even Python code.

Maybe? I don't think we know that well why we get the hanging when there are multiple threads trying to access without a RM... Maybe we could reproduce some of the errors, but if you only use the TPM simulator you won't get the calls going through the kernel stack.

I got my hands on the machine today so I was able to run some tests. Here's the output of the example with

The device seems to be

I have been looking at this a little bit and have not detected anything strange so far. The only thing I can see is that

Do you happen to have the link to the Python code that works?

Yes, this sounds familiar as we saw it before with swtpm, although I don't know enough to make a stronger connection between that error and this one.

These are the tpm2_tss and tpm2_tools libraries used by the Python agent. I'm not sure where something corresponding to

Update: Looks like this is the equivalent code in the Python agent, specifically using this from the above TPM libraries.
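The `dmesg` output in the original report carries a numeric TPM return code, 257. What follows is an added example, not code from this issue, from Keylime or from rust-tss-esapi: a stand-alone Rust decoder for TPM 2.0 response codes as laid out in TPM 2.0 Library Part 2 ("TPM_RC": format-0 codes with the warning and vendor bits, format-1 codes that name the offending handle, parameter or session) plus the TSS2 layer byte from tss2_common.h, so the same function makes sense of a raw `TSS2_RC` coming back through ESAPI or a resource manager. 257 is 0x101, which is `TPM_RC_FAILURE`, the code a TPM answers with once it has entered failure mode, which is why `tpm2_gettestresult` is the right follow-up check. The `tpm_error_from_dmesg` helper, the dmesg sample line it parses and the subset of code names in the tables are this example's own constructions; the constants are the spec's.

```rust
// Added example, not code from this issue, from Keylime or from rust-tss-esapi:
// a stand-alone decoder for TPM 2.0 response codes (TPM 2.0 Library Part 2,
// "TPM_RC") and the TSS2 layer byte (tss2_common.h). Needs no TPM and no crates.

/// What a format-1 error points at: the N-th handle, parameter or session
/// of the command (1-based in the spec; 0 means "not specified").
#[derive(Debug, PartialEq, Eq)]
pub enum Subject {
    Handle(u32),
    Parameter(u32),
    Session(u32),
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decoded {
    Success,
    /// Format-0 code: plain TPM 2.0 error or warning, no subject.
    Format0 { name: &'static str, warning: bool, vendor: bool },
    /// Format-1 code: error plus the handle/parameter/session it refers to.
    Format1 { name: &'static str, subject: Subject },
    /// Non-zero TSS2 layer: the error was raised by the TSS stack, not the TPM.
    TssLayer { layer: &'static str, code: u32 },
}

const LAYER_MASK: u32 = 0x00FF_0000; // TSS2_RC layer byte
const RC_FMT1: u32 = 0x080; // bit 7: format-1 code
const RC_VER1: u32 = 0x100; // bit 8: TPM 2.0 format-0 code (clear = TPM 1.2 style)
const RC_P: u32 = 0x040; // format-1 bit 6: bits 8-11 hold a parameter number
const RC_S: u32 = 0x800; // format-1 bit 11: bits 8-10 hold a session number
const RC_WARN: u32 = 0x800; // format-0 bit 11: warning rather than error
const RC_VENDOR: u32 = 0x400; // format-0 bit 10: vendor-defined code

fn layer_name(layer: u32) -> &'static str {
    match layer {
        6 => "TSS2_FEATURE_RC_LAYER",
        7 => "TSS2_ESAPI_RC_LAYER",
        8 => "TSS2_SYS_RC_LAYER",
        9 => "TSS2_MU_RC_LAYER",
        10 => "TSS2_TCTI_RC_LAYER",
        11 => "TSS2_RESMGR_RC_LAYER",
        12 => "TSS2_RESMGR_TPM_RC_LAYER",
        _ => "unknown TSS2 layer",
    }
}

/// Format-0 names for a subset of codes likely to show up around AK creation.
fn format0_name(number: u32, warning: bool) -> &'static str {
    match (warning, number) {
        (false, 0x00) => "TPM_RC_INITIALIZE",
        (false, 0x01) => "TPM_RC_FAILURE",
        (false, 0x03) => "TPM_RC_SEQUENCE",
        (false, 0x2E) => "TPM_RC_TOO_MANY_CONTEXTS",
        (false, 0x53) => "TPM_RC_NEEDS_TEST",
        (true, 0x02) => "TPM_RC_OBJECT_MEMORY",
        (true, 0x03) => "TPM_RC_SESSION_MEMORY",
        (true, 0x04) => "TPM_RC_MEMORY",
        (true, 0x05) => "TPM_RC_SESSION_HANDLES",
        (true, 0x06) => "TPM_RC_OBJECT_HANDLES",
        (true, 0x0A) => "TPM_RC_TESTING",
        (true, 0x22) => "TPM_RC_RETRY",
        _ => "unlisted format-0 code",
    }
}

/// Format-1 names for a subset of codes (the low 6 bits of the code).
fn format1_name(number: u32) -> &'static str {
    match number {
        0x02 => "TPM_RC_ATTRIBUTES",
        0x03 => "TPM_RC_HASH",
        0x04 => "TPM_RC_VALUE",
        0x0B => "TPM_RC_HANDLE",
        0x0E => "TPM_RC_AUTH_FAIL",
        0x15 => "TPM_RC_SIZE",
        0x1F => "TPM_RC_INTEGRITY",
        0x22 => "TPM_RC_BAD_AUTH",
        _ => "unlisted format-1 code",
    }
}

pub fn decode(rc: u32) -> Decoded {
    if rc == 0 {
        return Decoded::Success;
    }
    let layer = (rc & LAYER_MASK) >> 16;
    if layer != 0 {
        return Decoded::TssLayer { layer: layer_name(layer), code: rc & 0xFFFF };
    }
    if rc & RC_FMT1 != 0 {
        let subject = if rc & RC_P != 0 {
            Subject::Parameter((rc >> 8) & 0xF)
        } else if rc & RC_S != 0 {
            Subject::Session((rc >> 8) & 0x7)
        } else {
            Subject::Handle((rc >> 8) & 0x7)
        };
        return Decoded::Format1 { name: format1_name(rc & 0x3F), subject };
    }
    let warning = rc & RC_WARN != 0;
    let vendor = rc & RC_VENDOR != 0;
    let name = if rc & RC_VER1 != 0 { format0_name(rc & 0x7F, warning) } else { "TPM 1.2-style code" };
    Decoded::Format0 { name, warning, vendor }
}

/// Pull the decimal code out of a kernel tpm driver line of the form
/// "... A TPM error (<n>) occurred ...". None if the line is something else.
pub fn tpm_error_from_dmesg(line: &str) -> Option<u32> {
    const MARK: &str = "A TPM error (";
    let rest = &line[line.find(MARK)? + MARK.len()..];
    rest[..rest.find(')')?].parse().ok()
}

fn main() {
    // Constructed sample line in the driver's format; not the reporter's real output.
    let sample = "[ 1234.567890] tpm tpm0: A TPM error (257) occurred attempting to read a pcr value";
    if let Some(rc) = tpm_error_from_dmesg(sample) {
        println!("rc {} = 0x{:x}: {:?}", rc, rc, decode(rc));
    }
    println!("0x98e: {:?}", decode(0x98e));
}
```

On a box with tpm2-tools installed, `tpm2_rc_decode 0x101` gives the same answer from the command line; the point of decoding the layer byte first is that a code such as 0x000B0101 is the resource manager's layer wrapping a TPM code, not a different error, whereas a layer-7 code never reached the TPM at all.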