tpm2_ptool destroy doesn't work #863

Open
WolleTD opened this issue May 30, 2024 · 1 comment
WolleTD commented May 30, 2024

When trying to run tpm2_ptool destroy --pid 1, the tool fails with an IndexError at https://github.com/tpm2-software/tpm2-pkcs11/blob/master/tools/tpm2_pkcs11/commandlets_store.py#L202

Easy enough: pobj['handle'] doesn't exist anymore, the model was changed in ad8ebdf (four years ago). I looked through the commit and tried the following patch:

--- src/tpm2-pkcs11-1.9.0/tools/tpm2_pkcs11/commandlets_store.py	2022-03-01 23:04:32.000000000 +0100
+++ commandlets_store.py	2024-05-30 18:48:01.957878596 +0200
@@ -10,7 +10,7 @@
 from .command import commandlet
 
 from .db import Db
-from .utils import bytes_to_file
+from .utils import get_pobject
 from .utils import TemporaryDirectory
 from .utils import query_yes_no
 from .utils import create_primary
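Review bot: removing `from .utils import bytes_to_file` drops the name for the whole module, so if any other commandlet in commandlets_store.py still calls bytes_to_file the module will fail to import before `destroy` is even reached; check for remaining uses first, and if there are any keep both lines (`from .utils import bytes_to_file` and `from .utils import get_pobject`) rather than swapping one for the other.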
@@ -199,10 +199,10 @@
             with TemporaryDirectory() as d:
                 tpm2 = Tpm2(d)
 
-                tr_file = bytes_to_file(pobj['handle'], d)
+                pobj_handle = get_pobject(pobj, tpm2, hierarchyauth, d)
 
                 db.rmprimary(pid)
-                tpm2.evictcontrol(hierarchyauth, tr_file)
+                tpm2.evictcontrol(hierarchyauth, pobj_handle)
 
 @commandlet("dbup")
 class DbUp(Command):
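Review bot: `db.rmprimary(pid)` still runs before `tpm2.evictcontrol(hierarchyauth, pobj_handle)`, so when evictcontrol raises (the 0x9A2 authorization failure quoted in this issue is exactly that case) the SQLite row is already gone while the persistent object stays in the TPM, leaving an orphaned handle the store can no longer reach. Evict first and delete the row only once evictcontrol has returned, i.e. `tpm2.evictcontrol(hierarchyauth, pobj_handle)` followed by `db.rmprimary(pid)`, or do the delete inside a transaction that is rolled back on failure. Separately, nothing in the hunk shows that what get_pobject returns is the same kind of argument evictcontrol previously got as `tr_file`; worth confirming against tpm2.evictcontrol before relying on the substitution.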

Unfortunately, that doesn't work. It once failed with the following error:

File "/usr/lib/python3.12/site-packages/tpm2_pkcs11/commandlets_store.py", line 205, in __call__
  tpm2.evictcontrol(hierarchyauth, pobj_handle)
File "/usr/lib/python3.12/site-packages/tpm2_pkcs11/tpm2.py", line 105, in evictcontrol
  raise RuntimeError("Could not execute tpm2_evictcontrol: %s" %
RuntimeError: Could not execute tpm2_evictcontrol: b'WARNING:esys:src/tss2-esys/api/Esys_EvictControl.c:330:Esys_EvictControl_Finish() Received TPM Error \nERROR:esys:src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x000009a2) \nERROR: Esys_EvictControl(0x9A2) - tpm:session(1):authorization failure without DA implications\nERROR: Unable to run tpm2_evictcontrol\n' 

Formatted warning:

WARNING:esys:src/tss2-esys/api/Esys_EvictControl.c:330:Esys_EvictControl_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x000009a2)
ERROR: Esys_EvictControl(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Unable to run tpm2_evictcontrol

After that one time, I always get an empty byte string instead of this warning. I haven't rebooted yet, though.

I'm not familiar with the code and can't tell whether the patch is wrong or there's another issue.
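The `ErrorCode (0x000009a2)` in the traceback is a TPM 2.0 response code, and decoding it tells you which authorization the TPM rejected, not just that "something failed". Below is an added example, not code from tpm2-pkcs11 or from the issue author: a small decoder for format-one TPM_RC values (the table is a subset of TPM 2.0 Library Spec Part 2, Table 16) plus a helper that pulls the code out of tpm2-tools/ESYS stderr. The log text embedded in it is copied from the traceback above.

```python
"""Decode TPM 2.0 response codes such as the 0x9A2 from tpm2_evictcontrol.

Added example for this issue; not part of tpm2-pkcs11. FMT1_ERRORS is a
subset of the format-one TPM_RC numbers from TPM 2.0 Part 2, Table 16.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Format-one error number (low six bits) -> (name, description).
FMT1_ERRORS = {
    0x04: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x0B: ("TPM_RC_HANDLE", "the handle is not correct for the use"),
    0x0E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed and DA counter incremented"),
    0x1D: ("TPM_RC_POLICY_FAIL", "a policy check failed"),
    0x22: ("TPM_RC_BAD_AUTH", "authorization failure without DA implications"),
}

RC_FMT1 = 0x080   # bit 7 set: format-one code carrying a handle/session/parameter number
RC_P = 0x040      # bit 6 set: the number refers to a parameter (bits 8..11)
RC_S = 0x800      # bit 11 set (and P clear): the number refers to a session (bits 8..10)
RC_N3 = 0x700     # handle or session number, 3 bits
RC_N4 = 0xF00     # parameter number, 4 bits


@dataclass
class DecodedRc:
    code: int
    kind: Optional[str]     # "handle", "session", "parameter", or None for non-format-one
    index: Optional[int]
    name: str
    description: str

    def __str__(self) -> str:
        # Mirrors the "tpm:session(1):..." rendering tpm2-tools prints.
        if self.kind is None:
            return f"tpm:{self.name}:{self.description}"
        return f"tpm:{self.kind}({self.index}):{self.description}"


def decode_rc(rc: int) -> DecodedRc:
    """Split a TPM_RC into error number and the handle/session/parameter it blames."""
    if not rc & RC_FMT1:
        # Format-zero, warning and TSS-layer codes are outside this example's table.
        return DecodedRc(rc, None, None, f"0x{rc:03X}", "not a format-one TPM_RC")
    err = rc & 0x3F
    name, desc = FMT1_ERRORS.get(err, (f"TPM_RC_FMT1+0x{err:02X}", "format-one error not in table"))
    if rc & RC_P:
        kind, idx = "parameter", (rc & RC_N4) >> 8
    elif rc & RC_S:
        kind, idx = "session", (rc & RC_N3) >> 8
    else:
        kind, idx = "handle", (rc & RC_N3) >> 8
    return DecodedRc(rc, kind, idx, name, desc)


_ESYS_RC = re.compile(r"ErrorCode \((0x[0-9A-Fa-f]+)\)")


def rc_from_esys_log(text: str) -> Optional[int]:
    """Extract the ESYS 'ErrorCode (0x...)' value from tpm2-tools stderr, if present."""
    m = _ESYS_RC.search(text)
    return int(m.group(1), 16) if m else None


# stderr copied from the traceback in this issue.
ESYS_LOG = (
    "WARNING:esys:src/tss2-esys/api/Esys_EvictControl.c:330:Esys_EvictControl_Finish() Received TPM Error\n"
    "ERROR:esys:src/tss2-esys/api/Esys_EvictControl.c:114:Esys_EvictControl() Esys Finish ErrorCode (0x000009a2)\n"
    "ERROR: Esys_EvictControl(0x9A2) - tpm:session(1):authorization failure without DA implications\n"
    "ERROR: Unable to run tpm2_evictcontrol\n"
)


if __name__ == "__main__":
    rc = rc_from_esys_log(ESYS_LOG)
    print(f"0x{rc:X} -> {decode_rc(rc)}")
```

For 0x9A2 the decoder yields TPM_RC_BAD_AUTH on session 1. TPM2_EvictControl's first (and only) authorized handle is the hierarchy, so session 1 is the authorization for the owner hierarchy: the TPM is rejecting the `hierarchyauth` value handed to tpm2_evictcontrol, not complaining about the object handle being evicted.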


WolleTD commented May 30, 2024

Update: after some more playing around with the TPM, in both cases (with and without warning message) after the patch, both the SQLite table entry and the persistent handle in the TPM are actually removed.
