
tpm2 createprimary fails on Ubuntu 22.04 LTS When FIPS is enabled #2889

Open
galroty opened this issue Aug 15, 2024 · 9 comments

Comments

@galroty

galroty commented Aug 15, 2024

Hey,
I run on Ubuntu 22 and after enabling FIPS (using Ubuntu Pro, enabled fips-preview) tpm2 createprimary fails. Before enabling FIPS everything worked fine.
```
user@user:~$ uname -a
Linux user 5.15.0-73-fips #80+fips1-Ubuntu SMP Thu Jun 1 20:57:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
```

```
user@user:~$ sudo tpm2 createprimary
[sudo] password for user:
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:244:Esys_CreatePrimary_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:110:Esys_CreatePrimary() Error in async function ErrorCode (0x00070001)
ERROR: Esys_CreatePrimary(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run createprimary
```

```
user@user:~$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
user@user:~$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.2
    status: active
  fips
    name: Ubuntu 22.04 OpenSSL Cryptographic Module
    version: 3.0.5-0ubuntu0.1+Fips2.1
    status: active
user@user:~$
```
I also tried building and installing tpm2-tss and tpm2-tools from master but it didn't help, and I encountered the same error.
I tried debugging a bit and noticed iesys_cryptossl_hmac_start receives size=0.
Please let me know if there is other information which may assist you.
Thank you

@JuergenReppSIT
Member

@galroty It would be great if you could test it with the branch https://github.com/JuergenReppSIT/tpm2-tss/tree/esys-add-ossl-err-log where the openssl logging is improved.

@matthewruffell

Hi @JuergenReppSIT,

I have been looking into this for a little while now, but I am a bit stuck.

I built tpm2-tss with JuergenReppSIT@51bb7c1 and then built tpm2-tools, but I don't really get any change in output. I don't see the string "OpenSSL reported:" anywhere.

Attached is the output of `TSS2_LOG=all+TRACE ./tools/tpm2 clear`:
trace.log

```
trace:esys_crypto:src/tss2-esys/esys_crypto.c:171:iesys_crypto_authHmac() called
trace:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:376:iesys_cryptossl_hmac_start() called for context-pointer 0x7ffd613361d8 and hmacAlg 11
trace:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:377:iesys_cryptossl_hmac_start() Starting  hmac with (size=0):
trace:esys_crypto:src/tss2-esys/esys_crypto.c:34:iesys_crypto_hash_get_digest_size() call: hashAlg=11 size=0x55f610b36470
trace:esys_crypto:src/tss2-esys/esys_crypto.c:59:iesys_crypto_hash_get_digest_size() return: *size=32
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
```

We do indeed call iesys_cryptossl_hmac_start() with size=0. Maybe FIPS 140-3 doesn't allow this?

I keep trying to add my own LOG_TRACE and LOG_DEBUG calls to iesys_cryptossl_hmac_start() but I never see them in the output even when I specify TSS2_LOG=all+TRACE. Am I missing something?

I can make you an Ubuntu 22.04 FIPS instance if you are especially interested.

Thanks,
Matthew

@JuergenReppSIT
Member

> I can make you an Ubuntu 22.04 FIPS instance if you are especially interested.

@matthewruffell Thank you for testing. It's strange because the macro goto_ossl_error should be executed. It would be great if you could create an Ubuntu 22.04 FIPS instance.

@galroty
Author

galroty commented Aug 28, 2024

From my debugging I did see that because of size=0 it fails because of OpenSSL FIPS runtime checks. Unfortunately the OpenSSL error code wasn't set (was 0). When I disabled the runtime check in /etc/ssl/fipsmodule.cnf it worked. I hard-coded size to be 16 and then it also worked. I'm not sure why size is 0 and what it means, but it seems problematic on FIPS-enabled systems.

@galroty
Author

galroty commented Aug 28, 2024

@JuergenReppSIT I built and installed your branch:

```
root@clarotyhost:~/tpm2-tss-debug/tpm2-tss# tpm2_createprimary
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:407:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:452:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1317:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1427:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:245:Esys_CreatePrimary_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:110:Esys_CreatePrimary() Error in async function ErrorCode (0x00070001)
ERROR: Esys_CreatePrimary(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_createprimary
```

Also, I ran the unit tests and noticed some fail, so I'm attaching test-suite.log.
Thank you
test-suite.log

@matthewruffell

@JuergenReppSIT Can you send me your SSH public key? An attachment, or email or link is fine. I'll make you a 22.04 FIPS instance.

@matthewruffell

Hi @JuergenReppSIT

I have made some substantial progress on debugging, using the hints that @galroty provided.

I downloaded the source code to the jammy openssl fips packages, and read the
FIPS enablement patches, and came across:

```
$ sudo apt-get source openssl
$ sudo apt-get source openssl-fips
```

Then open `debian/patches/0043-providers-Require-HMAC-keys-are-at-least-112-bits-in.patch`:

```
commit 020475f86d46c2ef2603f4f1c984ccc34ed27d48
From: Chris Coulson <[email protected]>
Date: Sat, 7 Jan 2023 14:08:22 +0000
Subject: providers: Require HMAC keys are at least 112 bits in the FIPS provider

SP800-131A says that keys smaller than 112 bits are disallowed for HMAC
generation, so require that they are at least 112 bits in the FIPS provider.
```

Okay, so if we look at SP800-131A [3], Section 10, Table 9, which can be found
on named page 20, but really page 26 in your PDF reader, we see that for HMAC
generation, key lengths < 112 bits are "Disallowed", and key lengths >= 112
bits are "Acceptable".

[3] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf

[Screenshot: SP800-131A Section 10, Table 9, HMAC key-length rows]

In reality, this gets implemented in openssl by the patch below. The patch is
quite large but the relevant part is:

diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 79e849675e..8654b19047 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -202,6 +202,15 @@ int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh)
 }
 #endif /* OPENSSL_NO_DH */

+int ossl_mac_check_keylen(OSSL_LIB_CTX *ctx, size_t keylen)
+{
+#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
+    if (ossl_securitycheck_enabled(ctx))
+        return keylen >= 14;
+#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
+    return 1;
+}
+
 int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
                                            int sha1_allowed)
 {
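Review bot: `return keylen >= 14;` in ossl_mac_check_keylen is a bare magic number, and it is in bytes while the commit message and SP800-131A state the bound in bits (112); a named constant or a comment such as `/* 112 bits, SP 800-131A Table 9 */` would keep the two in sync for the next reader. The check is applied to every MAC key length whenever the provider's security checks are enabled, including the zero-length key tpm2-tss passes here, which is exactly the path that fails in this issue.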

Anyway, bringing this back to tpm2-tss. I did some test builds where I patched
iesys_cryptossl_hmac_start() to force it to have a keylength of 14, which is the
minimum required, and rebuilt:

diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 53c2c09b..ec8c0293 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -368,7 +368,8 @@ iesys_cryptossl_hmac_start(ESYS_CRYPTO_CONTEXT_BLOB ** context,
 
     TSS2_RC r = TSS2_RC_SUCCESS;
     EVP_PKEY *hkey = NULL;

+    size = 14;
     LOG_TRACE("called for context-pointer %p and hmacAlg %d", context, hashAlg);
     LOGBLOB_TRACE(key, size, "Starting  hmac with");
     if (context == NULL || key == NULL) {
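Review bot: `size = 14;` overrides the caller's size after `key` was passed in with size 0, so LOGBLOB_TRACE and the key creation that follows read 14 bytes beyond a zero-length buffer; that is an out-of-bounds read in this debug build. It is fine as a throw-away experiment to confirm the 14-byte threshold, but it must not be mistaken for a fix: the caller has to supply a real key of at least 14 bytes, or skip the HMAC when the key is empty.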

When I recompile and run tpm2-tools:

```
tpm2-tools# ./tools/tpm2 clear
tpm2-tools#
```

it works.

If I change size = 13, and recompile:

```
tpm2-tools# ./tools/tpm2 clear
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:414:iesys_cryptossl_hmac_start() OpenSSL reported: error:00000000:lib(0)::reason(0)
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:414:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:452:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1352:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1462:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:191:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:77:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run clear
```

we fail with the same error.

So, we have established root cause. All HMAC operations require a minimum
keylength of 112 bits under FIPS in jammy, and tpm2-tss is using 0 bits.

@JuergenReppSIT do you think it would be possible to change the keylength? Or should Ubuntu
carry a FIPS specific patch that creates a key?

Thanks,
Matthew

@JuergenReppSIT
Member

@matthewruffell @galroty Thank you for debugging the problem.
In the current implementation of the tpm tools no tpmKey or bind key is used for this session. The spec states that the empty buffer has to be used in this case for the session key. The size you changed is the length of the sessionKey plus the auth value of the hierarchy (0 in your example). In this case the implementation could be changed because no HMAC value is needed (Architecture Spec 19.6.15 No HMAC Authorization).
But the FIPS problem would still occur for small hierarchy passwords.
I will be on vacation until September 17, 2024. We will discuss the topic in the Maintainer Telco after that.
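The reasoning in the last two comments (HMAC key = sessionKey || authValue, the FIPS provider's 112-bit minimum, the "No HMAC Authorization" path when both parts are empty, and the remaining problem of short hierarchy passwords) can be exercised end to end in a small model. The following is an added example, not tpm2-tss or OpenSSL code: it re-implements the jammy `ossl_mac_check_keylen` threshold in Python, builds the TPM 2.0 authorization HMAC over constructed sample values, and shows which of the three outcomes each key length produces. The function names `fips_mac_keylen_ok`, `session_hmac_key`, `compute_auth_hmac` and `outcome` are hypothetical, and the exact spec behaviour for the empty-key case (an empty HMAC buffer) is taken from the thread's reading of Architecture Spec 19.6.15, an assumption labelled in the code.

```python
import hashlib
import hmac

# SP800-131A Table 9: HMAC keys shorter than 112 bits are disallowed.
# The jammy OpenSSL FIPS patch quoted in the thread encodes this as keylen >= 14 (bytes).
FIPS_MIN_HMAC_KEY_BYTES = 14


def fips_mac_keylen_ok(keylen: int, security_checks_enabled: bool = True) -> bool:
    """Python mirror of ossl_mac_check_keylen() from the quoted patch (assumption: same semantics).

    With security checks enabled (the FIPS provider), any key shorter than 14 bytes
    is rejected; with them disabled (the default provider) every length is accepted.
    """
    if security_checks_enabled:
        return keylen >= FIPS_MIN_HMAC_KEY_BYTES
    return True


def session_hmac_key(session_key: bytes, auth_value: bytes) -> bytes:
    """TPM 2.0 authorization HMAC key: sessionKey || authValue.

    With no tpmKey and no bind object the sessionKey is the empty buffer, and with an
    empty hierarchy auth the authValue is empty too; that is how tpm2-tss arrives at size=0.
    """
    return session_key + auth_value


def compute_auth_hmac(session_key: bytes, auth_value: bytes, cp_hash: bytes,
                      nonce_newer: bytes, nonce_older: bytes, session_attrs: bytes,
                      fips: bool = True) -> bytes:
    """Authorization HMAC as in TPM 2.0 Part 1: HMAC(sessionKey||authValue, pHash||nonceNewer||nonceOlder||attrs).

    Assumption (per the thread's reading of Architecture Spec 19.6.15, "No HMAC Authorization"):
    when both key parts are empty, no HMAC is computed and the HMAC field is the empty buffer.
    """
    key = session_hmac_key(session_key, auth_value)
    if len(key) == 0:
        return b""  # no MAC is needed, so the FIPS key-length check is never reached
    if not fips_mac_keylen_ok(len(key), security_checks_enabled=fips):
        raise ValueError(
            f"HMAC key of {len(key)} bytes rejected: FIPS requires >= {FIPS_MIN_HMAC_KEY_BYTES} bytes")
    message = cp_hash + nonce_newer + nonce_older + session_attrs
    return hmac.new(key, message, hashlib.sha256).digest()  # hmacAlg 11 in the trace is SHA-256


# Constructed sample session values (not captured from a real TPM).
SAMPLE_CP_HASH = hashlib.sha256(b"constructed command parameters").digest()
SAMPLE_NONCE_CALLER = b"\x01" * 16
SAMPLE_NONCE_TPM = b"\x02" * 16
SAMPLE_SESSION_ATTRS = b"\x01"  # continueSession


def outcome(session_key: bytes, auth_value: bytes, fips: bool = True) -> str:
    """Classify what happens for a given key material: 'no-hmac', 'fips-rejected' or 'hmac-ok'."""
    try:
        mac = compute_auth_hmac(session_key, auth_value, SAMPLE_CP_HASH,
                                SAMPLE_NONCE_CALLER, SAMPLE_NONCE_TPM, SAMPLE_SESSION_ATTRS, fips=fips)
    except ValueError:
        return "fips-rejected"
    return "no-hmac" if mac == b"" else "hmac-ok"


if __name__ == "__main__":
    cases = [
        ("no tpmKey/bind, empty hierarchy auth", b"", b""),
        ("no tpmKey/bind, 8-byte hierarchy password", b"", b"hunter12"),
        ("no tpmKey/bind, 14-byte hierarchy password", b"", b"fourteen-bytes"),
        ("salted session (32-byte sessionKey), empty auth", b"\xaa" * 32, b""),
    ]
    for label, sk, av in cases:
        print(f"{label:50s} FIPS: {outcome(sk, av, fips=True):13s} default: {outcome(sk, av, fips=False)}")
```

Run as a script, the table shows the three states the thread describes: the empty-key case can be handled without any HMAC at all, a salted or bound session always has enough key material, and a hierarchy password shorter than 14 bytes is the case that still fails under the FIPS provider even after the empty-key path is fixed.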

@JuergenReppSIT
Member

@matthewruffell I have created a PR tpm2-software/tpm2-tools/pull/3426 related to this problem.
