Re: optee_ftpm + ms-tpm-20-ref support for RSA key sizes 3072 or 4096 causes a panic

[Sumit Garg via OP-TEE <op-tee@lists.trustedfirmware.org>]

Hi Dennis,

I would rather suggest to create an issue on optee_ftpm github repo [1].
Apart from that I would like to share some of my observations below.

[1] https://github.com/OP-TEE/optee_ftpm/issues

On Fri, Aug 08, 2025 at 10:34:40AM +0000, Olivier Deprez wrote:
> Hi,
> 
> I believe the optee mailing is better placed to provide answers.
> 
> Regards,
> Olivier.
> 
> ________________________________
> From: Dennis Kong via TF-A <tf-a@lists.trustedfirmware.org>
> Sent: 07 August 2025 23:44
> To: tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>
> Subject: [TF-A] optee_ftpm + ms-tpm-20-ref support for RSA key sizes 3072 or 4096 causes a panic
> 
> Dear community:
> 
> I apologize in advance if this is the incorrect place to solicit for input on an issue I am having when enabling support of RSA key sizes > 2048.  The environment is described below:
> TI AM642-EVM board

Can you try to reproduce this issue on Qemu? You can follow the steps to
enable fTPM on Qemu here [2].

[2] https://github.com/OP-TEE/optee_ftpm/blob/master/.github/workflows/ci.yml

> Debian Bookworm running kernel 6.6.100, tpm_ftpm_tee.ko kernel module
> Uboot booting from sdcard UEFI partition and rootfs partition
> optee_os version 4.5.0 , 4.6.0, 4.7.0 (no difference in behaviour)
> optee_client version 4.5.0, 4.6.0, 4.7.0 (no difference in behaviour)
> optee_ftpm version 4.5.0 or 4.6.0, 4.7.0 (no difference in behaviour)
> ms-tpm-20-ref commit id 98b60a44aba79b15fcce1c0d1e46cf5918400f6a and e9fc7b89d865536c46deb63f9c7d0121a3ded49c
> 
> Due to issues with RPMB, we decided to use REE_FS instead.  Everything works correctly when I create RSA 2048 keys using tpm2-openssl and related tools:
> sudo tpm2_createprimary -C o -G rsa2048 -g sha256 -c primary.ctx,  When I try rsa3072 or 4096, I get errors from the command line response saying invalid input parameters.   I changed the ms-tpm-20-ref include file TpmProfile.h to set RSA_3072 and RSA_4096 macros both to (ALG_RSA && YES).  After rebuilding and running, I now get an optee panic for ANY RSA key request INCLUDING rsa2048.  I read suggestions to increase the MAX_COMMAND_SIZE/MAX_RESPONSE_SIZE on both the kernel driver tpm_ftpm_tee.ko and also optee_os/optee_ftpm, as well to increase relevant TA_STACK_SIZE and TA_HEAP_SIZE and TA_DATA_SIZE, but nothing seems to change the panic output:
> 
> sudo tpm2_createprimary -C o -G rsa2048 -g sha256 -c primary.ctx​============================================================
> E/TC:? 0
> E/TC:? 0 TA panicked with code 0xffff0007
> E/LD:  Status of TA bc50d971-d4c9-42c4-82cb-343fb7f37896
> E/LD:   arch: aarch64
> E/LD:  region  0: va 0x40005000 pa 0x9e8b0000 size 0x002000 flags rw-s (ldelf)
> E/LD:  region  1: va 0x40007000 pa 0x9e8b2000 size 0x008000 flags r-xs (ldelf)
> E/LD:  region  2: va 0x4000f000 pa 0x9e8ba000 size 0x001000 flags rw-s (ldelf)
> E/LD:  region  3: va 0x40010000 pa 0x9e8bb000 size 0x004000 flags rw-s (ldelf)
> E/LD:  region  4: va 0x40014000 pa 0x9e8bf000 size 0x001000 flags r--s
> E/LD:  region  5: va 0x40015000 pa 0x9e934000 size 0x011000 flags rw-s (stack)
> E/LD:  region  6: va 0x40026000 pa 0x8ebf0000 size 0x002000 flags rw-- (param)
> E/LD:  region  7: va 0x4006e000 pa 0x9e8c0000 size 0x058000 flags r-xs [0]
> E/LD:  region  8: va 0x400c6000 pa 0x9e918000 size 0x01c000 flags rw-s [0]
> E/LD:   [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0x4006e000
> E/LD:  Call stack:
> E/LD:   0x4006f394
> E/LD:   0x40095edc
> E/LD:   0x4007b5a8
> E/LD:   0x400985fc
> E/LD:   0x40098a70
> E/LD:   0x4006fae0
> E/LD:   0x400a5508
> E/LD:   0x40098b9c
> D/TC:? 0 user_ta_enter:195 tee_user_ta_enter: TA panicked with code 0xffff0007
> D/TC:? 0 release_ta_ctx:670 Releasing panicked TA ctx
> D/TC:? 0 tee_ta_invoke_command:798 Error: ffff3024 of 3

Can you try to map this crash log to code following [3]?

[3] https://optee.readthedocs.io/en/latest/debug/abort_dumps.html

> [  218.944680] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
> [  218.952379] tpm tpm0: tpm_try_transmit: send(): error -53212
> D/TC:? 0 tee_ta_invoke_command:798 Error: ffff3024 of 3
> [  218.963359] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
> [  218.974241] tpm tpm0: tpm_try_transmit: send(): error -53212
> D/TC:? 0 tee_ta_invoke_command:798 Error: ffff3024 of 3
> [  218.985675] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
> [  218.993366] tpm tpm0: tpm_try_transmit: send(): error -53212
> [  218.999044] tpm tpm0: tpm2_commit_space: error -14
> ERROR:tcti:src/tss2-tcti/tcti-device.c:198:tcti_device_receive()D/TC:? 0 tee_ta_invoke_command:798 Error: ffff3024 of 3
>  Failed to get response size fd 3, got errno 14: Bad address
> E[  219.015351] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
> RROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:404:Esys_Create[  219.028348] tpm tpm0: tpm_try_transmit: send(): error -53212
> Primary_Finish() Received a non-TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x000a000a)
> ERROR: Esys_CreatePrimary(0xA000A) - tcti:IO failure
> ERROR:esys:src/tss2-esys/esys_iutil.c:1145:iesys_check_sequence_async() Esys called in bad sequence.
> ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:66:Esys_FlushContext() Error in async function ErrorCode (0x00070007)
> =============================================================================
> 
> The last suggestion I saw was to change my dtb file to include a reserved memory region for optee shared memory and not use the default dynamic shared memory.  The issue I have is kernel 6.6.100's tpm_ftpm_tee ignores the "memory-region" dts statement that references the optee_shm reserved memory at at 0xa4000000 in my case.  Below is my snippet of the dts file.  I heard there are patches in the kernel ftpm driver to support the reserved shared memory, but before I try the patches, can anyone opine whether this could cause the panic that I am seeing?  Thanks in advance for anyone who can share any information
> 
> optee_shm: optee-shm@a4000000 {
>     compatible = "shared-dma-pool";
>     reg = <0x0 0xa4000000 0x0 0x01000000>;
>     no-map;
>     reusable;
> };
> 
> ....
> 
> firmware {
>       optee {
>             compatible = "linaro,optee-tz";
>             method = "smc";
>             memory-region = <&optee_shm>;

This isn't how reserved memory region is enabled. I would rather suggest
you to try disabling CFG_CORE_DYN_SHM in OP-TEE OS. But I don't think
here the problem is related to reserved vs dynamic shared memory. It
seems rather to be related to the fTPM TA itself.

-Sumit