From: Remi Tricot-Le Breton <rlebreton at haproxy.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: [SPAM] Re: TPM2 provider stuck during handshake
Date: Thu, 09 Jun 2022 11:43:59 +0200
Message-ID: <05b6db11-ca24-278a-ac1c-c2830a5f4b9b@haproxy.com>
In-Reply-To: 20220608164706.6DFEEE19@centrum.cz
Hi Petr,
On 08/06/2022 16:47, Petr Gotthard wrote:
>
> Hi Rémi,
>
> I can't think of any simple reason why you are getting that error.
>
> Do you use a TPM simulator (which?) or a real TPM chip?
>
I'm using a real chip.
> And do you use it with the abrmd manager, or not?
>
> (In general, the abrmd is recommended for complex operations like PKI.)
>
I actually don't know. I had to install the abrmd when I first tried
using a simulator (before realizing that I actually had an integrated
TPM chip) but I don't know if it is still used or not.
I'm not that familiar with the TPM ecosystem. I mainly tried this
provider because it's one of the few already available "external"
providers (as in not made by openssl).
> Petr
>
> ______________________________________________________________
> > From: "Remi Tricot-Le Breton" <rlebreton(a)haproxy.com>
> > To: tpm2(a)lists.01.org
> > Date: 08.06.2022 16:16
> > Subject: [tpm2] TPM2 provider stuck during handshake
> >
>
> Hello,
>
> I've been trying to make the TPM2 provider work in my environment
> (Ubuntu 20.04) for quite some time and I did not succeed yet.
>
> I tried using the commands suggested in docs/certificates.md to create a
> self signed certificate which I then used in an "openssl s_server"
> instance but when I try to connect to this SSL server, the handshake
> fails to complete.
> The three commands I used are the following:
> openssl req -provider tpm2 -x509 -subj "/C=GB/CN=foo" -keyout testkey.pem -out testcert.pem
> openssl s_server -provider tpm2 -provider default -propquery ?provider=tpm2 -accept 4443 -www -key testkey.pem -cert testcert.pem
> curl --cacert testcert.pem https://localhost:4443/
>
> The curl command ends in a timeout and the server remains stuck (without
> raising errors).
>
> I rebuilt the tpm2 provider with the enable-debug=yes option added in
> order to understand what was happening and I noticed that the server was
> stuck when trying to duplicate a context ("DIGEST DUP" was dumped on the
> server's standard output), and more specifically in the
> Tss2_Sys_ExecuteFinish function which in turn calls tctildr_receive with
> a -1 timeout (out of which we apparently never get out).
>
> Do any of you know if I missed something or if it is a bug?
> I could provide the full standard output log or a complete backtrace of
> the stuck server if needed but they might end up being unnecessary noise
> if the bug comes from my wrong use of the provider.
>
> Thanks
>
> Rémi LB
@Petr sorry for the duplicated mail, I forgot to add the ML when
answering and I figured it would be better to have the full history there.
Rémi LB
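Petr's question ("abrmd or not?") is the first thing to pin down when a TPM client blocks in receive(), and Rémi's "I actually don't know" is a common answer. The script below is an added example, not code from the thread or from the tpm2-openssl project: it classifies the TCTI string a client was given and reports whether the pieces behind that transport (the tpm2-abrmd service, /dev/tpm0, /dev/tpmrm0) are present and accessible, in a form that can be pasted into a bug report. The environment variable names TPM2OPENSSL_TCTI and TPM2TOOLS_TCTI and the TCTI spellings (tabrmd, device, mssim, swtpm) are assumptions taken from the tpm2 tooling conventions; check the provider's README for the exact names.

```shell
#!/bin/sh
# Added diagnostic (assumed names, not the project's own code): report which
# TPM transport a client is likely using and whether that transport's
# prerequisites are present on this host.

# Classify a TCTI configuration string (e.g. "tabrmd:bus_type=system",
# "device:/dev/tpmrm0", "mssim:host=localhost,port=2321") by transport.
# An empty string means no explicit choice, i.e. tctildr autodetection.
tcti_kind() {
    case "$1" in
        "")            echo "autodetect" ;;
        tabrmd*)       echo "abrmd" ;;
        device*)       echo "device" ;;
        mssim*|swtpm*) echo "simulator" ;;
        *)             echo "unknown" ;;
    esac
}

# Compare the selected transport with the tpm2-abrmd service state and name
# the mismatch worth mentioning in a bug report, or "ok" when they agree.
tcti_consistency() {
    kind="$1"
    service="$2"
    case "$kind:$service" in
        abrmd:active)   echo "ok" ;;
        abrmd:*)        echo "tabrmd selected but tpm2-abrmd is not active" ;;
        device:active)  echo "direct device access while tpm2-abrmd is active; confirm both are not opening /dev/tpm0" ;;
        device:*|simulator:*|autodetect:*) echo "ok" ;;
        *)              echo "unknown TCTI string" ;;
    esac
}

# Print one key=value line per check. Assumes the TPM2OPENSSL_TCTI /
# TPM2TOOLS_TCTI variable names; adjust if the provider documents others.
probe_tpm_access() {
    tcti="${TPM2OPENSSL_TCTI:-${TPM2TOOLS_TCTI:-}}"
    kind="$(tcti_kind "$tcti")"
    printf 'tcti_env=%s\n' "$tcti"
    printf 'tcti_kind=%s\n' "$kind"
    if command -v systemctl >/dev/null 2>&1; then
        service="$(systemctl is-active tpm2-abrmd 2>/dev/null || true)"
        [ -n "$service" ] || service="unknown"
    else
        service="no-systemd"
    fi
    printf 'abrmd_service=%s\n' "$service"
    printf 'consistency=%s\n' "$(tcti_consistency "$kind" "$service")"
    # /dev/tpm0 is the raw chip; /dev/tpmrm0 is the kernel resource manager.
    for dev in /dev/tpm0 /dev/tpmrm0; do
        if [ -c "$dev" ]; then
            printf '%s=present\n' "$dev"
            if [ -r "$dev" ] && [ -w "$dev" ]; then
                printf '%s_rw=yes\n' "$dev"
            else
                printf '%s_rw=no (check the tss group / udev rules)\n' "$dev"
            fi
        else
            printf '%s=absent\n' "$dev"
        fi
    done
}

# Run the probe only when invoked with --probe, so the functions can also be
# sourced by other scripts.
if [ "${1:-}" = "--probe" ]; then
    probe_tpm_access
fi
```

Run it as `sh probe-tpm.sh --probe` on the machine where `openssl s_server` hangs; a `tcti_kind=autodetect` line together with `abrmd_service=inactive` tells you tctildr is falling through to whatever it finds first, which is exactly the ambiguity Petr is asking about.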