public inbox for tpm2@lists.linux.dev
From: Remi Tricot-Le Breton <rlebreton at haproxy.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: TPM2 provider stuck during handshake
Date: Wed, 08 Jun 2022 18:46:06 +0200	[thread overview]
Message-ID: <af952fc9-8dd6-b9c0-6980-c4891204750e@haproxy.com> (raw)
In-Reply-To: d834126aaf05947ecebfe91f7ea9e5608595fca3.camel@intel.com


Hello, thanks for your reply,

On 08/06/2022 16:47, Roberts, William C wrote:
> On Wed, 2022-06-08 at 16:16 +0200, Remi Tricot-Le Breton wrote:
>> Hello,
>>
>> I've been trying to make the TPM2 provider work in my environment
>> (Ubuntu 20.04) for quite some time and I did not succeed yet.
> Interesting, so you must have OpenSSL version 3.0 or greater installed
> because it defaults to OpenSSL 1.1.1f. Below it seems provider
> options work, so that must be the case.
Yes, I do have OpenSSL 3 (3.1.0-dev actually, which I built from sources).

>
>> I tried using the commands suggested in docs/certificates.md to create a
>> self-signed certificate which I then used in an "openssl s_server"
>> instance, but when I try to connect to this SSL server, the handshake
>> fails to complete.
>> The three commands I used are the following:
>>       openssl req -provider tpm2 -x509 -subj "/C=GB/CN=foo" -keyout testkey.pem -out testcert.pem
>>       openssl s_server -provider tpm2 -provider default -propquery ?provider=tpm2 -accept 4443 -www -key testkey.pem -cert testcert.pem
>>       curl --cacert testcert.pem https://localhost:4443/
>>
>> The curl command ends in a timeout and the server remains stuck
>> (without raising errors).
>>
>> I rebuilt the tpm2 provider with the enable-debug=yes option added in
>> order to understand what was happening and I noticed that the server was
>> stuck when trying to duplicate a context ("DIGEST DUP" was dumped on the
>> server's standard output), and more specifically in the
>> Tss2_Sys_ExecuteFinish function which in turn calls tctildr_receive with
>> a -1 timeout (out of which we apparently never get out).
>>
>> Do any of you know if I missed something or if it is a bug?
>> I could provide the full standard output log or a complete backtrace of
>> the stuck server if needed, but they might end up being unnecessary noise
>> if the bug comes from my wrong use of the provider.
>>
>>
> So if it is stuck in OSSL_FUNC_DIGEST_DUPCTX, which is a call to
> tpm2_digest_dupctx, which calls tpm2_hash_sequence_dup and has two TPM
> functions within it, Esys_ContextSave and Esys_ContextLoad do you know
> which one it's hanging in?
It's hanging in the Esys_ContextLoad call.
> Are you running against a real TPM or the simulator, and have you tried
> it with the simulator? If you are running against a real TPM, what is
> your TCTI, is it using /dev/tpm0 or /dev/tpmrm0 or tpm2-abrmd?
I'm using a real TPM, using /dev/tpmrm0. I'll try using a simulator as
well tomorrow.
I made some tests with the tpm engine as well just to make sure that the
hardware was working properly, and it seemed to work fine.
>
>> Thanks
>>
>> Rémi LB

Rémi LB
