Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tpm2_tools error 0x70001 with fips-updates on 22.04 #3420

Open
awithy opened this issue Jul 27, 2024 · 1 comment
Open

tpm2_tools error 0x70001 with fips-updates on 22.04 #3420

awithy opened this issue Jul 27, 2024 · 1 comment

Comments

@awithy
Copy link

awithy commented Jul 27, 2024

OS: Ubuntu 22.04 with fips-updates

Symptom: Use of TPM2 tools fails with error code 0x70001 (e.g., tpm2_clear, tpm2_nvdefine 0x1500018 -C o -s 32). I assume this is an incompatibility between tpm2-tools (5.2-1build1) and the fips OpenSSL package (3.0.5-0ubuntu0.1+Fips2.1).

Example:

tpm2_clear
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_clear

Steps to reproduce:

  1. Install new Ubuntu Server 22.04
  2. Apply all updates
  3. Attach pro license and enable fips-updates service
  4. Install tpm2-tools
  5. Reboot
  6. Run sudo tpm2_clear

This looks similar to:

#2957

Thank you in advance for considering this issue. Please let me know if I can help troubleshoot further.
@awithy awithy changed the title pm2_tools error 0x70001 with fips-updates on 22.04 tpm2_tools error 0x70001 with fips-updates on 22.04 Jul 27, 2024
@AndreasFuchsTPM
Copy link
Member

Yes, the ERROR originates from an OpenSSL call to DigestSignInit for an HMAC.
I have no clue how in the world this can go fail...
I'm afraid, you'll have to debug, maybe set a breakpoint on DigestSignInit using gdb and see what the call looks like and why it fails...

JuergenReppSIT added a commit to JuergenReppSIT/tpm2-tools that referenced this issue Oct 4, 2024
@JuergenReppSIT
Options: Add option to allow usage of password session.
5248d1e 
For authentication of an object always an HMAC session was used.
For an unsalted session an openssl HMAC key with the size of the
auth value was created. This caused problems with the OpenSSL
FIPS mode if the key length is less than 112 bits.
To avoid this the option --pwd-session (-z) is added.
Here the session handle ESYS_TR_PASSWORD will be used.
For example, now the EK can be used to create a salted session:

tpm2_createek --pwd-session -Q --key-algorithm rsa --ek-context ek.ctx
tpm2_startauthsession -Q  --session salted_session.ctx --hmac-session --tpmkey-context ek.ctx
tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt
tpm2_createprimary -c prim.ctx -P session:salted_session.ctx

Adresses: tpm2-software#3420

Signed-off-by: Juergen Repp <[email protected]>
@JuergenReppSIT JuergenReppSIT mentioned this issue Oct 4, 2024
Merged
JuergenReppSIT added a commit to JuergenReppSIT/tpm2-tools that referenced this issue Oct 7, 2024
@JuergenReppSIT
Options: Add option to allow usage of password session.
d8a7a06 
For authentication of an object always an HMAC session was used.
For an unsalted session an openssl HMAC key with the size of the
auth value was created. This caused problems with the OpenSSL
FIPS mode if the key length is less than 112 bits.
To avoid this the option --pwd-session (-z) is added.
Here the session handle ESYS_TR_PASSWORD will be used.
For example, now the EK can be used to create a salted session:

tpm2_createek --pwd-session -Q --key-algorithm rsa --ek-context ek.ctx
tpm2_startauthsession -Q  --session salted_session.ctx --hmac-session --tpmkey-context ek.ctx
tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt
tpm2_createprimary -c prim.ctx -P session:salted_session.ctx

Adresses: tpm2-software#3420

Signed-off-by: Juergen Repp <[email protected]>
AndreasFuchsTPM pushed a commit that referenced this issue Dec 11, 2024
@JuergenReppSIT @AndreasFuchsTPM
Options: Add option to allow usage of password session.
00c1c2b 
For authentication of an object always an HMAC session was used.
For an unsalted session an openssl HMAC key with the size of the
auth value was created. This caused problems with the OpenSSL
FIPS mode if the key length is less than 112 bits.
To avoid this the option --pwd-session (-z) is added.
Here the session handle ESYS_TR_PASSWORD will be used.
For example, now the EK can be used to create a salted session:

tpm2_createek --pwd-session -Q --key-algorithm rsa --ek-context ek.ctx
tpm2_startauthsession -Q  --session salted_session.ctx --hmac-session --tpmkey-context ek.ctx
tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt
tpm2_createprimary -c prim.ctx -P session:salted_session.ctx

Adresses: #3420

Signed-off-by: Juergen Repp <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@awithy @AndreasFuchsTPM