[Bug 1996498] Re: tpm2-openssl cannot be used with TPM chips exposing spec level below 1.38 (eg: Azure)

Luca Boccassi 1996498 at bugs.launchpad.net
Tue Dec 6 14:43:43 UTC 2022


Also prepared and tested an ubuntu/kinetic branch on Salsa, ready for
sponsor upload:
https://salsa.debian.org/debian/tpm2-openssl/-/tree/ubuntu/kinetic

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1996498

Title:
  tpm2-openssl cannot be used with TPM chips exposing spec level below
  1.38 (eg: Azure)

Status in tpm2-openssl package in Ubuntu:
  Fix Released
Status in tpm2-openssl source package in Jammy:
  Confirmed
Status in tpm2-openssl source package in Kinetic:
  Confirmed
Status in tpm2-openssl source package in Lunar:
  Fix Released

Bug description:
  [ Impact ]
  Ubuntu Jammy images running in Azure cannot use the TPM via tpm2-openssl, as the TPM2_CreateLoaded function that tpm2-openssl uses was only introduced with Specification Level 1.38. The SLB9665 chip which is used in Azure supports 1.16 and does not have an update to 1.38, so this function is not available.

  [ Test Plan ]
  On an affected machine, run the appropriate command to reproduce the issue. Before the fix:

  root at jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
  using curve name prime256v1 instead of secp256r1
  WARNING:esys:src/tss2-esys/api/Esys_CreateLoaded.c:368:Esys_CreateLoaded_Finish() Received TPM Error 
  ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143) 
  unable to generate key
  4027962DC27F0000:error:4000000B:tpm2::cannot create key::-1:721219 rmt:error(2.0): command code not supported

  After the fix:

  root at jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
  using curve name prime256v1 instead of secp256r1
  root at jammy:/tmp# cat root.key.pem 
  -----BEGIN EC PARAMETERS-----
  BggqhkjOPQMBBw==
  -----END EC PARAMETERS-----
  -----BEGIN TSS2 PRIVATE KEY-----
  MIHPBgZngQUKAQOgAwEBAQIEQAAAAQRYAFYAIwALAAYAcgAAABAAEAADABAAIJxE
  7F1JAtETed5TWceDbgpTM3mKIfnhcRurZCuwlH+fACBYDxdv5OgU5bWAVV3OteEm
  VnCvpjJWxx2+9ck/IcrxlARgAF4AICnQLh8FddTTqK5b3R632Jbgy8R0gEEHzW6C
  f7QfqYhkABC/aq8GiGMQu5hZfe8U6I08o/LrEdku7EFKoGtWpVhZrNVWV5fg6Ymh
  5EJMJBtE0ScaVXqCbIztSyIU
  -----END TSS2 PRIVATE KEY-----

  [ Where problems could occur ]
  The fix affects the core part of the library that talks to the TPM, so any functionality could be affected. However, the fix has been upstream and released for half a year, and no regressions have been reported.

  [ Original Description ]
  Hi,

  Here are the technical details:

  ---
  lmussier at lmussier-vm:~$ lsb_release -rd
  Description:	Ubuntu 22.04.1 LTS
  Release:	22.04

  ---

  lmussier at lmussier-vm:~$ apt-cache policy tpm2-openssl
  tpm2-openssl:
    Installed: (none)
    Candidate: 1.0.1-1
    Version table:
       1.0.1-1 500
          500 http://ch.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

  ---

  Could you consider upgrading this package to
  https://github.com/tpm2-software/tpm2-openssl/releases/tag/1.1.1.

  In the currently provided package there is an issue preventing its use on some hardware and virtual machines.
  See https://github.com/tpm2-software/tpm2-openssl/commit/83cc5c20515f9b008b6dbce0b3a60c71744ee23a for details.

  The 1.1.1 is a huge improvement for usability since one can use this package even on virtual appliances.
  I personally use Azure VMs and I can't use the TPM out of the box.

  Regards.
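As an added example (not code from the bug report, tpm2-openssl or tpm2-tss), the decoder below takes the ErrorCode 0x000b0143 from the esys log in the test plan above and splits it into its TSS2 layer and TPM response code, so a reader of such logs can tell a firmware-level "command not implemented" (the spec-level mismatch in this bug) from an authorization or transient failure. The layer numbers and names follow tss2-tss's tss2_common.h and tss2-rc as I recall them (an assumption, consistent with the "rmt" in the quoted output); the TPM error numbers are from the TPM 2.0 Library Specification, Part 2.

```python
import re

# Upper 16 bits of a TSS2_RC name the layer that produced it, as tss2-rc prints them
# ("rmt" = a TPM response code relayed by the resource manager, as in this bug).
LAYER_NAMES = {0: "tpm", 7: "esapi", 8: "sys", 9: "mu", 10: "tcti", 11: "rmt", 12: "rm"}

# Format-0 TPM 2.0 codes (bit 7 clear) carry RC_VER1 = 0x100; warnings add 0x800.
FORMAT0_NAMES = {0x101: "TPM_RC_FAILURE", 0x120: "TPM_RC_DISABLED",
                 0x142: "TPM_RC_COMMAND_SIZE", 0x921: "TPM_RC_LOCKOUT",
                 0x143: "TPM_RC_COMMAND_CODE"}  # "command code not supported"

# Format-1 codes (bit 7 set): bits 0-5 error, bit 6 = parameter (else handle/session),
# bits 8-11 = 1-based index of the offending parameter, handle or session.
FORMAT1_NAMES = {0x04: "TPM_RC_VALUE", 0x0B: "TPM_RC_HANDLE", 0x0E: "TPM_RC_AUTH_FAIL",
                 0x15: "TPM_RC_SIZE", 0x1C: "TPM_RC_KEY", 0x22: "TPM_RC_BAD_AUTH"}

def decode_tss2_rc(rc: int) -> dict:
    """Split a 32-bit TSS2_RC into its layer and its TPM-level meaning."""
    layer, tpm_rc = (rc >> 16) & 0xFF, rc & 0xFFFF
    out = {"layer": layer, "layer_name": LAYER_NAMES.get(layer, "unknown"), "tpm_rc": tpm_rc}
    if tpm_rc & 0x080:
        out.update(format=1, name=FORMAT1_NAMES.get(tpm_rc & 0x3F, "unknown"),
                   target="parameter" if tpm_rc & 0x040 else "handle/session",
                   index=(tpm_rc >> 8) & 0xF)
    else:
        out.update(format=0, name=FORMAT0_NAMES.get(tpm_rc, "unknown"),
                   warning=bool(tpm_rc & 0x800))
    return out

def is_unsupported_command(rc: int) -> bool:
    """True when the TPM itself says it does not implement the command (the
    spec-level mismatch in this bug), as opposed to an auth or transient failure."""
    d = decode_tss2_rc(rc)
    return d["layer"] in (0, 11) and d["format"] == 0 and d["tpm_rc"] == 0x143

def rc_from_esys_log(line: str):
    """Extract the hex ErrorCode from an esys log line, or None if absent."""
    m = re.search(r"ErrorCode \((0x[0-9a-fA-F]+)\)", line)
    return int(m.group(1), 16) if m else None

# Constructed copy of the esys log line quoted in the test plan above.
SAMPLE_LOG = ("ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:"
              "Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)")

if __name__ == "__main__":
    rc = rc_from_esys_log(SAMPLE_LOG)
    print(hex(rc), decode_tss2_rc(rc), "unsupported command:", is_unsupported_command(rc))
```

On the affected SLB9665 the code decodes to layer "rmt" with TPM_RC_COMMAND_CODE, which is the TPM saying TPM2_CreateLoaded does not exist in its firmware rather than anything the caller can fix with different inputs.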
