[Bug 1996498] Re: tpm2-openssl cannot be used with TPM chips exposing spec level below 1.38 (eg: Azure)

Łukasz Zemczak 1996498 at bugs.launchpad.net
Mon Dec 12 16:01:53 UTC 2022


Hello Mussier, or anyone else affected,

Accepted tpm2-openssl into kinetic-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/tpm2-openssl/1.1.0-2ubuntu0.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
kinetic to verification-done-kinetic. If it does not fix the bug for
you, please add a comment stating that, and change the tag to
verification-failed-kinetic. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: tpm2-openssl (Ubuntu Kinetic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-kinetic

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1996498

Title:
  tpm2-openssl cannot be used with TPM chips exposing spec level below
  1.38 (eg: Azure)

Status in tpm2-openssl package in Ubuntu:
  Fix Released
Status in tpm2-openssl source package in Jammy:
  Fix Committed
Status in tpm2-openssl source package in Kinetic:
  Fix Committed
Status in tpm2-openssl source package in Lunar:
  Fix Released

Bug description:
  [ Impact ]
  Ubuntu Jammy images running in Azure cannot use the TPM via tpm2-openssl, as the TPM2_CreateLoaded function that tpm2-openssl uses was only introduced with Specification Level 1.38. The SLB9665 chip which is used in Azure supports 1.16 and does not have an update to 1.38, so this function is not available.

  [ Test Plan ]
  On an affected machine run the appropriate command to reproduce the issue. Before the fix:

  root at jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
  using curve name prime256v1 instead of secp256r1
  WARNING:esys:src/tss2-esys/api/Esys_CreateLoaded.c:368:Esys_CreateLoaded_Finish() Received TPM Error 
  ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143) 
  unable to generate key
  4027962DC27F0000:error:4000000B:tpm2::cannot create key::-1:721219 rmt:error(2.0): command code not supported

  After the fix:

  root at jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
  using curve name prime256v1 instead of secp256r1
  root at jammy:/tmp# cat root.key.pem 
  -----BEGIN EC PARAMETERS-----
  BggqhkjOPQMBBw==
  -----END EC PARAMETERS-----
  -----BEGIN TSS2 PRIVATE KEY-----
  MIHPBgZngQUKAQOgAwEBAQIEQAAAAQRYAFYAIwALAAYAcgAAABAAEAADABAAIJxE
  7F1JAtETed5TWceDbgpTM3mKIfnhcRurZCuwlH+fACBYDxdv5OgU5bWAVV3OteEm
  VnCvpjJWxx2+9ck/IcrxlARgAF4AICnQLh8FddTTqK5b3R632Jbgy8R0gEEHzW6C
  f7QfqYhkABC/aq8GiGMQu5hZfe8U6I08o/LrEdku7EFKoGtWpVhZrNVWV5fg6Ymh
  5EJMJBtE0ScaVXqCbIztSyIU
  -----END TSS2 PRIVATE KEY-----

  [ Where problems could occur ]
  The fix affects the core part of the library that talks to the TPM, so any functionality could be affected. However, the fix has been upstream and released for half a year, and no regressions have been reported.

  [ Original Description ]
  Hi,

  Here are the technical details:

  ---
  lmussier at lmussier-vm:~$ lsb_release -rd
  Description:	Ubuntu 22.04.1 LTS
  Release:	22.04

  ---

  lmussier at lmussier-vm:~$ apt-cache policy tpm2-openssl
  tpm2-openssl:
    Installed: (none)
    Candidate: 1.0.1-1
    Version table:
       1.0.1-1 500
          500 http://ch.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

  ---

  Could you consider upgrading this package to
  https://github.com/tpm2-software/tpm2-openssl/releases/tag/1.1.1.

  In the currently provided package there is an issue preventing its use on some hardware and virtual machines.
  see https://github.com/tpm2-software/tpm2-openssl/commit/83cc5c20515f9b008b6dbce0b3a60c71744ee23a for details.

  The 1.1.1 release is a huge improvement for usability since one can use this package even on virtual appliances.
  I personally use Azure VMs and I can't use the TPM out of the box.

  Regards.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tpm2-openssl/+bug/1996498/+subscriptions
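The test plan above shows the failing Esys error code (0x000b0143) but does not explain it. The following is an added example, not part of the bug report or of tpm2-openssl, that decodes a tpm2-tss TSS2_RC into its layer and embedded TPM_RC and checks the chip's reported spec revision against the 1.38 requirement for TPM2_CreateLoaded; the `tpm2_getcap properties-fixed` output it parses is a constructed sample whose layout is an assumption.

```python
"""Classify the tpm2-openssl key-generation failure from LP#1996498 (added example).

TPM2_CreateLoaded exists only from TPM 2.0 spec revision 1.38, so a chip whose
TPM2_PT_REVISION is below 138 answers it with TPM_RC_COMMAND_CODE. tpm2-tss wraps
that code in a layered TSS2_RC; the Esys log on this page shows 0x000b0143.
"""
import re
from typing import Optional

TPM_RC_COMMAND_CODE = 0x143        # RC_VER1 (0x100) + 0x043, format-0 code
CREATELOADED_MIN_REVISION = 138    # spec revision 1.38 as TPM2_PT_REVISION reports it

# Layer numbers from tpm2-tss tss2_common.h, named as Tss2_RC_Decode prints them.
RC_LAYERS = {0: "tpm", 7: "esapi", 11: "rmt"}   # rmt = resource manager, wrapped TPM code

def decode_tss2_rc(rc: int) -> dict:
    """Split a 32-bit TSS2_RC into its layer and the 16-bit TPM_RC it carries."""
    layer, tpm_rc = rc >> 16, rc & 0xFFFF
    is_format1 = bool(tpm_rc & 0x80)   # format-1 codes embed parameter/handle numbers
    return {
        "layer": RC_LAYERS.get(layer, f"layer{layer}"),
        "tpm_rc": tpm_rc,
        "command_unsupported": (not is_format1) and tpm_rc == TPM_RC_COMMAND_CODE,
    }

def tpm_revision(getcap_output: str) -> Optional[int]:
    """Read the raw TPM2_PT_REVISION value out of tpm2_getcap-style output (assumed layout)."""
    m = re.search(r"TPM2_PT_REVISION:\s*\n\s*raw:\s*(0x[0-9A-Fa-f]+)", getcap_output)
    return int(m.group(1), 16) if m else None

def supports_createloaded(getcap_output: str) -> bool:
    rev = tpm_revision(getcap_output)
    return rev is not None and rev >= CREATELOADED_MIN_REVISION

def explain_failure(esys_log: str, getcap_output: str) -> str:
    """One-line diagnosis for an 'Esys Finish ErrorCode (0x........)' line."""
    m = re.search(r"ErrorCode \((0x[0-9A-Fa-f]{8})\)", esys_log)
    if not m:
        return "no Esys error code found"
    info, rev = decode_tss2_rc(int(m.group(1), 16)), tpm_revision(getcap_output)
    if info["command_unsupported"] and rev is not None and rev < CREATELOADED_MIN_REVISION:
        return (f"TPM_RC_COMMAND_CODE via {info['layer']} on spec revision {rev / 100:.2f}: "
                f"TPM2_CreateLoaded needs 1.38 (tpm2-openssl 1.1.1 falls back without it)")
    return f"{info['layer']} error 0x{info['tpm_rc']:x} is not the CreateLoaded case"

# Constructed samples: the Esys line from this bug and a 1.16 chip's getcap output.
SAMPLE_LOG = "ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)"
SAMPLE_GETCAP = "TPM2_PT_LEVEL:\n  raw: 0\nTPM2_PT_REVISION:\n  raw: 0x74\n  value: 1.16\n"

if __name__ == "__main__":
    print(explain_failure(SAMPLE_LOG, SAMPLE_GETCAP))
```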
