[Bug 1970999] Re: Cannot load certificate stored in NVM

Mon Dec 12 16:01:36 UTC 2022

Hello Jim, or anyone else affected,

Accepted tpm2-openssl into kinetic-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/tpm2-openssl/1.1.0-2ubuntu0.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
kinetic to verification-done-kinetic. If it does not fix the bug for
you, please add a comment stating that, and change the tag to
verification-failed-kinetic. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: tpm2-openssl (Ubuntu Kinetic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-kinetic

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1970999

Title:
  Cannot load certificate stored in NVM

Status in tpm2-openssl package in Ubuntu:
  Fix Released
Status in tpm2-openssl source package in Jammy:
  Fix Committed
Status in tpm2-openssl source package in Kinetic:
  Fix Committed
Status in tpm2-openssl source package in Lunar:
  Fix Released

Bug description:
  [ Impact ]
  Makes it impossible to use certain TPM functionality via openssl, more precisely extracting the TPM vendor certificate

  [ Test Plan ]
  Run the appropriate command on a machine with an affected TPM.

  Before the fix:

  root at jammy:/tmp# openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
  WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error 
  ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x000001c4) 
  Could not read certificate from handle:0x1c0000a
  40C70C33C37F0000:error:4000000C:tpm2::cannot load key::-1:452 tpm:parameter(1):value is out of range or is not correct for the context
  Unable to load certificate

  After the fix:

  root at jammy:~# openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
  -----BEGIN CERTIFICATE-----
  MIIDBDCCAqmgAwIBAgIUBojh2fQZ3 <...>

  [ Where problems could occur ]
  Theoretically loading from NVM could be affected, but the fix is from upstream and no regressions due to this change have been reported in half a year.

  [Original Description]
  $ lsb_release -rd
  Description:    Ubuntu 22.04 LTS
  Release:        22.04

  $ apt-cache policy tpm2-openssl
  tpm2-openssl:
    Installed: 1.0.1-1
    Candidate: 1.0.1-1
    Version table:
   *** 1.0.1-1 500
          500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
          100 /var/lib/dpkg/status

  Please see https://github.com/tpm2-software/tpm2-openssl/issues/35.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tpm2-openssl/+bug/1970999/+subscriptions