
azure-utpm-c's Introduction

🚨 Deprecated 🚨

We are announcing the deprecation of the utpm-c library support and DPS-TPM authentication support within the Azure IoT C-SDK. Starting May 2023, Microsoft will not provide support for this library. Existing applications using this library will continue to work as-is. We strongly recommend switching to DPS-X509 authentication using the tpm2tss OpenSSL Engine.

Contributing

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

azure-utpm-c's People

Contributors

amarochk, cartertinney, cipop, danewalton, darobs, dcristoloveanu, ericwol-msft, ewertons, hihigupt, jbobotek, jebrando, jetstreamroysprowl, josesanchez7, jspaith, massand, microsoft-github-policy-service[bot], microsoftopensource, momuno, mrohera, msftgits, obastemur, oytis, rleclair, sahithkallakunta, simonporter, ttins, vaavva


azure-utpm-c's Issues

tpm_comm_linux.c bypasses tpm2-abrmd on some Linux installations

Hello there,

We've seen issues where certain applications, such as the iotedge daemon or the tpm_device_provision tool from azure-iot-sdk-c, that rely on the azure-utpm-c library start to work unstably when tpm2-abrmd is running, giving out various errors originating from the azure-utpm-c library.

When attempting to run the tpm_device_provision tool from azure-iot-sdk-c, which uses utpm as a dependency, we saw the following behavior:

  • when tpm2-abrmd is installed but is NOT running, the tool works fine
  • when tpm2-abrmd is running, the tool starts to fail but is expected to work.

This is caused by the load_abrmd function in tpm_comm_linux.c, which attempts to dlopen the shared library defined in the TPM_TABRMD_USERMODE_RESOURCE_MGR variable as libtss2-tcti-tabrmd.so (but not as libtss2-tcti-tabrmd.so.0, as is done for other defines in the same source file).

In our system tpm2-abrmd installs that file as .so.0 and .so.0.0.0 but not as a *.so file, so dlopen fails to find the file and as a result the load_abrmd function in the azure-utpm-c library falls back to direct access to /dev/tpm0. The in-kernel resource manager might not be available in kernels earlier than 4.12, so on those systems no TPM resource manager is used at all and the tools fail because of non-synchronized shared access to /dev/tpm0.
This conflicts with the tpm2-abrmd daemon, which should be exclusively accessing the device.

While a workaround was found (creating a libtss2-tcti-tabrmd.so symlink, which fixed the dlopen issue and thus made use of the tpm2-abrmd resource manager), the generic behavior on systems where those symlinks are missing or could not be created is that the tpm2-abrmd resource manager is not used at all, causing shared-access issues on /dev/tpm0, as the tpm2-abrmd daemon is already using the device.

So a possible fix in this library could be to also check the name libtss2-tcti-tabrmd.so.0 along with libtss2-tcti-tabrmd.so, so as not to miss an installed and running tpm2-abrmd resource manager.

applications affected:

  • everything that accesses TPM using latest azure-iot-sdk-c
  • iotedge daemon (1.0.8.3)

condition of failure

  • running tpm2-abrmd and
  • libtss2-tcti-tabrmd.so missing (installed as libtss2-tcti-tabrmd.so.0 or with .so.0.0.0 extension)
  • no kernel support for the in-built TPM resource manager, /dev/tpmrm0 (kernels earlier than 4.12)
  • a tool built with azure-iot-sdk-c that attempts to access the TPM
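The lookup order the report asks for, written out as an added example (this is not azure-utpm-c code; the function and type names, the candidate soname lists and the two simulated probes are assumptions made for the illustration). It tries the versioned soname before the unversioned one, then the in-kernel resource manager node, and only then the raw device, and the probes are injectable so the decision logic can be exercised against a simulation of the reporter's system (versioned soname only, kernel older than 4.12) without touching a TPM:

```c
/* Added example (not azure-utpm-c code): choose how to reach the TPM.
 * All candidate TCTI sonames are tried before any raw-device fallback, so a
 * system that ships only libtss2-tcti-tabrmd.so.0 still goes through the
 * running tpm2-abrmd instead of racing it on /dev/tpm0. */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum tpm_access {
    TPM_ACCESS_ABRMD,       /* user-mode resource manager via TCTI library */
    TPM_ACCESS_KERNEL_RM,   /* /dev/tpmrm0, in-kernel RM (Linux >= 4.12) */
    TPM_ACCESS_RAW_DEVICE,  /* /dev/tpm0, unsynchronised; last resort */
    TPM_ACCESS_NONE
};

struct tpm_choice {
    enum tpm_access how;
    const char *name;       /* soname or device path that was selected */
};

/* Probes are injectable so the selection logic is testable without a TPM. */
typedef int (*probe_fn)(const char *name);

/* Real library probe: can the dynamic loader resolve this soname? */
int probe_dlopen(const char *name)
{
    void *h = dlopen(name, RTLD_NOW);
    if (h == NULL)
        return 0;
    dlclose(h);
    return 1;
}

/* Real device probe: does the node exist and is it accessible to us? */
int probe_device(const char *path)
{
    return access(path, R_OK | W_OK) == 0;
}

/* Versioned soname first: that is the file the package installs; the bare
 * .so is usually a dev-package symlink and may be absent (assumed list). */
const char *const k_abrmd_names[] = {
    "libtss2-tcti-tabrmd.so.0",
    "libtss2-tcti-tabrmd.so",
    NULL
};

/* The single-name lookup described in the report, kept for comparison. */
const char *const k_abrmd_names_legacy[] = { "libtss2-tcti-tabrmd.so", NULL };

struct tpm_choice select_tpm_access(const char *const *names,
                                    probe_fn lib_probe, probe_fn dev_probe)
{
    struct tpm_choice c = { TPM_ACCESS_NONE, NULL };
    for (size_t i = 0; names[i] != NULL; i++) {
        if (lib_probe(names[i])) {
            c.how = TPM_ACCESS_ABRMD;
            c.name = names[i];
            return c;
        }
    }
    if (dev_probe("/dev/tpmrm0")) {
        c.how = TPM_ACCESS_KERNEL_RM;
        c.name = "/dev/tpmrm0";
        return c;
    }
    if (dev_probe("/dev/tpm0")) {
        /* No resource manager at all: a second user of /dev/tpm0 (here the
         * running tpm2-abrmd) will interleave commands with ours. */
        c.how = TPM_ACCESS_RAW_DEVICE;
        c.name = "/dev/tpm0";
    }
    return c;
}

/* Constructed simulation of the reporter's system: tpm2-abrmd installed as
 * .so.0 and .so.0.0.0 only, kernel older than 4.12 (no /dev/tpmrm0). */
int sim_lib_versioned_only(const char *name)
{
    return strcmp(name, "libtss2-tcti-tabrmd.so.0") == 0
        || strcmp(name, "libtss2-tcti-tabrmd.so.0.0.0") == 0;
}

int sim_dev_old_kernel(const char *path)
{
    return strcmp(path, "/dev/tpm0") == 0;
}

int main(void)
{
    struct tpm_choice c;

    c = select_tpm_access(k_abrmd_names_legacy, sim_lib_versioned_only, sim_dev_old_kernel);
    printf("simulated system, single-name lookup: mode=%d via %s\n", (int)c.how, c.name ? c.name : "(none)");
    c = select_tpm_access(k_abrmd_names, sim_lib_versioned_only, sim_dev_old_kernel);
    printf("simulated system, ordered lookup:     mode=%d via %s\n", (int)c.how, c.name ? c.name : "(none)");
    c = select_tpm_access(k_abrmd_names, probe_dlopen, probe_device);
    printf("this host:                            mode=%d via %s\n", (int)c.how, c.name ? c.name : "(none)");
    return 0;
}
```

On the simulated system the single-name lookup lands on /dev/tpm0 (mode 2), which is exactly the collision the report describes, while the ordered lookup selects libtss2-tcti-tabrmd.so.0 (mode 0). The last line of main runs the real probes, so on a host with tpm2-abrmd installed it shows which soname the loader actually resolved.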

Sample code fails to sign data with real TPM on Infineon SLB 9665TT2.0

Hello there,

While trying to set up auto-provisioning of IoT Edge devices with Azure DPS through the use of TPM 2.0, we're using the LEC 7233 industrial PC as the hardware platform. This PC has an Infineon SLB 9665TT2.0 TPM 2.0 chip. As you can read in issue report Azure/iotedge#441, the security daemon fails to sign data from a hash.

Since the error stems from this library, I tried to determine whether the issue was in the security daemon's usage of the library or inherent to the library's implementation.

There are no instructions yet on how to compile the library, but after digging through the CMake file I ended up using the following commands:

$ cd azure-utpm-c
$ mkdir build && cd build
$ cmake -Drun_e2e_tests:BOOL=ON -Drun_unittests:BOOL=ON -Duse_emulator:BOOL=OFF ..
$ make

Then I ran all the tests and all of them passed. Although I almost didn't bother with the next step after all tests passed, I decided to run the sample code just for completeness' sake. Lo and behold, I finally got an error from the Func:SignData function just like the IoT Edge security daemon:

$ sudo samples/utpm_sample/utpm_sample
Endorsement Key: [CENSORED]

Storage Root Key: [CENSORED]

Error: Time:Fri Oct 19 10:13:16 2018 File:/home/priva/Desktop/azure-utpm-c/src/tpm_codec.c Func:TSS_DispatchCmd Line:1087 response size is not expected size.
Error: Time:Fri Oct 19 10:13:16 2018 File:/home/priva/Desktop/azure-utpm-c/src/tpm_codec.c Func:SignData Line:379 Hashing token data failed TPM_RC_COMMAND_SIZE
Failed to sign data with tpm

Random bytes: 67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a

I modified the error log to print out the actual sizes in the function and got this:

Error: Time:Fri Oct 19 10:35:38 2018 File:/home/priva/Desktop/azure-utpm-c/src/tpm_codec.c Func:TSS_DispatchCmd Line:1087 response size 4096 is not expected size 10.
Error: Time:Fri Oct 19 10:35:38 2018 File:/home/priva/Desktop/azure-utpm-c/src/tpm_codec.c Func:SignData Line:379 Hashing token data failed TPM_RC_COMMAND_SIZE
Failed to sign data with tpm

Do you have any suggestions on how to fix this issue?

Initialize_TPM_Codec never returns when using TPM emulator

Hello,

I am developing an application using the Azure IoT SDK. We plan to use a TPM, but for now the hardware isn't available, so we are trying to use the TPM emulator to test our cloud infrastructure until then. We are using it on Linux and connecting it to https://sourceforge.net/projects/ibmswtpm2/

We got the provisioning working, but we are not able to then connect to the Azure IoT cloud. Our code calls IoTHubDeviceClient_CreateFromDeviceAuth in azure-iot-sdk-c, which ends up calling Initialize_TPM_Codec in utpm.

That function never returns (we waited for several minutes, surely it shouldn't take that long).

I guess (but this is only a guess) this could be because of trying to initialize the TPM codec a second time, after it has already been done for the provisioning. I don't know if the TPM emulator implements or needs some form of arbitration as a real TPM would. Or maybe we are asking too much of the emulator and it is not designed to be pushed this far?

Do you have any recommendations? How can I help with debugging this issue and understanding why there is a lockup? If this usage is not possible, shouldn't the function return an error code instead of just blocking forever?

SDK LTS_07_2022 Migration - Issue with TPM - Endian Agnostic ?

Hi.

Issue

We have attempted to migrate the C SDK as follows:
LTS_07_2021 --to--> LTS_07_2022
but encountered runtime errors on UTPM.

Device Information

  • OpenWRT 21
  • MIPS 32 24k big endian
  • Provisioning Method: TPM

On Endianness

One main aspect of this migration had been the following:

  • since the beginning of our codebase, there has always been an inherited patch to utpm (here is the gist of the patch) that was marked as acting on the endianness
  • the patch had always applied smoothly up to LTS_07_2021, then broke when moving to LTS_07_2022
  • a short test with LTS_07_2022, without that patch, failed on TPM issues, but I do not have logs for the moment.

Question

  • Is being endian agnostic a constraint for the UTPM and SDK project, and if yes, are there tests in place?
  • Should we provide tests/logs for this issue?

Thank you in advance
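Two of the reports above meet at the same ten bytes: the Infineon report shows TSS_DispatchCmd rejecting a response whose size is "not expected size 10" with TPM_RC_COMMAND_SIZE, and the question here is whether the codec is endian agnostic on a big-endian MIPS target. Both come down to how the TPM 2.0 response header (a 16-bit tag, a 32-bit responseSize and a 32-bit responseCode, all in big-endian wire order) is decoded. The following is an added example, not azure-utpm-c code: it decodes the header byte by byte so the result is identical on big- and little-endian hosts, checks the declared size against the bytes actually received, and contrasts that with a host-order memcpy decode that only happens to work on big-endian machines. The sample response bytes are constructed; the function names are assumptions.

```c
/* Added example (not azure-utpm-c code): decode the 10-byte TPM 2.0 response
 * header in canonical big-endian wire order, independent of host endianness,
 * and check the declared responseSize against the bytes actually received. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_RESPONSE_HEADER_SIZE 10u
#define TPM_ST_NO_SESSIONS       0x8001u  /* tag used on every error response */
#define TPM_RC_SUCCESS           0x000u
#define TPM_RC_COMMAND_SIZE      0x142u   /* RC_VER1 (0x100) + 0x042 */

enum rsp_status {
    RSP_OK,              /* well-formed and responseCode == TPM_RC_SUCCESS */
    RSP_TOO_SHORT,       /* fewer than 10 bytes received */
    RSP_SIZE_MISMATCH,   /* responseSize disagrees with bytes received */
    RSP_TPM_ERROR        /* well-formed, but the TPM reported an error */
};

struct tpm_rsp_header { uint16_t tag; uint32_t size; uint32_t rc; };

/* Byte-wise decoders: the same result on MIPS big-endian and x86. */
uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | (uint16_t)p[1]);
}

uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

enum rsp_status tpm_parse_response(const uint8_t *buf, size_t received,
                                   struct tpm_rsp_header *h)
{
    if (received < TPM_RESPONSE_HEADER_SIZE)
        return RSP_TOO_SHORT;
    h->tag  = be16(buf);
    h->size = be32(buf + 2);
    h->rc   = be32(buf + 6);
    /* A response is exactly as long as its header claims: shorter means a
     * truncated read, longer means stale bytes left over from an earlier
     * exchange (or a full-buffer read reported as the response length). */
    if (h->size != received)
        return RSP_SIZE_MISMATCH;
    return h->rc == TPM_RC_SUCCESS ? RSP_OK : RSP_TPM_ERROR;
}

/* Scalar wrappers so callers need not allocate the header struct. */
enum rsp_status tpm_response_status(const uint8_t *buf, size_t received)
{
    struct tpm_rsp_header h;
    return tpm_parse_response(buf, received, &h);
}

uint32_t tpm_response_code(const uint8_t *buf, size_t received)
{
    struct tpm_rsp_header h;
    if (tpm_parse_response(buf, received, &h) == RSP_TOO_SHORT)
        return 0xFFFFFFFFu;   /* sentinel: no code could be decoded */
    return h.rc;
}

/* The host-order decode an endianness-unaware codec would do; it yields the
 * wire value only when the host is itself big-endian. */
int host_is_big_endian(void)
{
    const uint16_t probe = 0x0100;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}

uint32_t naive_host_order_u32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Constructed sample: the header-only error response a TPM returns when it
 * rejects a command with TPM_RC_COMMAND_SIZE. Error responses carry no body,
 * so responseSize is exactly 10, which is the "expected size 10" in the log. */
const uint8_t k_rc_command_size_rsp[TPM_RESPONSE_HEADER_SIZE] = {
    0x80, 0x01,              /* TPM_ST_NO_SESSIONS */
    0x00, 0x00, 0x00, 0x0a,  /* responseSize = 10 */
    0x00, 0x00, 0x01, 0x42   /* TPM_RC_COMMAND_SIZE */
};

/* Constructed: the same header sitting at the front of a larger read buffer
 * whose full length was reported as the response length. */
const uint8_t k_padded_rsp[64] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x42
};

int main(void)
{
    struct tpm_rsp_header h;
    enum rsp_status s = tpm_parse_response(k_rc_command_size_rsp, sizeof k_rc_command_size_rsp, &h);
    printf("status=%d tag=0x%04x size=%u rc=0x%03x\n", (int)s, (unsigned)h.tag, (unsigned)h.size, (unsigned)h.rc);
    printf("64-byte read claiming 10: status=%d\n", (int)tpm_response_status(k_padded_rsp, sizeof k_padded_rsp));
    printf("host-order decode of size field: %u (%s host)\n",
           (unsigned)naive_host_order_u32(k_rc_command_size_rsp + 2),
           host_is_big_endian() ? "big-endian" : "little-endian");
    return 0;
}
```

The byte-wise path returns size 10 and rc 0x142 on any host; the memcpy path returns 10 on the MIPS target and 167772160 (0x0a000000) on an x86 development machine, which is the kind of discrepancy an endianness patch to the codec would be papering over.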

Missing information about migration from azure-utpm-c to tss2 with openssl

I could not find any point of contact, thus I am opening this ticket in the hope that we establish communication. I am the founder of the largest TPM developers community and my hope is that we can host someone from the Microsoft team to explain to us in technical detail how this migration actually happens in Azure for existing TPM adopters.

We are a group of over 500 developers who use HSMs and especially TPMs on a daily basis. Please engage with us and let's arrange some talk in September or October. My primary email is listed on my GitHub profile.

Thanks,
Dimi
/Founder of TPM.dev
