tpm2-tools
tpm2_ptool fails to init with error
Trying to execute command on Ubuntu 20.04.
tpm2_ptool init --transient-parent --path /some/path
Fails with the following error.
Traceback (most recent call last):
  File "/tmp/tpm2-pkcs11/tpm2-pkcs11-1.6.0/tools/tpm2_pkcs11/commandlets_store.py", line 100, in __call__
  File "/tmp/tpm2-pkcs11/tpm2-pkcs11-1.6.0/tools/tpm2_pkcs11/utils.py", line 430, in create_primary
  File "/tmp/tpm2-pkcs11/tpm2-pkcs11-1.6.0/tools/tpm2_pkcs11/tpm2.py", line 82, in createprimary
RuntimeError: Could not execute tpm2_createprimary: b'ERROR: Esys_StartAuthSession(0xA000A) - tcti:IO failure\nERROR: Invalid parent key authorization\nERROR: Unable to run tpm2_createprimary\n'
Could not execute tpm2_createprimary: b'ERROR: Esys_StartAuthSession(0xA000A) - tcti:IO failure\nERROR: Invalid parent key authorization\nERROR: Unable to run tpm2_createprimary\n'
I've only found this issue on one of the users' setups; it worked for other users as expected in creating a store.
I'm still new to using the tpm2, so I'm not sure if this is a bug or if there is something wrong with the setup.
Any workaround or fix is appreciated.
tpm2_createprimary version=4.1.1 tpm2-tools version = 4.1.1
@nikolkam Access to the tpm device is seemingly not possible (tcti error 0xa000a).
tpm2_ptool uses the tpm tool commands under the hood. Can you execute commands e.g.:
tpm2_getcap handles-nv-index
@JuergenReppSIT
The tpm2_getcap handles-nv-index returns multiple handles of the nv index. If it's not able to access the tpm device at all, would it still be possible to print them?
Output:
- 0x1400001
- 0x1400002
- 0x1500016
- 0x1C00002
- 0x1C0000A
- 0x1C10102
- 0x1C101C0
@nikolkam the access to the tcti interface seems to be working. The error occurs when the following command is executed:
tpm2_createprimary -c /tmp/tmpa_fs1793/context.out -g sha256 -G rsa
where tmpa_fs1793 is a temporary directory created by ptool. Can you execute this command with an existing temporary directory?
@JuergenReppSIT
I haven't got a reply from the user yet, but when I asked the user to execute tpm2_createprimary -c primary.txt he got the same error.
ERROR: Esys_StartAuthSession(0xA000A) - tcti:IO failure
ERROR: Invalid parent key authorization
ERROR: Unable to run /opt/forticlient/tpm2/bin/tpm2_createprimary
@nikolkam Normally this command should work. Does the error also occur if the hierarchy is used:
tpm2_createprimary -C o -c /tmp/tmpa_fs1793/context.out -g sha256 -G rsa
If the error still occurs you could try to create a tcti log:
TSS2_LOG=tcti+trace tpm2_createprimary -C o -c /tmp/prim.ctx -g sha256 -G rsa
But if it's possible I would try a
tpm2_clear
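
The return code 0xA000A discussed in this thread can be decoded mechanically to see which TSS layer reported it. The following is an added example, not part of the original thread or of tpm2-tools; the layer and base-error numbers follow the TSS 2.0 return-code layout in tss2_common.h, and the names decode_rc and explain are hypothetical helpers. A code in the TCTI layer is reported by the transport to the TPM, while an error evaluated by the TPM itself arrives as a TPM response code.

```python
import re

# Return-code layout from tss2_common.h: bits 16-23 name the layer that
# produced the error, bits 0-15 carry the error itself.
LAYERS = {
    0: "TSS2_TPM_RC_LAYER", 6: "TSS2_FEATURE_RC_LAYER",
    7: "TSS2_ESAPI_RC_LAYER", 8: "TSS2_SYS_RC_LAYER",
    9: "TSS2_MU_RC_LAYER", 10: "TSS2_TCTI_RC_LAYER",
    11: "TSS2_RESMGR_RC_LAYER", 12: "TSS2_RESMGR_TPM_RC_LAYER",
}
# Base errors shared by the software layers (TSS2_BASE_RC_* without the prefix).
BASE_ERRORS = {
    1: "GENERAL_FAILURE", 2: "NOT_IMPLEMENTED", 3: "BAD_CONTEXT",
    4: "ABI_MISMATCH", 5: "BAD_REFERENCE", 6: "INSUFFICIENT_BUFFER",
    7: "BAD_SEQUENCE", 8: "NO_CONNECTION", 9: "TRY_AGAIN",
    10: "IO_ERROR", 11: "BAD_VALUE", 12: "NOT_PERMITTED",
}
# In these layers the low bits are a TPM response code, not a base error.
TPM_CODE_LAYERS = {0, 12}

# Matches "Esys_StartAuthSession(0xA000A)" style fragments in tool stderr.
RC_IN_STDERR = re.compile(r"(\w+)\(0x([0-9A-Fa-f]+)\)")

# stderr lines as quoted in the thread above
THREAD_STDERR = """\
ERROR: Esys_StartAuthSession(0xA000A) - tcti:IO failure
ERROR: Invalid parent key authorization
ERROR: Unable to run /opt/forticlient/tpm2/bin/tpm2_createprimary
"""

def decode_rc(rc):
    """Split a TSS2_RC into (layer name, error description)."""
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    layer_name = LAYERS.get(layer, f"unknown layer {layer}")
    if layer in TPM_CODE_LAYERS:
        return layer_name, f"TPM response code 0x{code:03X}"
    return layer_name, BASE_ERRORS.get(code, f"unknown base error {code}")

def explain(stderr_text):
    """Return (failing call, layer, error) for every return code in stderr."""
    return [(call, *decode_rc(int(hexrc, 16)))
            for call, hexrc in RC_IN_STDERR.findall(stderr_text)]

if __name__ == "__main__":
    for call, layer, error in explain(THREAD_STDERR):
        print(f"{call}: layer={layer} error={error}")
```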