
tpm2_tools error 0x70001 with fips-updates on 22.04

Open awithy opened this issue 1 year ago • 1 comments

OS: Ubuntu 22.04 with fips-updates

Symptom: Use of TPM2 tools fails with error code 0x70001 (e.g., tpm2_clear, tpm2_nvdefine 0x1500018 -C o -s 32). I assume this is an incompatibility between tpm2-tools (5.2-1build1) and the fips OpenSSL package (3.0.5-0ubuntu0.1+Fips2.1).

Example:

tpm2_clear
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_clear

Steps to reproduce:

  1. Install new Ubuntu Server 22.04
  2. Apply all updates
  3. Attach pro license and enable fips-updates service
  4. Install tpm2-tools
  5. Reboot
  6. Run sudo tpm2_clear

This looks similar to:

https://github.com/tpm2-software/tpm2-tools/issues/2957

Thank you in advance for considering this issue. Please let me know if I can help troubleshoot further.

awithy, Jul 27 '24 18:07

Yes, the ERROR originates from an OpenSSL call to DigestSignInit for an HMAC. I have no clue how in the world this can fail... I'm afraid you'll have to debug; maybe set a breakpoint on DigestSignInit using gdb and see what the call looks like and why it fails...

AndreasFuchsTPM, Aug 01 '24 12:08
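
For triaging output like the tpm2_clear log in this issue, the following added example (not part of the original thread and not tpm2-software code) parses the tpm2-tss error lines into a call chain and decodes the response code into its layer and base code. The layer numbers follow tss2_common.h; the function names `decode_rc`, `parse_frames` and `triage` are this example's own.

```python
import re

# TSS2 response codes carry the originating layer in bits 16-23 (tss2_common.h).
TSS2_LAYERS = {0: "tpm", 6: "fapi", 7: "esapi", 8: "sys", 9: "mu",
               10: "tcti", 11: "resmgr", 12: "resmgr-tpm"}

# Log lines copied from the tpm2_clear output quoted in the issue.
SAMPLE_LOG = """\
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_clear
"""

# ERROR:<module>:<file>:<line>:<function>() <message>
FRAME = re.compile(r"^ERROR:(?P<module>\w+):(?P<file>[^:]+):(?P<line>\d+):"
                   r"(?P<func>\w+)\(\) (?P<msg>.*)$")
RC = re.compile(r"\(0x([0-9a-fA-F]+)\)")

def decode_rc(rc):
    """Split a TSS2_RC into (layer name, 16-bit base code)."""
    layer = (rc >> 16) & 0xFF
    return TSS2_LAYERS.get(layer, f"layer-{layer}"), rc & 0xFFFF

def parse_frames(log):
    """Return one dict per library log line; tool-level summary lines are skipped."""
    frames = []
    for line in log.splitlines():
        m = FRAME.match(line.strip())
        if m:
            rc = RC.search(m["msg"])
            frames.append({**m.groupdict(), "rc": int(rc.group(1), 16) if rc else None})
    return frames

def triage(log):
    """Summarise where the failure started and whether the code came from the TPM."""
    frames = parse_frames(log)
    if not frames or frames[0]["rc"] is None:
        return None
    origin = frames[0]  # in the output above, the first line is the deepest call
    layer, code = decode_rc(origin["rc"])
    return {"origin": origin["func"], "location": f"{origin['file']}:{origin['line']}",
            "layer": layer, "code": code, "from_tpm": layer == "tpm",
            "chain": [f["func"] for f in frames]}
```

On the log from this issue, `triage(SAMPLE_LOG)` reports the origin as `iesys_cryptossl_hmac_start` with an ESAPI-layer code, not a TPM-layer one, which matches the failure being raised while `Esys_Clear_Async()` computes auth values on the host.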