
segfault on arch linux when generating rsa 2048

Open n0xena opened this issue 3 months ago • 0 comments

I've checked and my AM4 fTPM can only handle RSA 2048 keys. When generating, the private key gets written out, but the cleanup fails with a segfault:

[main@main tpm]$ coredumpctl debug 15160
           PID: 15160 (openssl)
           UID: 1000 (main)
           GID: 1000 (main)
        Signal: 11 (SEGV)
     Timestamp: Sun 2025-09-14 22:54:14 CEST (12min ago)
  Command Line: openssl genpkey -engine tpm2tss -algorithm RSA -out mykem.pem -pkeyopt rsa_keygen_bits:2048
    Executable: /usr/bin/openssl
 Control Group: /user.slice/user-1000.slice/[email protected]/app.slice/[email protected]
          Unit: [email protected]
     User Unit: [email protected]
         Slice: user-1000.slice
     Owner UID: 1000 (main)
       Boot ID: 098fce453d554337bb748a1f4e23b121
    Machine ID: 4b9b964b62004704b952c93a82dca448
      Hostname: main
       Storage: /var/lib/systemd/coredump/core.openssl.1000.098fce453d554337bb748a1f4e23b121.15160.1757883254000000.zst (present)
  Size on Disk: 202.6K
       Message: Process 15160 (openssl) of user 1000 dumped core.
                
                Stack trace of thread 15160:
                #0  0x00007f8d3e4489bb n/a (tpm2tss.so + 0x69bb)
                #1  0x00007f8d3e44aee3 n/a (tpm2tss.so + 0x8ee3)
                #2  0x00007f8d3dd70a3d EVP_PKEY_CTX_free (libcrypto.so.3 + 0x170a3d)
                #3  0x000055f6bccf8c03 n/a (/usr/bin/openssl + 0x48c03)
                #4  0x000055f6bccfaa28 n/a (/usr/bin/openssl + 0x4aa28)
                #5  0x000055f6bccce458 n/a (/usr/bin/openssl + 0x1e458)
                #6  0x00007f8d3d827675 n/a (libc.so.6 + 0x27675)
                #7  0x00007f8d3d827729 __libc_start_main (libc.so.6 + 0x27729)
                #8  0x000055f6bccce7d5 n/a (/usr/bin/openssl + 0x1e7d5)
                ELF object binary architecture: AMD x86-64

GNU gdb (GDB) 16.3
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/openssl...

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.archlinux.org>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
Reading symbols from /home/main/.cache/debuginfod_client/2aa9c2e1562ca4d21e84f7b3f389af532c8235e3/debuginfo...
[New LWP 15160]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `/usr/bin/openssl genpkey -engine tpm2tss -algorithm RSA -out mykem.pem -pkeyopt rsa_keygen_bits:2048'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f8d3e4489bb in digest_sign_cleanup (ctx=ctx@entry=0x55f6d5738600) at src/tpm2-tss-engine-digest-sign.c:297
297                 Esys_FlushContext(sig_data->key->esys_ctx, sig_data->seq_handle);
(gdb) thread apply all backtrace full

Thread 1 (Thread 0x7f8d3e334b80 (LWP 15160)):
#0  0x00007f8d3e4489bb in digest_sign_cleanup (ctx=ctx@entry=0x55f6d5738600) at src/tpm2-tss-engine-digest-sign.c:297
        sig_data = 0x55f6d57207f0
#1  0x00007f8d3e44aee3 in rsa_pkey_cleanup (ctx=0x55f6d5738600) at src/tpm2-tss-engine-rsa.c:651
No locals.
#2  0x00007f8d3dd70a3d in EVP_PKEY_CTX_free (ctx=0x55f6d5738600) at crypto/evp/pmeth_lib.c:396
No locals.
#3  0x000055f6bccf8c03 in genpkey_main (argc=<optimized out>, argv=<optimized out>) at apps/genpkey.c:316
        conf = <optimized out>
        mem_out = <optimized out>
        mem_outpubkey = <optimized out>
        e = <optimized out>
        pkey = <optimized out>
        ctx = 0x55f6d5738600
        outfile = <optimized out>
        passarg = <optimized out>
        pass = <optimized out>
        prog = <optimized out>
        p = <optimized out>
        outpubkeyfile = <optimized out>
        ciphername = <optimized out>
        paramfile = <optimized out>
        algname = <optimized out>
        cipher = 0x0
        o = <optimized out>
        outformat = 32773
        text = <optimized out>
        ret = <optimized out>
        rv = <optimized out>
        do_param = <optimized out>
        private = <optimized out>
        i = <optimized out>
        libctx = <optimized out>
        keyopt = <optimized out>
#4  0x000055f6bccfaa28 in do_cmd (prog=prog@entry=0x55f6d5738e00, argc=argc@entry=9, argv=argv@entry=0x7fffb310b5b0) at apps/openssl.c:428
        f = {type = FT_none, name = 0x7fffb310c7c9 "genpkey", func = 0x0, help = 0x0, deprecated_alternative = 0x0, deprecated_version = 0x0}
        fp = <optimized out>
#5  0x000055f6bccce458 in main (argc=<optimized out>, argv=<optimized out>) at apps/openssl.c:309
        f = {type = 4294967295, name = 0x55f6bcd97120 <prog.lto_priv> "genpkey", func = 0x2000000, help = 0x7fffb310b458, deprecated_alternative = 0x2100000019 <error: Cannot access memory at address 0x2100000019>, deprecated_version = 0x0}
        fp = <optimized out>
        prog = 0x55f6d5738e00
        pname = <optimized out>
        fname = 0x55f6bcd5254b "prog_init"
        arg = {size = 0, argc = <optimized out>, argv = 0x0}
        global_help = <optimized out>
        global_version = <optimized out>
        ret = 0
(gdb) 

This was done after a fresh TPM reset via UEFI and a call of tpm2_clear after previous tests.

15160.zip

n0xena avatar Sep 14 '25 21:09 n0xena
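The trace above faults inside digest_sign_cleanup while EVP_PKEY_CTX_free tears down a genpkey context, a run in which no signing ever happened. As an added example (not tpm2-tss-engine's code, and the cause is an assumption drawn from the backtrace, not confirmed by the page), here is a hypothetical cleanup routine written so that a context with no bound key or open hash sequence is released without touching the TPM; the types, the mock flush and the handle values are stand-ins.

```c
/* Added example, not tpm2-tss-engine code: a hypothetical digest-sign cleanup
 * that tolerates a context which never bound a signing key or started a hash
 * sequence (the genpkey path) rather than dereferencing sig_data->key blindly.
 * All types and the flush call are stand-ins for the ESAPI ones. */
#include <stdlib.h>
#define ESYS_TR_NONE 0xfffu                          /* stand-in "no handle" */
typedef struct { int id; } ESYS_CONTEXT;             /* stand-in ESAPI context */
typedef unsigned ESYS_TR;
typedef struct { ESYS_CONTEXT *esys_ctx; } TPM2_KEY; /* hypothetical key record */
typedef struct {
    TPM2_KEY *key;        /* NULL until a signing key is bound */
    ESYS_TR seq_handle;   /* ESYS_TR_NONE until a sequence is started */
} DIGEST_SIGN_DATA;

/* Stand-in for Esys_FlushContext: counts calls, rejects NULL or no handle. */
static int flush_calls = 0;
static int mock_flush(ESYS_CONTEXT *ctx, ESYS_TR handle) {
    if (ctx == NULL || handle == ESYS_TR_NONE) return -1;
    flush_calls++;
    return 0;
}
/* Returns 1 if a sequence object was flushed, 0 otherwise. Never touches
 * key->esys_ctx when key is NULL, and frees sig_data on every path. */
int digest_sign_cleanup_safe(DIGEST_SIGN_DATA *sig_data) {
    int flushed = 0;
    if (sig_data == NULL) return 0;
    if (sig_data->key != NULL && sig_data->key->esys_ctx != NULL &&
        sig_data->seq_handle != ESYS_TR_NONE) {
        flushed = mock_flush(sig_data->key->esys_ctx, sig_data->seq_handle) == 0;
        sig_data->seq_handle = ESYS_TR_NONE;  /* guard against a double flush */
    }
    free(sig_data);
    return flushed;
}

/* Scenario 1: key generation only, so no key bound and no sequence. */
int cleanup_keygen_only(void) {
    DIGEST_SIGN_DATA *d = calloc(1, sizeof *d);
    d->seq_handle = ESYS_TR_NONE;
    return digest_sign_cleanup_safe(d);  /* 0, and no crash */
}
/* Scenario 2: a signing context holding a live (constructed) hash sequence. */
int cleanup_after_signing(void) {
    static ESYS_CONTEXT ectx = { 1 };
    static TPM2_KEY key = { &ectx };
    DIGEST_SIGN_DATA *d = calloc(1, sizeof *d);
    d->key = &key;
    d->seq_handle = 0x80000001u;
    return digest_sign_cleanup_safe(d);  /* 1 */
}
```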