Stop vendoring TPM2 libraries for RHEL 9 #589

Open
wants to merge 1 commit into
base: main

Contributor

huguesBouvier commented Feb 20, 2024

We observed in a customer issue that the DPS-TPM workflow doesn't work on
RHEL 9:

Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [INFO] - <-- GET /get_tpm_keys?api-version=2020-09-01 {"host": "tpmd.sock"}
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [INFO] - --> 200 {"content-type": "application/json"}
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [INFO] - <-- POST /import_auth_key?api-version=2020-09-01 {"content-type": "application/json", "host": "tpmd.sock", "content-length": "1306"}
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:327:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:212:Esys_ActivateCredential_Async() Error in computation of auth values ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:82:Esys_ActivateCredential() Error in async function ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [ERR!] - !!! internal error
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [ERR!] - !!! caused by: could not import auth key
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [ERR!] - !!! caused by: esapi:Catch all for all errors not otherwise specified
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [INFO] - --> 500 {"content-type": "application/json"}
Feb 20 17:34:01 icm2 aziot-identityd[66569]: 2024-02-20T17:34:01Z [ERR!] - Failed to provision with IoT Hub, and no valid device backup was found: DPS client error
Feb 20 17:34:01 icm2 aziot-identityd[66569]: 2024-02-20T17:34:01Z [ERR!] - service encountered an error
Feb 20 17:34:01 icm2 aziot-identityd[66569]: 2024-02-20T17:34:01Z [ERR!] - caused by: DPS client error
Feb 20 17:34:01 icm2 aziot-identityd[66569]: 2024-02-20T17:34:01Z [ERR!] - caused by: internal error

We confirmed that removing the vendored libraries and having tpmd use
the distro libraries made it work.
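
A triage sketch for the journal excerpt above, added here as an illustration (it is not part of the pull request or of the aziot-tpmd code base): it pulls the tpm2-tss `ERROR:` frames out of the journal, decodes the TSS2 response code into its layer, and reports whether the failure came from the TPM or from the library's OpenSSL code path. The function names `decode_rc` and `triage` are made up for this example; the layer numbers are the ones defined in `tss2_common.h`.

```python
import re

# Excerpt of the journal lines quoted in the PR description above.
SAMPLE = """\
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:327:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:82:Esys_ActivateCredential() Error in async function ErrorCode (0x00070001)
Feb 20 17:34:01 icm2 aziot-tpmd[65443]: 2024-02-20T17:34:01Z [ERR!] - !!! caused by: could not import auth key
"""

# Layer numbers from tss2_common.h: bits 16-23 of a TSS2_RC name the component
# that produced the code; layer 0 means the TPM itself answered with an error.
LAYERS = {0: "tpm", 6: "feature", 7: "esapi", 8: "sys", 9: "mu",
          10: "tcti", 11: "resmgr", 12: "resmgr-tpm"}

TSS_ERROR = re.compile(
    r"ERROR:(?P<module>\w+):(?P<file>[^:\s]+):(?P<line>\d+):(?P<func>\w+)\(\)\s+"
    r"(?P<msg>.*?)\s*ErrorCode \((?P<rc>0x[0-9a-fA-F]+)\)\s*(?P<detail>.*)$")

def decode_rc(rc):
    """Split a TSS2_RC into (layer name, layer-local error number)."""
    layer = (rc >> 16) & 0xFF
    return LAYERS.get(layer, "layer-%d" % layer), rc & 0xFFFF

def triage(journal_text):
    """Return the innermost tpm2-tss frame of an error burst, or None."""
    frames = [m.groupdict() for m in map(TSS_ERROR.search, journal_text.splitlines()) if m]
    if not frames:
        return None
    first = frames[0]  # in this log the failing frame comes first, its callers after it
    layer, code = decode_rc(int(first["rc"], 16))
    return {
        "origin": "%s (%s:%s)" % (first["func"], first["file"], first["line"]),
        "detail": first["detail"] or first["msg"],
        "layer": layer,
        "code": code,
        "from_tpm": layer == "tpm",
        "in_openssl_backend": first["file"].endswith("_ossl.c"),
        "call_chain": [f["func"] for f in frames],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print("%-20s %s" % (key, value))
```

For this excerpt the code decodes to layer `esapi` with error number 1, raised in `esys_crypto_ossl.c` at the `EVP_PKEY_new_mac_key` call, so the error was produced inside the library before any TPM response was involved.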

arsing changed the title from "Update install-build-deps.sh" to "Stop vendoring TPM2 libraries for RHEL 9" on Feb 20, 2024
Member

arsing commented Feb 20, 2024

Package build fails because we need to include tpm2-tss-devel in the list of dnf install'd packages too. But that by itself is also not sufficient because tpm2-tss-devel doesn't actually exist in the UBI 9 repos. Hugues and I are following up internally.
