Several TPM2.0 tests fail

Bug #1642118 reported by Jerry Kao
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OEM Priority Project | Won't Fix | Medium | Unassigned |
tpm2-tools (Ubuntu) | Won't Fix | High | Unassigned |

Bug Description

Install tpm2-tools, then run some test scripts from git (https://github.com/01org/tpm2.0-tools/tree/master/test). Several tests failed.

steps

1. Install tpm2.0-tools from xenial/universe
  $ sudo apt-get install tpm2.0-tools
2. Clone tpm2.0-tools for test script
  $ git clone https://github.com/01org/tpm2.0-tools
3. Run resource manager daemon
  $ sudo resourcemgr
4. Run test script
  $ cd tpm2.0-tools/test
  $ ./test_all.sh
5. Check test results in test_all_fail.log and test_all_pass.log

Expected results: TPM 2.0 test items should pass.

Actual results: TPM 2.0 test items failed.

test_tpm2_getrandom.sh pass
test_tpm2_hash.sh pass
test_tpm2_akparse.sh pass
test_tpm2_getpubek.sh pass
test_tpm2_makecredential.sh pass

test_tpm2_takeownership_all.sh fail
test_tpm2_nv.sh fail
test_tpm2_listpcrs.sh fail
test_tpm2_load.sh fail
test_tpm2_loadexternal.sh fail
test_tpm2_evictcontrol.sh fail
test_tpm2_hmac.sh fail
test_tpm2_quote.sh fail
test_tpm2_unseal.sh fail
test_tpm2_certify.sh fail
test_tpm2_evictcontrol.sh fail
test_tpm2_getpubak.sh fail
test_tpm2_activecredential.sh fail
test_tpm2_readpublic.sh fail
test_tpm2_rsaencrypt.sh fail
test_tpm2_rsadecrypt.sh fail
test_tpm2_encryptdecrypt.sh fail
test_tpm2_sign.sh fail
test_tpm2_verifysignature.sh fail

Additional information

tpm2-tools:
  Installed: 1.0.0+20160226.64b3334-0ubuntu2
  Candidate: 1.0.0+20160226.64b3334-0ubuntu2
  Version table:
 *** 1.0.0+20160226.64b3334-0ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status

Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

Linux u-Precision-7520 4.4.0-47-generic

If I compile and install the latest tpm2-tools from GitHub (https://github.com/01org/tpm2.0-tools), most tests pass.

test_tpm2_takeownership_all.sh pass
test_tpm2_nv.sh pass
test_tpm2_listpcrs.sh pass
test_tpm2_getrandom.sh pass
test_tpm2_load.sh pass
test_tpm2_loadexternal.sh pass
test_tpm2_evictcontrol.sh pass
test_tpm2_hash.sh pass
test_tpm2_hmac.sh pass
test_tpm2_akparse.sh pass
test_tpm2_certify.sh pass
test_tpm2_evictcontrol.sh pass
test_tpm2_getpubek.sh pass
test_tpm2_getpubak.sh pass
test_tpm2_makecredential.sh pass
test_tpm2_activecredential.sh pass
test_tpm2_readpublic.sh pass
test_tpm2_rsaencrypt.sh pass
test_tpm2_rsadecrypt.sh pass
test_tpm2_sign.sh pass
test_tpm2_verifysignature.sh pass

test_tpm2_quote.sh fail
test_tpm2_unseal.sh fail
test_tpm2_encryptdecrypt.sh fail

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: tpm2-tools 1.0.0+20160226.64b3334-0ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Nov 16 10:23:33 2016
DistributionChannelDescriptor:
 # This is a distribution channel descriptor
 # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
 canonical-oem-somerville-xenial-amd64-20160624-2
InstallationDate: Installed on 2016-11-02 (13 days ago)
InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 20160624-10:47
SourcePackage: tpm2-tools
UpgradeStatus: No upgrade log present (probably fresh install)

Jerry Kao (jerry.kao) wrote :
Changed in tpm2-tools (Ubuntu):
status: New → Confirmed
Chih-Hsyuan Ho (chih)
Changed in oem-priority:
importance: Undecided → High
importance: High → Critical
Sylvain Pineau (sylvain-pineau) wrote :

A new stable release of tpm2-tools was released last month (v1.1 - 2016-11-04) [1] in addition to TPM2.0-TSS 1.0 [2].

Basically, solving this bug means packaging the new upstream releases and backporting the packages to xenial (to replace the 2016/02 git snapshot).

[1] https://github.com/01org/tpm2.0-tools/blob/master/CHANGELOG
[2] https://github.com/01org/TPM2.0-TSS/blob/master/CHANGELOG.md

Ivan Hu (ivan.hu) wrote :

Those failures are mostly because the tests' use of "tpm2_takeownership -c" to clear the Hierarchy auth fails:

Start to clear the Hierarchy auth....

ClearControl Failed ! ErrorCode: 0x9a2

Error Code 0x9a2 means "TPM ERROR: SESSION #1, TPM_RC_BAD_AUTH: authorization failure without DA implications". So if you hit any 0x9a2 error, it is usually because the platform auth is not NULL or the owner auth is not NULL.

They have modified the tests to avoid this issue in the following patches on https://github.com/01org/tpm2.0-tools
commit 4d5c543ae056538f0ab1a1eaa6ed0cf3362f4b58
commit f18d77cdd6029af086ce0ac1a63a8afd86d7aceb
commit adba1405e1358c9ee987121ae5e7aff4fa44afd3

Some failures are due to a mismatch between the tool-wrapped applications and the test scripts.
The tpm2 packages we have were packaged on 2016.02.26, but the test scripts for tpm2-tools were developed from 2016.4.28. That means we used newer test scripts to test old wrapped applications,
so you can find error messages such as:

tpm2_listpcrs: invalid option -- 'L'
tpm2_quote: invalid option -- 'q'

gerald.yang (gerald-yang-tw) wrote :

I tried the latest tpm2.0-tools on GitHub, but most of the tests failed

cat test_all_fail.log
test_tpm2_takeownership_all.sh fail
test_tpm2_nv.sh fail
test_tpm2_listpcrs.sh fail
test_tpm2_load.sh fail
test_tpm2_loadexternal.sh fail
test_tpm2_evictcontrol.sh fail
test_tpm2_hmac.sh fail
test_tpm2_quote.sh fail
test_tpm2_unseal.sh fail
test_tpm2_akparse.sh fail
test_tpm2_certify.sh fail
test_tpm2_evictcontrol.sh fail
test_tpm2_getpubek.sh fail
test_tpm2_getpubak.sh fail
test_tpm2_makecredential.sh fail
test_tpm2_activecredential.sh fail
test_tpm2_readpublic.sh fail
test_tpm2_rsaencrypt.sh fail
test_tpm2_rsadecrypt.sh fail
test_tpm2_encryptdecrypt.sh fail
test_tpm2_sign.sh fail
test_tpm2_verifysignature.sh fail

cat test_all_pass.log
test_tpm2_getrandom.sh pass
test_tpm2_hash.sh pass

Ivan Hu (ivan.hu) wrote :

@gerald,

Which machine are you using? Could you attach a more detailed failure log?
It looks like you don't run resourcemgr accordingly.

Ivan Hu (ivan.hu) wrote :

I got the machine from Gerald, Ford-DVT2-C1.
After building and re-installing tpm2-tools v1.1.0 and TPM2-TSS 1.0.0, most tests pass:
test_tpm2_takeownership_all.sh pass
test_tpm2_nv.sh pass
test_tpm2_listpcrs.sh pass
test_tpm2_getrandom.sh pass
test_tpm2_load.sh pass
test_tpm2_loadexternal.sh pass
test_tpm2_evictcontrol.sh pass
test_tpm2_hash.sh pass
test_tpm2_hmac.sh pass
test_tpm2_akparse.sh pass
test_tpm2_certify.sh pass
test_tpm2_evictcontrol.sh pass
test_tpm2_getpubek.sh pass
test_tpm2_getpubak.sh pass
test_tpm2_makecredential.sh pass
test_tpm2_activecredential.sh pass
test_tpm2_readpublic.sh pass
test_tpm2_rsaencrypt.sh pass
test_tpm2_rsadecrypt.sh pass
test_tpm2_sign.sh pass
test_tpm2_verifysignature.sh pass

only
test_tpm2_quote.sh fail
test_tpm2_unseal.sh fail
test_tpm2_encryptdecrypt.sh fail

So the comment from #4 should be a false alarm.

Kristin Chuang (kristinchuang) wrote :

Many thanks to Scott Sweeny who provided the attached new packages
tpm2-new-packages.tar.gz for a trial test.

Results below, I think we can separate the issues we see now into 2
different conclusions:

[CASE A]
With new TPM2 packages + latest test scripts in
https://github.com/01org/tpm2.0-tools (scripts in test/system/*), we see
the following 6 failures:
    --------------
    (a) test_tpm2_quote.sh fail
    (b) test_tpm2_unseal.sh fail
    (c) test_tpm2_encryptdecrypt.sh fail
    (d) test_tpm2_send_command.sh fail
    (e) test_tpm2_dump_capability.sh fail
    (f) test_tpm2_startup.sh fail
    --------------
Note that tests (d)~(f) are new cases that were previously not in github.
If we exclude cases (d)~(f), our outcome matches (1) the results using
"tpm2" snap and (2) results in comment #6.

=> CONCLUSION: The packages provided by Scott are confirmed working as expected.

[CASE B]
With new TPM2 packages + plainbox-provider-tpm2 (0.31~ppa~ubuntu16.04.1):
    --------------
    Most cases still fail, see attached
tpm2-new-packages_plainbox-report.html
    --------------
=> CONCLUSION: seems like an update is required for
plainbox-provider-tpm2 to (a) resolve these failures and (b) include new
cases introduced in github if needed

Yuan-Chen Cheng (ycheng-twn) wrote :

We should use the test scripts corresponding to the tpm2-tools version so that we won't test against commands that do not exist.

To test v1.1.0, we should do something like

git clone https://github.com/01org/tpm2.0-tools -b v1.1.0

Changed in oem-priority:
status: New → Incomplete
Jerry Kao (jerry.kao) wrote :

The test results in the original description (2nd part) and in comment #6 were from testing tpm2-tools 1.1.0 with the test script from the same version.

The result is consistent: the following 3 tests fail.
test_tpm2_quote.sh fail
test_tpm2_unseal.sh fail
test_tpm2_encryptdecrypt.sh fail

But the main issue here is that the tpm2-tools version in xenial/universe is outdated: 1.0.0, built on 20160226. No matter what version of the test script we used, most test cases failed.

Changed in oem-priority:
status: Incomplete → Confirmed
Changed in tpm2-tools (Ubuntu):
importance: Undecided → Medium
importance: Medium → High
gerald.yang (gerald-yang-tw) wrote :

For the three failures, the meaning of error code:

1. test_tpm2_unseal.sh
u@u-Embedded-Box-PC-3000:~/tpm2.0-tools/test/system$ tpm2_rc_decode 0x9a2
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 1 error code
  hex: 0x22
  identifier: TPM_RC_BAD_AUTH
  description: authorization failure without DA implications
session
  hex: 0x100
  identifier: TPM_RC_1
  description: (null)

Not sure if this error 0x9a2 relates to comment #3

2. test_tpm2_encryptdecrypt.sh
u@u-Embedded-Box-PC-3000:~/tpm2.0-tools/test/system$ tpm2_rc_decode 0x143
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 0 error code
  hex: 0x43
  name: TPM_RC_COMMAND_CODE
  description: command code not supported

0x143 means command code not supported.

3. test_tpm2_quote.sh
u@u-Embedded-Box-PC-3000:~/tpm2.0-tools/test/system$ tpm2_rc_decode 0x1d5
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 1 error code
  hex: 0x15
  identifier: TPM_RC_SIZE
  description: structure is the wrong size
parameter
  hex: 0x100
  identifier: TPM_RC_1
  description: (null)

Not sure if it's a bug in the tool for 0x1d5.
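
The three return codes decoded above (and the 0x9a2 reading given in the earlier comment) follow the TPM 2.0 response-code bit layout. The decoder below is an added example, not part of the bug thread or of tpm2-tools; the function names are illustrative and the name tables are deliberately limited to the three codes reported in this bug.

```python
# Added example: field layout of a TPM 2.0 response code (TPM_RC).
# Name tables cover only the three codes reported in this bug (assumption:
# anything else is returned as "unknown" rather than guessed).
FMT0_NAMES = {0x143: "TPM_RC_COMMAND_CODE"}                  # full 12-bit code
FMT1_NAMES = {0x15: "TPM_RC_SIZE", 0x22: "TPM_RC_BAD_AUTH"}  # 6-bit number


def decode_tpm_rc(rc: int) -> dict:
    """Split a 32-bit TSS/TPM return code into its fields."""
    out = {"layer": (rc >> 16) & 0xFF}        # 0 = error produced by the TPM
    code = rc & 0xFFF
    if code == 0:
        out.update(format=0, name="TPM_RC_SUCCESS")
    elif code & 0x080:                        # bit 7 set: format-one code
        num = code & 0x03F                    # bits 0-5: error number
        n = (code >> 8) & 0xF                 # bits 8-11: which argument
        if code & 0x040:                      # bit 6 (P): parameter error
            subject, index = "parameter", n
        elif n & 0x8:                         # bit 11: session error
            subject, index = "session", n & 0x7
        else:                                 # otherwise a handle error
            subject, index = "handle", n & 0x7
        out.update(format=1, number=num, subject=subject, index=index,
                   name=FMT1_NAMES.get(num, "unknown"))
    else:                                     # format-zero code
        out.update(format=0, number=code & 0x07F,
                   tpm20=bool(code & 0x100),      # bit 8: TPM 2.0 code
                   vendor=bool(code & 0x400),     # bit 10: vendor-defined
                   warning=bool(code & 0x800),    # bit 11: warning, not error
                   name=FMT0_NAMES.get(code, "unknown"))
    return out


def describe(rc: int) -> str:
    """One-line summary, e.g. for annotating a failed test log."""
    d = decode_tpm_rc(rc)
    where = f" ({d['subject']} {d['index']})" if d["format"] == 1 else ""
    return f"0x{rc:x}: {d['name']}{where}"


if __name__ == "__main__":
    for rc in (0x9A2, 0x143, 0x1D5):          # codes reported in this bug
        print(describe(rc))
```

Bit 7 is what separates 0x9a2 (a format-one error tied to session 1) from a format-zero code that happens to share its low bits, which is why the low byte alone cannot be looked up in a single table.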

Yuan-Chen Cheng (ycheng-twn) wrote :

Change priority to high in oem-priority unless PM wants critical

Changed in oem-priority:
importance: Critical → High
Leo-Chen (leo-chen) wrote :

Hi

May I know about the tpm2_rc_decode 0x1d5 and tpm2_rc_decode 0x143 failed status? Is it a tool bug, or can it be ignored on this test TPM?

Samantha Jian-Pielak (samantha-jian) wrote :

Hi Leo,
Could you share more details on the error messages and the tests that were run?

Changed in oem-priority:
importance: High → Medium
Changed in tpm2-tools (Ubuntu):
status: Confirmed → Won't Fix
Changed in oem-priority:
status: Confirmed → Won't Fix