Cannot load certificate stored in NVM

Bug #1970999 reported by Jim Sievert
This bug affects 2 people
Affects               | Status       | Importance | Assigned to   | Milestone
tpm2-openssl (Ubuntu) | Fix Released | Undecided  | Unassigned    |
Jammy                 | Fix Released | Undecided  | Luca Boccassi |
Kinetic               | Fix Released | Undecided  | Luca Boccassi |
Lunar                 | Fix Released | Undecided  | Unassigned    |

Bug Description

[ Impact ]
Makes it impossible to use certain TPM functionality via openssl, specifically extracting the TPM vendor certificate stored in NVM.

[ Test Plan ]
Run the appropriate command on a machine with an affected TPM.

Before the fix:

root@jammy:/tmp# openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x000001c4)
Could not read certificate from handle:0x1c0000a
40C70C33C37F0000:error:4000000C:tpm2::cannot load key::-1:452 tpm:parameter(1):value is out of range or is not correct for the context
Unable to load certificate

After the fix:

root@jammy:~# openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
-----BEGIN CERTIFICATE-----
MIIDBDCCAqmgAwIBAgIUBojh2fQZ3 <...>
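
The check above is what SRU verifiers repeat by hand on each release. The following helper is an added example, not part of this bug report or of the tpm2-openssl project: it runs the same openssl command against a TPM NV handle, classifies the result using the error text quoted above, and on success feeds the returned PEM back through openssl so that a garbled certificate is not mistaken for a pass. The handle 0x1c0000a and the error strings come from the report; the function names and the sample strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the tpm2-openssl project): a small
# helper for repeating the test plan's check during SRU verification.

# Sample outputs, constructed from the "before" and "after" transcripts in the
# test plan, so the classifier can be exercised on a machine without a TPM.
SAMPLE_AFFECTED='Could not read certificate from handle:0x1c0000a
40C70C33C37F0000:error:4000000C:tpm2::cannot load key::-1:452 tpm:parameter(1):value is out of range or is not correct for the context
Unable to load certificate'
SAMPLE_FIXED='-----BEGIN CERTIFICATE-----
MIIDBDCCAqmgAwIBAgIUBojh2fQZ3
-----END CERTIFICATE-----'

# classify_openssl_output OUTPUT
# Prints "fixed" when a PEM certificate came back (exit 0), "affected" when the
# provider reported the failure from the bug (exit 1) and "unknown" otherwise
# (exit 2), so an unrelated failure (no TPM, missing provider) is never
# reported as either a pass or a reproduction of this bug.
classify_openssl_output() {
    case "$1" in
        *"-----BEGIN CERTIFICATE-----"*) echo fixed;    return 0 ;;
        *"cannot load key"*)             echo affected; return 1 ;;
        *)                               echo unknown;  return 2 ;;
    esac
}

# tpm2_nv_cert_check [HANDLE]
# Runs the exact command from the test plan (default: the handle from the
# report), classifies the result and, on success, parses the certificate with
# openssl and prints its subject, issuer and validity dates.
# Needs a TPM and the tpm2 provider; exit status follows the classifier.
tpm2_nv_cert_check() {
    handle=${1:-handle:0x1c0000a}
    out=$(openssl x509 -provider tpm2 -provider default -in "$handle" 2>&1)
    verdict=$(classify_openssl_output "$out")
    rc=$?
    echo "$handle: $verdict"
    if [ "$verdict" = fixed ]; then
        # A PEM header alone is not proof; make openssl parse the whole thing.
        printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates || return 3
    else
        printf '%s\n' "$out"
    fi
    return $rc
}

# The live check only runs when invoked with --run, e.g.:
#   sh nv_cert_check.sh --run                    # default handle 0x1c0000a
#   sh nv_cert_check.sh --run handle:0x1c0000a
if [ "${1-}" = "--run" ]; then
    tpm2_nv_cert_check "${2-}"
fi
```

The three-way verdict is deliberate: on a host without a TPM or without the provider package installed, openssl fails with a different message, and a verifier who only grepped for the PEM header would wrongly record that as the bug still reproducing.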

[ Where problems could occur ]
Theoretically, loading from NVM could be affected, but the fix comes from upstream and no regressions due to this change have been reported in half a year.

[Original Description]
$ lsb_release -rd
Description: Ubuntu 22.04 LTS
Release: 22.04

$ apt-cache policy tpm2-openssl
tpm2-openssl:
  Installed: 1.0.1-1
  Candidate: 1.0.1-1
  Version table:
 *** 1.0.1-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

Please see https://github.com/tpm2-software/tpm2-openssl/issues/35.

Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu):
status: New → Confirmed
Luca Boccassi (bluca) wrote :

Fixed and tested package available on ubuntu/jammy on Salsa: https://salsa.debian.org/debian/tpm2-openssl/-/tree/ubuntu/jammy

description: updated
Luca Boccassi (bluca) wrote : affects Ubuntu/Jammy

affects Ubuntu/Jammy
status confirmed

Changed in tpm2-openssl (Ubuntu Lunar):
status: Confirmed → Fix Released
Changed in tpm2-openssl (Ubuntu Kinetic):
status: New → Confirmed
Changed in tpm2-openssl (Ubuntu Jammy):
status: New → Confirmed
Luca Boccassi (bluca) wrote :

Also prepared and tested an ubuntu/kinetic branch on Salsa, ready for sponsor upload: https://salsa.debian.org/debian/tpm2-openssl/-/tree/ubuntu/kinetic

Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Jammy):
status: Confirmed → In Progress
Changed in tpm2-openssl (Ubuntu Kinetic):
status: Confirmed → In Progress
Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Jammy):
assignee: nobody → Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Kinetic):
assignee: nobody → Luca Boccassi (bluca)
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Jim, or anyone else affected,

Accepted tpm2-openssl into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tpm2-openssl/1.1.0-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in tpm2-openssl (Ubuntu Kinetic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-kinetic
Łukasz Zemczak (sil2100) wrote :

Hello Jim, or anyone else affected,

Accepted tpm2-openssl into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tpm2-openssl/1.0.1-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in tpm2-openssl (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Luca Boccassi (bluca) wrote :

Tested 1.0.1-1ubuntu0.1 in Jammy, fixes the issue for me.

Luca Boccassi (bluca)
tags: added: verification-done verification-done-jammy verification-done-kinetic
removed: verification-needed verification-needed-jammy verification-needed-kinetic
tags: removed: verification-done
Brian Murray (brian-murray) wrote :

I only see information about this being tested in Jammy, not Kinetic, so I'm setting the verification tag for kinetic back to needed.

tags: added: verification-needed-kinetic
removed: verification-done-kinetic
Luca Boccassi (bluca) wrote (last edit ):

I have done the same tests as on jammy on a kinetic image; these issues are fixed there too. I ran the check from the bug description and verified it works on kinetic (package version 1.1.0-2ubuntu0.1 from proposed) and on jammy (package version 1.0.1-1ubuntu0.1 from proposed).

tags: added: verification-done-kinetic
removed: verification-needed-kinetic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tpm2-openssl - 1.1.0-2ubuntu0.1

---------------
tpm2-openssl (1.1.0-2ubuntu0.1) kinetic; urgency=medium

  * Backport patch to make EC keys provide
    OSSL_PKEY_PARAM_MANDATORY_DIGEST (LP: #1971000)
  * Backport patch to fix using tpm2-openssl on Azure (LP: #1996498)
  * Backport patches to fix loading certificates from NVM (LP: #1970999)

 -- Luca Boccassi <email address hidden> Tue, 06 Dec 2022 14:30:58 +0000

Changed in tpm2-openssl (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for tpm2-openssl has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tpm2-openssl - 1.0.1-1ubuntu0.1

---------------
tpm2-openssl (1.0.1-1ubuntu0.1) jammy; urgency=medium

  * Backport patch to make EC keys provide
    OSSL_PKEY_PARAM_MANDATORY_DIGEST (LP: #1971000)
  * Backport patch to fix using tpm2-openssl on Azure (LP: #1996498)
  * Backport patches to fix loading certificates from NVM (LP: #1970999)

 -- Luca Boccassi <email address hidden> Mon, 05 Dec 2022 20:14:05 +0000

Changed in tpm2-openssl (Ubuntu Jammy):
status: Fix Committed → Fix Released