Cannot load certificate stored in NVM
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tpm2-openssl (Ubuntu) | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Luca Boccassi |
Kinetic | Fix Released | Undecided | Luca Boccassi |
Lunar | Fix Released | Undecided | Unassigned |
Bug Description
[ Impact ]
Makes it impossible to use certain TPM functionality via openssl, more precisely extracting the TPM vendor certificate.
[ Test Plan ]
Run the appropriate command on a machine with an affected TPM.
Before the fix:
root@jammy:/tmp# openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
WARNING:
ERROR:esys:
Could not read certificate from handle:0x1c0000a
40C70C33C37F000
Unable to load certificate
After the fix:
root@jammy:~# openssl x509 -provider tpm2 -provider default -in handle:0x1c0000a
-----BEGIN CERTIFICATE-----
MIIDBDCCAqmgAwI
[ Where problems could occur ]
Theoretically loading from NVM could be affected, but the fix is from upstream and no regressions due to this change have been reported in half a year.
[Original Description]
$ lsb_release -rd
Description: Ubuntu 22.04 LTS
Release: 22.04
$ apt-cache policy tpm2-openssl
tpm2-openssl:
Installed: 1.0.1-1
Candidate: 1.0.1-1
Version table:
*** 1.0.1-1 500
500 http://
100 /var/lib/
Please see https:/
Changed in tpm2-openssl (Ubuntu):
status: New → Confirmed
Changed in tpm2-openssl (Ubuntu Lunar):
status: Confirmed → Fix Released
Changed in tpm2-openssl (Ubuntu Kinetic):
status: New → Confirmed
Changed in tpm2-openssl (Ubuntu Jammy):
status: New → Confirmed
Changed in tpm2-openssl (Ubuntu Jammy):
status: Confirmed → In Progress
Changed in tpm2-openssl (Ubuntu Kinetic):
status: Confirmed → In Progress
Changed in tpm2-openssl (Ubuntu Jammy):
assignee: nobody → Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Kinetic):
assignee: nobody → Luca Boccassi (bluca)
tags: added: verification-done verification-done-jammy verification-done-kinetic; removed: verification-needed verification-needed-jammy verification-needed-kinetic
tags: removed: verification-done
Fixed and tested package available on ubuntu/jammy on Salsa: https://salsa.debian.org/debian/tpm2-openssl/-/tree/ubuntu/jammy