tpm2-openssl cannot be used with TPM chips exposing spec level below 1.38 (e.g. Azure)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tpm2-openssl (Ubuntu) | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Luca Boccassi |
Kinetic | Fix Released | Undecided | Luca Boccassi |
Lunar | Fix Released | Undecided | Unassigned |
Bug Description
[ Impact ]
Ubuntu Jammy images running in Azure cannot use the TPM via tpm2-openssl, because the TPM2_CreateLoaded command that tpm2-openssl relies on was only introduced with Specification Level 1.38. The SLB9665 chip used in Azure supports 1.16 and has no update to 1.38, so this command is not available there.
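Before running the test plan it helps to know whether a given TPM is below 1.38 at all. The following POSIX shell snippet is an added example, not part of the bug report or of tpm2-openssl: it parses `tpm2_getcap properties-fixed` output and reports whether TPM2_CreateLoaded can be expected. It assumes the tpm2-tools output shape (a `TPM2_PT_REVISION:` block whose `raw:` value is the revision in hundredths, 0x8A = 1.38) and runs on a constructed sample rather than a real capture.

```shell
#!/bin/sh
# Added example (not from the bug report or tpm2-openssl): decide from
# "tpm2_getcap properties-fixed" output whether a TPM is below spec 1.38
# and therefore lacks TPM2_CreateLoaded, the case this bug describes.
# Assumption: tpm2-tools prints a "TPM2_PT_REVISION:" block whose "raw:"
# value is the revision in hundredths (0x74 = 116 -> 1.16, 0x8A = 138 -> 1.38).

# Print the spec revision (e.g. "1.38") parsed from getcap text on stdin.
tpm_spec_revision() {
    awk '
        $1 == "TPM2_PT_REVISION:" { in_rev = 1; next }
        in_rev && $1 == "raw:"    { raw = $2; exit }
        END {
            if (raw == "") exit 1
            # strtonum() is gawk-only, so decode 0x hex by hand.
            if (raw ~ /^0[xX]/) {
                hex = tolower(substr(raw, 3)); n = 0
                for (i = 1; i <= length(hex); i++)
                    n = n * 16 + index("0123456789abcdef", substr(hex, i, 1)) - 1
            } else n = raw + 0
            printf "%d.%02d\n", int(n / 100), n % 100
        }'
}

# Exit 0 when the TPM is at or above 1.38 (TPM2_CreateLoaded available),
# 1 when it is older and needs a TPM2_Create + TPM2_Load fallback,
# 2 when no revision could be parsed from the input.
has_create_loaded() {
    rev=$(tpm_spec_revision) || return 2
    major=${rev%%.*}; minor=${rev#*.}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 38 ]; }
}

# Constructed sample in the shape tpm2_getcap prints (not a real capture).
SAMPLE_OLD='TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_LEVEL:
  raw: 0
TPM2_PT_REVISION:
  raw: 0x74
  value: 1.16'

# Demo on the sample; on a live system pipe real output instead:
#   tpm2_getcap properties-fixed | has_create_loaded
if printf '%s\n' "$SAMPLE_OLD" | has_create_loaded; then
    echo "TPM2_CreateLoaded available"
else
    echo "spec $(printf '%s\n' "$SAMPLE_OLD" | tpm_spec_revision): needs Create+Load fallback"
fi
```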
[ Test Plan ]
On an affected machine, run the appropriate command to reproduce the issue. Before the fix:

```
root@jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
using curve name prime256v1 instead of secp256r1
WARNING:
ERROR:esys:
unable to generate key
4027962DC27F000
```

After the fix:

```
root@jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
using curve name prime256v1 instead of secp256r1
root@jammy:/tmp# cat root.key.pem
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN TSS2 PRIVATE KEY-----
MIHPBgZngQUKAQO
7F1JAtETed5TWce
VnCvpjJWxx2+
f7QfqYhkABC/
5EJMJBtE0ScaVXq
-----END TSS2 PRIVATE KEY-----
```
[ Where problems could occur ]
The fix touches the core part of the library that talks to the TPM, so any functionality could be affected. However, the fix has been upstream and released for half a year, and no regressions have been reported.
[ Original Description ]
Hi,
Here are the technical details:
---
lmussier@
```
Description: Ubuntu 22.04.1 LTS
Release: 22.04
```
---
lmussier@
```
tpm2-openssl:
Installed: (none)
Candidate: 1.0.1-1
Version table:
1.0.1-1 500
500 http://
```
---
Could you consider upgrading this package to https:/
In the currently provided package there is an issue preventing its use on some hardware and virtual machines.
See https:/
1.1.1 is a huge improvement for usability, since one can use this package even on virtual appliances.
I personally use Azure VMs and I can't use the TPM out of the box.
Regards.
Changed in tpm2-openssl (Ubuntu): status: New → Confirmed
Changed in tpm2-openssl (Ubuntu Lunar): status: Confirmed → Fix Released
Changed in tpm2-openssl (Ubuntu Kinetic): status: New → Confirmed
Changed in tpm2-openssl (Ubuntu Jammy): status: New → Confirmed
Changed in tpm2-openssl (Ubuntu Jammy): status: Confirmed → In Progress
Changed in tpm2-openssl (Ubuntu Kinetic): status: Confirmed → In Progress
Changed in tpm2-openssl (Ubuntu Jammy): assignee: nobody → Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Kinetic): assignee: nobody → Luca Boccassi (bluca)
tags: added: verification-done verification-done-jammy verification-done-kinetic; removed: verification-needed verification-needed-jammy verification-needed-kinetic
tags: removed: verification-done
tags: added: verification-needed-kinetic; removed: verification-done-kinetic
tags: added: verification-done-kinetic; removed: verification-needed-kinetic
Fixed and tested package available on ubuntu/jammy on Salsa: https://salsa.debian.org/debian/tpm2-openssl/-/tree/ubuntu/jammy