tpm2-openssl cannot be used with TPM chips exposing spec level below 1.38 (eg: Azure)

Bug #1996498 reported by Mussier
Affects                 Status         Importance   Assigned to      Milestone
tpm2-openssl (Ubuntu)   Fix Released   Undecided    Unassigned
  Jammy                 Fix Released   Undecided    Luca Boccassi
  Kinetic               Fix Released   Undecided    Luca Boccassi
  Lunar                 Fix Released   Undecided    Unassigned

Bug Description

[ Impact ]
Ubuntu Jammy images running in Azure cannot use the TPM via tpm2-openssl, as the TPM2_CreateLoaded function that tpm2-openssl uses was only introduced with Specification Level 1.38. The SLB9665 chip which is used in Azure supports 1.16 and does not have an update to 1.38, so this function is not available.

[ Test Plan ]
On an affected machine, run the following command to reproduce the issue. Before the fix:

root@jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
using curve name prime256v1 instead of secp256r1
WARNING:esys:src/tss2-esys/api/Esys_CreateLoaded.c:368:Esys_CreateLoaded_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)
unable to generate key
4027962DC27F0000:error:4000000B:tpm2::cannot create key::-1:721219 rmt:error(2.0): command code not supported

After the fix:

root@jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
using curve name prime256v1 instead of secp256r1
root@jammy:/tmp# cat root.key.pem
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN TSS2 PRIVATE KEY-----
MIHPBgZngQUKAQOgAwEBAQIEQAAAAQRYAFYAIwALAAYAcgAAABAAEAADABAAIJxE
7F1JAtETed5TWceDbgpTM3mKIfnhcRurZCuwlH+fACBYDxdv5OgU5bWAVV3OteEm
VnCvpjJWxx2+9ck/IcrxlARgAF4AICnQLh8FddTTqK5b3R632Jbgy8R0gEEHzW6C
f7QfqYhkABC/aq8GiGMQu5hZfe8U6I08o/LrEdku7EFKoGtWpVhZrNVWV5fg6Ymh
5EJMJBtE0ScaVXqCbIztSyIU
-----END TSS2 PRIVATE KEY-----
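A pre-flight check for the condition described in the Impact section, added here as an example (it is not part of the bug report or of tpm2-openssl): it reads the capability output of tpm2-tools' tpm2_getcap (the 5.x YAML format is assumed) and tells whether the TPM advertises TPM2_CreateLoaded at all, using constructed sample output so it runs without a TPM.

```shell
# Added example, not code from the bug report or from tpm2-openssl.
# tpm2-openssl 1.0.x calls TPM2_CreateLoaded (new in TPM 2.0 spec level 1.38);
# a 1.16 chip such as the SLB9665 behind Azure VMs answers "command code not
# supported". The helpers parse the YAML printed by tpm2-tools' tpm2_getcap
# (assumed 5.x output format) on stdin; on a real host run, for example:
#   tpm2_getcap properties-fixed | tpm_revision
#   tpm2_getcap commands | has_create_loaded && echo "CreateLoaded ok"
# Print the spec revision listed under TPM2_PT_REVISION, e.g. 1.16 or 1.38.
tpm_revision() {
    awk '$1 == "TPM2_PT_REVISION:" { in_rev = 1; next }
         in_rev && $1 == "value:"  { print $2; exit }'
}

# Succeed iff the command list advertises TPM2_CC_CreateLoaded (code 0x191).
has_create_loaded() {
    grep -q '^TPM2_CC_CreateLoaded:'
}

# $1 = properties-fixed output, $2 = commands output. Prints a verdict and
# returns 0 when unpatched tpm2-openssl can create keys on this TPM, 1 when
# the fixed package from this bug is required.
tpm2_openssl_preflight() {
    rev=$(printf '%s\n' "$1" | tpm_revision)
    if printf '%s\n' "$2" | has_create_loaded; then
        echo "ok: spec ${rev:-unknown}, TPM2_CreateLoaded available"
        return 0
    fi
    echo "unsupported: spec ${rev:-unknown}, no TPM2_CreateLoaded (install the fixed tpm2-openssl)"
    return 1
}
# Constructed sample output modelled on an SLB9665 at spec level 1.16.
OLD_PROPS='TPM2_PT_FAMILY_INDICATOR:
  value: "2.0"
TPM2_PT_REVISION:
  raw: 0x74
  value: 1.16'
OLD_CMDS='TPM2_CC_Create:
  commandIndex: 0x153
TPM2_CC_Load:
  commandIndex: 0x157'
# Constructed sample for a spec 1.38 chip that also lists CreateLoaded.
NEW_PROPS='TPM2_PT_REVISION:
  raw: 0x8A
  value: 1.38'
NEW_CMDS="$OLD_CMDS
TPM2_CC_CreateLoaded:
  commandIndex: 0x191"
tpm2_openssl_preflight "$OLD_PROPS" "$OLD_CMDS" || true
tpm2_openssl_preflight "$NEW_PROPS" "$NEW_CMDS"
```

The 0x143 in the TPM error code shown above (0x000b0143) is the "command code not supported" return code that the unpatched provider runs into on such a chip; the check above lets you spot that before deploying.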

[ Where problems could occur ]
The fix affects the core part of the library that talks to the TPM, so any functionality could be affected. However, the fix has been upstream and released for half a year, and no regressions have been reported.

[ Original Description ]
Hi,

Here are the technical details:

---
lmussier@lmussier-vm:~$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04

---

lmussier@lmussier-vm:~$ apt-cache policy tpm2-openssl
tpm2-openssl:
  Installed: (none)
  Candidate: 1.0.1-1
  Version table:
     1.0.1-1 500
        500 http://ch.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

---

Could you consider upgrading this package to https://github.com/tpm2-software/tpm2-openssl/releases/tag/1.1.1?

In the currently provided package there is an issue preventing its use on some hardware and virtual machines.
See https://github.com/tpm2-software/tpm2-openssl/commit/83cc5c20515f9b008b6dbce0b3a60c71744ee23a for details.

Version 1.1.1 is a huge improvement in usability, since one can use this package even on virtual appliances.
I personally use Azure VMs and I can't use the TPM out of the box.

Regards.

Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu):
status: New → Confirmed
Luca Boccassi (bluca) wrote :

Fixed and tested package available on ubuntu/jammy on Salsa: https://salsa.debian.org/debian/tpm2-openssl/-/tree/ubuntu/jammy

description: updated
summary: - Could you consider to upgrade to 1.1.1
+ tpm2-openssl cannot be used with TPM chips exposing spec level below
+ 1.38 (eg: Azure)
Changed in tpm2-openssl (Ubuntu Lunar):
status: Confirmed → Fix Released
Changed in tpm2-openssl (Ubuntu Kinetic):
status: New → Confirmed
Changed in tpm2-openssl (Ubuntu Jammy):
status: New → Confirmed
Luca Boccassi (bluca) wrote :

Also prepared and tested an ubuntu/kinetic branch on Salsa, ready for sponsor upload: https://salsa.debian.org/debian/tpm2-openssl/-/tree/ubuntu/kinetic

Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Jammy):
status: Confirmed → In Progress
Changed in tpm2-openssl (Ubuntu Kinetic):
status: Confirmed → In Progress
Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Jammy):
assignee: nobody → Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Kinetic):
assignee: nobody → Luca Boccassi (bluca)
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Mussier, or anyone else affected,

Accepted tpm2-openssl into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tpm2-openssl/1.1.0-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in tpm2-openssl (Ubuntu Kinetic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-kinetic
Łukasz Zemczak (sil2100) wrote :

Hello Mussier, or anyone else affected,

Accepted tpm2-openssl into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tpm2-openssl/1.0.1-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in tpm2-openssl (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Luca Boccassi (bluca) wrote :

Tested 1.0.1-1ubuntu0.1 in Jammy, fixes the issue for me.

Mussier (lmussier) wrote :

Tested 1.0.1-1ubuntu0.1 in Jammy on an Azure VM, fixes the issue for me too.

Luca Boccassi (bluca)
tags: added: verification-done verification-done-jammy verification-done-kinetic
removed: verification-needed verification-needed-jammy verification-needed-kinetic
tags: removed: verification-done
tags: added: verification-needed-kinetic
removed: verification-done-kinetic
Luca Boccassi (bluca)
tags: added: verification-done-kinetic
removed: verification-needed-kinetic
Luca Boccassi (bluca) wrote :

I have done the same tests as on jammy on a kinetic image; these issues are fixed there too. I ran the check from the bug description, and verified it works on kinetic (package version 1.1.0-2ubuntu0.1 from proposed) and on jammy (package version 1.0.1-1ubuntu0.1 from proposed).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tpm2-openssl - 1.1.0-2ubuntu0.1

---------------
tpm2-openssl (1.1.0-2ubuntu0.1) kinetic; urgency=medium

  * Backport patch to make EC keys provide
    OSSL_PKEY_PARAM_MANDATORY_DIGEST (LP: #1971000)
  * Backport patch to fix using tpm2-openssl on Azure (LP: #1996498)
  * Backport patches to fix loading certificates from NVM (LP: #1970999)

 -- Luca Boccassi <email address hidden> Tue, 06 Dec 2022 14:30:58 +0000

Changed in tpm2-openssl (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for tpm2-openssl has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tpm2-openssl - 1.0.1-1ubuntu0.1

---------------
tpm2-openssl (1.0.1-1ubuntu0.1) jammy; urgency=medium

  * Backport patch to make EC keys provide
    OSSL_PKEY_PARAM_MANDATORY_DIGEST (LP: #1971000)
  * Backport patch to fix using tpm2-openssl on Azure (LP: #1996498)
  * Backport patches to fix loading certificates from NVM (LP: #1970999)

 -- Luca Boccassi <email address hidden> Mon, 05 Dec 2022 20:14:05 +0000

Changed in tpm2-openssl (Ubuntu Jammy):
status: Fix Committed → Fix Released