tpm2_nvwrite using an offset causes a TPM error

Bug #2051876 reported by Andrew Oswald
This bug affects 1 person
Affects: tpm2-tools (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

The latest from tpm2-software (https://github.com/tpm2-software) fixes the issue. Would it be possible to update the current tpm2-tools .deb (and its dependencies) to reflect the current code so it can be made available by way of conventional package upgrades?

1) release info:
lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04

2) version of the package:
apt-cache policy tpm2-tools
tpm2-tools:
  Installed: 5.2-1build1
  Candidate: 5.2-1build1
  Version table:
 *** 5.2-1build1 500
        500 http://us.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

3) what I expected to happen:
Data to be written to a TPM's non-volatile memory at a specified offset.

4) what happened instead:
WARNING:esys:src/tss2-esys/api/Esys_NV_Write.c:310:Esys_NV_Write_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Write.c:110:Esys_NV_Write() Esys Finish ErrorCode (0x0000098e)
ERROR: Failed to write NV area at index 0x1000002
ERROR: Tss2_Sys_NV_Write(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
ERROR: Unable to run tpm2_nvwrite

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: tpm2-tools 5.2-1build1
ProcVersionSignature: Ubuntu 6.5.0-14.14~22.04.1-generic 6.5.3
Uname: Linux 6.5.0-14-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Wed Jan 31 14:14:07 2024
InstallationDate: Installed on 2024-01-16 (14 days ago)
InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2)
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: tpm2-tools
UpgradeStatus: No upgrade log present (probably fresh install)

Andrew Oswald (aroswa) wrote :
description: updated
Sudip Mukherjee (sudipmuk) wrote :

Thanks for reporting the bug.
I tried to reproduce the issue on Jammy but could not reproduce it. The following is from my session:

# tpm2_nvdefine -C o -s 32 -a "ownerread|policywrite|ownerwrite" 1
nv-index: 0x1000001

# echo "please123abc" > nv.dat

# tpm2_nvwrite -C o -i nv.dat 1

# tpm2_nvread -C o -s 32 1
please123abc

# apt-cache policy tpm2-tools
tpm2-tools:
  Installed: 5.2-1build1
  Candidate: 5.2-1build1
  Version table:
 *** 5.2-1build1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

It will really help us if you can please give the steps that you followed to reproduce the issue.

I am marking the bug as Incomplete till then, please change the status back to New when you add the steps.

Changed in tpm2-tools (Ubuntu):
status: New → Incomplete
Andrew Oswald (aroswa) wrote :

Thanks for looking into this, Sudip! I will need to write up explicit instructions, but the issue only shows up when you attempt to write to an offset, which (I would presume) is why your test didn't produce any issues. My use case is storing a DER-encoded x509 certificate whose footprint exceeds the TPM data bus size, thus requiring multiple tpm2_nvwrite calls, with any call other than the initial one requiring the --offset flag and the appropriate offset starting point.

Andrew Oswald (aroswa) wrote :

Hello again, Sudip, hope this message finds you well!

I attempted to recreate the issue using a cert whose footprint exceeds the 1,024-byte TPM data bus by using two tpm2_nvwrite commands (the second of which specifies --offset=1024) and I'm happy to report that it's working!

However, we were experiencing the issue on HP gear and this is a Dell laptop, so I still need to test it on HP.

thanks again!
-andy
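
The multi-call write described in the comments above, as an added example that is not code from the thread or from tpm2-tools. It assumes 1,024-byte chunks, owner-hierarchy authorization (`-C o`, as in the session earlier in the thread) and an NV index already defined large enough to hold the file; `nv_chunk_plan`, `nv_write_chunked` and `DRY_RUN` are hypothetical names.

```shell
# Added example (not from the thread or tpm2-tools). Assumptions: the NV index
# is already defined with a size >= the file, and owner auth (-C o) applies.

# Print one "offset length" pair per line for a blob of $1 bytes split into
# chunks of at most $2 bytes.
nv_chunk_plan() {
    local total="$1" chunk="$2" off=0 len
    [ "$chunk" -gt 0 ] || return 1
    while [ "$off" -lt "$total" ]; do
        len=$(( total - off ))
        if [ "$len" -gt "$chunk" ]; then len="$chunk"; fi
        echo "$off $len"
        off=$(( off + len ))
    done
}

# Write file $1 to NV index $2 in chunks of $3 bytes, one tpm2_nvwrite per chunk.
# DRY_RUN=1 prints each command instead of touching the TPM.
nv_write_chunked() {
    local file="$1" index="$2" chunk="$3" total tmp rc off len n
    total=$(wc -c < "$file" | tr -d ' ') || return 1
    tmp=$(mktemp) || return 1
    nv_chunk_plan "$total" "$chunk" | while read -r off len; do
        # Cut this chunk's bytes out of the input file.
        dd if="$file" of="$tmp" bs=1 skip="$off" count="$len" 2>/dev/null || exit 1
        if [ "${DRY_RUN:-0}" = 1 ]; then
            n=$(wc -c < "$tmp" | tr -d ' ')
            echo "tpm2_nvwrite -C o -i chunk[$n bytes] --offset=$off $index"
        else
            # Stop at the first failure: each failed authorization can
            # increment the TPM's dictionary-attack counter.
            tpm2_nvwrite -C o -i "$tmp" --offset="$off" "$index" || exit 1
        fi
    done
    rc=$?
    rm -f "$tmp"   # the temp file held certificate bytes; do not leave it behind
    return "$rc"
}
```

Running it once with `DRY_RUN=1` shows the offsets that will be used before any command reaches the TPM.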

Andrew Oswald (aroswa) wrote :

With the advent of 22.04.4, this issue seems to have been resolved.

Thanks again for looking into it, Sudip! =)

Changed in tpm2-tools (Ubuntu):
status: Incomplete → Invalid
Sudip Mukherjee (sudipmuk) wrote :

Thanks for testing, Andrew.
