2022-11-14 08:30:32 |
Mussier |
bug |
|
|
added bug |
2022-12-05 20:10:58 |
Luca Boccassi |
tpm2-openssl (Ubuntu): status |
New |
Confirmed |
|
2022-12-05 21:46:53 |
Luca Boccassi |
description |
Hi,
Here are the technical details:
---
lmussier@lmussier-vm:~$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04
---
lmussier@lmussier-vm:~$ apt-cache policy tpm2-openssl
tpm2-openssl:
Installed: (none)
Candidate: 1.0.1-1
Version table:
1.0.1-1 500
500 http://ch.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
---
Could you consider upgrading this package to https://github.com/tpm2-software/tpm2-openssl/releases/tag/1.1.1.
In the currently provided package there is an issue preventing its use on some hardware and virtual machines.
See https://github.com/tpm2-software/tpm2-openssl/commit/83cc5c20515f9b008b6dbce0b3a60c71744ee23a for details.
The 1.1.1 is a huge improvement for usability since one can use this package even on virtual appliances.
I personally use Azure VMs and I can't use the TPM out of the box.
Regards. |
[ Impact ]
Ubuntu Jammy images running in Azure cannot use the TPM via tpm2-openssl, as the TPM2_CreateLoaded function that tpm2-openssl uses was only introduced with Specification Level 1.38. The SLB9665 chip which is used in Azure supports 1.16 and does not have an update to 1.38, so this function is not available.
[ Test Plan ]
On an affected machine run the appropriate command to reproduce the issue. Before the fix:
root@jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
using curve name prime256v1 instead of secp256r1
WARNING:esys:src/tss2-esys/api/Esys_CreateLoaded.c:368:Esys_CreateLoaded_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)
unable to generate key
4027962DC27F0000:error:4000000B:tpm2::cannot create key::-1:721219 rmt:error(2.0): command code not supported
After the fix:
root@jammy:/tmp# openssl ecparam -provider tpm2 -name secp256r1 -genkey -out root.key.pem
using curve name prime256v1 instead of secp256r1
root@jammy:/tmp# cat root.key.pem
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN TSS2 PRIVATE KEY-----
MIHPBgZngQUKAQOgAwEBAQIEQAAAAQRYAFYAIwALAAYAcgAAABAAEAADABAAIJxE
7F1JAtETed5TWceDbgpTM3mKIfnhcRurZCuwlH+fACBYDxdv5OgU5bWAVV3OteEm
VnCvpjJWxx2+9ck/IcrxlARgAF4AICnQLh8FddTTqK5b3R632Jbgy8R0gEEHzW6C
f7QfqYhkABC/aq8GiGMQu5hZfe8U6I08o/LrEdku7EFKoGtWpVhZrNVWV5fg6Ymh
5EJMJBtE0ScaVXqCbIztSyIU
-----END TSS2 PRIVATE KEY-----
[ Where problems could occur ]
The fix affects the core part of the library, that talks to the TPM, so any functionality could be affected. However the fix has been upstream and released for half a year, and no regressions have been reported.
[ Original Description ]
Hi,
Here are the technical details:
---
lmussier@lmussier-vm:~$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04
---
lmussier@lmussier-vm:~$ apt-cache policy tpm2-openssl
tpm2-openssl:
Installed: (none)
Candidate: 1.0.1-1
Version table:
1.0.1-1 500
500 http://ch.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
---
Could you consider upgrading this package to https://github.com/tpm2-software/tpm2-openssl/releases/tag/1.1.1.
In the currently provided package there is an issue preventing its use on some hardware and virtual machines.
See https://github.com/tpm2-software/tpm2-openssl/commit/83cc5c20515f9b008b6dbce0b3a60c71744ee23a for details.
The 1.1.1 is a huge improvement for usability since one can use this package even on virtual appliances.
I personally use Azure VMs and I can't use the TPM out of the box.
Regards. |
|
2022-12-05 21:47:30 |
Luca Boccassi |
summary |
Could you consider to upgrade to 1.1.1 |
tpm2-openssl cannot be used with TPM chips exposing spec level below 1.38 (eg: Azure) |
|
2022-12-05 21:47:56 |
Luca Boccassi |
bug |
|
|
added subscriber Luca Boccassi |
2022-12-05 21:48:05 |
Luca Boccassi |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2022-12-06 10:03:08 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Lunar |
|
2022-12-06 10:03:08 |
Christian Ehrhardt |
bug task added |
|
tpm2-openssl (Ubuntu Lunar) |
|
2022-12-06 10:03:08 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Kinetic |
|
2022-12-06 10:03:08 |
Christian Ehrhardt |
bug task added |
|
tpm2-openssl (Ubuntu Kinetic) |
|
2022-12-06 10:03:08 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Jammy |
|
2022-12-06 10:03:08 |
Christian Ehrhardt |
bug task added |
|
tpm2-openssl (Ubuntu Jammy) |
|
2022-12-06 10:03:29 |
Christian Ehrhardt |
tpm2-openssl (Ubuntu Lunar): status |
Confirmed |
Fix Released |
|
2022-12-06 10:03:31 |
Christian Ehrhardt |
tpm2-openssl (Ubuntu Kinetic): status |
New |
Confirmed |
|
2022-12-06 10:03:33 |
Christian Ehrhardt |
tpm2-openssl (Ubuntu Jammy): status |
New |
Confirmed |
|
2022-12-06 20:23:20 |
Luca Boccassi |
tpm2-openssl (Ubuntu Jammy): status |
Confirmed |
In Progress |
|
2022-12-06 20:23:22 |
Luca Boccassi |
tpm2-openssl (Ubuntu Kinetic): status |
Confirmed |
In Progress |
|
2022-12-08 19:59:48 |
Luca Boccassi |
tpm2-openssl (Ubuntu Jammy): assignee |
|
Luca Boccassi (bluca) |
|
2022-12-08 19:59:50 |
Luca Boccassi |
tpm2-openssl (Ubuntu Kinetic): assignee |
|
Luca Boccassi (bluca) |
|
2022-12-12 16:01:47 |
Łukasz Zemczak |
tpm2-openssl (Ubuntu Kinetic): status |
In Progress |
Fix Committed |
|
2022-12-12 16:01:48 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-12-12 16:01:50 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2022-12-12 16:01:52 |
Łukasz Zemczak |
tags |
|
verification-needed verification-needed-kinetic |
|
2022-12-12 16:02:08 |
Łukasz Zemczak |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2022-12-12 16:10:19 |
Łukasz Zemczak |
tpm2-openssl (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-12-12 16:10:24 |
Łukasz Zemczak |
tags |
verification-needed verification-needed-kinetic |
verification-needed verification-needed-jammy verification-needed-kinetic |
|
2022-12-23 11:52:05 |
Luca Boccassi |
tags |
verification-needed verification-needed-jammy verification-needed-kinetic |
verification-done verification-done-jammy verification-done-kinetic |
|
2022-12-23 11:54:44 |
Luca Boccassi |
tags |
verification-done verification-done-jammy verification-done-kinetic |
verification-done-jammy verification-done-kinetic |
|
2023-01-03 21:33:15 |
Brian Murray |
tags |
verification-done-jammy verification-done-kinetic |
verification-done-jammy verification-needed-kinetic |
|
2023-01-03 23:11:25 |
Luca Boccassi |
tags |
verification-done-jammy verification-needed-kinetic |
verification-done-jammy verification-done-kinetic |
|
2023-01-10 22:29:42 |
Launchpad Janitor |
tpm2-openssl (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
2023-01-10 22:29:52 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-01-10 22:30:22 |
Launchpad Janitor |
tpm2-openssl (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|