ActivateCredential error on non-6.1.1 versions (Esys Finish ErrorCode (0x00000101)) #285

@lkatalin

Mentioned in #277 while trying to test draft PR #281.
First noticed last month on Sept 29 and documented here.

System info: Running this on a Fedora 34 VM using swtpm with chardev.

I am getting this error while running code that uses the tss-esapi as a dependency. This error occurs when using tss-esapi = "7.0.0-alpha.1" in our Cargo.toml or when trying to pin to any commit from GitHub, ex. tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi.git", commit = "3e42b49f772f296150d0421998af1e8d55bb2478"} (even pinning to commits older than Sept. 29). The error does not occur when using tss-esapi = "6.1.1".

WARNING:esys:src/tss2-esys/api/Esys_ActivateCredential.c:321:Esys_ActivateCredential_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:105:Esys_ActivateCredential() Esys Finish ErrorCode (0x00000101)
Error: Tpm { err: Tss2Error(FormatZero(FormatZeroResponseCode { .0: 257, error_number: 1, format_selector: false, version: true, tcg_vendor_indicator: false, severity: false })), kind: Some(Failure), message: "commands not being accepted because of a TPM failure. NOTE: This may be returned by TPM2_GetTestResult() as the testResultparameter" }

I notice that when switching between tss-esapi = "6.1.1" as a dependency vs any other version or commit, some minor code changes are necessary in Keylime due to some reorganization and the new Public type in the tss-esapi. Otherwise these compilation errors result:

error[E0432]: unresolved imports `tss_esapi::interface_types::algorithm::SignatureScheme`, `tss_esapi::utils::Signature`
 --> src/tpm.rs:36:60
  |
36 |         algorithm::{AsymmetricAlgorithm, HashingAlgorithm, SignatureScheme},
  |                                                            ^^^^^^^^^^^^^^^ no `SignatureScheme` in `interface_types::algorithm`
...
50 |     utils::{PcrData, Signature},
  |                      ^^^^^^^^^ no `Signature` in `utils`

error[E0308]: mismatched types
  --> src/tpm.rs:113:34
   |
113 |     let tpm_pub_vec = pub_to_vec(tpm_pub);
   |                                  ^^^^^^^ expected struct `TPM2B_PUBLIC`, found enum `tss_esapi::structures::Public`

error[E0308]: mismatched types
  --> src/tpm.rs:247:35
   |
247 |     let tpm2_pub_vec = pub_to_vec(ak_tpm2b_pub);
   |                                   ^^^^^^^^^^^^ expected struct `TPM2B_PUBLIC`, found enum `tss_esapi::structures::Public`


Once I resolve the compilation errors and I'm able to build using a tss-esapi version other than 6.1.1, I run the Keylime agent and get the ActivateCredential error.

It is entirely possible that the error stems from my changes in Keylime not using the updated tss-esapi properly and I am still trying to investigate that. Unfortunately I'm under some time constraints so I'm not sure how far I can dive into it immediately. @ueno is pretty knowledgeable about the Rust Keylime codebase as well and may have ideas.

@ionut-arm Regarding your question about the self-test, did you mean tpm2_selftest? This seems to succeed and values from tpm2_pcrread look normal also:

[root@fedora ~]# tpm2_selftest
[root@fedora ~]# echo $?
0
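
The response code in the log above, decoded field by field. This is an added example, not code from the issue, Keylime or tss-esapi; it applies the TPM 2.0 response-code bit layout (TPM 2.0 Library specification, Part 2) to 0x00000101. The type and function names are hypothetical, and the second input is a constructed contrast value.

```rust
// Added example: decode a TPM 2.0 response code from its bit fields.
// Names are hypothetical and are not the tss-esapi API.

#[derive(Debug, PartialEq)]
enum Subject { Handle, Session, Parameter }

#[derive(Debug, PartialEq)]
enum ResponseCode {
    // Format-zero: error not tied to a specific handle, session or parameter.
    FormatZero { error_number: u8, tpm2: bool, vendor: bool, warning: bool },
    // Format-one: error tied to the handle, session or parameter at `index`.
    FormatOne { error_number: u8, subject: Subject, index: u8 },
}

// Splits a TSS2_RC into (layer, decoded code). Layer 0 means the TPM itself
// produced the code rather than a TSS software layer.
fn decode(rc: u32) -> (u8, ResponseCode) {
    let layer = ((rc >> 16) & 0xFF) as u8;
    let code = rc & 0xFFF;
    let decoded = if code & 0x080 == 0 {
        // Bit 7 (F) clear: format-zero.
        ResponseCode::FormatZero {
            error_number: (code & 0x7F) as u8, // bits 6:0
            tpm2: code & 0x100 != 0,           // bit 8 (V): TPM 2.0 code
            vendor: code & 0x400 != 0,         // bit 10 (T): vendor-defined
            warning: code & 0x800 != 0,        // bit 11 (S): warning, not error
        }
    } else {
        // Bit 7 (F) set: format-one. Bits 11:8 carry the subject number.
        let n = ((code >> 8) & 0xF) as u8;
        let (subject, index) = if code & 0x040 != 0 {
            (Subject::Parameter, n)            // bit 6 (P): parameter error
        } else if n & 0x8 != 0 {
            (Subject::Session, n & 0x7)        // bit 11 set: session
        } else {
            (Subject::Handle, n & 0x7)         // bit 11 clear: handle
        };
        ResponseCode::FormatOne { error_number: (code & 0x3F) as u8, subject, index }
    };
    (layer, decoded)
}

fn main() {
    // The code from the report: layer 0, format-zero, error number 1.
    println!("{:?}", decode(0x0000_0101));
    // Constructed contrast value: format-one, parameter 1, error number 4.
    println!("{:?}", decode(0x0000_01C4));
}
```

For 0x00000101 the layer is 0 and the fields match the `FormatZeroResponseCode` printed in the log: the failure was reported by the TPM (here swtpm) itself, not raised inside ESAPI.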
