Description
Mentioned in #277 while trying to test draft PR #281.
First noticed last month on Sept 29 and documented here.
System info: Running this on a Fedora 34 VM using swtpm with chardev.
I am getting this error while running code that uses the tss-esapi as a dependency. This error occurs when using tss-esapi = "7.0.0-alpha.1" in our Cargo.toml or when trying to pin to any commit from GitHub, e.g. tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi.git", commit = "3e42b49f772f296150d0421998af1e8d55bb2478"} (even pinning to commits older than Sept. 29). The error does not occur when using tss-esapi = "6.1.1".
WARNING:esys:src/tss2-esys/api/Esys_ActivateCredential.c:321:Esys_ActivateCredential_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:105:Esys_ActivateCredential() Esys
Finish ErrorCode (0x00000101)
Error: Tpm { err: Tss2Error(FormatZero(FormatZeroResponseCode { .0: 257, error_number: 1,
format_selector: false, version: true, tcg_vendor_indicator: false, severity: false })), kind:
Some(Failure), message: "commands not being accepted because of a TPM failure. NOTE:
This may be returned by TPM2_GetTestResult() as the testResultparameter" }
I notice that when switching between tss-esapi = "6.1.1" as a dependency vs any other version or commit, some minor code changes are necessary in Keylime due to some reorganization and the new Public type in the tss-esapi. Otherwise these compilation errors result:
error[E0432]: unresolved imports `tss_esapi::interface_types::algorithm::SignatureScheme`, `tss_esapi::utils::Signature`
--> src/tpm.rs:36:60
|
36 | algorithm::{AsymmetricAlgorithm, HashingAlgorithm, SignatureScheme},
| ^^^^^^^^^^^^^^^ no `SignatureScheme` in `interface_types::algorithm`
...
50 | utils::{PcrData, Signature},
| ^^^^^^^^^ no `Signature` in `utils`
error[E0308]: mismatched types
--> src/tpm.rs:113:34
|
113 | let tpm_pub_vec = pub_to_vec(tpm_pub);
| ^^^^^^^ expected struct `TPM2B_PUBLIC`, found enum `tss_esapi::structures::Public`
error[E0308]: mismatched types
--> src/tpm.rs:247:35
|
247 | let tpm2_pub_vec = pub_to_vec(ak_tpm2b_pub);
| ^^^^^^^^^^^^ expected struct `TPM2B_PUBLIC`, found enum `tss_esapi::structures::Public`
Once I resolve the compilation errors and I'm able to build using a tss-esapi version other than 6.1.1, I run the Keylime agent and get the ActivateCredential error.
It is entirely possible that the error stems from my changes in Keylime not using the updated tss-esapi properly and I am still trying to investigate that. Unfortunately I'm under some time constraints so I'm not sure how far I can dive into it immediately. @ueno is pretty knowledgeable about the Rust Keylime codebase as well and may have ideas.
@ionut-arm Regarding your question about the self-test, did you mean tpm2_selftest? This seems to succeed and values from tpm2_pcrread look normal also:
[root@fedora ~]# tpm2_selftest
[root@fedora ~]# echo $?
0
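The FormatZeroResponseCode fields printed in the error above follow the TPM 2.0 response-code bit layout. As an added example (not code from tss-esapi or Keylime; the enum and function names are hypothetical and only the field names mirror the quoted Debug output), this decodes a raw code such as 0x00000101 into those fields:

```rust
// Added example: decode a TSS2_RC into the fields seen in the quoted log.
// Type and function names are hypothetical, not the tss-esapi API.

#[derive(Debug, PartialEq)]
enum ResponseCode {
    // Bit 7 clear: errors and warnings not tied to a handle, session or parameter.
    FormatZero { error_number: u8, version: bool, tcg_vendor_indicator: bool, severity: bool },
    // Bit 7 set: errors tied to a specific handle, session or parameter.
    FormatOne { error_number: u8, parameter: bool, number: u8 },
}

/// Split a TSS2_RC into (layer, decoded code).
/// The decoded fields are only meaningful as a TPM code when layer == 0.
fn decode_rc(rc: u32) -> (u8, ResponseCode) {
    let layer = ((rc >> 16) & 0xff) as u8; // 0 = returned by the TPM itself
    let code = rc & 0xfff; // TPM response codes occupy bits 11:0
    let decoded = if code & 0x080 == 0 {
        ResponseCode::FormatZero {
            error_number: (code & 0x7f) as u8,
            version: code & 0x100 != 0, // set for TPM 2.0 defined codes
            tcg_vendor_indicator: code & 0x400 != 0,
            severity: code & 0x800 != 0, // set = warning, clear = error
        }
    } else {
        ResponseCode::FormatOne {
            error_number: (code & 0x3f) as u8,
            parameter: code & 0x040 != 0, // set = error refers to a parameter
            number: ((code >> 8) & 0xf) as u8,
        }
    };
    (layer, decoded)
}

/// True when the code is TPM_RC_FAILURE (0x101) reported by the TPM layer.
fn is_tpm_failure(rc: u32) -> bool {
    let failure = ResponseCode::FormatZero {
        error_number: 1,
        version: true,
        tcg_vendor_indicator: false,
        severity: false,
    };
    decode_rc(rc) == (0, failure)
}

fn main() {
    // 0x00000101 is the ErrorCode from the Esys_ActivateCredential log line.
    println!("{:?} failure={}", decode_rc(0x0000_0101), is_tpm_failure(0x0000_0101));
}
```

Layer 0 with format zero, error number 1 and the version bit set is TPM_RC_FAILURE, which matches the 257 / error_number: 1 / version: true values in the quoted error.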