tpm2: fix dangling loaded session after tpm2_createpolicy #484
Conversation
Clevis cleans the context regularly from transient objects by invoking `tpm2_flushcontext -t`, but there is one case which Clevis omits. The `tpm2_createpolicy` command loads a new session and this needs to be cleaned by a call to `tpm2_flushcontext -l`, see [1]. This is usually not an issue when the resource manager is used (i.e. with the `/dev/tpmrm0` device), but when the raw TPM device `/dev/tpm0` or a software TPM (swtpm) without a resource manager is used, the usage of clevis ends with the following error:

```
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x00000903)
ERROR: Esys_StartAuthSession(0x903) - tpm:warn(2.0): out of memory for session contexts
```

[1] tpm2-software/tpm2-tools#3427

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
It seems they will be fixing the behaviour of |
Reproduction with:

```
# export TPM2TOOLS_TCTI=device:/dev/tpm0
# tpm2_getcap pcrs
selected-pcrs:
- sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
- sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
# echo "test" | clevis encrypt tpm2 '{"pcr_ids":"23"}' | clevis decrypt
test
# echo "test" | clevis encrypt tpm2 '{"pcr_ids":"23"}' | clevis decrypt
test
# echo "test" | clevis encrypt tpm2 '{"pcr_ids":"23"}' | clevis decrypt
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x00000903)
ERROR: Esys_StartAuthSession(0x903) - tpm:warn(2.0): out of memory for session contexts
ERROR: Unable to run tpm2_create
Creating TPM2 object for jwk failed!
```
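The cleanup pattern this PR is about, as an added shell example that is not Clevis's own code: every `tpm2_createpolicy` call is followed by a flush of both transient objects (`-t`) and loaded sessions (`-l`), and the flush runs even when the policy step fails, because a session may already have been started. Two separate `tpm2_flushcontext` calls are used rather than one combined invocation, since the thread does not establish which tpm2-tools releases accept both flags at once. The function names `tpm2_cleanup` and `make_pcr_policy`, the policy file path and the PCR spec are assumptions made for this example; `tpm2_createpolicy --policy-pcr -l <pcr-spec> -L <file>` and `tpm2_flushcontext -t` / `-l` are real tpm2-tools invocations.

```shell
#!/bin/sh
# Added example, not Clevis code. Assumes tpm2-tools on PATH (real or stubbed).

# Flush everything a pipeline may have left behind in the TPM: transient
# objects (-t) and loaded sessions (-l). Kept as two calls so it also works
# on tpm2-tools releases that do not accept both flags in one invocation.
tpm2_cleanup() {
    tpm2_flushcontext -t
    tpm2_flushcontext -l
}

# Create a PCR policy digest and clean up the session tpm2_createpolicy
# leaves loaded. Note that "-l" here is tpm2_createpolicy's PCR list, a
# different meaning from tpm2_flushcontext's "-l" (loaded sessions).
#   $1 = output policy file (hypothetical path in the usage below)
#   $2 = PCR spec such as "sha256:23"
make_pcr_policy() {
    _policy_file=$1
    _pcr_spec=$2
    tpm2_createpolicy --policy-pcr -l "$_pcr_spec" -L "$_policy_file"
    _rc=$?
    # Flush unconditionally: without a resource manager (/dev/tpm0, swtpm)
    # each un-flushed session consumes one of the TPM's few session slots,
    # and the next tpm2_create fails with 0x903 once they are exhausted.
    tpm2_cleanup
    return $_rc
}

# Usage: ./example.sh run  (requires a TPM or swtpm reachable via TPM2TOOLS_TCTI)
if [ "${1:-}" = "run" ]; then
    make_pcr_policy /tmp/example_policy.bin sha256:23
fi
```

Repeating the reproduction loop from this thread (three `clevis encrypt ... | clevis decrypt` rounds against `/dev/tpm0`) with this cleanup in place is the check that the session slots are no longer leaking: the third round should succeed instead of returning `tpm:warn(2.0): out of memory for session contexts`.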
Thanks for your PR, @oldium . Sorry for my ignorance but ... is it necessary to call it twice? Is not a call to this command valid?:
```
tpm2_flushcontext -t -l
```
Your question is right on target, I have checked exactly that. 😁 This is supported since |
@sarroutbi But meson could check for that, safe command to execute is:
When it reports The correct command/sequence can be generated during build (with |
Thanks for clarifying. In that case, I would keep it as it is now.
LGTM
Clevis cleans the context regularly from transient objects by invoking `tpm2_flushcontext -t`, but there is one case which Clevis omits. The `tpm2_createpolicy` command loads a new session and this needs to be cleaned by a call to `tpm2_flushcontext -l`, see tpm2-software/tpm2-tools#3427. This is usually not an issue when the resource manager is used (i.e. with the `/dev/tpmrm0` device), but when the raw TPM device `/dev/tpm0` or a software TPM (swtpm) without a resource manager is used, the usage of clevis (multiple calls are required) ends with the following error: