irtimmer/tpm2-pk11

Failed to open device file /dev/tpm0: Device or resource busy

forx617 opened this issue · 6 comments

The problem fixed in issue #65 seems to have reappeared.

I'm using:

  • Linux-based ARM platform with a real, running /dev/tpm0 device (kernel driver tpm_tis)
  • latest released tpm2-tss stack: 2.0.0
  • latest commit of tpm2-pk11: 2343865

Created a persistent tpm key:

#tpm2_listpersistent
persistent-handle[0]:0x81000000 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt

Then the following fail:

#ssh-keygen -D /usr/lib/pkcs11/libtpm2-pk11.so
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Device or resource busy
C_OpenSession failed: 5
cannot read public key from pkcs11

Is there a solution for this problem?

According to the output of ssh-keygen, libtpm2-pk11 is configured to access /dev/tpm0 directly, while either the user is not allowed to access it or another process already has access to the TPM (like the tpm2-abrmd daemon).

I don't have any user process accessing /dev/tpm0, only the "tpm_tis" Linux kernel module.
I'm not using the tpm2-abrmd daemon.

This is my configuration for libtpm2-pk11:

#Type can be device/socket/tabrmd
type device
#Hostname to connect when using socket
hostname localhost
#Port number of TPM socket to connect to
port 2321
#Device to use as TPM
device /dev/tpm0
#Sign using encrypt in case the TPM doesn't support the hash format
#For example SSH uses SHA512, which isn't supported by all TPMs
#Enabling this option requires keys to be encryption keys instead of signing-only keys
sign-using-encrypt true
#Set login_required in case keys are protected by a password
#Notice currently only a single password for all keys is supported
#Depending on the TPM settings, providing wrong passwords can lead to a lockout
login-required false

What could be the problem?

Update (with debug enabled):

#/usr/local/bin/tpm2_listpersistent
persistent-handle[0]:0x81000000 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
#/usr/local/bin/tpm2_readpublic -H 0x81000000
name: 000bb892c97e114eec1b9cd0e603e99cf9884942c02aa2e3f62e68428003b125ef96
qualified name: 000bfccbb940299e74f0277d38f14afdec8b70cb3669e6c8d944fc257c4edc7d0dc9
algorithm:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
raw: 0x30072
type:
value: rsa
raw: 0x1
rsa: b4f053fdd79965da70349d035ce30ae9ce46dfc09083568e8c1a413aa3b6bfe4ce836e11a2e34ab19c37ec9bc9fffa3615cd956615dd43c1c5c877cc8883de3a0cae008d55e75b22b316e3bb872827
#/usr/local/bin/tpm2_startup -v
tool="/usr/local/bin/tpm2_startup" version="R_1.5-2-gc16bbf5-dirty" tctis="dynamic" tcti-default=device dlclose=enabled
#ssh-keygen -D /usr/lib/pkcs11/libtpm2-pk11.so
2018-10-03 07:30:35 [tpm-pk11] C_GetInfo
2018-10-03 07:30:35 [tpm-pk11] C_GetSlotList: present = true
2018-10-03 07:30:35 [tpm-pk11] C_GetSlotList: present = true
2018-10-03 07:30:35 [tpm-pk11] C_GetTokenInfo: id = 4660
2018-10-03 07:30:35 [tpm-pk11] C_OpenSession: id = 4660, flags = 6
ERROR:tcti:src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Device or resource busy
C_OpenSession failed: 5
2018-10-03 07:30:35 [tpm-pk11] C_Finalize
cannot read public key from pkcs11


As said in my earlier post, I don't have any user process accessing /dev/tpm0, the access broker tpm2-abrmd is not installed, and the tpm2-tss stack used is release 2.0.0.

Any suggestion is appreciated.

BR

I almost forgot, but as pkcs11 allows multiple sessions in different threads, for each session a new connection to the TPM is opened beside the global connection used to receive some basic information about the TPM. Therefore a resource manager is required, like abrmd or the one included in recent kernel versions (untested). This can probably be solved by adding a mutex to allow requests from different threads, but there are currently no plans to implement it.
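The failure mode the maintainer describes, as an added example that is not tpm2-pk11's own code: a constructed stand-in for the kernel's exclusive-open device takes the place of a real /dev/tpm0 (nothing here touches hardware), strategy A opens one connection per session while a global connection is already held and collects the EBUSY results, and strategy B keeps a single connection and serializes every command through a mutex, which is the alternative the comment mentions. All function, struct and variable names are assumptions made for this illustration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

#define MAX_SESSIONS 16
#define COMMANDS_PER_SESSION 200

/* Constructed stand-in for an exclusive-open TPM character device such as
 * /dev/tpm0 under tpm_tis: one opener at a time, a second open() gets EBUSY. */
static int device_openers;
static pthread_mutex_t device_state = PTHREAD_MUTEX_INITIALIZER;

static int fake_tpm_open(void)
{
    int rc = 0;
    pthread_mutex_lock(&device_state);
    if (device_openers > 0)
        rc = -EBUSY;
    else
        device_openers = 1;
    pthread_mutex_unlock(&device_state);
    return rc;
}

static void fake_tpm_close(void)
{
    pthread_mutex_lock(&device_state);
    device_openers = 0;
    pthread_mutex_unlock(&device_state);
}

struct session { int failures; };

/* Strategy A, the behaviour described in the thread: a global connection is
 * held for token info and each session opens its own connection. With no
 * resource manager in between, every per-session open collides with the
 * global one, which is where C_OpenSession fails. */
static void *session_with_own_connection(void *p)
{
    struct session *s = p;
    if (fake_tpm_open() == -EBUSY) {
        s->failures = 1;
    } else {
        /* commands would go out on the private connection here */
        fake_tpm_close();
    }
    return NULL;
}

/* Returns how many of the requested sessions failed to open their connection,
 * or -1 if even the global connection could not be opened. */
int run_per_session_connections(int sessions)
{
    pthread_t tid[MAX_SESSIONS];
    struct session s[MAX_SESSIONS] = {{0}};
    int failed = 0;

    if (sessions > MAX_SESSIONS)
        sessions = MAX_SESSIONS;
    if (fake_tpm_open() != 0)          /* global connection */
        return -1;
    for (int i = 0; i < sessions; i++)
        pthread_create(&tid[i], NULL, session_with_own_connection, &s[i]);
    for (int i = 0; i < sessions; i++) {
        pthread_join(tid[i], NULL);
        failed += s[i].failures;
    }
    fake_tpm_close();
    return failed;
}

/* Strategy B, the mutex the maintainer mentions: the device is opened once,
 * and every command/response exchange holds a lock so concurrent sessions
 * never interleave bytes on the single shared connection. */
static pthread_mutex_t command_lock = PTHREAD_MUTEX_INITIALIZER;
static int in_flight;     /* commands on the wire right now; must stay <= 1 */
static int interleaved;   /* set if two commands ever overlapped */

static int shared_command(void)
{
    pthread_mutex_lock(&command_lock);
    if (++in_flight > 1)
        interleaved = 1;
    /* write the command and read its response on the shared connection */
    --in_flight;
    pthread_mutex_unlock(&command_lock);
    return 0;
}

static void *session_with_shared_connection(void *p)
{
    struct session *s = p;
    for (int i = 0; i < COMMANDS_PER_SESSION; i++)
        if (shared_command() != 0)
            s->failures++;
    return NULL;
}

/* Returns failed commands plus 1 if any two commands overlapped; 0 means every
 * session got serialized access through the one connection. */
int run_shared_connection(int sessions)
{
    pthread_t tid[MAX_SESSIONS];
    struct session s[MAX_SESSIONS] = {{0}};
    int failed = 0;

    if (sessions > MAX_SESSIONS)
        sessions = MAX_SESSIONS;
    interleaved = 0;
    if (fake_tpm_open() != 0)          /* the only connection */
        return -1;
    for (int i = 0; i < sessions; i++)
        pthread_create(&tid[i], NULL, session_with_shared_connection, &s[i]);
    for (int i = 0; i < sessions; i++) {
        pthread_join(tid[i], NULL);
        failed += s[i].failures;
    }
    fake_tpm_close();
    return failed + interleaved;
}

int main(void)
{
    printf("per-session connections: %d of 4 sessions hit EBUSY\n",
           run_per_session_connections(4));
    printf("shared connection + mutex: %d failures\n", run_shared_connection(4));
    return 0;
}
```

Build with `cc -pthread`. With the thread's own configuration the same conclusion applies: `type device` pointing at /dev/tpm0 means every C_OpenSession is a second exclusive open, whereas `type tabrmd` routes all connections through the broker the maintainer names, which is what multiplexes them onto the device.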

Restarting tpm2-abrmd solved my problem.
service tpm2-abrmd restart