tpm2-software/tpm2-tss

Invalid PCR selection in profile

Closed this issue · 4 comments

When running an application that uses libtss2-fapi on my workstation I receive the error:

debug:marshal:src/tss2-mu/base-types.c:170:Tss2_MU_UINT8_Unmarshal() offset parameter non-NULL, updated to 25
debug:marshal:src/tss2-mu/tpml-types.c:175:Tss2_MU_TPML_PCR_SELECTION_Unmarshal() offset parameter non-NULL, updated to 25
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:2276:ifapi_check_profile_pcr_selection() Hash alg for PCR selection not available. ErrorCode (0x0006000b)
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:555:Fapi_Provision_Finish() Invalid PCR selection in profile. ErrorCode (0x0006000b)

From Googling the error, this may be a limitation where you can only read 24 PCRs, though this was reported on the tpm2-tools GitHub - tpm2-software/tpm2-tools#119.

I can provide further logs. Currently just using the default fapi-config.json and fapi-profiles. Also my code is working as expected on a Raspberry Pi with TPM hat.

Using version 4.0.1 compiled on Intel x86-64 platform.

@deanobob sha1 and sha256 are used in the default profile. If your TPM does not support sha1, just delete the following 3 lines in the profile files (should be installed in /usr/local/etc/tpm2-tss/fapi-profiles/):

     { "hash": "TPM2_ALG_SHA1",
         "pcrSelect": [ ],
     },

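As an added example (not part of this thread and not tpm2-tss code), the following Python script does programmatically what the comment above describes by hand: it compares a FAPI profile's PCR selection with the PCR banks the TPM actually allocates and removes entries whose bank the TPM does not have, which is the condition ifapi_check_profile_pcr_selection() rejects. The "pcrSelection" key name, the sample profile and the bank list are assumptions constructed for the example; read the real banks from your TPM with tpm2_pcrread or TPM2_GetCapability(TPM2_CAP_PCRS).

```python
"""Check and repair the PCR selection of a tpm2-tss FAPI profile against the
PCR banks a TPM reports. Added example, not tpm2-tss code."""
import copy
import json

# Constructed sample profile fragment. The "pcrSelection" key is assumed to
# be the profile key that holds the entries shown in the thread; only the
# SHA1 entry itself is taken from the comment above.
SAMPLE_PROFILE = json.loads("""
{
  "type": "TPM2_ALG_RSA",
  "nameAlg": "TPM2_ALG_SHA256",
  "pcrSelection": [
     { "hash": "TPM2_ALG_SHA1",
         "pcrSelect": [ ]
     },
     { "hash": "TPM2_ALG_SHA256",
         "pcrSelect": [ 8, 9, 10, 11, 12, 13, 14, 15, 16, 17 ]
     }
  ]
}
""")

# Constructed: banks a TPM without a SHA1 bank might report. Obtain the real
# list with `tpm2_pcrread` or TPM2_GetCapability(TPM2_CAP_PCRS).
SAMPLE_BANKS = {"TPM2_ALG_SHA256", "TPM2_ALG_SHA384"}


def unsupported_banks(profile, tpm_banks):
    """Return the hash algs in the profile's pcrSelection that the TPM has no
    bank for, in profile order. A non-empty result is the situation behind
    the 'Hash alg for PCR selection not available' error."""
    return [sel["hash"] for sel in profile.get("pcrSelection", [])
            if sel["hash"] not in tpm_banks]


def strip_unsupported_banks(profile, tpm_banks):
    """Return (fixed_profile, dropped, conflicts).

    Entries for unsupported banks with an empty pcrSelect (like the SHA1
    entry in the default profile) are dropped, which is the manual edit
    suggested above. An unsupported bank that actually selects PCRs is kept
    and reported in `conflicts` instead: silently dropping it would change
    which PCRs the profile binds policies to, so that case needs a human
    decision rather than an automatic edit."""
    fixed = copy.deepcopy(profile)
    kept, dropped, conflicts = [], [], []
    for sel in fixed.get("pcrSelection", []):
        if sel["hash"] in tpm_banks:
            kept.append(sel)
        elif sel.get("pcrSelect"):
            conflicts.append(sel["hash"])
            kept.append(sel)
        else:
            dropped.append(sel["hash"])
    fixed["pcrSelection"] = kept
    return fixed, dropped, conflicts


if __name__ == "__main__":
    print("unsupported:", unsupported_banks(SAMPLE_PROFILE, SAMPLE_BANKS))
    fixed, dropped, conflicts = strip_unsupported_banks(SAMPLE_PROFILE, SAMPLE_BANKS)
    print("dropped:", dropped, "conflicts:", conflicts)
    print(json.dumps(fixed, indent=2))
```

Run it against a copy of the installed profile by replacing SAMPLE_PROFILE with `json.load(open(path))` and SAMPLE_BANKS with the banks your TPM reports; only write the result back if `conflicts` is empty.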

Thanks for your quick reply. I have removed the SHA1 config as described and have now got a little further during provisioning of the device. It now returns an error 'Authorization callback not defined'.

ERROR:fapi:src/tss2-fapi/fapi_util.c:457:ifapi_set_auth() Authorization callback not defined. ErrorCode (0x0006002a)
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:1006:Fapi_Provision_Finish() Set auth value ErrorCode (0x0006002a)
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:174:Fapi_Provision() ErrorCode (0x0006002a) Provision

Any ideas why I would see this? I can't see anything obvious in the debug logging.

Thanks again for your help!

@deanobob Is your lockout hierarchy protected by a password? FAPI tries to set the lockout parameters and needs the auth value. If there is an auth value defined for the lockout hierarchy you have to provide the callback to set this password as in the following simplified example:

#include <stdio.h>
#include <tss2/tss2_fapi.h>
#include <tss2/tss2_rc.h>

#define PASSWORD "pwd"

/* Called by FAPI whenever it needs an auth value, e.g. for the lockout
 * hierarchy during Fapi_Provision. The string *auth points to must stay
 * valid until the FAPI call returns, so a literal or static buffer is used. */
static TSS2_RC
auth_callback(
    char const *objectPath,
    char const *description,
    const char **auth,
    void *userData)
{
    (void) description;
    (void) userData;

    if (!objectPath) {
        fprintf(stderr, "No path.\n");
        return TSS2_FAPI_RC_BAD_VALUE;
    }

    *auth = PASSWORD;
    return TSS2_RC_SUCCESS;
}
....
/* Register the callback before Fapi_Provision so FAPI can ask for the
 * lockout auth value instead of failing with "Authorization callback not defined". */
r = Fapi_SetAuthCB(context, auth_callback, NULL);
if (r != TSS2_RC_SUCCESS) {
    fprintf(stderr, "Fapi_SetAuthCB failed: %s\n", Tss2_RC_Decode(r));
    goto error;
}

The error message should be better to show that the error is related to the lockout hierarchy.

Thanks for your help I think I know what's happening now. Closing as the original issue is solved :)