Linux-Integrity Archive mirror
* Issue with TPM2 Encrypt/Decrypt Functionality and TSS API Integration
@ 2024-03-05 22:31 Samuel Lee
  2024-03-25 16:03 ` Ken Goldman
  2024-03-25 16:05 ` Ken Goldman
  0 siblings, 2 replies; 3+ messages in thread
From: Samuel Lee @ 2024-03-05 22:31 UTC
  To: tpm2; +Cc: linux-integrity

Dear TPM 2.0 Mailing List Community,

I am currently facing an issue while attempting to utilize the TPM2
Encrypt/Decrypt functionality in conjunction with the TSS API
integration.

I have followed the steps outlined in the TPM2 Encrypt/Decrypt man
page (https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_encryptdecrypt.1/)
to create primary and key contexts successfully. However, when I
attempt to use the encrypt/decrypt functionality, I encounter the
following errors:

# tpm2_encryptdecrypt -c key.ctx -o secret.enc secret.dat
WARN: Using a weak IV, try specifying an IV
WARNING:esys:src/tss2-esys/api/Esys_EncryptDecrypt2.c:322:Esys_EncryptDecrypt2_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EncryptDecrypt2.c:107:Esys_EncryptDecrypt2()
Esys Finish ErrorCode (0x000b0143)
WARNING:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:328:Esys_EncryptDecrypt_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:110:Esys_EncryptDecrypt()
Esys Finish ErrorCode (0x000002c9)
ERROR: Esys_EncryptDecrypt(0x2C9) - tpm:parameter(2):mode of operation
not supported
ERROR: Unable to run tpm2_encryptdecrypt

Further investigation led me to the discovery that the TPM I am using
does not support the TPM2_CC_Encryptdecrypt2 command, as confirmed by
the output of

# tpm2_getcap commands | grep -i Encryptdecrypt
TPM2_CC_EncryptDecrypt:

In an attempt to resolve this issue, I decided to explore utilizing
the TSS API instead. However, I encountered a new error when
attempting to create a primary context using the tsscreateprimary
command:

# tsscreateprimary -hi p -st -opu primary.pub
TSS_Socket_Open: Error on connect to localhost:2321
TSS_Socket_Open: client connect: error 111 Connection refused
createprimary: failed, rc 000b0008
TSS_RC_NO_CONNECTION - Failure connecting to lower layer

For additional context, my system configuration is as follows:

Kernel version: 6.6.8-g19a0c7318c79
Installed packages: tpm2-tools, tpm2-abrmd, tss2
Discrete TPM in use: ATTPM20P by Microchip

I would greatly appreciate any insights, suggestions, or guidance on
how to address this issue. Additionally, if there are alternative
approaches or best practices for achieving the desired TPM
functionality in my environment, I would be eager to learn about them.

Thank you in advance for your time and assistance.

Samuel Lee


* Re: Issue with TPM2 Encrypt/Decrypt Functionality and TSS API Integration
From: Ken Goldman @ 2024-03-25 16:03 UTC
  To: Samuel Lee, tpm2; +Cc: linux-integrity

The TPM 2.0 Library specification is a library of possible functions.  A 
platform specific specification (e.g., PC Client) specifies which 
commands are mandatory.

I assume that the TPM you are using does not implement TPM2 Encrypt/Decrypt.

In general, check the platform specific specification and use only
mandatory features for interoperability.

On 3/5/2024 5:31 PM, Samuel Lee wrote:
> Dear TPM 2.0 Mailing List Community,
> 
> I am currently facing an issue while attempting to utilize the TPM2
> Encrypt/Decrypt functionality in conjunction with the TSS API
> integration.
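
Added example (not part of the original messages, and not tpm2-tools or tpm2-tss code): a small decoder for the two response codes in the tpm2_encryptdecrypt output quoted in this thread, following the response-code bit layout in Part 2 of the TPM 2.0 Library specification. The function name decode_rc and the two name tables are assumptions of this sketch; only the two error numbers seen in the thread are named.

```python
# TPM 2.0 response-code layout (TPM 2.0 Library spec, Part 2, "Response Codes").
# Hypothetical helper: only the two error numbers from the thread are named,
# anything else is reported as a hex error number.
FMT1_NAMES = {0x09: "TPM_RC_MODE"}           # RC_FMT1 + 0x009
VER1_NAMES = {0x43: "TPM_RC_COMMAND_CODE"}   # RC_VER1 + 0x043


def decode_rc(rc: int) -> dict:
    """Split a 32-bit TSS2_RC into its reporting layer and TPM error fields."""
    layer = (rc >> 16) & 0xFF      # tpm2-tss puts the layer in bits 16-23
    code = rc & 0xFFF              # the TPM's own response code is 12 bits
    out = {"layer": layer, "tpm_rc": code}

    if code & 0x080:               # bit 7 (F) set: format-one code
        num = code & 0x03F         # bits 0-5: error number
        n = (code >> 8) & 0xF      # bits 8-11: parameter/handle/session number
        if code & 0x040:           # bit 6 (P) set: error is about a parameter
            subject, index = "parameter", n
        elif n & 0x8:              # P clear, bit 11 set: about a session
            subject, index = "session", n & 0x7
        else:                      # P clear, bit 11 clear: about a handle
            subject, index = "handle", n
        out.update(format=1, subject=subject, index=index,
                   name=FMT1_NAMES.get(num, hex(num)))
    elif code & 0x100:             # bit 8 (V) set: TPM 2.0 format-zero code
        num = code & 0x07F         # bits 0-6: error number
        out.update(format=0,
                   warning=bool(code & 0x800),   # bit 11 (S): warning
                   vendor=bool(code & 0x400),    # bit 10 (T): vendor-defined
                   name=VER1_NAMES.get(num, hex(num)))
    else:                          # neither F nor V: not a TPM 2.0 error code
        out.update(format=None, name=hex(code))
    return out


if __name__ == "__main__":
    # The two codes from the tpm2_encryptdecrypt output quoted in the thread.
    for rc in (0x000B0143, 0x000002C9):
        print(f"{rc:#010x} -> {decode_rc(rc)}")
```

It decodes 0x000b0143 as TPM_RC_COMMAND_CODE reported through layer 11, and 0x000002c9 as TPM_RC_MODE on parameter 2, which agrees with the "tpm:parameter(2):mode of operation not supported" line in the tool output.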


* Re: Issue with TPM2 Encrypt/Decrypt Functionality and TSS API Integration
From: Ken Goldman @ 2024-03-25 16:05 UTC
  To: Samuel Lee, tpm2; +Cc: linux-integrity

This indicates that the TSS is trying to connect to a
TPM over a socket interface. This is typical for a software TPM
aka a TPM simulator.

I suspect that you do not have a TPM simulator running.

On 3/5/2024 5:31 PM, Samuel Lee wrote:
> # tsscreateprimary -hi p -st -opu primary.pub
> TSS_Socket_Open: Error on connect to localhost:2321
> TSS_Socket_Open: client connect: error 111 Connection refused
> createprimary: failed, rc 000b0008
> TSS_RC_NO_CONNECTION - Failure connecting to lower layer

