>=4.1.0 Cannot load device TCTI when compiled with clang #2840

salahcoronya opened this issue May 14, 2024 · 27 comments · May be fixed by #2843
@salahcoronya
Contributor

tpm2-tss-4.1.0 (and above) do not seem to work when compiled with clang, at least for a real TPM. Currently (see https://bugs.gentoo.org/931885) it's being seen under Clevis, but I can replicate with tpm2-tools.

Here's the output from tpm2_selftest (with TPM2_LOG="tcti+DEBUG")
tpm2-tss-unstable.out.gz

Specifying the TCTI on the command line doesn't help, either.

@AndreasFuchsTPM
Member

From the output, the following seems to be most interesting:

tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:255:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-device.so.0 with /dev/tpmrm0 
debug:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr.c:164:tctildr_conf_parse() name_conf: "/dev/tpmrm0" 
debug:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr.c:171:tctildr_conf_parse() TCTI name: "/dev/tpmrm0" 
debug:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:308:tctildr_get_tcti() name: "/dev/tpmrm0", conf: "(null)" 
debug:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:115:handle_from_name() Could not load TCTI file "/dev/tpmrm0": /dev/tpmrm0: file too short 
debug:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:115:handle_from_name() Could not load TCTI file "/dev/tpmrm0": libtss2-tcti-/dev/tpmrm0.so.0: cannot open shared object file: No such file or directory 

It uses the conf (/dev/tpmrm0) for the name (should be libtss2-tcti-device.so.0).

For those entries of default tctis that do not have a .conf field, it is working correctly:

tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:255:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-default.so 
debug:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:115:handle_from_name() Could not load TCTI file "libtss2-tcti-default.so": libtss2-tcti-default.so: cannot open shared object file: No such file or directory 
debug:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/

So I'm currently searching for what might be causing this, esp. only on clang...

@AndreasFuchsTPM AndreasFuchsTPM added bug backport Issues to be backported to old-stable labels May 15, 2024
@AndreasFuchsTPM AndreasFuchsTPM added this to the 4.2.0 milestone May 15, 2024
@AndreasFuchsTPM
Member

I tried to reproduce on Raspberry Pi OS with clang version 11 and did not find the bug.

@salahcoronya Could you please run the following 3 commands and provide the log-files ?
(of course make sure that you have access to /dev/tpmrm0)

TSS2_LOG=tcti+trace tpm2_getrandom -Tdevice --hex 5
TSS2_LOG=tcti+trace tpm2_getrandom -Tdevice:/dev/tpmrm0 --hex 5
TSS2_LOG=tcti+trace tpm2_getrandom --hex 5

Thanks !

@salahcoronya
Contributor Author

Here are the results (tests 1 and 3 truncated because they produce huge log files of the same output):

TSS2_LOG=tcti+trace tpm2_getrandom -Tdevice --hex 5

test1.out.gz

TSS2_LOG=tcti+trace tpm2_getrandom -Tdevice:/dev/tpmrm0 --hex 5

test2.out.gz

TSS2_LOG=tcti+trace tpm2_getrandom --hex 5

test3.out.gz

@AndreasFuchsTPM
Member

Ok, so instead of loading the tcti-device it loads the tctildr recursively.

debug:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:255:tctildr_get_default() Attempting to connect using standard TCTI: Access libtss2-tcti-device.so.0 with /dev/tpmrm0 
trace:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:131:tcti_from_file() Attempting to load TCTI file: libtss2-tcti-device.so.0 
trace:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr.c:114:tcti_from_info() Attempting to load TCTI info 
trace:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr.c:121:tcti_from_info() Loaded TCTI info named: tctildr 

Could you provide the outputs of

nm /usr/local/lib/libtss2-tcti-device.so.0 | grep tcti
xxd -c 64 /usr/local/lib/libtss2-tcti-device.so.0 | grep -i tcti

Thanks a lot !

@salahcoronya
Contributor Author

Here's the output (note things are in a different place in my system, and the "Split debug" option is enabled)

salahx@gentoo-test-clang ~ $ nm /usr/lib/debug/usr/lib64/libtss2-tcti-device.so.0.0.0.debug | grep tcti
0000000000004230 T tcti_common_cancel_checks
0000000000004210 T tcti_common_context_cast
0000000000004220 T tcti_common_down_cast
0000000000004290 T tcti_common_receive_checks
00000000000042c0 T tcti_common_set_locality_checks
0000000000004260 T tcti_common_transmit_checks
0000000000004fc0 T tcti_device_cancel
0000000000004640 T tcti_device_context_cast
0000000000004650 T tcti_device_down_cast
0000000000004f90 T tcti_device_finalize
0000000000004fd0 T tcti_device_get_poll_handles
0000000000004750 T tcti_device_receive
0000000000005020 T tcti_device_set_locality
0000000000004660 T tcti_device_transmit
00000000000042f0 T tcti_make_sticky_not_implemented
0000000000008940 B tss2_tcti_info

salahx@gentoo-test-clang ~ $ xxd -c 64  /usr/lib/debug/usr/lib64/libtss2-tcti-device.so.0.0.0.debug | grep -i tcti

@AndreasFuchsTPM
Member

That makes no sense...

What does the strace say ?

strace -e file tpm2_getrandom --hex 5 2>&1| grep open

@salahcoronya
Contributor Author

Again, log truncated because they produce huge log files of the same output

strace -e file tpm2_getrandom --hex 5 2>&1| grep open

strace.out.gz

@salahcoronya
Contributor Author

If it helps, here's the output of the nm and xxd outputs without split debug:

salahx@gentoo-test-clang ~ $ nm /usr/lib64/libtss2-tcti-device.so.0 | grep tcti
0000000000004230 T tcti_common_cancel_checks
0000000000004210 T tcti_common_context_cast
0000000000004220 T tcti_common_down_cast
0000000000004290 T tcti_common_receive_checks
00000000000042c0 T tcti_common_set_locality_checks
0000000000004260 T tcti_common_transmit_checks
0000000000004fc0 T tcti_device_cancel
0000000000004640 T tcti_device_context_cast
0000000000004650 T tcti_device_down_cast
0000000000004f90 T tcti_device_finalize
0000000000004fd0 T tcti_device_get_poll_handles
0000000000004750 T tcti_device_receive
0000000000005020 T tcti_device_set_locality
0000000000004660 T tcti_device_transmit
00000000000042f0 T tcti_make_sticky_not_implemented
0000000000008940 D tss2_tcti_info
salahx@gentoo-test-clang ~ $ xxd -c 64  /usr/lib64/libtss2-tcti-device.so.0 | grep -i tcti

@JuergenReppSIT
Member

It would be interesting to see the combination of the tss trace and strace:
TSS2_LOG=tcti+trace strace -e file tpm2_getrandom -Tdevice --hex 5 2>&1 | grep "Attempting to load TCTI info" -A 2 -B 2
The loaded TCTI info should be taken from the file loaded before.

@salahcoronya
Contributor Author

Here it is (first 1,000 lines):
tsstrace-strace.out.gz

@JuergenReppSIT
Member

Thank you for the trace. The correct so file tcti-device is loaded with dlopen but the generated handle provides the information about tctildr.
strace showed that only /dev/tpm0 exists but with "Permission denied". Does the error also occur if /dev/tpm0 can be used?

@salahcoronya
Contributor Author

Here it is running as root, which can access /dev/tpm0:

tsstrace-strace-root.out.gz

@JuergenReppSIT
Member

JuergenReppSIT commented May 16, 2024

Thank you again for the trace. My assumption was wrong that tcti-device did access /dev/tpm0. The open in the trace was caused by dlopen /dev/tpm0.

@AndreasFuchsTPM
Member

AndreasFuchsTPM commented May 16, 2024

Ok, so my current suspicion is the following:
Tss2_Tcti_Info() is supposed to return a pointer to a struct.
In all of our tcti implementations, this struct is called tss2_tcti_info.
Now this symbol is exported in the data area.
My suspicion is now that the Tss2_Tcti_Info() function of tcti-device returns the tss2_tcti_info struct of tctildr instead of itself.
So, it is a problem of symbol resolution.

@salahcoronya Maybe you could check this by applying this patch:

diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c
index bfa6a94..3e7cd22 100644
--- a/src/tss2-tcti/tcti-device.c
+++ b/src/tss2-tcti/tcti-device.c
@@ -530,7 +530,7 @@ Tss2_Tcti_Device_Init (
     return TSS2_RC_SUCCESS;
 }
 
-const TSS2_TCTI_INFO tss2_tcti_info = {
+const TSS2_TCTI_INFO tss2_tcti_device_info = {
     .version = TCTI_VERSION,
     .name = "tcti-device",
     .description = "TCTI module for communication with Linux kernel interface.",
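Review bot: the renamed definition `const TSS2_TCTI_INFO tss2_tcti_device_info` is still a non-static global, so it remains an exported data symbol that the dynamic linker can resolve against another object; the rename avoids the clash only while no other loaded object defines the same name. If nothing outside tcti-device.c references the struct, declaring it `static const TSS2_TCTI_INFO ...` would take it out of dynamic symbol resolution entirely and would not need a per-TCTI name.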
@@ -542,5 +542,5 @@ const TSS2_TCTI_INFO tss2_tcti_info = {
 const TSS2_TCTI_INFO*
 Tss2_Tcti_Info (void)
 {
-    return &tss2_tcti_info;
+    return &tss2_tcti_device_info;
 }
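Review bot: `return &tss2_tcti_device_info;` now relies on a struct name that departs from the `tss2_tcti_info` name used before this change, and nothing in the hunk records why. A short comment above `Tss2_Tcti_Info` stating that the struct name must not collide with the one exported by tctildr would keep a later cleanup from renaming it back.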

and attempt again.

In the meantime, I've started setting up a gentoo-VM in parallel, but that might take some time, since my schedule is quite full and I haven't used gentoo since 2005...

Thanks for supporting in that matter !

P.S. if this ends up to be the problem, we will have to update all tctis, not just tcti-device...

@joholl
Collaborator

joholl commented May 16, 2024

Ok, this is what we know:

In tcti_from_file()

  • we print Attempting to load TCTI file: device
  • handle_from_name() actually gets passed "device"
  • we dlsym and call Tss2_Tcti_Info() on the loaded dl handle (which exists for all tctis, including tctildr)
  • on the loaded tcti info struct, we call tcti_from_info() which prints Loaded TCTI info named: tctildr

As @AndreasFuchsTPM said, this sounds like a namespace problem. I don't think your fix will solve the underlying issue. Yes, you can rename tss2_tcti_info to prevent a symbol conflict, but you cannot rename Tss2_Tcti_Info() (which will also create a symbol conflict).

We might have to use dlmopen(LM_ID_NEWLM, file_xfrm, RTLD_NOW);, see the man pages:

dlmopen()
       This function performs the same task as dlopen()—the filename and
       flags arguments, as well as the return value, are the same,
       except for the differences noted below.

       The dlmopen() function differs from dlopen() primarily in that it
       accepts an additional argument, lmid, that specifies the link-map
       list (also referred to as a namespace) in which the shared object
       should be loaded.  (By comparison, dlopen() adds the dynamically      <--- the problem?
       loaded shared object to the same namespace as the shared object
       from which the dlopen() call is made.)  The Lmid_t type is an
       opaque handle that refers to a namespace.

       The lmid argument is either the ID of an existing namespace
       (which can be obtained using the [dlinfo(3)](https://man7.org/linux/man-pages/man3/dlinfo.3.html) RTLD_DI_LMID request)
       or one of the following special values:

       LM_ID_BASE
              Load the shared object in the initial namespace (i.e., the
              application's namespace).

       LM_ID_NEWLM
              Create a new namespace and load the shared object in that
              namespace.  The object must have been correctly linked to
              reference all of the other shared objects that it
              requires, since the new namespace is initially empty.

@AndreasFuchsTPM
Member

So I did setup a KVM with a Gentoo livecd from today and a stage3 from today.
I did emerge clang which installs clang 17
I used clang17 to build tpm2-tss by hand and everything worked fine, I can call tpm2_getrandom --hex 5 and get the correct response.

@salahcoronya Could you provide me with information on how to setup a test-env for a KVM/libvirtd/virt-manager environment so that I could reproduce the issue here locally ?
Alternatively, we can post a few more patches here and you could apply and test them.

P.S. Is there a typical recent docker image that could be used in CI testing that you would recommend ?

@AndreasFuchsTPM
Member

We might have to use dlmopen(LM_ID_NEWLM, file_xfrm, RTLD_NOW);, see the man pages:

I always thought, that this was covered by

       RTLD_GLOBAL
              The symbols defined by this shared object will be made
              available for symbol resolution of subsequently loaded
              shared objects.

       RTLD_LOCAL                                                        <-----
              This is the converse of RTLD_GLOBAL, and the default if
              neither flag is specified.  Symbols defined in this shared
              object are not made available to resolve references in
              subsequently loaded shared objects.

But it seems like it's only a guarantee on the reverse of what we have here.

@salahcoronya
Contributor Author

I tried the patch. It works for "tpm2_getrandom -Tdevice --hex 5". It does not work if -Tdevice is not specified.
tsstrace-strace.out.gz
tsstrace-strace-nodev.out.gz

@salahcoronya
Contributor Author

salahcoronya commented May 16, 2024

I use a KVM VM myself for testing tpm2-tss. There are official docker images https://hub.docker.com/u/gentoo/. The only tricky part is tpm2-tss has to be compiled with clang and linked with lld, and gentoo uses gcc/ld.bfd by default. You'll need to set the "default-compiler-rt default-lld llvm-libunwind" USE flags on sys-devel/clang-common. Gentoo now has binary packages which should speed up the process: https://wiki.gentoo.org/wiki/Gentoo_Binary_Host_Quickstart . See https://wiki.gentoo.org/wiki/Clang to set up an environment file for tpm2-tss to compile with clang.

@JuergenReppSIT
Member

@salahcoronya Perhaps we could try explicitly specifying RTLD_LOCAL to ensure that the symbol scope is local.
Could you please also try this patch instead of the first patch?

diff --git a/src/tss2-tcti/tctildr-dl.c b/src/tss2-tcti/tctildr-dl.c
index d26219d2f..113e70262 100644
--- a/src/tss2-tcti/tctildr-dl.c
+++ b/src/tss2-tcti/tctildr-dl.c
@@ -108,7 +108,7 @@ handle_from_name(const char *file,
             LOG_ERROR("TCTI name truncated in transform.");
             return TSS2_TCTI_RC_BAD_VALUE;
         }
-        *handle = dlopen(file_xfrm, RTLD_NOW);
+        *handle = dlopen(file_xfrm, RTLD_LAZY | RTLD_LOCAL);
         if (*handle != NULL) {
             return TSS2_RC_SUCCESS;
         } else {
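Review bot: the `dlopen` line changes two things at once, replacing `RTLD_NOW` with `RTLD_LAZY` as well as adding `RTLD_LOCAL`. Per the man page text quoted earlier in this thread, `RTLD_LOCAL` is already the default when neither scope flag is given, so the only effective change is lazy binding, which moves unresolved function symbols from a NULL return checked right here to a failure at the first call into the TCTI. Using `RTLD_NOW | RTLD_LOCAL` would test the scope flag in isolation.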

@salahcoronya
Contributor Author

No go. Same result as before:
tsstrace-strace.out.gz

@AndreasFuchsTPM AndreasFuchsTPM modified the milestones: 4.2.0, 4.1.3 May 17, 2024
@AndreasFuchsTPM
Member

@salahcoronya I was able to reproduce this in KVM.
Could you test the commit in the linked PR ?
I'd then immediately roll a 4.1.3 release for you.

@salahcoronya
Contributor Author

Yes, it works (I also tested it with tpm2-abrmd. That works too).

@thesamesam

I'm a bit busy the next few days but if needed I can help figure out CI as it should be doable. Also, wonderful work - thank you all.

@AndreasFuchsTPM
Member

@thesamesam This would be highly appreciated.
We build our containers from this repo: https://github.com/tpm2-software/tpm2-software-container
Then we run the .ci/docker.run script from this project.
Maybe we can get the same setup running for gentoo ?

@AndreasFuchsTPM
Member

@salahcoronya 4.1.3 is released
I hope there isn't more coming...

@chopinrlz

Not sure if this is helpful, but I just also noticed this issue appear in the latest development build of the tpm2-tss on Ubuntu using GCC. It does NOT occur in release 4.1.3, however.
