tpm2_createpolicy keeps dangling loaded session #3427

Open
oldium opened this issue Oct 5, 2024 · 4 comments · May be fixed by #3429
Comments

@oldium

oldium commented Oct 5, 2024

When tpm2_createpolicy is called with --policy-pcr, it requires an output file (policy) to be specified, but at the same time it creates and keeps a loaded session of type TPM2_SE_TRIAL.

Reproduction:

```
#> export TPM2TOOLS_TCTI=device:/dev/tpm0
#> tpm2_createpolicy --policy-pcr -l sha256:10 -L pcr.policy
372defeded4318e0ebc658590e25e0c7c9871bf037881739d39e14e4934151f3
#> tpm2_getcap handles-loaded-session
- 0x3000000
```

When called multiple times, the call fails on:

```
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x00000903)
ERROR: Esys_StartAuthSession(0x903) - tpm:warn(2.0): out of memory for session contexts
ERROR: Unable to run tpm2_createpolicy
```

Is this intentional? Is it required to call tpm2_flushcontext -l every time tpm2_createpolicy is called on a raw TPM device or on a software-emulated TPM (swtpm)? This does not happen on /dev/tpmrm0, though (as expected).

@JuergenReppSIT
Member

Yes, tpm2_flushcontext is needed here. Autoflush (-R) is only implemented for key objects.
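For anyone hitting this from a script on a raw `/dev/tpm0` or swtpm, here is an added example (not code from tpm2-tools or clevis) of the wrapper-and-audit pattern the thread converges on: run `tpm2_createpolicy`, flush loaded sessions afterwards, and detect both the leftover handles from `tpm2_getcap handles-loaded-session` and the `0x903` exhaustion error. The function names are my own; the tool invocations assume tpm2-tools is on `PATH`.

```sh
#!/bin/sh
# Added example, not part of tpm2-tools or clevis.

# Count loaded session handles in the output of
# `tpm2_getcap handles-loaded-session`, read from stdin.
# Each handle is printed as "- 0x........"; 0x02xxxxxx is an HMAC
# session and 0x03xxxxxx a policy session (the trial session here).
count_loaded_sessions() {
    grep -c -E '^- 0x[0-9a-fA-F]+' || true
}

# Return 0 if the given tool stderr shows TPM_RC_SESSION_MEMORY (0x903),
# i.e. the TPM has no free session slot because earlier sessions were
# never flushed. This is the failure mode seen in the issue.
is_session_exhaustion() {
    printf '%s\n' "$1" | grep -q -E \
        'Esys_StartAuthSession\(0x903\)|out of memory for session contexts'
}

# Audit helper: succeed only when no session handle is loaded.
# Useful as a post-condition in a provisioning script.
no_dangling_sessions() {
    n=$(tpm2_getcap handles-loaded-session | count_loaded_sessions)
    [ "$n" -eq 0 ]
}

# Run tpm2_createpolicy and always flush loaded sessions afterwards so the
# TPM2_SE_TRIAL session is not left behind. Preserves the tool's exit code.
# Note: -l flushes every loaded session on the device, not just ours; a raw
# device has no per-client isolation, unlike /dev/tpmrm0.
createpolicy_flushed() {
    tpm2_createpolicy "$@"
    rc=$?
    tpm2_flushcontext -l
    return "$rc"
}
```

Call `createpolicy_flushed --policy-pcr -l sha256:10 -L pcr.policy` in place of the bare tool and follow it with `no_dangling_sessions || echo "session leak"` to catch regressions.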

@oldium
Author

oldium commented Oct 5, 2024

Ok, thanks, and also thanks for the fast response 😊

@oldium
Author

oldium commented Oct 5, 2024

I found one strange behaviour. Compare the following:

```
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x00000903)
ERROR: Esys_StartAuthSession(0x903) - tpm:warn(2.0): out of memory for session contexts
ERROR: Unable to run tpm2_create
```

This happens in the clevis tool, which calls both tpm2_createpolicy and tpm2_create. The difference is that tpm2_createpolicy keeps a dangling loaded session, while tpm2_create does not. I would expect that tpm2_createpolicy also cleans up the session after usage like tpm2_create does. Right?

oldium added a commit to oldium/clevis that referenced this issue Oct 5, 2024
Clevis cleans the context regularly from transient objects by invoking
`tpm2_flushcontext -t`, but there is one case which Clevis omits. The
`tpm2_createpolicy` command loads a new session and this needs to be cleaned
by a call to `tpm2_flushcontext -l`, see [1].

This is usually not an issue when a resource manager is used (i.e. with the
`/dev/tpmrm0` device), but when the raw TPM device `/dev/tpm0` or a software TPM
(swtpm) without a resource manager is used, the usage of clevis ends with
the following error:

```
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x00000903)
ERROR: Esys_StartAuthSession(0x903) - tpm:warn(2.0): out of memory for session contexts
```

[1] tpm2-software/tpm2-tools#3427

Signed-off-by: Oldřich Jedlička <[email protected]>
@JuergenReppSIT
Member

@oldium yes, you are right, it makes no sense to keep the session which is just used to compute the policy digest. I will create a PR which flushes the session in this case. And I think an option to save the session context should also be added if --policy-session is used.

oldium added a commit to oldium/clevis that referenced this issue Oct 6, 2024
sarroutbi pushed a commit to latchset/clevis that referenced this issue Oct 8, 2024
JuergenReppSIT added a commit to JuergenReppSIT/tpm2-tools that referenced this issue Oct 12, 2024
The created session is flushed if a trial policy is only used to compute
the policy digest.
Fixes: tpm2-software#3427

Signed-off-by: Juergen Repp <[email protected]>