Hi Adrian, Issac, John,

I would like to sincerely apologise for the unacceptable delay of nearly one year on this bug. It really is too long.

I'm going to make this my top priority from now on, so please bear with me, and let's get this fixed as quickly as we can, while doing everything properly.

I have been working on this bug for the past week or two, and I have some progress to share.

You are likely very well aware of the upstream issue I have been working on for the past year:
https://github.com/tpm2-software/tpm2-tss/issues/2889

Juergen Repp had written a fix / workaround in the form of:

commit 00c1c2b8a81dedd2edfd283b76ec108947d4f13a
From: Juergen Repp <[email protected]>
Date: Sat, 28 Sep 2024 10:50:06 +0200
Subject: Options: Add option to allow usage of password session.
Link: https://github.com/tpm2-software/tpm2-tools/commit/00c1c2b8a81dedd2edfd283b76ec108947d4f13a

I have now completed backporting this to version 5.2 in jammy. A copy of the patch is here:
https://paste.ubuntu.com/p/b7f34GBZZr/

I then wrote a patch which checks if FIPS mode is enabled, and if it is, enables the new --pwd-session flag by default. A copy of the patch is here:
https://paste.ubuntu.com/p/SDSK5GyQTd/

I did some tests, and it seems to work okay:

BEFORE:

$ sudo tpm2 clear
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run clear

AFTER:

$ sudo tpm2 clear
WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.

BEFORE:

$ sudo tpm2_nvdefine -s 64 0x1500016
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:234:Esys_NV_DefineSpace_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:99:Esys_NV_DefineSpace() Error in async function ErrorCode (0x00070001)
ERROR: Failed to define NV area at index 0x1500016
ERROR: Esys_NV_DefineSpace(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Failed to create NV index 0x1500016.
ERROR: Unable to run tpm2_nvdefine
$ cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 64 > key.txt
$ sudo tpm2_nvwrite -i key.txt 0x1500016
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_Write.c:212:Esys_NV_Write_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_Write.c:87:Esys_NV_Write() Error in async function ErrorCode (0x00070001)
ERROR: Failed to write NV area at index 0x1500016
ERROR: Tss2_Sys_NV_Write(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_nvwrite
$ sudo tpm2_nvread 0x1500016
WARN: Reading full size of the NV index
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:206:Esys_NV_Read_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:82:Esys_NV_Read() Error in async function ErrorCode (0x00070001)
ERROR: Esys_NV_Read(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Failed to read NVRAM area at index 0x1500016
ERROR: Unable to run tpm2_nvread

AFTER:

$ sudo tpm2_nvdefine -s 64 0x1500016
WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.
nv-index: 0x1500016
$ cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 64 > key.txt
$ sudo tpm2_nvwrite -i key.txt 0x1500016
WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.
$ sudo tpm2_nvread 0x1500016
WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.
WARN: Reading full size of the NV index
84G6vhoY4JTOa11P5tcmtMSPbUlhOHB4DhBldt5SQxoMbTKoDtTsFvbZZOs9Chj3

And of course, LUKS and clevis with TPM bind:

BEFORE:

$ sudo clevis luks bind -d /dev/vdc tpm2 '{"hash":"sha256","pcr_bank":"sha256","key":"rsa","pcr_ids":"0,2,4,7"}}'
Enter existing LUKS password:
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:244:Esys_CreatePrimary_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:110:Esys_CreatePrimary() Error in async function ErrorCode (0x00070001)
ERROR: Esys_CreatePrimary(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_createprimary
Creating TPM2 primary key failed!
Invalid input!
Usage: jose jwe fmt -i JWE [-I CT] [-o JWE] [-O CT] [-c]
Failed to import token from file.
Error saving metadata to LUKS2 header in device /dev/vdc
Unable to update metadata; operation cancelled
Error adding new binding to /dev/vdc

AFTER:

$ sudo clevis luks bind -d /dev/vdc tpm2 '{"hash":"sha256","pcr_bank":"sha256","key":"rsa","pcr_ids":"0,2,4,7"}}'
Enter existing LUKS password:
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.
WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.
WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.
WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.
WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.

It did succeed. I haven't tested it any further. I will do that in the coming days. Also on my todo list is to try systemd-cryptenroll.

Now, since I am enabling --pwd-session by default, I did add the warning message:

WARN: FIPS mode enabled. Enabling pwd-session usage. Disable with --disable-pwd-session if necessary.

I am looking for feedback on this. It goes to stderr, and shouldn't get in the way. If you dislike it, let me know and I will remove it.

I have some test packages for you to try if you wish. Please use them in a VM to test out the new changes, and please don't run this in production just yet.

Please note this package is NOT SUPPORTED by Canonical, and is for TESTING PURPOSES ONLY. ONLY install in a dedicated test environment.

Instructions to install (on a jammy system):

1) sudo add-apt-repository ppa:mruffell/lp2074270-test
2) sudo apt update
3) sudo apt install tpm2-tools
4) sudo apt-cache policy tpm2-tools | grep Installed
   Installed: 5.2-1ubuntu0.0+lp2074270v20250630b2

Try out the test package, and let me know how it goes.

Again, I apologise for the delay, and I will work on getting this resolved as soon as I can.

Thanks,
Matthew

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2074270

Title:
  tpm2_tools error 0x70001 with fips-updates on 22.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tpm2-tools/+bug/2074270/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
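As an added example (not part of Matthew's message or of the tpm2-tools patches he links), here is a small POSIX sh wrapper that does what the FIPS-detection patch is described as doing: it reads the kernel FIPS flag, passes --pwd-session when the flag is set, and recognises the 0x00070001 HMAC failure shown in the BEFORE output above so an operator can tell this bug apart from other tpm2 errors. It assumes every tpm2 tool accepts --pwd-session, and it takes the flag-file path as a parameter (default /proc/sys/crypto/fips_enabled) so the decision logic can be exercised against a constructed file without a TPM.

```shell
#!/bin/sh
# Added example, not the tpm2-tools patch: a FIPS-aware wrapper for tpm2 tools.
# Assumption: the tools accept --pwd-session (the option from the backported commit).

# fips_enabled [FILE]: succeed when FILE (default /proc/sys/crypto/fips_enabled)
# reads "1", i.e. the kernel (and so OpenSSL) is running in FIPS mode.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# tpm2_session_args [FILE]: print the option to add under FIPS, nothing otherwise.
# A password session sends the auth value to the TPM in the clear instead of
# proving it with an HMAC, which is the trade-off the FIPS default makes.
tpm2_session_args() {
    if fips_enabled "$1"; then
        printf '%s' '--pwd-session'
    fi
}

# is_fips_hmac_failure TEXT: succeed when TEXT contains the esys error this bug
# is about (HMAC session setup rejected in iesys_cryptossl_hmac_start).
is_fips_hmac_failure() {
    printf '%s' "$1" | grep -q 'iesys_cryptossl_hmac_start() ErrorCode (0x00070001)'
}

# run_tpm2 TOOL [ARGS...]: run a tpm2 tool with the FIPS-appropriate session
# option, forward its stderr, and explain the failure when it is this bug.
# Needs real TPM access; the functions above do not.
run_tpm2() {
    tool="$1"; shift
    errf=$(mktemp)
    "$tool" $(tpm2_session_args) "$@" 2>"$errf"
    rc=$?
    cat "$errf" >&2
    if [ "$rc" -ne 0 ] && is_fips_hmac_failure "$(cat "$errf")"; then
        echo "$tool: HMAC session rejected by OpenSSL in FIPS mode (LP #2074270);" \
             "use --pwd-session or the patched tpm2-tools" >&2
    fi
    rm -f "$errf"
    return "$rc"
}
```

Source the file and call, for example, `run_tpm2 tpm2_nvread 0x1500016` on a jammy FIPS system to see the option being added automatically.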
