** Description changed: [ Impact ] * This is a change for hardware enablement. - * On the NVIDIA Jetson Orin platforms (Nano, NX, and AGX) installed with candidate Ubuntu for Jetson images (Jammy: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/jammy/daily-preinstalled/ Noble: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/noble/daily-preinstalled/), when performing encrypt and decrypt operations using ECC or RSA through clevis-encrypt-tpm2, the following error is displayed: "authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode". - * On the NVIDIA Jetson Orin platforms, the TPM (Trusted Platform Module) is an fTPM (Firmware TPM), implemented as an OP-TEE Trusted Application. The "DA Lockout" message is not actually been hammered by a dictionary attack, but when OP-TEE Secure Storage is unavailable, TPM NVRAM is unavailable so the system locks everyone out. - * This error will be fixed properly initializing the TPM, by first starting the TEE-supplicant and then installing the "tpm_ftpm_tee" module, using a system-d Drop-In file to override the TEE-supplicant initialization sequence. TEE-supplicant has been set as a dependency of the "nvidia-tegra-defaults" package, for it to be installed in the Ubuntu for Jetson images. + + * On the NVIDIA Jetson Orin platforms (Nano, NX, and AGX) installed with + candidate Ubuntu for Jetson images (Jammy: + https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/jammy/daily- + preinstalled/ Noble: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu- + server/noble/daily-preinstalled/), when performing encrypt and decrypt + operations using ECC or RSA through clevis-encrypt-tpm2, the following + error is displayed: "authorizations for objects subject to DA protection + are not allowed at this time because the TPM is in DA lockout mode". 
+ + * On the NVIDIA Jetson Orin platforms, the TPM (Trusted Platform Module) + is an fTPM (Firmware TPM), implemented as an OP-TEE Trusted Application. + The "DA Lockout" message is not actually been hammered by a dictionary + attack, but when OP-TEE Secure Storage is unavailable, TPM NVRAM is + unavailable so the system locks everyone out. + + * This error will be fixed properly initializing the TPM, by first + starting the TEE-supplicant and then installing the "tpm_ftpm_tee" + module, using a system-d Drop-In file to override the TEE-supplicant + initialization sequence. TEE-supplicant has been set as a dependency of + the "nvidia-tegra-defaults" package, for it to be installed in the + Ubuntu for Jetson images. [ Test Plan ] 1. Install the candidate Ubuntu for Jetson image on a Jetson Orin device (Jammy: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu- server/jammy/daily-preinstalled/manual/, Noble: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/noble/daily- preinstalled/current/). 2. Run the commands below, for both cases (ECC and RSA) the following error will be displayed: "authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode". * ECC encrypt and decrypt: ``` $ sudo apt install clevis-tpm2 -y - $ sudo chmod 666 /dev/tpmrm0 + + $ sudo chmod 666 /dev/tpmrm0 #This is only needed before updating + the package, since the updated package runs this step. + $ rand=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c32768) $ result=$(echo -n $rand | clevis-encrypt-tpm2 '{"hash": "sha256", "key":"ecc", "pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2) $ [[ $result == $rand ]] && echo "The strings are the same" || echo "there was an error" ``` * RSA encrypt and decrypt: ``` $ sudo apt install clevis-tpm2 -y - $ sudo chmod 666 /dev/tpmrm0 + + $ sudo chmod 666 /dev/tpmrm0 #This is only needed before updating + the package, since the updated package runs this step. 
+ $ rand=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c32768) $ result=$(echo -n $rand | clevis-encrypt-tpm2 '{"hash": "sha256", "key":"rsa", "pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2) $ [[ $result == $rand ]] && echo "The strings are the same" || echo "there was an error" ``` If the following error is displayed when testing the "Noble" version of this package: "A TPM2 device with the in-kernel resource manager is needed!", proceed with the steps described in bullet #3. 3. If testing the "Noble" version of the package, ensure to have the CONFIG_ARM_FFA_TRANSPORT Kernel config symbol set to "y". ``` $ grep CONFIG_ARM_FFA_TRANSPORT /boot/config-$(uname -r) CONFIG_ARM_FFA_TRANSPORT=y ``` If CONFIG_ARM_FFA_TRANSPORT is set to "m" the Kernel can be updated by installing the `linux-nvidia-tegra-ppadev-jetson-devel` package as shown below. ``` $ sudo add-apt-repository ppa:ubuntu-tegra/kernel-daily $ sudo apt update $ sudo apt install linux-nvidia-tegra-ppadev-jetson-devel $ sudo reboot now $ grep CONFIG_ARM_FFA_TRANSPORT /boot/config-$(uname -r) CONFIG_ARM_FFA_TRANSPORT=y ``` 4. Then, proceed installing the updated "nvidia-tegra-defaults" package. 5. Rerun the "encrypt and decrypt" testing instructions described on bullet #2 and confirm that now the tests succeed. 6. The "Questing" version of the package was tested on a "Noble" image following described the instructions for "Noble". [ Where problems could occur ] - * If a user installs this package on a different platform which doesn't has the proper TEE support enabled in the Kernel, the following message can be displayed when starting the tee-supplicant service: "failed to find an OP-TEE supplicant device". - * If a user installs this package on a different platform which doesn't has the "tpm_ftpm_tee" module support, the system-d Drop-In will fail to install such Kernel module. 
- * No additional problems should happen since this fix only ensures that the TEE-supplicant is running before installing the "tpm_ftpm_tee" module. + * If a user installs this package on a different platform which doesn't + has the proper TEE support enabled in the Kernel, the following message + can be displayed when starting the tee-supplicant service: "failed to + find an OP-TEE supplicant device". + + * If a user installs this package on a different platform which doesn't + has the "tpm_ftpm_tee" module support, the system-d Drop-In will fail to + install such Kernel module. + + * If user installs the package on a "Noble" environment which does not + have the CONFIG_ARM_FFA_TRANSPORT=y set, the TEE-supplicant service will + not be started, so, before installing the "Noble" version of the package + it is recommended to verify the CONFIG_ARM_FFA_TRANSPORT value as + suggested in the test plan. + + * No additional problems should happen since this fix only ensures that + the TEE-supplicant is running before installing the "tpm_ftpm_tee" + module. [ Other Info ] * This tee/tpm initialization sequence was discussed in the following private bug: https://bugs.launchpad.net/riverside/+bug/2103405
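Review bot: the test plan's `sudo chmod 666 /dev/tpmrm0`, and especially the new comment that "the updated package runs this step", belongs under [ Where problems could occur ] rather than only in a test-plan comment: mode 666 makes the TPM resource manager readable and writable by every local account on the device, which is a change to the system's access policy and not merely a test convenience, so the description should say why the package does this and consider restricting access to a dedicated group (the tss group that tpm2 tooling conventionally uses, with the test user added to it) instead of world read/write. The drop-in mechanism is also undocumented in the [ Impact ] text: name the unit the "system-d Drop-In file" overrides and the ordering and dependency directives it adds (and where tpm_ftpm_tee gets loaded), so a reviewer can confirm that tee-supplicant is actually up, not just started earlier, before the module probes the fTPM.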
** Description changed: [ Impact ] * This is a change for hardware enablement. * On the NVIDIA Jetson Orin platforms (Nano, NX, and AGX) installed with candidate Ubuntu for Jetson images (Jammy: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/jammy/daily- preinstalled/ Noble: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu- server/noble/daily-preinstalled/), when performing encrypt and decrypt operations using ECC or RSA through clevis-encrypt-tpm2, the following error is displayed: "authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode". * On the NVIDIA Jetson Orin platforms, the TPM (Trusted Platform Module) is an fTPM (Firmware TPM), implemented as an OP-TEE Trusted Application. The "DA Lockout" message is not actually been hammered by a dictionary attack, but when OP-TEE Secure Storage is unavailable, TPM NVRAM is unavailable so the system locks everyone out. * This error will be fixed properly initializing the TPM, by first starting the TEE-supplicant and then installing the "tpm_ftpm_tee" module, using a system-d Drop-In file to override the TEE-supplicant initialization sequence. TEE-supplicant has been set as a dependency of the "nvidia-tegra-defaults" package, for it to be installed in the Ubuntu for Jetson images. [ Test Plan ] 1. Install the candidate Ubuntu for Jetson image on a Jetson Orin device (Jammy: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu- server/jammy/daily-preinstalled/manual/, Noble: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/noble/daily- preinstalled/current/). 2. Run the commands below, for both cases (ECC and RSA) the following error will be displayed: "authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode". * ECC encrypt and decrypt: ``` $ sudo apt install clevis-tpm2 -y $ sudo chmod 666 /dev/tpmrm0 #This is only needed before updating the package, since the updated package runs this step. 
$ rand=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c32768) $ result=$(echo -n $rand | clevis-encrypt-tpm2 '{"hash": "sha256", "key":"ecc", "pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2) $ [[ $result == $rand ]] && echo "The strings are the same" || echo "there was an error" ``` * RSA encrypt and decrypt: ``` $ sudo apt install clevis-tpm2 -y $ sudo chmod 666 /dev/tpmrm0 #This is only needed before updating the package, since the updated package runs this step. $ rand=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c32768) $ result=$(echo -n $rand | clevis-encrypt-tpm2 '{"hash": "sha256", "key":"rsa", "pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2) $ [[ $result == $rand ]] && echo "The strings are the same" || echo "there was an error" ``` If the following error is displayed when testing the "Noble" version of this package: "A TPM2 device with the in-kernel resource manager is needed!", proceed with the steps described in bullet #3. 3. If testing the "Noble" version of the package, ensure to have the CONFIG_ARM_FFA_TRANSPORT Kernel config symbol set to "y". ``` $ grep CONFIG_ARM_FFA_TRANSPORT /boot/config-$(uname -r) CONFIG_ARM_FFA_TRANSPORT=y ``` If CONFIG_ARM_FFA_TRANSPORT is set to "m" the Kernel can be updated by installing the `linux-nvidia-tegra-ppadev-jetson-devel` package as shown below. ``` $ sudo add-apt-repository ppa:ubuntu-tegra/kernel-daily $ sudo apt update $ sudo apt install linux-nvidia-tegra-ppadev-jetson-devel $ sudo reboot now $ grep CONFIG_ARM_FFA_TRANSPORT /boot/config-$(uname -r) CONFIG_ARM_FFA_TRANSPORT=y ``` 4. Then, proceed installing the updated "nvidia-tegra-defaults" package. - 5. Rerun the "encrypt and decrypt" testing instructions described on bullet #2 and confirm that now the tests succeed. - 6. The "Questing" version of the package was tested on a "Noble" image following described the instructions for "Noble". + 5. 
Rerun the "encrypt and decrypt" testing instructions described on + bullet #2 and confirm that now the tests succeed. + + 6. The "Questing" and "Plucky" versions of the package were tested on a + "Noble" image following described the instructions for "Noble". [ Where problems could occur ] * If a user installs this package on a different platform which doesn't has the proper TEE support enabled in the Kernel, the following message can be displayed when starting the tee-supplicant service: "failed to find an OP-TEE supplicant device". * If a user installs this package on a different platform which doesn't has the "tpm_ftpm_tee" module support, the system-d Drop-In will fail to install such Kernel module. * If user installs the package on a "Noble" environment which does not have the CONFIG_ARM_FFA_TRANSPORT=y set, the TEE-supplicant service will not be started, so, before installing the "Noble" version of the package it is recommended to verify the CONFIG_ARM_FFA_TRANSPORT value as suggested in the test plan. * No additional problems should happen since this fix only ensures that the TEE-supplicant is running before installing the "tpm_ftpm_tee" module. [ Other Info ] * This tee/tpm initialization sequence was discussed in the following private bug: https://bugs.launchpad.net/riverside/+bug/2103405
-- 
https://bugs.launchpad.net/bugs/2119159
Title: [SRU] [Nano] [Agx] [Nx] DA Lockout issues when performing encrypt and decrypt operations using ECC or RSA through clevis-encrypt-tpm2
-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
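Review bot: in the new item 6, "following described the instructions for "Noble"" should read "following the instructions described for "Noble""; more substantively, verifying the "Questing" and "Plucky" package versions on a "Noble" image only exercises the Noble kernel, while step 3 and the [ Where problems could occur ] section state that the tee-supplicant service depends on the running kernel's CONFIG_ARM_FFA_TRANSPORT=y setting, so the test plan should record which kernel (and its CONFIG_ARM_FFA_TRANSPORT value) each of those two versions was actually verified against, or state that the Questing and Plucky kernels were not tested.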
