** Description changed:

[ Impact ]

 * This is a change for hardware enablement.

 * On the NVIDIA Jetson Orin platforms (Nano, NX, and AGX) installed with
   candidate Ubuntu for Jetson images
   (Jammy: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/jammy/daily-preinstalled/
   Noble: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/noble/daily-preinstalled/),
   encrypt and decrypt operations using ECC or RSA through
   clevis-encrypt-tpm2 fail with the following error: "authorizations for
   objects subject to DA protection are not allowed at this time because
   the TPM is in DA lockout mode".

 * On the NVIDIA Jetson Orin platforms, the TPM (Trusted Platform Module)
   is an fTPM (firmware TPM), implemented as an OP-TEE Trusted
   Application. The "DA lockout" message does not mean the TPM has
   actually been hammered by a dictionary attack: when OP-TEE Secure
   Storage (which the tee-supplicant daemon serves) is unavailable, TPM
   NVRAM is unavailable, and the fTPM refuses every authorization, i.e.
   it locks everyone out.

 * This error is fixed by initializing the TPM properly: starting the
   TEE-supplicant first and only then loading the "tpm_ftpm_tee" kernel
   module, using a systemd drop-in file to override the TEE-supplicant
   initialization sequence. TEE-supplicant has been made a dependency of
   the "nvidia-tegra-defaults" package, so that it is installed in the
   Ubuntu for Jetson images.

[ Test Plan ]

 1. Install the candidate Ubuntu for Jetson image on a Jetson Orin device
    (Jammy: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/jammy/daily-preinstalled/manual/,
    Noble: https://cdimage.ubuntu.com/nvidia-tegra/ubuntu-server/noble/daily-preinstalled/current/).

 2. Run the commands below. Before the fix, for both cases (ECC and RSA)
    the following error is displayed: "authorizations for objects subject
    to DA protection are not allowed at this time because the TPM is in
    DA lockout mode".

    * ECC encrypt and decrypt:
```
$ sudo apt install clevis-tpm2 -y
$ sudo chmod 666 /dev/tpmrm0  # Only needed before updating the package, since the updated package runs this step.
$ rand=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c32768)
$ result=$(echo -n "$rand" | clevis-encrypt-tpm2 '{"hash": "sha256", "key":"ecc", "pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2)
$ [[ $result == "$rand" ]] && echo "The strings are the same" || echo "there was an error"
```
    * RSA encrypt and decrypt:
```
$ sudo apt install clevis-tpm2 -y
$ sudo chmod 666 /dev/tpmrm0  # Only needed before updating the package, since the updated package runs this step.
$ rand=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c32768)
$ result=$(echo -n "$rand" | clevis-encrypt-tpm2 '{"hash": "sha256", "key":"rsa", "pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2)
$ [[ $result == "$rand" ]] && echo "The strings are the same" || echo "there was an error"
```
    Note that "chmod 666 /dev/tpmrm0" makes the TPM resource-manager
    device readable and writable by every local user; the test relies on
    that to run clevis unprivileged.

    If the following error is displayed when testing the "Noble" version
    of this package: "A TPM2 device with the in-kernel resource manager
    is needed!", proceed with the steps described in bullet #3.

 3. If testing the "Noble" version of the package, ensure that the
    CONFIG_ARM_FFA_TRANSPORT kernel config symbol is set to "y":
```
$ grep CONFIG_ARM_FFA_TRANSPORT /boot/config-$(uname -r)
CONFIG_ARM_FFA_TRANSPORT=y
```
    If CONFIG_ARM_FFA_TRANSPORT is set to "m", the kernel can be updated
    by installing the `linux-nvidia-tegra-ppadev-jetson-devel` package as
    shown below. The Tegra Noble kernel is still under development, which
    is why the devel-daily kernel should be used to test this updated
    package on "Noble".
```
$ sudo add-apt-repository ppa:ubuntu-tegra/kernel-daily
$ sudo apt update
$ sudo apt install linux-nvidia-tegra-ppadev-jetson-devel
$ sudo reboot now
$ grep CONFIG_ARM_FFA_TRANSPORT /boot/config-$(uname -r)
CONFIG_ARM_FFA_TRANSPORT=y
```

 4. Then install the updated "nvidia-tegra-defaults" package.

 5. Rerun the "encrypt and decrypt" testing instructions described in
    bullet #2 and confirm that the tests now succeed.

 6. The "Questing" and "Plucky" versions of the package were tested on a
    "Noble" image, following the instructions described for "Noble".

[ Where problems could occur ]

 * If a user installs this package on a different platform which does not
   have the proper TEE support enabled in the kernel, the following
   message can be displayed when starting the tee-supplicant service:
   "failed to find an OP-TEE supplicant device".

 * If a user installs this package on a different platform which does not
   have "tpm_ftpm_tee" module support, the systemd drop-in will fail to
   load that kernel module.

 * If a user installs the package on a "Noble" environment which does not
   have CONFIG_ARM_FFA_TRANSPORT=y set, the TEE-supplicant service will
   not start, so before installing the "Noble" version of the package it
   is recommended to verify the CONFIG_ARM_FFA_TRANSPORT value as
   described in the test plan.

 * No additional problems should happen, since this fix only ensures that
   the TEE-supplicant is running before the "tpm_ftpm_tee" module is
   loaded.

[ Other Info ]

 * This tee/tpm initialization sequence was discussed in the following
   private bug: https://bugs.launchpad.net/riverside/+bug/2103405
+
+ * It is important to say that the fact of the Noble kernel being under
+ development is not a blocker for this SRU. The Jammy kernel does not
+ need extra configuration and is the only series for which a public
+ image has been released; for Noble, the relevant kernel is currently
+ private and should go public in the following weeks; it is currently
+ being tested using development images with private build
+ infrastructure (typically building on GH, using private PPAs). Finally,
+ as for the Questing and Plucky series, there are no plans to work on an
+ image for those.
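The following script is an added example (written for this page, not code from nvidia-tegra-defaults, clevis or NVIDIA) that turns the [ Impact ] explanation and the test plan into a repeatable check: it reads the TPM's inLockout flag, decides whether a lockout report is the init-order symptom described above (supplicant not running, module not loaded) rather than a genuine dictionary-attack lockout, and then runs the ECC and RSA clevis round trips from bullet #2. It assumes the OP-TEE daemon runs as the systemd unit tee-supplicant.service, that tpm2-tools is installed (clevis-tpm2 depends on it), and that `tpm2_getcap properties-variable` prints inLockout as 0/1 (older releases print clear/set, which it also accepts). The capability output embedded in it is constructed for the self-test, not captured from a Jetson.

```shell
#!/bin/sh
# ftpm-check.sh: preflight and clevis round-trip checks for the Jetson fTPM
# case in this bug. Added example; not part of nvidia-tegra-defaults.
# Assumed (not stated in the bug): the OP-TEE daemon is the systemd unit
# tee-supplicant.service, and tpm2-tools (tpm2_getcap) is installed.

# Constructed, abridged `tpm2_getcap properties-variable` output for a TPM
# reporting DA lockout; used only by the self-test, not captured on a device.
SAMPLE_LOCKED='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 1
  tpmGeneratedEPS:           0
  reserved2:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1'

# Print the inLockout flag (0 or 1) from tpm2_getcap properties-variable
# output, or "unknown" if the TPM2_PT_PERMANENT block is missing.
tpm_lockout_flag() {
    printf '%s\n' "$1" | awk '
        /^TPM2_PT_/ { inperm = ($1 == "TPM2_PT_PERMANENT:") }
        inperm && $1 == "inLockout:" {
            v = $2; if (v == "set") v = 1; if (v == "clear") v = 0
            print v; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Classify a lockout report. With the supplicant down the fTPM has no NV
# storage and reports DA lockout without any failed authorizations, so that
# case is an init-order problem, not something to clear with lockoutAuth.
classify_lockout() {
    flag=$1 supplicant=$2 module=$3
    if [ "$flag" = 0 ]; then echo ok
    elif [ "$supplicant" != active ]; then echo "init-order: tee-supplicant not running"
    elif [ "$module" != loaded ]; then echo "init-order: tpm_ftpm_tee not loaded"
    elif [ "$flag" = 1 ]; then echo "lockout with supplicant up: check TPM2_PT_LOCKOUT_COUNTER / TPM2_PT_MAX_AUTH_FAIL"
    else echo "unknown: tpm2_getcap output not recognised"
    fi
}

# Live preflight: the order the fix establishes is supplicant first, module
# second, so check those before trusting what the TPM says about lockout.
ftpm_preflight() {
    sup=$(systemctl is-active tee-supplicant.service 2>/dev/null || true)
    if grep -q '^tpm_ftpm_tee ' /proc/modules; then mod=loaded; else mod=missing; fi
    [ -e /dev/tpmrm0 ] || { echo "no /dev/tpmrm0: in-kernel resource manager missing"; return 1; }
    [ -w /dev/tpmrm0 ] || echo "warning: /dev/tpmrm0 not writable by $(id -un); run as root or open the device as the test plan does"
    caps=$(tpm2_getcap properties-variable 2>&1) || { echo "tpm2_getcap failed: $caps"; return 1; }
    verdict=$(classify_lockout "$(tpm_lockout_flag "$caps")" "$sup" "$mod")
    echo "tee-supplicant=$sup tpm_ftpm_tee=$mod verdict=$verdict"
    [ "$verdict" = ok ]
}

# Compare plaintext and decrypted output by digest instead of a 32 KiB
# string comparison; an empty result (clevis failed in a pipeline) is a failure.
same_payload() {
    [ -n "$2" ] && [ "$(printf '%s' "$1" | sha256sum)" = "$(printf '%s' "$2" | sha256sum)" ]
}

# One clevis round trip with the same pin configuration as the test plan.
clevis_roundtrip() {
    key=$1   # ecc or rsa
    cfg="{\"hash\":\"sha256\",\"key\":\"$key\",\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1\"}"
    plain=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32768)
    jwe=$(printf '%s' "$plain" | clevis-encrypt-tpm2 "$cfg") || { echo "$key: encrypt failed"; return 1; }
    out=$(printf '%s' "$jwe" | clevis-decrypt-tpm2) || { echo "$key: decrypt failed"; return 1; }
    same_payload "$plain" "$out" && echo "$key: round trip ok"
}

case "${1:-}" in
    preflight) ftpm_preflight ;;
    roundtrip) ftpm_preflight && clevis_roundtrip ecc && clevis_roundtrip rsa ;;
    "") ;;   # no action: only define the functions (e.g. when sourced)
    *) echo "usage: $0 preflight|roundtrip" >&2; exit 2 ;;
esac
```

Run `sh ftpm-check.sh preflight` before and after installing the updated package: before the fix it should report the init-order verdict rather than a plain lockout, and after it `sh ftpm-check.sh roundtrip` should print "ecc: round trip ok" and "rsa: round trip ok". A verdict of "lockout with supplicant up" means the ordering fix is in place and the TPM's DA state needs to be examined on its own terms.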
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2119159

Title:
  [SRU] [Nano] [Agx] [Nx] DA Lockout issues when performing encrypt and
  decrypt operations using ECC or RSA through clevis-encrypt-tpm2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvidia-tegra-defaults/+bug/2119159/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
