Re: TPM error 0x0901, possibly related to TPM2_PT_CONTEXT_GAP_MAX

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu Apr 4, 2024 at 5:19 AM EEST, William Brown wrote:
> Hi all,
>
> I've been recently working on enabling TPM support within a number of PAM modules. I'm certainly not a TPM expert, but I have noticed some issues when testing.
>
> We have a number of tests/examples in the rust-tss-esapi project, such as an example that shows how to hmac a value:
>
> ```
> # TCTI=device:/dev/tpmrm0 cargo run --example hmac --features generate-bindings
>     Finished dev [unoptimized + debuginfo] target(s) in 0.07s
>      Running `target/debug/examples/hmac`
> true: TpmProperties(TaggedTpmPropertyList { tagged_tpm_properties: [] })
> hmac1 = Digest(Zeroizing([54, 176, 122, 39, 222, 112, 105, 131, 3, 158, 89, 12, 38, 14, 184, 176, 97, 38, 60, 37, 9, 49, 176, 80, 191, 161, 64, 233, 163, 47, 254, 1]))
> hmac2 = Digest(Zeroizing([54, 176, 122, 39, 222, 112, 105, 131, 3, 158, 89, 12, 38, 14, 184, 176, 97, 38, 60, 37, 9, 49, 176, 80, 191, 161, 64, 233, 163, 47, 254, 1]))
> ```
>
> When this test program is run repeatedly, it begins to fail with:
>
> ERROR:tcti:src/tss2-tcti/tcti-device.c:197:tcti_device_receive() Failed to get response size fd 3, got errno 14: Bad address
> ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:238:Esys_FlushContext_Finish() Received a non-TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:89:Esys_FlushContext() Esys Finish ErrorCode (0x000a000a)
> thread 'main' panicked at tss-esapi/examples/hmac.rs:170:48:
> called `Result::unwrap()` on an `Err` value: TssError(Tcti(TctiReturnCode { base_error: IoError }))
> stack backtrace:
>
> This is associated with dmesg erros such as:
>
> [83754.340909] tpm tpm0: tpm2_save_context: failed with a TPM error 0x0901
> [83754.343680] tpm tpm0: A TPM error (459) occurred flushing context
> [83754.345650] tpm tpm0: tpm2_commit_space: error -14

0x0901 is TPM_RC_CONTEXT_GAP, which means according to TCG spec that:

"This response code can be returned for commands that manage session
contexts. It indicates that the gap between the lowest numbered active session
and the highest numbered session is at the limits of the session tracking logic.
The remedy is to load the session context with the lowest number so that its
tracking number can be updated."

Since the code is accessing /dev/tpm0 and not /dev/tpmrm0 this issue
should be mitigated by the user space resource manager.

[1] Section 6.2 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-3-Commands.pdf

BR, Jarkko
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux