Bug 1769215

Summary: tpm2-abrmd[3026]: ERROR:tcti:src/tss2-tcti/tcti-device.c:439:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
Product: [Fedora] Fedora Reporter: Mikhail <mikhail.v.gavrilov>
Component: tpm2-abrmdAssignee: Yunying Sun <yunying.sun>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: adpacifico, alciregi, bugzilla, craig48, djuran, fmartine, jsnitsel, philip.b.tricca, robatino, simon.bachenberg, yunying.sun
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tpm2-abrmd-2.2.0-4.fc31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-18 20:54:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
$ journalctl -u tpm2-abrmd.service -b none

Description Mikhail 2019-11-06 07:59:03 UTC
Created attachment 1633223 [details]
$ journalctl -u tpm2-abrmd.service -b

Description of problem:

Nov 06 01:20:43 localhost.localdomain systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Nov 06 01:20:43 localhost.localdomain tpm2-abrmd[3026]: ERROR:tcti:src/tss2-tcti/tcti-device.c:439:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
Nov 06 01:20:43 localhost.localdomain tpm2-abrmd[3026]: failed to initialize device TCTI context: 0xa000a
Nov 06 01:20:43 localhost.localdomain tpm2-abrmd[3026]: init_thread_func: failed to create TCTI with name "libtss2-tcti-device.so.0" and conf "(null)"
Nov 06 01:20:43 localhost.localdomain tpm2-abrmd[3026]: g_bus_unown_name: assertion 'owner_id > 0' failed
Nov 06 01:20:43 localhost.localdomain systemd[1]: tpm2-abrmd.service: Main process exited, code=exited, status=1/FAILURE
Nov 06 01:20:43 localhost.localdomain systemd[1]: tpm2-abrmd.service: Failed with result 'exit-code'.
Nov 06 01:20:43 localhost.localdomain systemd[1]: Failed to start TPM2 Access Broker and Resource Management Daemon.
Nov 06 01:20:48 localhost.localdomain systemd[1]: tpm2-abrmd.service: Service RestartSec=5s expired, scheduling restart.
Nov 06 01:20:48 localhost.localdomain systemd[1]: tpm2-abrmd.service: Scheduled restart job, restart counter is at 1.
Nov 06 01:20:49 localhost.localdomain systemd[1]: Stopped TPM2 Access Broker and Resource Management Daemon.



Version-Release number of selected component (if applicable):
$ rpm -q tpm2-abrmd
tpm2-abrmd-2.2.0-2.fc31.x86_64


How reproducible:
Always.

Comment 1 Yunying Sun 2019-11-06 09:08:32 UTC
According to this line, it seems there's no tpm device available on your machine:
ERROR:tcti:src/tss2-tcti/tcti-device.c:439:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory

You will need a working /dev/tpm* device(either discrete hardware TPM module on board, or a firmware simulated one like PTT on Intel platforms) before using tpm2-abrmd.

Refer to: https://github.com/tpm2-software/tpm2-abrmd/issues/642

Comment 2 Mikhail 2019-11-06 09:44:48 UTC
Yes on my machine no tpm device.
But why this service try starting every five seconds?
I did not change default distribution settings.


$ systemctl status tpm2-abrmd.service
‚óŹ tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
   Loaded: loaded (/usr/lib/systemd/system/tpm2-abrmd.service; disabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Wed 2019-11-06 14:41:37 +05; 305ms ago
  Process: 111094 ExecStart=/usr/sbin/tpm2-abrmd (code=exited, status=1/FAILURE)
 Main PID: 111094 (code=exited, status=1/FAILURE)
      CPU: 6ms

Comment 3 Yunying Sun 2019-11-28 05:15:12 UTC
Adding tpm2-abrmd maintainer Philip. 
@Philip, would you be able to help clarifying? Or maybe it's a valid issue to be addressed? Thank you.

Comment 4 Chris Murphy 2019-12-03 05:26:53 UTC
I'm seeing this on Fedora 31 with tpm2-abrmd-2.2.0-2.fc31.x86_64, which is installed by default on Fedora Workstation 31. If tpm2-abrmd expects to find a TPM2, and can't silence itself after some reasonable number of attempts or time frame, then it needs to be removed from the default package set.

Comment 5 Chris Murphy 2019-12-03 06:37:59 UTC
I wonder if this is related to bug 1776030 and/or bug 1776030, because I see references:

'failed to allocate dbus proxy object: Error calling StartServiceByName for com.intel.tss2.Tabrmd: Timeout was reached'

$ dmesg | grep -i tpm
[    0.000000] efi:  SMBIOS=0x3a57a000  ESRT=0x3a57d718  ACPI 2.0=0x3affe014  PROP=0x229ce278  TPMEventLog=0x22728018 
[    0.017799] ACPI: TPM2 0x000000003AFF9000 000034 (v03 HPQOEM INSYDE   00000000 HP   00040000)
[    1.002049] tpm_crb MSFT0101:00: can't request region for resource [mem 0x3af5b000-0x3af5b02f]
[    1.002052] tpm_crb: probe of MSFT0101:00 failed with error -16
[    1.121088] ima: No TPM chip found, activating TPM-bypass!

Comment 6 Javier Martinez Canillas 2019-12-03 11:52:42 UTC
This seems to have been fixed upstream:

https://github.com/tpm2-software/tpm2-abrmd/pull/669/

I've updated the tpm2-abrmd package to 2.3.0, cherry-picked the commits from that pull-request and did the following scratch build for you to test:

https://koji.fedoraproject.org/koji/taskinfo?taskID=39422034

Comment 7 Philip Tricca 2019-12-03 15:52:45 UTC
I'm working on a few other related bug fixes. Should have a 2.3.1 bugfix in RC before the holiday.

Comment 8 Chris Murphy 2019-12-03 19:07:55 UTC
> https://koji.fedoraproject.org/koji/taskinfo?taskID=39422034

This does fix the journal spamming; although the unit does still fail, which for a default package is a release criterion violation. I'm not sure why it started failing only after F31 release though; it's as if it's being poked differently by fwupd? fwupd has been updated since release.

And oops on comment 5, the other possibly related bug is bug 1731758.

Comment 9 Javier Martinez Canillas 2019-12-03 23:29:47 UTC
> 
> This does fix the journal spamming; although the unit does still fail, which

Yes, even with the upstream fix the service will still fail to start, it just will avoid the retry. That's why I suggested in https://github.com/tpm2-software/tpm2-abrmd/pull/669/#issuecomment-561111842 that we should add a ConditionPathExistsGlob=/dev/tpm* option to the [Unit] section.

Comment 10 Javier Martinez Canillas 2019-12-03 23:31:55 UTC
(In reply to Chris Murphy from comment #5)

[snip]

> 
> $ dmesg | grep -i tpm
> [    0.000000] efi:  SMBIOS=0x3a57a000  ESRT=0x3a57d718  ACPI 2.0=0x3affe014
> PROP=0x229ce278  TPMEventLog=0x22728018 
> [    0.017799] ACPI: TPM2 0x000000003AFF9000 000034 (v03 HPQOEM INSYDE  
> 00000000 HP   00040000)
> [    1.002049] tpm_crb MSFT0101:00: can't request region for resource [mem
> 0x3af5b000-0x3af5b02f]
> [    1.002052] tpm_crb: probe of MSFT0101:00 failed with error -16

This seems to be an issue with the TPM driver that fails to probe, which leads to the TPM character device not being present.

But I would file a separate bug for this kernel bug.

Comment 11 Chris Murphy 2019-12-04 01:53:49 UTC
Yep. Filed that in 2016.
https://bugzilla.kernel.org/show_bug.cgi?id=185631

Also posted to linux-integrity@
https://www.spinics.net/lists/linux-integrity/msg04971.html

At least as it relates to Fedora Workstation, I'd say any use of the TPM by Fedora without express use permission must be completely safe in a dual boot context as there's every reason to believe it's "in use" by Windows. I have no idea if a TPM can be shared or in what conditions it can't be.

Comment 12 Yunying Sun 2020-01-08 05:12:26 UTC
Noticed Javier's fixes for this issue has been merged upstream since 2.3.1-rc0(https://github.com/tpm2-software/tpm2-abrmd/pull/676).
With that suppose both issues(the daemon startup failure when no tpm device available, and the loopless restart) could be fixed.

Comment 13 Javier Martinez Canillas 2020-01-08 10:45:17 UTC
(In reply to Yunying Sun from comment #12)
> Noticed Javier's fixes for this issue has been merged upstream since
> 2.3.1-rc0(https://github.com/tpm2-software/tpm2-abrmd/pull/676).
> With that suppose both issues(the daemon startup failure when no tpm device
> available, and the loopless restart) could be fixed.

Yes, I think that those fixes should address this bugzilla and even bugs like #1788558 since the daemon won't enter a restart loop anymore.

Comment 14 Yunying Sun 2020-01-13 09:58:49 UTC
I just backported the fix and rebuild the package. New RPMs are available at:
https://koji.fedoraproject.org/koji/taskinfo?taskID=40468842

Please help to try it out, and update here whether it fixes the issue or not. Thanks.

Comment 15 Yunying Sun 2020-01-14 06:09:34 UTC
Updated 2.2.0-4 RPM available at:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1428972
This issue is supposed to be fixed. Please help to verify. Thanks.

If all issues fixed, adding Karma +1 could speed up the updated RPM available for F31:
https://bodhi.fedoraproject.org/updates/FEDORA-2020-fbf5351fe3

Comment 16 Al Pacifico 2020-01-14 15:26:42 UTC
I am still seeing it at Tue 14 Jan 2020 03:26:27 PM UTC

Comment 17 Fedora Update System 2020-01-16 19:50:53 UTC
tpm2-abrmd-2.2.0-4.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-fbf5351fe3

Comment 18 Fedora Update System 2020-01-18 20:54:14 UTC
tpm2-abrmd-2.2.0-4.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Yunying Sun 2020-02-03 10:48:50 UTC
tpm2-abrmd-2.2.0-4 is now availalbe for F31. If the issue gets fixed, is it to close this ticket?