Bug 2110456

Summary: Registration of agent fail due to using ecc as default algorithm
Product: Red Hat Enterprise Linux 9 Reporter: Patrik Koncity <pkoncity>
Component: keylime-agent-rustAssignee: Sergio Correia <scorreia>
Status: CLOSED MIGRATED QA Contact: Karel Srot <ksrot>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 9.1CC: ansasaki, dueno, jafiala, ksrot, scorreia
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2166948 (view as bug list) Environment:
Last Closed: 2023-09-01 12:45:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2166948    

Description Patrik Koncity 2022-07-25 12:28:36 UTC 
Description of problem:

When I use different encryption and signing algorithm in keylime.conf, than default RSA the agent cannot be registered and registration fail. I used ECC instead of RSA for encryption and ECSCHNORR instead of RSASSA for signing.

Version-Release number of selected component (if applicable):


TPM Manufacturer: swtpm
Keylime version: keylime-99-1.noarch


How reproducible:


First method:

1.Install tmt via sudo dnf install -y tmt-all
2.Clone specific branch where is test scenario for different algorithm 

# git clone --branch default_algorithm https://github.com/Koncpa/keylime-tests.git

3.Run test scenario with needed setup tasks, need to be inside cloned repo dir.

# tmt run -vvv plan --name rust-keylime prepare discover -h fmf provision --how virtual -i Fedora-36 -c system execute --how tmt --interactive login finish

Second method:

1.Setup swtpm on machine
2.Install keylime package
3.Change in keylime.conf encryption algorithm to tpm_encryption_alg = ecc and signing algorithm to tpm_signing_alg = ecschnorr
4.Run keylime verifier,registrar,agent and wait for registration of agent.


Actual results:
Agent registration will fail.


Expected results:
Agent registration will be succesfull.

Additional info:

Jul 21 12:02:17 testcloud keylime_agent[3235]: WARNING:esys:src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error Jul 21 12:02:17 testcloud keylime_agent[3235]: ERROR:esys:src/tss2-esys/esys_tr.c:210:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x0000018b) Jul 21 12:02:17 testcloud keylime_agent[3235]: ERROR:esys:src/tss2-esys/esys_tr.c:321:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b) Jul 21 12:02:17 testcloud keylime_agent[3235]: WARN keylime_agent::tpm > No EK certificate found in TPM NVRAM Jul 21 12:02:17 testcloud keylime_agent[3235]: Error: Tpm { err: WrapperError(ParamsMissing), kind: None, message: "some of the required parameters were not provided" } Jul 21 12:02:17 testcloud systemd[1]: keylime_agent.service: Main process exited, code=exited, status=1/FAILURE Jul 21 12:02:17 testcloud systemd[1]: keylime_agent.service: Failed with result 'exit-code'.
Comment 1 Karel Srot 2022-07-27 16:01:01 UTC 
I am making the description public, there is nothing secret.

Just to clarify, keylime-99 stands for the current upstream version, it is not a real RHEL RPM package. However the bug applies also the the current keylime RPM in RHEL.
Comment 2 Patrik Koncity 2022-11-10 16:56:20 UTC 
After partial fix https://github.com/keylime/keylime/pull/1156 , agent isn't still able to register, another ERROR's appeared:

Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: 2022-11-10 11:44:24.483 - keylime.registrar_client - INFO - Agent registration requested for d432fbb3-d2f1-4a97-9ef7-75bd81c00000
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: 2022-11-10 11:44:24.483 - keylime.secure_mount - DEBUG - Secure storage location /var/lib/keylime/secure already mounted on tmpfs
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: 2022-11-10 11:44:24.609 - keylime.tpm - ERROR - Error decrypting AIK: Command: ['tpm2_activatecredential', '-c', '/var/lib/keylime/secure/tmpuzrw43c7', '-C', '0x81000000', '-i', '/tmp/tmpnb5_xvom', '-o', '/var/lib/keylime/secure/tmpulktj6xl', '-p', 'YrHtURHczN4u73TloXw6', '-P', 'session:/var/lib/keylime/secure/tmpvwc14jj4'] returned 1, expected 0, output [], stderr [b'WARNING:esys:src/tss2-esys/api/Esys_ActivateCredential.c:321:Esys_ActivateCredential_Finish() Received TPM Error \n', b'ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:105:Esys_ActivateCredential() Esys Finish ErrorCode (0x000002d5) \n', b'ERROR: Esys_ActivateCredential(0x2D5) - tpm:parameter(2):structure is the wrong size\n', b'ERROR: Unable to run tpm2_activatecredential\n']
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: 2022-11-10 11:44:24.609 - keylime.tpm - ERROR - Command: ['tpm2_activatecredential', '-c', '/var/lib/keylime/secure/tmpuzrw43c7', '-C', '0x81000000', '-i', '/tmp/tmpnb5_xvom', '-o', '/var/lib/keylime/secure/tmpulktj6xl', '-p', 'YrHtURHczN4u73TloXw6', '-P', 'session:/var/lib/keylime/secure/tmpvwc14jj4'] returned 1, expected 0, output [], stderr [b'WARNING:esys:src/tss2-esys/api/Esys_ActivateCredential.c:321:Esys_ActivateCredential_Finish() Received TPM Error \n', b'ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:105:Esys_ActivateCredential() Esys Finish ErrorCode (0x000002d5) \n', b'ERROR: Esys_ActivateCredential(0x2D5) - tpm:parameter(2):structure is the wrong size\n', b'ERROR: Unable to run tpm2_activatecredential\n']
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: Traceback (most recent call last):
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:   File "/usr/local/lib/python3.10/site-packages/keylime-6.5.1-py3.10.egg/keylime/tpm/tpm_main.py", line 751, in activate_identity
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:     retDict = self.__run(command, outputpaths=secpath)
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:   File "/usr/local/lib/python3.10/site-packages/keylime-6.5.1-py3.10.egg/keylime/tpm/tpm_main.py", line 194, in __run
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:     raise Exception(
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: Exception: Command: ['tpm2_activatecredential', '-c', '/var/lib/keylime/secure/tmpuzrw43c7', '-C', '0x81000000', '-i', '/tmp/tmpnb5_xvom', '-o', '/var/lib/keylime/secure/tmpulktj6xl', '-p', 'YrHtURHczN4u73TloXw6', '-P', 'session:/var/lib/keylime/secure/tmpvwc14jj4'] returned 1, expected 0, output [], stderr [b'WARNING:esys:src/tss2-esys/api/Esys_ActivateCredential.c:321:Esys_ActivateCredential_Finish() Received TPM Error \n', b'ERROR:esys:src/tss2-esys/api/Esys_ActivateCredential.c:105:Esys_ActivateCredential() Esys Finish ErrorCode (0x000002d5) \n', b'ERROR: Esys_ActivateCredential(0x2D5) - tpm:parameter(2):structure is the wrong size\n', b'ERROR: Unable to run tpm2_activatecredential\n']
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: 2022-11-10 11:44:24.609 - keylime.tpm - DEBUG - Flushing keys from TPM...
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: 2022-11-10 11:44:24.638 - keylime.tpm - DEBUG - Flushing key handle 0x81000000
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: 2022-11-10 11:44:24.681 - keylime.tpm - DEBUG - Flushing key handle 0x81010001
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: 2022-11-10 11:44:24.719 - keylime.tpm - DEBUG - Flushing key handle 0x81010016
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: Traceback (most recent call last):
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:   File "/usr/local/bin/keylime_agent", line 33, in <module>
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:     sys.exit(load_entry_point('keylime==6.5.1', 'console_scripts', 'keylime_agent')())
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:   File "/usr/local/lib/python3.10/site-packages/keylime-6.5.1-py3.10.egg/keylime/cmd/agent.py", line 7, in main
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:     keylime_agent.main()
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:   File "/usr/local/lib/python3.10/site-packages/keylime-6.5.1-py3.10.egg/keylime/keylime_agent.py", line 800, in main
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]:     raise Exception("Activation failed")
Nov 10 11:44:24 ci-vm-10-0-139-145.hosted.upshift.rdu2.redhat.com keylime_agent[4821]: Exception: Activation failed
Comment 9 Patrik Koncity 2023-02-03 15:44:29 UTC 
After more investigating of this I found out new ERRORs.

Feb 03 10:22:58 ci-vm-10-0-136-178.hosted.upshift.rdu2.redhat.com keylime_agent[6013]: WARNING:esys:src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error
Feb 03 10:22:58 ci-vm-10-0-136-178.hosted.upshift.rdu2.redhat.com keylime_agent[6013]: ERROR:esys:src/tss2-esys/esys_tr.c:209:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x0000018b)
Feb 03 10:22:58 ci-vm-10-0-136-178.hosted.upshift.rdu2.redhat.com keylime_agent[6013]: ERROR:esys:src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b)
Comment 11 RHEL Program Management 2023-09-01 12:44:01 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 12 RHEL Program Management 2023-09-01 12:45:16 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.

Users watching this BZ may not be automatically added to the Jira ticket.  Be sure to add yourself to the Watchers field in the Jira issue if you desire to continue following this issue.