Bug 1753686 - The output from iml2text for remote attestation is empty (no data)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: IoT
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Peter Robinson
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-19 15:04 UTC by moluguk
Modified: 2019-09-21 17:59 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-21 17:59:03 UTC
Type: Bug
Embargoed:

Description moluguk 2019-09-19 15:04:01 UTC
Description of problem:
In Fedora IoT 31, as part of Remote Attestation, executing iml2text is fetching no data.

Version-Release number of selected component (if applicable):
Fedora IoT 31

How reproducible:

Steps to Reproduce:
1. Installed openpts RPM as follows:
$ wget https://kojipkgs.fedoraproject.org//packages/openpts/0.2.6/13.fc24/x86_64/openpts-0.2.6-13.fc24.x86_64.rpm
$ sudo dnf-3 install openpts-0.2.6-13.fc24.x86_64.rpm

Package also available @ https://fedora.pkgs.org/30/fedora-x86_64/openpts-0.2.6-13.fc24.x86_64.rpm.html
Last stable version of openpts is fc24 only.

Installing directly gives the following issue:
[root@localhost remattest]# dnf-3 install openpts
Last metadata expiration check: 3:23:07 ago on Thursday 19 September 2019 05:59:27 AM EDT.
No match for argument: openpts
Error: Unable to find a match: openpts
[root@localhost remattest]#
2. At the time of performing the Event Log (iml2text) steps, got the issue

$ sudo cp /sys/kernel/security/tpm0/binary_bios_measurements .
$ iml2text -i binary_bios_measurements -P
$ tail -n 1 ~/.openpts/openpts.log
[ERROR] iml2text.c:1188 getEventLog failed rc=0x4
$

$ tpm2_pcrlist gives correct results
sha1 :
  0  : 38f8ffe07f2099a35a23159ef3793b87f88bbb2f
...
  23 : 0000000000000000000000000000000000000000
sha256 :
  0  : 85749dad791a4125477bf1454958d4647a95fc41a08219e9387f6546c4121e19
...
  23 : 0000000000000000000000000000000000000000000000000000000000000000
$ 
Actual results:
No contents

Expected results:
Sample as follows:
#       PCR-00: C9 91 9F 0B D5 FF 50 39 2C 64 36 B7 17 AF BF DE 25 8E FC DD
#       PCR-01: CD EE 9E 30 7F 13 98 1F C8 95 FE E5 2D 9E CB C4 BF D5 93 0D
...
#       PCR-23: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Additional info:
1. Wondering what the issue is. Are the ptsc and tcsd daemons applicable in Fedora IoT 31? As per my knowledge, they are applicable only to tpm 1.2.
2. Used dnf-3 instead of rpm-ostree due to certain issues, hope this won't be an issue. 
3. Added ima parameters (ima=on ima_policy=tcb rootflags=i_version) using
rpm-ostree kargs --editor
and rebooted system to take effect.

Comment 1 Peter Robinson 2019-09-21 17:59:03 UTC
(In reply to moluguk from comment #0)
> Description of problem:
> In Fedora IoT 31, as part of Remote Attestation, executing iml2text is
> fetching no data.
> 
> Version-Release number of selected component (if applicable):
> Fedora IoT 31
> 
> How reproducible:
> 
> Steps to Reproduce:
> 1. Installed openpts RPM as follows:
> $ wget
> https://kojipkgs.fedoraproject.org//packages/openpts/0.2.6/13.fc24/x86_64/
> openpts-0.2.6-13.fc24.x86_64.rpm
> $ sudo dnf-3 install openpts-0.2.6-13.fc24.x86_64.rpm
> 
> Package also available @
> https://fedora.pkgs.org/30/fedora-x86_64/openpts-0.2.6-13.fc24.x86_64.rpm.
> html
> Last stable version of openpts is fc24 only.

Platform Trust Services looks to be pre tpm v1, openpts last shipped in 2015 and it was only ever PoC. It's fc24 only because it's FTBFS and it's been retired in F-31.

The spec was published in 2011 https://trustedcomputinggroup.org/wp-content/uploads/IFM_PTS_v1_0_r28.pdf

> Installing directly says following issue:
> [root@localhost remattest]# dnf-3 install openpts
> Last metadata expiration check: 3:23:07 ago on Thursday 19 September 2019
> 05:59:27 AM EDT.
> No match for argument: openpts
> Error: Unable to find a match: openpts
> [root@localhost remattest]#
> 2. At time of performing steps of Event Log (iml2text) got the issue
> 
> $ sudo cp /sys/kernel/security/tpm0/binary_bios_measurements .
> $ iml2text -i binary_bios_measurements -P
> $ tail -n 1 ~/.openpts/openpts.log
> [ERROR] iml2text.c:1188 getEventLog failed rc=0x4
> $
> 
> $ tpm2_pcrlist gives correct results
> sha1 :
>   0  : 38f8ffe07f2099a35a23159ef3793b87f88bbb2f
> ...
>   23 : 0000000000000000000000000000000000000000
> sha256 :
>   0  : 85749dad791a4125477bf1454958d4647a95fc41a08219e9387f6546c4121e19
> ...
>   23 : 0000000000000000000000000000000000000000000000000000000000000000
> $ 
> Actual results:
> No contents
> 
> Expected results:
> Sample as follows:
> #       PCR-00: C9 91 9F 0B D5 FF 50 39 2C 64 36 B7 17 AF BF DE 25 8E FC DD
> #       PCR-01: CD EE 9E 30 7F 13 98 1F C8 95 FE E5 2D 9E CB C4 BF D5 93 0D
> ...
> #       PCR-23: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> Additional info:
> 1. Wondering what is the issue. Is ptsc and tcsd daemons applicable in
> Fedora IoT 31, as per my knowledge that are applicable only tpm 1.2

We don't support tpm 1.2 in Fedora IoT

> 2. Used dnf-3 instead of rpm-ostree due to certain issues, hope this won't
> be an issue. 

Well I wonder if it's actually IoT at all, we don't ship any dnf, and dnf has been v4 for quite some time.

> 3. Added ima parameters (ima=on ima_policy=tcb rootflags=i_version) using
> rpm-ostree kargs --editor
> and rebooted system to take effect.

Basically openpts is dead and we won't ever support it.
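
Added example, not part of the original bug thread and not openpts or Fedora code: the firmware log in `binary_bios_measurements` can be replayed into PCR values (what `iml2text -P` was expected to print) without openpts. The sketch parses the TCG PC Client event log in both the legacy SHA-1 layout and the crypto-agile TPM 2.0 layout, so the result can be compared with `tpm2_pcrlist`. `replay_event_log` and `sample_log` are names invented here, the sample log is constructed, and every PCR is assumed to start at all zeros.

```python
import hashlib
import struct

ALGS = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}  # TPM_ALG_ID
EV_NO_ACTION, SPEC_ID_SIG = 0x3, b"Spec ID Event03\x00"

def replay_event_log(blob):
    """Replay a TCG firmware event log; returns {bank: {pcr_index: hex_value}}."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError(f"truncated event log at offset {pos}")
        pos += n
        return blob[pos - n:pos]
    def u32():
        return struct.unpack("<I", take(4))[0]
    # The first record always uses the legacy layout: pcr, type, SHA-1 digest, size, data.
    pcr, etype, digest, data = u32(), u32(), take(20), take(u32())
    agile = etype == EV_NO_ACTION and data.startswith(SPEC_ID_SIG)
    sizes, events = {0x0004: 20}, [(pcr, etype, {0x0004: digest})]
    if agile:  # Spec ID event: algorithm count at offset 24, then (alg_id, digest_size) pairs
        count = struct.unpack_from("<I", data, 24)[0]
        sizes = dict(struct.unpack_from("<HH", data, 28 + 4 * i) for i in range(count))
    while pos < len(blob):
        pcr, etype = u32(), u32()
        digests = {}
        for _ in range(u32() if agile else 1):  # agile records carry a digest count
            alg = struct.unpack("<H", take(2))[0] if agile else 0x0004
            if alg not in sizes:
                raise ValueError(f"digest algorithm {alg:#06x} not declared in Spec ID event")
            digests[alg] = take(sizes[alg])
        take(u32())  # skip the event data; only the digests matter for the replay
        events.append((pcr, etype, digests))
    banks = {}
    for pcr, etype, digests in events:
        for alg, value in digests.items():
            # EV_NO_ACTION records are informational and never extended into a PCR.
            if alg in ALGS and etype != EV_NO_ACTION:
                bank = banks.setdefault(ALGS[alg], {})  # assumption: PCRs start as zeros
                bank[pcr] = hashlib.new(ALGS[alg], bank.get(pcr, bytes(len(value))) + value).digest()
    return {name: {p: v.hex() for p, v in bank.items()} for name, bank in banks.items()}

def sample_log():
    """Constructed two-event crypto-agile log (not data from the bug report)."""
    spec = SPEC_ID_SIG + struct.pack("<IBBBBIHHHHB", 0, 0, 2, 0, 2, 2, 4, 20, 11, 32, 0)
    log = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(spec)) + spec
    for data in (b"constructed firmware blob", b"constructed boot config"):
        log += struct.pack("<IIIH20sH32sI", 0, 0x1, 2, 4, hashlib.sha1(data).digest(),
                           11, hashlib.sha256(data).digest(), len(data)) + data
    return log
```

On a real system the input would be the bytes of the copied `binary_bios_measurements` file; a mismatch between a replayed value and the TPM's PCR means the log and the measurements disagree.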

