This bug was initially created as a copy of Bug #2158597

I am copying this bug because:
The same applies to tpm2-tss in F37
tpm2-tss-3.2.1-1.fc37
tpm2-tools-5.4-1.fc37

Description of problem:
After updating to tpm2-tss-3.2.1-1 one cannot get EK certificate

# tpm2_getekcertificate -o ek_ecc.crt
ERROR:esys:src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
ERROR: Failed to get shandle
ERROR: Failed to read NVRAM area at index 0x1C00002

This is a regression compared to tpm2-tss-3.2.0-1
Tested with swtpm

How reproducible:
always

Steps to Reproduce:
1. see above
Can you provide the details how you created the original certificate so I can try and come up with a reproducer please?
*** Bug 2158597 has been marked as a duplicate of this bug. ***
If possible could you also try to see if it's also a problem in the new 4.0.0 release that just landed in rawhide.
original certificate is generated by swtpm

swtpm setup is done in https://github.com/RedHat-SP-Security/keylime-tests/blob/main/setup/configure_tpm_emulator/test.sh#L63

The problem doesn't seem to be present on rawhide.

# rpm -q tpm2-tss tpm2-tools
tpm2-tss-4.0.0-1.fc38.x86_64
tpm2-tools-5.4-1.fc38.x86_64
# tpm2_getekcertificate -o ek_ecc.crt
# file ek_ecc.crt
ek_ecc.crt: Certificate, Version=3 Certificate, Version=02
Reported upstream: https://github.com/tpm2-software/tpm2-tss/issues/2537
Just to clarify, while we are running swtpm on a target system directly, same issue impacts virtual systems where TPM device is emulated through swtpm by QEMU/KVM.
Actually, on F36 we are seeing more failures than on F37. The following error we can see only on F36, maybe this is due a different tpm2-tools version.

keylime_agent[5114]: Traceback (most recent call last):
keylime_agent[5114]:   File "/usr/local/bin/keylime_agent", line 33, in <module>
keylime_agent[5114]:     sys.exit(load_entry_point('keylime==6.5.2', 'console_scripts', 'keylime_agent')())
keylime_agent[5114]:   File "/usr/local/lib/python3.10/site-packages/keylime-6.5.2-py3.10.egg/keylime/cmd/agent.py", line 7, in main
keylime_agent[5114]:     keylime_agent.main()
keylime_agent[5114]:   File "/usr/local/lib/python3.10/site-packages/keylime-6.5.2-py3.10.egg/keylime/keylime_agent.py", line 698, in main
keylime_agent[5114]:     (ekcert, ek_tpm, aik_tpm) = tpm_instance.tpm_init(
keylime_agent[5114]:   File "/usr/local/lib/python3.10/site-packages/keylime-6.5.2-py3.10.egg/keylime/tpm/tpm_main.py", line 910, in tpm_init
keylime_agent[5114]:     ekcert = self.read_ekcert_nvram()
keylime_agent[5114]:   File "/usr/local/lib/python3.10/site-packages/keylime-6.5.2-py3.10.egg/keylime/tpm/tpm_main.py", line 1498, in read_ekcert_nvram
keylime_agent[5114]:     raise Exception("tpm2_nvread for ekcert failed with code " + str(code) + ": " + str(errout))
keylime_agent[5114]: Exception: tpm2_nvread for ekcert failed with code 1: ['ERROR:esys:src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018). \n', 'ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad\n', 'ERROR: Failed to get shandle\n', 'ERROR: Failed to read NVRAM area at index 0x1C00002\n', 'ERROR: Unable to run tpm2_nvread\n']
systemd[1]: keylime_agent.service: Main process exited, code=exited, status=1/FAILURE
Jan 05 13:11:01
Updating tpm2-tools to 5.4 also "fixes" the issue -- which is why there is no problem with rawhide.
From upstream:

Would it be possible for you to create a trace for the command:

TSS2_LOG=all+trace tpm2_getekcertificate -o ek_ecc.crt > trace 2>&1

and check the current version of the tools with:

tpm2_getekcertificate -v
Created attachment 1937395 [details] trace from "TSS2_LOG=all+trace tpm2_getekcertificate -o ek_ecc.crt"
tpm2_getekcertificate -v
tool="tpm2_getekcertificate" version="5.2" tctis="libtss2-tctildr" tcti-default=tcti-abrmd
I am sorry for the confusion. The problem described in the Description is present only on F36. In parallel to that, in the keylime project we have encountered test failures on F37 with the rust keylime agent. Both were passing when tpm2-tss was downgraded. I didn't investigate deeply whether there could be two distinct issues present and unfortunately did not try the simplified reproducer provided in the bug report (that works only on F36, I can confirm). I will ask keylime devs for assistance with debugging the issue with the rust agent and report back when we have more details about the problem on F37.
So I don't believe this bug should be present in F-37, only in F-36 and that will be fixed when we update to tpm2-tools 5.3+ (doing a 5.4 build now). There may be a bug in rust-tss-esapi but that should be handled with a separate bug.
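The thread narrows the failure down to a package combination (tpm2-tss 3.2.1 with tpm2-tools older than 5.3) and to a recognisable error signature on stderr (the ESYS "handle does not exist" lookup failure followed by the NV read failure at the EK certificate index). The triage helper below is an added example written for this report, not code from tpm2-tools, tpm2-tss or keylime: it parses `rpm -q` and `tpm2_getekcertificate -v` output to flag the affected combination and scans tpm2-tools stderr (including the keylime-prefixed journal lines quoted above) for the signature. The affected-version rule is an assumption drawn from the comments in this thread, not a statement from either upstream project; the sample inputs at the bottom are copied from the comments above and marked as such.

```python
"""Triage helpers for the tpm2-tss 3.2.1 / tpm2-tools < 5.3 EK-certificate NV read failure."""
import re
from typing import Dict, List, Optional, Tuple

# Error lines tpm2-tools prints when the ESYS_TR resource lookup fails (taken from the report).
_ESYS_BAD_HANDLE = re.compile(r"Esys handle does not exist \((?P<code>[0-9A-Fa-f]+)\)")
_NV_READ_FAIL = re.compile(r"Failed to read NVRAM area at index (?P<index>0x[0-9A-Fa-f]+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.4' -> (5, 4), '3.2.1' -> (3, 2, 1); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))


def tools_version_from_v_output(output: str) -> Optional[str]:
    """Pull version="..." out of `tpm2_getekcertificate -v` output."""
    match = re.search(r'version="([0-9.]+)"', output)
    return match.group(1) if match else None


def version_from_rpm_nevra(nevra: str, package: str) -> Optional[str]:
    """'tpm2-tss-3.2.1-1.fc37.x86_64' with package 'tpm2-tss' -> '3.2.1'."""
    match = re.match(rf"{re.escape(package)}-(\d+(?:\.\d+)*)-", nevra.strip())
    return match.group(1) if match else None


def is_affected_combination(tss_version: str, tools_version: str) -> bool:
    """Assumption derived from this thread: tpm2-tss 3.2.1 or newer fails the EK-cert NV
    read unless tpm2-tools is 5.3 or newer (the maintainer's stated fix threshold)."""
    return parse_version(tss_version) >= (3, 2, 1) and parse_version(tools_version) < (5, 3)


def scan_tpm2_stderr(lines: List[str]) -> Dict[str, str]:
    """Extract the ESYS error code and NV index from tpm2-tools stderr or journal lines.
    Works on raw tool output and on keylime's repr()-quoted copies of the same lines."""
    found: Dict[str, str] = {}
    for line in lines:
        m = _ESYS_BAD_HANDLE.search(line)
        if m:
            found["esys_code"] = m.group("code")
        m = _NV_READ_FAIL.search(line)
        if m:
            found["nv_index"] = m.group("index")
    return found


def triage(rpm_lines: List[str], v_output: str, stderr_lines: List[str]) -> str:
    """Combine the version check and the log signature into a one-line verdict."""
    tss = next((v for l in rpm_lines if (v := version_from_rpm_nevra(l, "tpm2-tss"))), None)
    tools = tools_version_from_v_output(v_output)
    sig = scan_tpm2_stderr(stderr_lines)
    if tss and tools and is_affected_combination(tss, tools) and "nv_index" in sig:
        return (f"likely this regression: tpm2-tss {tss} with tpm2-tools {tools}, "
                f"ESYS code {sig.get('esys_code')} reading NV index {sig['nv_index']}")
    if "nv_index" in sig:
        return f"NV read failed at {sig['nv_index']} but versions are outside the known-bad set"
    return "no EK-certificate NV read failure found in the supplied output"


if __name__ == "__main__":
    # Constructed sample inputs, copied from the comments in this bug report.
    rpm_q = ["tpm2-tss-3.2.1-1.fc37.x86_64", "tpm2-tools-5.2-1.fc36.x86_64"]
    v_out = 'tool="tpm2_getekcertificate" version="5.2" tctis="libtss2-tctildr" tcti-default=tcti-abrmd'
    stderr = [
        "ERROR:esys:src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() "
        "Error: Esys handle does not exist (70018).",
        "ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad",
        "ERROR: Failed to get shandle",
        "ERROR: Failed to read NVRAM area at index 0x1C00002",
    ]
    print(triage(rpm_q, v_out, stderr))
```

Running the block against the sample output reports the affected combination together with the ESYS code 70018 and NV index 0x1C00002; feeding it the rawhide versions from the thread (tpm2-tss 4.0.0, tpm2-tools 5.4) without the error lines reports no failure.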
FEDORA-2023-3a9674404c has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-3a9674404c
FEDORA-2023-3a9674404c has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-3a9674404c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-3a9674404c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-3a9674404c has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.