Azure / azure-utpm-c

TPM C library for use with Azure IoT SDKs
MIT License

Sample code fails to sign data with real TPM on Infineon SLB 9665TT2.0 #9

Closed Maher4Ever closed 5 years ago

Maher4Ever commented 5 years ago

Hello there,

We are trying to set up auto-provisioning of IoT Edge devices with Azure DPS through the use of TPM 2.0. We're using the LEC 7233 industrial PC as the hardware platform. This PC has an Infineon SLB 9665TT2.0 TPM 2.0 chip. As you can read in more detail in issue report Azure/iotedge#441, the security daemon fails to sign data from hash.

Since the error stems from this library, I tried to determine whether the issue was in the security daemon's usage of the library or was inherent to the implementation of the library.

There are no instructions yet on how to compile the library, but digging through the CMake file I ended up using the following commands:

$ cd azure-utpm-c
$ mkdir build && cd build
$ cmake -Drun_e2e_tests:BOOL=ON -Drun_unittests:BOOL=ON -Duse_emulator:BOOL=OFF ..
$ make

Then I ran all the tests, and all of them passed. Although I almost didn't bother with the next step after all tests passed, I decided to run the sample code just for completeness' sake. Lo and behold, I finally get an error from the Func:SignData function, just like the IoT Edge security daemon:

$ sudo samples/utpm_sample/utpm_sample
Endorsement Key: [CENSORED]

Storage Root Key: [CENSORED]

Error: Time:Fri Oct 19 10:13:16 2018 File:/home/priva/Desktop/azure-utpm-c/src/tpm_codec.c Func:TSS_DispatchCmd Line:1087 response size is not expected size.
Error: Time:Fri Oct 19 10:13:16 2018 File:/home/priva/Desktop/azure-utpm-c/src/tpm_codec.c Func:SignData Line:379 Hashing token data failed TPM_RC_COMMAND_SIZE
Failed to sign data with tpm

Random bytes: 67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a

I modified the error log to print out the actual sizes in the function and got this:

Error: Time:Fri Oct 19 10:35:38 2018 File:/home/priva/Desktop/azure-utpm-c/src/tpm_codec.c Func:TSS_DispatchCmd Line:1087 response size 4096 is not expected size 10.
Error: Time:Fri Oct 19 10:35:38 2018 File:/home/priva/Desktop/azure-utpm-c/src/tpm_codec.c Func:SignData Line:379 Hashing token data failed TPM_RC_COMMAND_SIZE
Failed to sign data with tpm

Do you have any suggestions on how to fix this issue?
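The two numbers in the modified log (4096 bytes read, 10 bytes expected) are exactly what a header-only TPM 2.0 error response looks like when the caller judges the response by the number of bytes returned from the device rather than by the responseSize field the TPM puts in its own header. The following is an added example, not code from azure-utpm-c or from the reporter: it parses the TPM 2.0 response header (big-endian UINT16 tag, UINT32 responseSize, UINT32 responseCode, as defined in the TPM 2.0 Library specification) and reports how many of the bytes read actually belong to the response. The 4096-byte buffer is constructed to model the log above (a valid 10-byte error response carrying TPM_RC_COMMAND_SIZE, followed by filler); it is not the real bytes from the SLB 9665, and whether the library's size check is the actual root cause on this chip is an assumption, not something the thread establishes.

```c
/* Added example (not azure-utpm-c code): parse a TPM 2.0 response header and
 * decide how many bytes of a read buffer belong to the response.
 * Header layout per the TPM 2.0 Library spec: UINT16 tag, UINT32 responseSize,
 * UINT32 responseCode, all big-endian; responseSize counts the header itself. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TPM_ST_NO_SESSIONS   0x8001u
#define TPM_ST_SESSIONS      0x8002u
#define TPM_RC_SUCCESS       0x000u
#define TPM_RC_COMMAND_SIZE  0x142u   /* RC_VER1 (0x100) + 0x042 */
#define TPM_RESP_HDR_LEN     10u

typedef struct {
    uint16_t tag;
    uint32_t size;   /* responseSize: total bytes including this header */
    uint32_t rc;     /* responseCode */
} tpm_resp_hdr;

enum {
    TPM_PARSE_OK       =  0,
    TPM_PARSE_SHORT    = -1,  /* fewer than 10 bytes were read */
    TPM_PARSE_BAD_TAG  = -2,  /* tag is neither TPM_ST_NO_SESSIONS nor TPM_ST_SESSIONS */
    TPM_PARSE_BAD_SIZE = -3   /* responseSize < 10 or larger than the bytes read */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate the header against what was actually read. On success the caller
 * should treat out->size, not nread, as the length of the response. */
int tpm_parse_response(const uint8_t *buf, size_t nread, tpm_resp_hdr *out)
{
    tpm_resp_hdr h;
    if (nread < TPM_RESP_HDR_LEN) return TPM_PARSE_SHORT;
    h.tag  = be16(buf);
    h.size = be32(buf + 2);
    h.rc   = be32(buf + 6);
    if (h.tag != TPM_ST_NO_SESSIONS && h.tag != TPM_ST_SESSIONS) return TPM_PARSE_BAD_TAG;
    if (h.size < TPM_RESP_HDR_LEN || h.size > nread) return TPM_PARSE_BAD_SIZE;
    if (out) *out = h;
    return TPM_PARSE_OK;
}

/* Bytes after the header that carry a payload. An error response is
 * header-only, so this is 0 when rc != TPM_RC_SUCCESS. */
size_t tpm_response_payload_len(const tpm_resp_hdr *h) { return h->size - TPM_RESP_HDR_LEN; }

const char *tpm_rc_name(uint32_t rc)
{
    switch (rc) {
    case TPM_RC_SUCCESS:      return "TPM_RC_SUCCESS";
    case TPM_RC_COMMAND_SIZE: return "TPM_RC_COMMAND_SIZE";
    default:                  return "unknown";
    }
}

/* Constructed input modelled on the log above: a read that returned 4096 bytes
 * whose first 10 bytes are a header-only error response (tag 0x8001,
 * responseSize 10, responseCode 0x142). The trailing 0xEE filler stands in for
 * whatever the buffer held; it is not part of the TPM's response. */
#define SAMPLE_NREAD 4096u
size_t build_sample_read(uint8_t *buf, size_t cap)
{
    static const uint8_t hdr[TPM_RESP_HDR_LEN] = {
        0x80, 0x01,  0x00, 0x00, 0x00, 0x0A,  0x00, 0x00, 0x01, 0x42 };
    if (cap < SAMPLE_NREAD) return 0;
    memset(buf, 0xEE, SAMPLE_NREAD);
    memcpy(buf, hdr, sizeof hdr);
    return SAMPLE_NREAD;
}

int main(void)
{
    uint8_t buf[SAMPLE_NREAD];
    tpm_resp_hdr h;
    size_t nread = build_sample_read(buf, sizeof buf);
    int r = tpm_parse_response(buf, nread, &h);
    if (r != TPM_PARSE_OK) { printf("parse failed: %d\n", r); return 1; }
    printf("read %zu bytes, responseSize %u, rc 0x%03x (%s), payload %zu bytes\n",
           nread, h.size, h.rc, tpm_rc_name(h.rc), tpm_response_payload_len(&h));
    return h.rc == TPM_RC_SUCCESS ? 0 : 2;
}
```

Run against the constructed buffer it prints a 10-byte response with rc 0x142: the TPM is rejecting the command, and the mismatch between 4096 and 10 is a symptom of how the response length is being judged, not a separate transport fault. In the spec, TPM_RC_COMMAND_SIZE means the commandSize field in the command header is inconsistent with the bytes the interface layer actually delivered, so the next thing to compare is the commandSize the library writes for TPM2_Hash against the number of bytes it hands to the device.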

jebrando commented 5 years ago

@Maher4Ever I have not tested with this TPM chip. I will attempt to get this device and report back further.

Maher4Ever commented 5 years ago

@jebrando Awesome! Let me know if we can be of any assistance as we'll be more than happy to help.

Maher4Ever commented 5 years ago

@jebrando Have you had time to reproduce this issue on the Infineon SLB 9665TT2.0?

Maher4Ever commented 5 years ago

@jebrando Would it be possible to get a list of TPM chips this library has been tested on?

jebrando commented 5 years ago

@Maher4Ever Do you know if the TPM is using a SHA512 algorithm? I just added support for this algorithm a few weeks ago. There were a few people wanting support for this, so we turned it on.

Also, @darobs has just recently tested on an Infineon chip for Raspberry Pi and got it working with Edge. I'm not sure of the differences between these two chips, but it seems to work for this one.

Please try it with the new SHA512 code and let me know if you get a different result.

Maher4Ever commented 5 years ago

@jebrando This TPM only supports SHA-128 and SHA-256. I compiled the utpm_sample again and tried to run it after configuring the TPM to use SHA-256 but to no avail; the same signing error still pops up.

darobs commented 5 years ago

Hello @jebrando and @Maher4Ever,

The chip I have for Raspberry Pi is the Optiga SLB 9670.

This is a new error to me. For most problems related to setup, it usually fails on our about init.

Maher4Ever commented 5 years ago

@darobs Could you clarify what you mean by "our about init"?

Maher4Ever commented 5 years ago

We ended up getting the library to work on the same TPM 2.0 chip that contains a newer version of the firmware.