tpm2-abrmd failed to work on RHEL7/CentOS7 since 1.2.0 #408

Closed
gwei3 opened this issue Mar 30, 2018 · 12 comments

Comments

@gwei3

gwei3 commented Mar 30, 2018

Reproduce steps:

Start up tpm2-abrmd on the simulator with logging enabled, then run the command line below or tpm2_getrandom 8:

gdbus call --system --dest com.intel.tss2.Tabrmd --object-path /com/intel/tss2/Tabrmd/Tcti --method com.intel.tss2.TctiTabrmd.CreateConnection
Error: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)

And tpm2-abrmd will exit with the log below:

** (tpm2-abrmd:31761): DEBUG: random_get_bytes: 0xbe8b60
** (tpm2-abrmd:31761): DEBUG: Creating connection with id: 0x2b08fbab45c13dba
** (tpm2-abrmd:31761): DEBUG: handle_map_new with handle_type 0x80, max_entries: 0x1b
** (tpm2-abrmd:31761): DEBUG: handle_map_init
** (tpm2-abrmd:31761): DEBUG: handle_map_set_property: 0x7f2288005180 max-entries: 27
** (tpm2-abrmd:31761): DEBUG: connection_class_init
** (tpm2-abrmd:31761): DEBUG: connection_set_property
** (tpm2-abrmd:31761): DEBUG: Connection 0xbe8670 set id to 0x2b08fbab45c13dba
** (tpm2-abrmd:31761): DEBUG: connection_set_property
** (tpm2-abrmd:31761): DEBUG: Connection 0xbe8670 set socket to bef460
** (tpm2-abrmd:31761): DEBUG: connection_set_property
** (tpm2-abrmd:31761): DEBUG: Connection 0xbe8670 set trans_handel_map to 0x7f2288005180
** (tpm2-abrmd:31761): DEBUG: Created connection with client FD: 10 and id: 0x2b08fbab45c13dba
** INFO: command_source_on_new_connection: adding new connection: 0xbe8670
** (tpm2-abrmd:31761): DEBUG: command_source_on_input_ready: GInputStream: 0x7f2288005090, CommandSource: 0xbe9770
** (tpm2-abrmd:31761): DEBUG: connection_manager_lookup_socket for socket: 0x7f2288005090, connection: 0xbe8670
** (tpm2-abrmd:31761): DEBUG: reading 10 bytes socket 0x7f22a3f828b0, to 0x7f2280001390
** (tpm2-abrmd:31761): DEBUG: read produced EOF
** (tpm2-abrmd:31761): DEBUG: read_tpm_buffer_alloc: err_out freeing buffer at 0x7f2280001390
** (tpm2-abrmd:31761): DEBUG: removing connection 0xbe8670 from connection_manager 0xbda700
** (tpm2-abrmd:31761): DEBUG: connection_manager 0xbda700 removing Connection 0xbe8670
** INFO: resource_manager_on_connection_removed: flushing session contexts associated with connection 0xbe8670
** (tpm2-abrmd:31761): DEBUG: resource_manager_on_connection_removed done
** (tpm2-abrmd:31761): DEBUG: command_source_on_input_ready: unref Connection: 0xbe8670
** (tpm2-abrmd:31761): DEBUG: handle_map_finalize
** (tpm2-abrmd:31761): DEBUG: command_source_on_input_ready: reomvingunref GCancellable: 0xbe8ab0
** (tpm2-abrmd:31761): DEBUG: on_name_lost: com.intel.tss2.Tabrmd
** INFO: IpcFrontend 0x7f229c002060 disconnected
** INFO: main_loop_quit
** INFO: g_main_loop_run done, cleaning up
** (tpm2-abrmd:31761): DEBUG: ipc_frontend_disconnect: 0x7f229c002060
** (tpm2-abrmd:31761): DEBUG: command_attrs_finalize: 0x7f229c003630
** (tpm2-abrmd:31761): DEBUG: resource_manager_cancel: enqueuing ControlMessage: 0x7f2288001840
** (tpm2-abrmd:31761): DEBUG: message_queue_enqueue 0x7f229c001340 : message 0x7f2288001840
** (tpm2-abrmd:31761): DEBUG: got obj: 0x7f2288001840
** (tpm2-abrmd:31761): DEBUG: resource_manager_thread: message_queue_dequeue got obj: 0x7f2288001840
** (tpm2-abrmd:31761): DEBUG: resource_manager_dispose: 0x7f229c002850
** (tpm2-abrmd:31761): DEBUG: session_list_dispose: SessionList: 0x7f229c002800 with 0 entries
** (tpm2-abrmd:31761): DEBUG: session_list_finalize: SessionList: 0x7f229c002800 with 0 entries

(tpm2-abrmd:31761): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
** (tpm2-abrmd:31761): DEBUG: response_sink_cancel enqueuing ControlMessage: 0xbe4040
** (tpm2-abrmd:31761): DEBUG: message_queue_enqueue 0x7f229c0012a0 : message 0xbe4040
** (tpm2-abrmd:31761): DEBUG: got obj: 0xbe4040
** (tpm2-abrmd:31761): DEBUG: response_sink_thread got obj: 0xbe4040
** (tpm2-abrmd:31761): DEBUG: response_sink_dispose: 0x7f229c003690
** (tpm2-abrmd:31761): DEBUG: random_finalize

With bisect, I found that if I check out commit ea0636e, I get a similar result. But if I revert commit 51a3c55, then things start working.

51a3c55 started replacing pipes with a local socket; I am not able to figure out the root cause of why it breaks tpm2-abrmd on RHEL/CentOS7.

@flihp Help...

@flihp
Contributor

flihp commented Mar 30, 2018

Last I heard, RHEL had supported packages for all of the TSS2 bits. Does this include tabrmd? If so, do the packages work?

There are two good hints in your bug report though:

  1. The problem started when the IPC mechanism was changed
  2. The debug output from the daemon shows that its attempt to claim a name on dbus is being rejected

Typically this means that there is a permission problem with the dbus config and the user associated with the daemon doesn't have permission to claim the name. But this is equally likely to be a problem with SELinux permissions given the first hint above.

I'd recommend:

  1. Try the packages from the distro.
  2. Be sure you're building the SELinux module and installing that too.

@gwei3
Author

gwei3 commented Apr 2, 2018

The tpm2-abrmd version packaged in RHEL was 1.1.0. So it looks like I don't need to try it.

And I just tried setting SELinux from Enforcing to Permissive and running the reproduction steps, and things work. So it looks like it really is an SELinux-related issue. I will have a try at the SELinux suggestion you mentioned.

@gwei3
Author

gwei3 commented Apr 2, 2018

I tried, but failed.

The steps I tried:

git checkout 1.3.1
./bootstrap && ./configure --with-dbuspolicydir=/etc/dbus-1/system.d && make -j$(nproc) && sudo make install
make -C selinux; sudo make -C selinux install
sudo tpm2-abrmd --tcti=socket &
ps auxZ | grep abrmd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6304 0.0 0.1 193332 2772 pts/5 S 05:46 0:00 sudo /usr/local/sbin/tpm2-abrmd --tcti=socket
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6305 0.0 0.2 574432 5284 pts/5 Sl 05:46 0:00 /usr/local/sbin/tpm2-abrmd --tcti=socket
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 jimmy 6315 0.0 0.0 112648 948 pts/5 S+ 05:46 0:00 grep --color=auto abrmd

I can't get something like the below:

system_u:system_r:tabrmd_t:s0 tss 6678 0.5 0.0 587400 4112 ? Ssl 14:47 0:00 /usr/local/sbin/tpm2-abrmd

What's wrong with my steps? @flihp

@flihp
Contributor

flihp commented Apr 2, 2018

It looks like the SELinux policy is building so that's good.

There is a file context rule for /usr/sbin/tpm2-abrmd as well as /usr/local/sbin/tpm2-abrmd. Looks like you've installed the daemon at the latter: https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux/tabrmd.fc#L2

Two things to check:

  1. Has the new policy module been loaded?
  2. Have the installed files had the appropriate labels applied as in: restorecon /usr/local/sbin/tpm2-abrmd?

@flihp
Contributor

flihp commented Apr 2, 2018

@martinezjavier may have some good insight here as well

@martinezjavier
Contributor

Sorry for not responding to this issue before, I was on holiday for a couple of days.

@gwei3, I'll refer to Fedora since that's where I (co)maintain the tpm2-software packages. But what I say should also apply to RHEL and CentOS.

As @flihp points out, this is a known issue related to the commit you found doing the bisect: tpm2-abrmd can't run in an unconfined SELinux domain anymore and needs an SELinux policy module, as he mentioned.

An SELinux policy module that makes it work was added in commit b11194d ("SELinux: Add policy module for tabrmd."), but that wasn't suitable for Fedora, so I couldn't update the tpm2-abrmd package to the 1.2.0 release.

The SELinux policy was recently fixed in commit d2d1d07 ("[SELinux] Remove gen_require part from tpm-abrmd2 policy.") and that made it into tpm2-abrmd 1.3.0, but that release happened after the Fedora 28 freeze, so it was too late. I hope to have it in Fedora 29 though.

There are two ways to have an SELinux policy module on Fedora: adding it to the system-wide selinux-policy package, or shipping it as an independent package as explained in the Fedora wiki. I've done the latter and proposed a tpm2-abrmd-selinux package for review. Once that's added, I can update the tpm2-abrmd package to 1.3.0.

So I would suggest sticking with the packages and versions that are included in the distro.

Now, if you want to use the latest and build from source, then I think the problem is what @flihp mentions: the AV rules have the binary paths hardcoded, and maybe you installed in a different place. There's an open issue #255 (SELinux builds with hand written Makefile) to integrate this into the autotools machinery so it doesn't have hardcoded stuff, but nobody has had time to work on this yet.

Can you please share the configure options you use to build and also the output of ls -Z $(which tpm2-abrmd) and ps -auxZ | grep tpm2-abrmd?

@gwei3
Author

gwei3 commented Apr 2, 2018

$ sudo semodule -l | grep tabrmd
tabrmd
$ ls -Z $(which tpm2-abrmd)
-rwxr-xr-x. root root system_u:object_r:tabrmd_exec_t:s0 /usr/local/sbin/tpm2-abrmd
$ ps auxZ | grep tpm2-abrmd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 30062 0.0 0.1 574432 3268 pts/2 Sl+ 19:28 0:00 tpm2-abrmd --tcti=socket
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 jimmy 30121 0.0 0.0 112648 948 pts/3 S+ 19:29 0:00 grep --color=auto tpm2-abrmd

Anything wrong above?

@gwei3
Author

gwei3 commented Apr 3, 2018

The issue might be that the tpm2-abrmd was not started by systemd.

So I tried to reconfigure it and rebuild as below:

$ ./configure --with-dbuspolicydir=/etc/dbus-1/system.d --with-tcti-device=no && make -j$(nproc) && sudo make install

Then as root:

$ systemctl daemon-reload
$ service tpm2-abrmd start
Redirecting to /bin/systemctl start tpm2-abrmd.service
Job for tpm2-abrmd.service failed because the control process exited with error code. See "systemctl status tpm2-abrmd.service" and "journalctl -xe" for details.
$ systemctl status tpm2-abrmd.service
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
Loaded: loaded (/usr/local/lib/systemd/system/tpm2-abrmd.service; disabled; vendor preset: disabled)
Active: activating (auto-restart) (Result: exit-code) since Mon 2018-04-02 19:52:17 EDT; 3s ago
Process: 6417 ExecStart=/usr/local/sbin/tpm2-abrmd (code=exited, status=1/FAILURE)
Main PID: 6417 (code=exited, status=1/FAILURE)

Apr 02 19:52:17 jw-rhel7-vm systemd[1]: tpm2-abrmd.service: main process exited, code=exited, status=1/FAILURE
Apr 02 19:52:17 jw-rhel7-vm systemd[1]: Failed to start TPM2 Access Broker and Resource Management Daemon.
Apr 02 19:52:17 jw-rhel7-vm systemd[1]: Unit tpm2-abrmd.service entered failed state.
Apr 02 19:52:17 jw-rhel7-vm systemd[1]: tpm2-abrmd.service failed.

I suspected that this might be caused by the socket connection between tpm2-abrmd and the simulator, so I set Permissive and tried again:

$ setenforce 0
$ service tpm2-abrmd start
Redirecting to /bin/systemctl start tpm2-abrmd.service
$ ps auxZ | grep tpm2-abrmd
system_u:system_r:tabrmd_t:s0 tss 6584 0.0 0.2 637868 5320 ? Ssl 19:54 0:00 /usr/local/sbin/tpm2-abrmd

This time I can see the correct label for the running tpm2-abrmd.

So, as a summary, we need to put the tpm_server binary in the same domain, or set SELinux to Permissive mode, to start tpm2-abrmd via systemd; then the tpm2-abrmd process can have the right running status as expected.

I should have a try with tpm2-abrmd connecting to the device, to see whether it will work without setting SELinux to Permissive mode.

@gwei3
Author

gwei3 commented Apr 3, 2018

To use the TPM device, some observations:

  1. Need to run tpm2-abrmd as root, or allow the tss user to access /dev/tpm0 via chmod.
  2. "make -C selinux install" can't give the binary the right label; I still need to run "restorecon /usr/local/sbin/tpm2-abrmd" to do this.
  3. After all of these steps, I can get the right results:

$ ls -Z $(which tpm2-abrmd)
-rwxr-xr-x. root root system_u:object_r:tabrmd_exec_t:s0 /usr/local/sbin/tpm2-abrmd
$ ps auxZ | grep tpm2-abrmd
system_u:system_r:tabrmd_t:s0 tss 23697 0.0 0.0 581028 5480 ? Ssl 02:04 0:00 /usr/local/sbin/tpm2-abrmd
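The labelling checks the thread converges on (flihp's two questions, martinezjavier's request for `ls -Z` and `ps auxZ` output, and the observations just above) can be turned into a small diagnostic. The script below is an added example, not code from the tpm2-abrmd project or from anyone in this thread. The expected types tabrmd_exec_t (binary) and tabrmd_t (running daemon) are the ones shown in the outputs posted here; the sample lines are constructed to mirror those outputs, and the way the context is located (the first whitespace-separated field with at least three colons) is an assumption of this example that matches the RHEL7 `ls -Z` and `ps auxZ` layouts quoted above.

```shell
#!/bin/sh
# Added example (not from the tpm2-abrmd project): decide from `ls -Z` and
# `ps auxZ` output whether a tpm2-abrmd install carries the SELinux labels the
# tabrmd policy module expects. Expected types come from the thread; the
# sample lines near the bottom are constructed.

# Pull the SELinux context out of one `ls -Z` or `ps auxZ` line.
# Assumption: the context is the first field with at least three colons
# (user:role:type:level); time columns like 19:28 have only one.
context_field() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, parts, ":") >= 4) { print $i; exit }
    }'
}

# The type is the third colon-separated field of a context:
# system_u:object_r:tabrmd_exec_t:s0 -> tabrmd_exec_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# SELinux type of the file or process described by one output line.
line_type() {
    selinux_type "$(context_field "$1")"
}

# Combine both checks into the verdicts the thread arrives at.
#   $1: the `ls -Z` line for the binary, $2: the `ps auxZ` line for the daemon
#   returns 1 -> binary mislabelled, restorecon is the fix
#           2 -> binary fine but no domain transition (daemon started from an
#                unconfined shell instead of by systemd)
#           0 -> both labels as expected
diagnose() {
    if [ "$(line_type "$1")" != tabrmd_exec_t ]; then
        echo "binary is not tabrmd_exec_t: run restorecon on it"
        return 1
    fi
    if [ "$(line_type "$2")" != tabrmd_t ]; then
        echo "binary labelled, but the daemon is not in tabrmd_t: start it via systemd"
        return 2
    fi
    echo "labels OK: binary tabrmd_exec_t, daemon tabrmd_t"
    return 0
}

# Constructed sample lines modelled on the output posted in the thread.
LS_OK='-rwxr-xr-x. root root system_u:object_r:tabrmd_exec_t:s0 /usr/local/sbin/tpm2-abrmd'
LS_UNLABELLED='-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/local/sbin/tpm2-abrmd'
PS_UNCONFINED='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 30062 0.0 0.1 574432 3268 pts/2 Sl+ 19:28 0:00 tpm2-abrmd --tcti=socket'
PS_CONFINED='system_u:system_r:tabrmd_t:s0 tss 6584 0.0 0.2 637868 5320 ? Ssl 19:54 0:00 /usr/local/sbin/tpm2-abrmd'

# Usage: the three situations seen in the thread, in order. The `|| :` keeps
# a non-zero verdict from aborting the script when it runs under `sh -e`.
diagnose "$LS_UNLABELLED" "$PS_UNCONFINED" || :
diagnose "$LS_OK" "$PS_UNCONFINED" || :
diagnose "$LS_OK" "$PS_CONFINED" || :
```

On a real host the two lines would come from `ls -Z $(which tpm2-abrmd)` and `ps auxZ | grep '[t]pm2-abrmd'`; the point of separating the file label from the process domain is that they fail for different reasons, and the thread shows both: a correctly labelled binary still ran as unconfined_t when launched from an interactive shell, and only the systemd-started instance ended up in tabrmd_t.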

@martinezjavier
Contributor

need to run tpm2-abrmd as root, or allow the tss user to access /dev/tpm0 via chmod.

The tpm2-abrmd ships a udev rule for this. Probably we should do something like the following on install:

udevadm control --reload-rules && sudo udevadm trigger

BTW, the udev rules should really be part of tpm2-tss and not tpm2-abrmd; I've filed an issue for that (Move udev rules to tpm2-tss #412). We currently install it on Fedora as a part of the tpm2-tss package and not in tpm2-abrmd.

@martinezjavier
Contributor

@gwei3 @flihp I believe this can be closed, since it isn't really a bug in tpm2-abrmd?

@gwei3
Author

gwei3 commented Apr 13, 2018

Yeah, let me close it. Thanks for the information provided in this issue.
