Need help ->TPM out of memory for object contexts problem after porting test from engine(openssl_1.1.1) to providers(openssl3.0.2) tpm2-openssl #116

Open
CDBAILLY opened this issue Jul 8, 2024 · 2 comments
CDBAILLY commented Jul 8, 2024

I am using TPM through the engine for openssl_1.1.1w

Hi team,
We work in an Ubuntu 20.04 environment.
We installed the following packages:

tpm2-tss-3.2.0.tar.gz
tpm2-abrmd-2.4.1.tar.gz
tpm2-tools-5.3.tar.gz
tpm2-tss-engine-1.1.0.tar.gz

We run a lot of tests during which:

  • we create tpm keypair using tpm2tss_rsa_genkey and tpm2tss_ecc_genkey
  • we create a pkey context using tpm2tss_rsa_makekey and tpm2tss_ecc_makekey
  • we create a certificate using the public key of the pkey context
  • we sign this certificate with the private key of pkey
  • we destroy the X509 using standard function of openssl
  • we destroy the EVP_PKEY using the standard functions of openssl.

Everything works fine.

We ported our application to Ubuntu 22.04 with OpenSSL 3.0:

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

This time we use providers and installed the following packages:

tpm2-tss-4.0.1.tar.gz
tpm2-abrmd-3.0.0.tar.gz
tpm2-tools-5.5.tar.gz
tpm2-openssl version 1.2.0

We do exactly the same tests.

This works until a certain point, after some tests:

[8823.180][52509]:[INFO ]********************************* TEST 95 *****************************
[8823.180][52509]:[INFO ]
[CPPTest]: ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7345[CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7345
[CPPTest]: Assert OK

[8823.180][52509]:[INFO ] Asked = CS_KEYPAIR_TPM : Result = CS_KEYPAIR_TPM return message Operation successful RSA GEN INIT rsa 3
RSA GEN_SET_PARAMS [ bits ]
RSA GEN 2048 bits
RSA GEN parent: primary 0x40000001
RSA GET_PARAMS [ bits security-bits max-size ]
RSA CLEANUP
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x87
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER tss PrivateKeyInfo/pem ENCODE 0x87
DER DECODER DECODE
TSS2 DECODER DECODE 0x87
TSS2 DECODER LOAD parent: primary 0x40000001
TSS2 DECODER DECODE 0x87
TSS2 DECODER LOAD parent: primary 0x40000001
TSS2 DECODER DECODE found RSA
RSA LOAD
RSA GET_PARAMS [ bits security-bits max-size ]
RSA HAS 87
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER rsa pkcs1/der DOES_SELECTION 0x86
ENCODER rsa pkcs1/pem DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/der ENCODE 0x86
RSA EXPORT 87
SIGN DIGEST_INIT rsa MD=SHA2-256
SIGN GET_CTX_PARAMS [ algorithm-id ]
SIGN DIGEST_SIGN estimate
SIGN DIGEST_SIGN
RSA FREE

[8826.780][52509]:[INFO ]The { cn = myMagnificientSAN1,c = CN,o = Shanghai,ou = =SE=,sn = 012345678910 } certificate has been successfully generated and added to the store as internal certificate
[8826.780][52509]:[INFO ]
[CPPTest] Operation successful : ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7360 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7360
[CPPTest]: Operation successful Assert OK

DER DECODER DECODE
TSS2 DECODER DECODE 0x87
TSS2 DECODER LOAD parent: primary 0x40000001
TSS2 DECODER DECODE 0x87
TSS2 DECODER LOAD parent: primary 0x40000001
TSS2 DECODER DECODE found RSA
RSA LOAD
RSA GET_PARAMS [ bits security-bits max-size ]
RSA HAS 87

[8828.610][52509]:[INFO ]
[CPPTest] Operation successful : ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7361 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7361
[CPPTest]: Operation successful Assert OK

[8828.610][52509]:[INFO ]
[CPPTest] Operation successful : ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7362 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7362
[CPPTest]: Operation successful Assert OK

[8828.610][52509]:[INFO ]
[CPPTest] src cs_certmgt_get_keyPairType : ASSERT OK in test_cs_certmgt_intCert_start_end_enroll at line 7366 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7366
[CPPTest]: src cs_certmgt_get_keyPairType Assert OK

RSA GEN INIT rsa 3
RSA GEN_SET_PARAMS [ bits ]
RSA GEN 2048 bits
RSA GEN parent: primary 0x40000001
RSA GET_PARAMS [ bits security-bits max-size ]
RSA CLEANUP
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x87
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER tss PrivateKeyInfo/pem ENCODE 0x87
DER DECODER DECODE
TSS2 DECODER DECODE 0x87
TSS2 DECODER LOAD parent: primary 0x40000001
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000b0902)
TSS2 DECODER DECODE 0x87
TSS2 DECODER LOAD parent: primary 0x40000001
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000b0902)
TSS2 DECODER DECODE found (null)

[8830.640][52509]:[ERROR]TPM2TSS_R_CANNOT_MAKE_KEY in /home/tpm/GIT/cs-brick/libs/cryptoAl/ptf/gnu/linux/cryptoAl_openssl/../../../../src/cryptoAl_openssl/cs_cryptoAl_openssl.c at line 6486
[8830.640][52509]:[ERROR]CHECK_PARAM failed in function cs_tlsal_genCertFromKeypair (../../../../../src/tlsal/cs_crypto_tlsal.c:826) for parameter: keyCtx->kctx

[8830.640][52509]:[ERROR]newRemainingTpmKPSlots incorrect at 6239 in cs_openssl_cryptoAl_set_remainingTpmKPSlots
[8830.640][52509]:[INFO ]
[CPPTest] Certificate file creation failed : ASSERT Failed in test_cs_certmgt_intCert_start_end_enroll at line 7379 [CPPTest]: file ../../../../../tests/integration_tests/crypto_agent/integration_cs_crypto_cert_mgt.c, line 7379
[CPPTest]: Certificate file creation failed Assert Failed

According to tpm2_rc_decode it seems related to memory:

tpm@tpm-ossl3:~$ tpm2_rc_decode 0x000b0902
rmt:warn(2.0): out of memory for object contexts
tpm@tpm-ossl3:~$

I don't understand why we do not have the same problem with engines, as the tests are exactly the same and we don't use any flush function.
EVP_PKEY objects are destroyed after the signing process.

What am I missing?
Thanks for your help
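How the code 0x000b0902 from the log splits into its fields, as an added example that is not part of the original issue or of tpm2-tss: a small C decoder following the TPM 2.0 response-code bit layout. The names `rc_fields`, `decode_rc` and `resource_warning_name` are hypothetical helpers introduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper types for this example; not tpm2-tss API. */
typedef struct {
    unsigned layer;   /* bits 23:16, software layer that reported the code */
    int format_one;   /* bit 7 set: error refers to a parameter/session/handle */
    int warning;      /* format 0, bit 11 set: warning rather than error */
    unsigned number;  /* error number: bits 6:0 (format 0) or 5:0 (format 1) */
    char subject;     /* format 1: 'P' parameter, 'S' session, 'H' handle */
    unsigned index;   /* format 1: which parameter, session or handle */
} rc_fields;

rc_fields decode_rc(uint32_t rc)
{
    rc_fields f = {0};
    uint32_t tpm = rc & 0xFFFF;          /* TPM-format part of the code */
    f.layer = (rc >> 16) & 0xFF;
    f.format_one = (tpm >> 7) & 1;
    if (f.format_one) {
        f.number = tpm & 0x3F;
        if (tpm & 0x40)       { f.subject = 'P'; f.index = (tpm >> 8) & 0xF; }
        else if (tpm & 0x800) { f.subject = 'S'; f.index = (tpm >> 8) & 0x7; }
        else                  { f.subject = 'H'; f.index = (tpm >> 8) & 0x7; }
    } else {
        f.warning = (tpm >> 11) & 1;
        f.number = tpm & 0x7F;
    }
    return f;
}

/* Resource-exhaustion warnings (TPM2_RC_WARN + n); NULL for anything else. */
const char *resource_warning_name(rc_fields f)
{
    static const char *names[] = { NULL, NULL, "TPM2_RC_OBJECT_MEMORY",
        "TPM2_RC_SESSION_MEMORY", "TPM2_RC_MEMORY",
        "TPM2_RC_SESSION_HANDLES", "TPM2_RC_OBJECT_HANDLES" };
    if (f.format_one || !f.warning || f.number > 6) return NULL;
    return names[f.number];
}

int main(void)
{
    rc_fields f = decode_rc(0x000b0902);  /* code from the log in this issue */
    const char *name = resource_warning_name(f);
    printf("layer=%u warning=%d number=0x%02x %s\n", f.layer, f.warning,
           f.number, name ? name : "(not a resource warning)");
    return 0;
}
```

Layer 11 is the one `tpm2_rc_decode` prints as `rmt` in the output above, and the warning bit marks the condition as one that can clear once object contexts are released.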

@gotthardp
Contributor

Are you using the resource manager? See https://github.com/tpm2-software/tpm2-openssl/tree/master#limited-resources
If not, please try using the tpm2-abrmd.

@gotthardp gotthardp added the question Further information is requested label Oct 7, 2024
CDBAILLY commented Oct 9, 2024

Hi Petr,

The install process on Ubuntu 22 is the following:
1 : tpm2-tss-4.0.1.tar.gz
2 : tpm2-abrmd-3.0.0.tar.gz <- so yes it is installed
3 : tpm2-tools-5.5.tar.gz
4 : ibmtpm1682.tar.gz <- simu
5 : git clone https://github.com/tpm2-software/tpm2-openssl

cd tpm2-openssl

git checkout 1.2.0 etc..

I have attached the complete install scripts for an Ubuntu 22.04 server:
TPMInstall22.04.04LTS.zip

Thanks for your help,

Cyril
