Ubuntu
tpm2-tss package

Starting a salted session fails when using an RSA key in FIPS mode

Bug #1983160 reported by Chris Coulson
16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tpm2-tss (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned

Bug Description

When configuring SSH to use a TPM protected key for authentication using tpm2-pkcs11 following the steps documented in https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md, it fails when trying to login on a system that is running in FIPS mode, with the following error message:

WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:383:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x000002c4)
ERROR: Esys_StartAuthSession: tpm:parameter(2):value is out of range or is not correct for the context
ERROR: Could not start Auth Session with the TPM.
ERROR: Error unsealing wrapping key
C_Login failed: 5
login failed
pkcs11_get_key failed
sign_and_send_pubkey: signing failed for RSA "": error in libcrypto

Parameter 2 in this case is the encrypted salt supplied to the TPM2_StartAuthSession command. tpm2-pkcs11 is creating a session that is salted with a value which is encrypted with the public part of a TPM protected RSA key before being sent to the TPM.

This encryption happens in iesys_cryptossl_pk_encrypt which has a bug in the version in focal that was fixed accidentally in https://github.com/tpm2-software/tpm2-tss/commit/362fda1daa398da2944e76013c215500761d46a5.

In focal, iesys_cryptossl_pk_encrypt generates a RSA key using openssl and then overwrites the public modulus with the one associated with the TPM key. This fails when running a FIPS certified version of openssl in FIPS mode because openssl performs a test on the generated key, which results in the Montgomery value associated with the generated public modulus being cached. The cached value isn't updated when the public modulus is changed, and the incorrect value is used in the subsequent encryption operation.

[Impact]
It's not possible to use tpm2-pkcs11 on a system that is running in FIPS mode with the version of tpm2-tss in focal.

This is fixed by partially backporting https://github.com/tpm2-software/tpm2-tss/commit/362fda1daa398da2944e76013c215500761d46a5 so that iesys_cryptossl_pk_encrypt does not perform an unnecessary key generation.

[Test plan]

[racb: pending amendment - see comment 3 below]
[amc: Test plan updated with the additional information that addresses 2 of the 3 points in comment #3. The third point is addressed in comment #5]

Follow the instructions detailed in https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md and verify that it is possible to login to localhost with the TPM protected key.
Or follow the reproduction steps below in both FIPS mode and non-FIPS mode (see https://ubuntu.com/security/certifications/docs/fips-enablement for steps to enable and disable FIPS):

```
# Add the key

```
sudo usermod -a -G tss $USER
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=MySecretPassword --sopin=MyRecoveryPassword
tpm2_ptool addkey --label=ssh --userpin=MySecretPassword --algorithm=rsa2048
```

# List the public SSH keys

```
ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so 2>/dev/null
```

Those warnings/errors are displayed, but can be ignored from what I can understand (see https://github.com/tpm2-software/tpm2-pkcs11/issues/655):

```
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
```

# Add the SSH key authorized_keys

Add this key to root's authorized keys:

```
ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so 2>/dev/null | sudo tee -a /root/.ssh/authorized_keys
```

# SSH as root

Pin is `MySecretPassword`:

```
ssh -I /usr/local/lib/libtpm2_pkcs11.so root@localhost
```

Observe the error.
```

[Regression potential]
This is minimal - iesys_cryptossl_pk_encrypt is implemented this way already in releases after focal. It's also only used by StartAuthSession when called with a TPM key, which isn't that usual.

See original description
Chris Coulson (chrisccoulson)
Changed in tpm2-tss (Ubuntu):
status: New → Fix Released
Changed in tpm2-tss (Ubuntu Focal):
status: New → Triaged
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hi Chris,

Thanks for opening the bug. Do you have a step-by-step reproducer of this, please? So that I can reproduce this here on a container as well? This is also something that should go in the "Test Plan" section of the bug. :)

Utkarsh Gupta (utkarsh)
Changed in tpm2-tss (Ubuntu Jammy):
status: New → Fix Released
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Oookay. So the minimal reproducer would be:
```
# Add the key

```
sudo usermod -a -G tss $USER
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=MySecretPassword --sopin=MyRecoveryPassword
tpm2_ptool addkey --label=ssh --userpin=MySecretPassword --algorithm=rsa2048
```

# List the public SSH keys

```
ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so 2>/dev/null
```

Those warnings/errors are displayed, but can be ignored from what I can understand (see https://github.com/tpm2-software/tpm2-pkcs11/issues/655):

```
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
```

# Add the SSH key authorized_keys

Add this key to root's authorized keys:

```
ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so 2>/dev/null | sudo tee -a /root/.ssh/authorized_keys
```

# SSH as root

Pin is `MySecretPassword`:

```
ssh -I /usr/local/lib/libtpm2_pkcs11.so root@localhost
```

Observe the error.
```

description: updated
Revision history for this message
Robie Basak (racb) wrote :

We assume that it’s the client on which FIPS needs to be enabled to reproduce this issue, and not necessarily the server. If this is right, please could you state that explicitly to confirm - both in the Impact and mention a step to enable FIPS in the Test Plan?

Please fix the references to /usr/local in the Test Plan as we assume they don’t apply here.

Is the code path that is being changed possible to exercise for users not using FIPS? If so, is there any risk to this class of users, and would it be useful to verify this for QA during SRU verification? Or would this be pointless?

Accepting since the above won’t change that decision, but the discussion in the above paragraph may need to change the Test Plan to include the non-FIPS users.

Changed in tpm2-tss (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-focal
Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello Chris, or anyone else affected,

Accepted tpm2-tss into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tpm2-tss/2.3.2-1ubuntu0.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
Revision history for this message
Ivan Kapelyukhin (ikapelyukhin) wrote :

@racb, /usr/local does apply: libtpm2-pkcs11 package is available only for Jammy. On Focal users are building it from source. The bug was fixed in libtss2-esys0, it's being installed from the package.

Here's the revised test plan:

1. Create an instance with vTPM:

gcloud compute instances create ivan-test \
--machine-type "n2d-standard-2" \
--zone "europe-west1-d" \
--maintenance-policy=TERMINATE \
--image-project=ubuntu-os-pro-cloud \
--image-family=ubuntu-pro-2004-lts \
--service-account GCE_SERVICE_ACCOUNT \
--shielded-integrity-monitoring \
--shielded-secure-boot

2. [Optionally, depending on what we are testing] Enable FIPS:

sudo ua auto-attach
sudo ua enable fips
sudo reboot

3. Build `tpm2-pkcs11` from source:

sudo apt-get update
sudo apt install -y \
    build-essential git \
    autoconf automake doxygen libtool \
    libcurl4-openssl-dev libdbus-1-dev libgcrypt-dev \
    libglib2.0-dev libjson-c-dev libsqlite3-dev libssl-dev \
    python3-cryptography python3-pyasn1-modules python3-yaml \
    uuid-dev libyaml-dev tpm2-tools libtss2-dev

mkdir -p ~/src
cd ~/src

wget https://github.com/autoconf-archive/autoconf-archive/archive/v2019.01.06.tar.gz
wget https://github.com/tpm2-software/tpm2-pkcs11/releases/download/1.7.0/tpm2-pkcs11-1.7.0.tar.gz

tar xf v2019.01.06.tar.gz
tar xf tpm2-pkcs11-1.7.0.tar.gz

cd ~/src/tpm2-pkcs11-1.7.0/tools
sudo python3 setup.py install

cp -R ~/src/autoconf-archive-2019.01.06/m4 ~/src/tpm2-pkcs11-1.7.0/
cd ~/src/tpm2-pkcs11-1.7.0/
./configure
make "-j$(nproc)"
sudo make install

4. Setup the SSH key with `libtpm2_pkcs11`:

sudo usermod -a -G tss $USER
exec sudo su -l $USER
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=MySecretPassword --sopin=MyRecoveryPassword
tpm2_ptool addkey --label=ssh --userpin=MySecretPassword --algorithm=rsa2048
ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so 2>/dev/null | sudo tee -a /root/.ssh/authorized_keys

5. Try to use it:

ssh -I /usr/local/lib/libtpm2_pkcs11.so root@localhost

6. Enable proposed repos:

sudo tee "/etc/apt/sources.list.d/proposed.list" <<EOF
deb http://archive.ubuntu.com/ubuntu focal-proposed main restricted universe
EOF

sudo apt-get update
sudo apt-get install libtss2-esys0

7. Try to use the SSH key again:

ssh -I /usr/local/lib/libtpm2_pkcs11.so root@localhost

Revision history for this message
Ivan Kapelyukhin (ikapelyukhin) wrote :

I've tested with and without FIPS:

libtss2-esys0 v2.3.2-1 without FIPS: OK
libtss2-esys0 v2.3.2-1ubuntu0.20.04.1 without FIPS: OK
libtss2-esys0 v2.3.2-1 with FIPS: raises an error
libtss2-esys0 v2.3.2-1ubuntu0.20.04.1 with FIPS: OK

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Andrew Cloke (andrew-cloke)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tpm2-tss - 2.3.2-1ubuntu0.20.04.1

---------------
tpm2-tss (2.3.2-1ubuntu0.20.04.1) focal; urgency=medium

  * Fix LP: #1983160 - Cannot start a salted session using an RSA key in
    FIPS mode
    - add debian/patches/0001-Drop-support-for-OpenSSL-1.1.0.patch
    - add debian/patches/0002-Fix-RSA-secret-sharing-in-FIPS-mode.patch
    - update debian/patches/series

 -- Chris Coulson <email address hidden> Sat, 30 Jul 2022 01:06:05 +0100

Changed in tpm2-tss (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for tpm2-tss has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.