tickets #160754

closed

kanidm-unixd TPM error

Added by crameleon about 1 month ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee:
Category: Physical infrastructure / Hardware
Target version: -
Start date: 2024-05-23
Due date:
% Done: 0%
Estimated time:

Description

On falkor2{0,1,2}.i.o.o the following is observed during boot:

falkor20 (Hypervisor):~ # journalctl -u kanidm-unixd --no-pager
May 23 01:32:51 falkor20.infra.opensuse.org systemd[1]: Starting Kanidm Local Client Resolver...
May 23 01:33:07 falkor20.infra.opensuse.org kanidm_unixd[19212]: 00000000-0000-0000-0000-000000000000 WARN     🚧 [warn]: WARNING: DB folder /var/cache/kanidm-unixd has 'everyone' permission bits in the mode. This could be a security risk ...
May 23 01:33:07 falkor20.infra.opensuse.org kanidm_unixd[19212]: ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
May 23 01:33:07 falkor20.infra.opensuse.org kanidm_unixd[19212]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]:  | tpm_err: TssError(Tcti(TctiReturnCode { base_error: NotSupported }))
May 23 01:33:07 falkor20.infra.opensuse.org kanidm_unixd[19212]: 00000000-0000-0000-0000-000000000000 WARN     🚧 [warn]: Unable to open requested tpm device, falling back to soft tpm | tpm_err: TpmContextCreate
May 23 01:33:07 falkor20.infra.opensuse.org kanidm_unixd[19212]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: Server started ...
May 23 01:33:07 falkor20.infra.opensuse.org systemd[1]: Started Kanidm Local Client Resolver.

It seems to work regardless, but gives the impression of something being wrong.
The machines have physical TPM modules.


Files

falkor20.dmesg (483 KB) falkor20.dmesg crameleon, 2024-05-23 02:17
#1

Updated by crameleon about 1 month ago

  • Category set to Physical infrastructure / Hardware
  • Assignee set to firstyear
  • Private changed from Yes to No
#2

Updated by firstyear about 1 month ago

I'm probably going to need to see the dmesg from the server to look into this. Can you tell me what model of TPM the machine has too?

#3

Updated by crameleon about 1 month ago

dmesg output is attached... upon reading it myself, it seems to not actually find a physical TPM chip?

There's also lots of:

systemd[1]: Couldn't stat device /dev/tpmrm0: No such file or directory
#4

Updated by firstyear about 1 month ago

From that dmesg it appears there is no tpm on the system. A working dmesg should have lines such as:

[ 0.014234] ACPI: TPM2 0x000000006D6D1258 000034 (v04 ALASKA A M I 00000001 AMI 00000000)
[ 0.014315] ACPI: Reserving TPM2 table memory at [mem 0x6d6d1258-0x6d6d128b]

And you should also have:

ls -al /dev/tpm*

crw-rw---- 1 tss root 10, 224 Mar 14 10:20 /dev/tpm0
crw-rw---- 1 tss tss 253, 65536 Mar 14 10:20 /dev/tpmrm0

#5

Updated by firstyear about 1 month ago

Consider also checking sudo tpm2_getcap algorithms

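The checks firstyear lists in #4 and #5 (the ACPI TPM2 table in dmesg, the /dev/tpm0 and /dev/tpmrm0 nodes, and tpm2_getcap), plus the 'everyone' permission-bits warning from the unixd log in the description, rolled into one POSIX shell diagnostic. This is an added example, not code from the ticket or from the kanidm project. The function names are mine; so is the assumption that the firmware's TPM2 table is exposed at /sys/firmware/acpi/tables/TPM2. Every function takes an optional path so it can be pointed at a saved dmesg (such as the falkor20.dmesg attachment) or a test directory instead of the live system.

```shell
#!/bin/sh
# tpm-check.sh: is there a hardware TPM the TSS stack can open?
# Added example; function names and the sysfs path below are assumptions.

# 1. Did the firmware publish a TPM2 ACPI table? The kernel logs it during
#    boot as "ACPI: TPM2 ..." (see #4). With no argument, read live dmesg.
tpm_dmesg_has_tpm2() {
    if [ -n "$1" ]; then
        grep -q 'ACPI: TPM2' "$1"
    else
        dmesg 2>/dev/null | grep -q 'ACPI: TPM2'
    fi
}

# Same question asked of sysfs (assumed path; $1 overrides the /sys root).
tpm_acpi_table_present() {
    [ -e "${1:-/sys}/firmware/acpi/tables/TPM2" ]
}

# 2. Did the kernel create the device nodes? tpm0 is the raw device, tpmrm0
#    the in-kernel resource manager. systemd's "Couldn't stat device
#    /dev/tpmrm0" from #3 means the second one never appeared.
tpm_devnodes_present() {
    dir=${1:-/dev}
    ok=0
    for node in tpm0 tpmrm0; do
        if [ -e "$dir/$node" ]; then
            [ -c "$dir/$node" ] || echo "warn: $dir/$node exists but is not a character device"
        else
            echo "missing: $dir/$node"
            ok=1
        fi
    done
    return $ok
}

# 3. Can the TSS stack open it? Without a TPM, tpm2_getcap fails with the
#    same "Failed to instantiate TCTI" that kanidm-unixd logs (#5, #6).
#    Returns 0 (reachable), 1 (not reachable), 2 (tpm2-tools not installed).
tpm_tss_reachable() {
    command -v tpm2_getcap >/dev/null 2>&1 || return 2
    tpm2_getcap algorithms >/dev/null 2>&1
}

# 4. The unixd "'everyone' permission bits" warning: does a path grant any
#    access to "other"? ls columns 8-10 are the other rwx bits, which avoids
#    depending on GNU stat's format flags.
tpm_world_accessible() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" != "---" ]
}

# Run every check against the live system; 0 only if the TPM is usable.
tpm_report() {
    rc=0
    if tpm_acpi_table_present; then
        echo "acpi: TPM2 table present"
    else
        echo "acpi: no TPM2 table under /sys/firmware/acpi/tables"
        rc=1
    fi
    if tpm_devnodes_present; then
        echo "dev: /dev/tpm0 and /dev/tpmrm0 present"
    else
        rc=1
    fi
    tpm_tss_reachable && tss=0 || tss=$?
    case $tss in
        0) echo "tss: tpm2_getcap algorithms succeeded" ;;
        2) echo "tss: tpm2-tools not installed, check skipped" ;;
        *) echo "tss: tpm2_getcap could not open a TPM"; rc=1 ;;
    esac
    if [ -d /var/cache/kanidm-unixd ] && tpm_world_accessible /var/cache/kanidm-unixd; then
        echo "perm: /var/cache/kanidm-unixd grants access to 'other' (unixd warns about this)"
    fi
    return $rc
}

# Summary when executed as a script; the functions above can also be
# sourced and used individually.
if tpm_report; then
    echo "result: a hardware TPM looks usable"
else
    echo "result: no usable hardware TPM found"
fi
```

To check a saved log rather than the running box, call `tpm_dmesg_has_tpm2 /path/to/falkor20.dmesg`; a non-zero exit is the "no TPM" outcome this ticket describes, and the devnode and tpm2_getcap checks will fail in the same way as the unixd log lines in the description.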
#6

Updated by crameleon about 1 month ago

You're right... then I might be mistaken and we only have it for one machine and not all.

How come the error message though if there is no device at all?

The tpm2_getcap call is quite similar to what unixd reports as well:

# tpm2_getcap algorithms
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:254:tctildr_get_default() No standard TCTI could be loaded
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR: Could not load tcti, got: "(null)"
#7

Updated by firstyear about 1 month ago

Because there is no way to check for a TPM on the system without trying to open it. So we report that and then based on your configuration we make a decision of "do we proceed with the software cryptographic TPM or do we hard-error".

But also importantly, if you use a hardware TPM at least once, then if someone attempts to remove it or it fails, we need to report the error and cease startup. So we have to report the error at that point because it could be a sign of something.

#8

Updated by crameleon about 1 month ago

Ah ok, so then it is expected and we can just ignore it?

The BTO for squanchy has a TPM module, but seemingly not the one for falkor*. :-( Sorry about the false assessment. On squanchy we do have the situation that the TPM was removed during a motherboard replacement, but that I have to sort separately.

#9

Updated by firstyear about 1 month ago

Yeah, in the case the TPM is removed you just have to clear the cache.db and start up again and it's all happy. It's more about "making noise".

In this case, you absolutely can ignore the error :)

#10

Updated by crameleon about 1 month ago

  • Status changed from New to Closed

Okay, thank you very much for the input!
