I investigated a bug report, and I can't find anything wrong in the user space side. Does anyone know of any issues or see
anything wrong?

Follow Up Questions for benzhu88899:
Does your TPM support TPM2_EncryptDecrypt2 or the original command? You can look by running

tpm2_getcap commands | grep EncryptDecrypt


Below is a script that was sent to reproduce a bug it. I don't have the exact environemnt, but I reproduced the user space components, but ran
against an emulator (no kernel).

I just had to tweak this line in the script, as the --iv option is wrong:
tpm2_encryptdecrypt -d -c 0x81010000 -p ${pswd} --iv-iv.input:iv.output -o

It needs an equal in between --iv and the argument.
tpm2_encryptdecrypt -d -c 0x81010000 -p ${pswd} --iv=iv.input:iv.output -o

Otherwise, then that, it ran and the diff seemed to be ok.

Since that worked, I bumped my tss version forward (3.1.0-rc0) to have the pcap tcti for ease of digging into the bytes sent.
I added an export TPM2TOOLS_TCTI=pcap to the script right before the enc/dec calls so I had less things to wade through with wireshark.

First EncryptDecrypt2 call (which I assume yours fails at, because the second command won't run due to iv option issue):

0000   80 02 00 00 00 7c 00 00 01 93 81 01 00 00 00 00
0010   00 49 02 00 00 00 00 20 b1 28 17 58 5b 03 28 6e
0020   a2 c6 0d 1e 16 01 a2 3b ac 7f 87 da 07 55 25 90
0030   08 e6 2a 9f 29 d1 32 40 01 00 20 95 85 0d c8 75
0040   f4 2a 40 f5 da a1 6e 64 5a 05 0a a4 f5 6a 83 9d
0050   de 94 2f 68 31 ca bb ab 4a 82 de 00 0a 74 65 73
0060   74 20 64 61 74 61 0a 00 00 40 00 10 33 33 34 32
0070   30 37 37 33 39 39 33 32 39 37 36 0a

The structure the kernel defines is:
struct tpm_header {
	__be16 tag;
	__be32 length;
	union {
		__be32 ordinal;
		__be32 return_code;
} __packed;

So tag is: 80 02
Length is: 00 00 00 7c (which is Big Endian decimal value 124)

Peter has touched code in that area, perhaps Peter or someone else spots something I didnt?

From: Chat Overlay Streaming <>
Sent: Friday, April 9, 2021 1:25 PM
To: <>
Subject: [tpm2] Re: Help - invalid count value
Here is my test code:


#!/bin/env bash

function pause() {
   read -s -n 1 -p "Press any key to continue ..."
   echo ""

function check_return() {
   if [ $? != 0 ]; then
      echo failed with return code: $?
      exit 1

echo tpm2 startup
tpm2_startup -c

echo Clear the Authorization value.

echo Create the local keystore folder
if [ ! -d  ${HOME}/.local/share/tpm2-tss/user/keystore ]; then
mkdir -p ${HOME}/.local/tpm2-tss/user/keystore

echo Set the algothrims for the SRK hierarchy.

echo Create the primary key object for SRK. This will take a while...
tpm2_createprimary -Q -G "${key_alg}" -g "${hash_alg}" -C o -c srk.ctx

echo Create an AES key object with CTR mode
tpm2_create -C srk.ctx -G aes256ctr -p ${pswd} -u -r aes256_key.priv

echo Load it into TPM module memory
tpm2_load -Q -C srk.ctx -u -r aes256_key.priv -n aes256ctr_key -c aes256_key.ctx

echo Erase/evict any key at 0x81010000 if there is
tpm2_evictcontrol -C o 0x81010000 > /dev/null 2>&1

echo Make the key persistent with handle 0x81010000
tpm2_evictcontrol -C o -c aes256_key.ctx 0x81010000

echo AES encryption and decryption test.
echo "test data" >

echo Create an IV data file
iv_part1=`od -Ad -N8 -t u -i /dev/random | awk '{ print $2; exit }'`
iv_part2=`od -Ad -N8 -t u -i /dev/random | awk '{ print $2; exit }'`
echo ${iv} > iv.input
cat iv.input


echo Encrypt the test data file with the persistent key handle
tpm2_encryptdecrypt -c 0x81010000 --iv=iv.input:iv.output -p ${pswd} -o

echo Decrypt the encrypted test file with the persistent key handle
tpm2_encryptdecrypt -d -c 0x81010000 -p ${pswd} --iv-iv.input:iv.output -o

diff > /dev/null
if [ $? != 0 ]; then
   echo tpm2 encrypt/decrypt with key handle failed!
   exit 1
echo ==================E=N=D=====================

On Fri, Apr 9, 2021 at 11:11 AM Chat Overlay Streaming <> wrote:
Hi there,
I tried to use the TPM2 AES256 / AES256CTR to encrypt a file. When I ran the following command, I got an error message in an infinite loop and had to reboot my machine.

$ tpm2_encryptdecrypt -c 0x81010000 --iv=iv.input:iv.output -p ${pswd} -o

The error message was
   tpm tpm0 invalid count value ffffffff 1000
   tpm tpm0 invalid count value ffffffff 1000 
   tpm tpm0 invalid count value ffffffff 1000

Digging the location where the error message comes from, I found it was in the tpm driver file: file tpm-interface.c

static ssize_t tpm_try_transmit(struct tpm_chip *chip, void *buf, size_t bufsiz)
struct tpm_header *header = buf;

count = be32_to_cpu(header->length); // ---> count = ffffffff  

if (count > bufsiz) {   // ---> bufsiz = 1000
                  "invalid count value %x %zx\n", count, bufsiz);
return -E2BIG;

My question is did someone meet the same problem? And how can I debug this problem?
I double checked the tpm2-abrmd service. It was running okay.

The builds for my test are:
1. rpi-kernel: 5.4.y
2. tpm2-tss: 3.0.x
3. tpm2-abrmd: 2.3.2
4. tpm2-tools: 4.2.X
5. tpm2-tss-engine: v1.1.x

My test environments:
RPI 3B & 4B
AES in the TPM was enabled.

Attached is my test script.

Thanks a lot,