From: Steven Clark [mailto:firstname.lastname@example.org]
Sent: Wednesday, November 13, 2019 12:30 PM
Subject: [tpm2] tpm2_startauthsession 4.x is using getrandom and I need to stop
> We developed our boot scripts using a nightly build of tpm2-tools from before
> the conversion to ESAPI. We now have multiple layers of storage encryption that
> depend on policy authorization in our future production configuration. After
> taking the time to upgrade to the stable release and rewrite all our commands
> across the tree the system now hangs on boot.

I'm glad you were able to get through the painful upgrade path.

> Somewhere in the call stack tpm2_startauthsession is now asking for random
> numbers using the getrandom() syscall and hanging. Thanks to kernel patches
> from a recent CVE getrandom() now blocks in the early boot before about 4000
> interrupts have happened. It's going to be up to me to fix this, very quickly.

So the reason this happens is Esys_StartAuthSession, when nonceCaller is NULL, calls to
RAND_bytes (if configured for OSSL) to set the initial nonce. Sounds like you got the
source issues solved in your follow up email, which is really the better solution than
setting the nonce to something static or weak.

> I'd like for whatever patch to be as high level as possible, and hopefully it's
> an oversight that could be integrated back into the project, but I don't see any
> smoking guns yet in tpm2_startauthsession.c and there's a lot of time pressure. If
> anyone has any suggestions where to start looking it would be nice.

You could send a patch to us to specify the nonceCaller and then the caller would
be responsible for the quality of the nonce. You could use it here, but you could
shoot yourself in the foot. But you could also then source the randomness
via a tpm2_getrandom call, but without encrypted sessions, you could be
getting an attacker controlled nonce.

> Disabling the possibility of encryption for communication on a local bus may be a
> much easier sell to the bosses than trusting all HWRNGs on the system explicitly.

The comms are not encrypted unless you specify a key. However, the nonce prevents
replays of session traffic, which is very important when you have an authorization
session. You don't want that traffic to be used to re-auth to the object.
Section 188.8.131.52 of
will give you all the gory details.
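
The early-boot hang discussed in this thread can be detected without blocking. The following is an added example, not part of the thread and not tpm2-tools or tpm2-tss code: it probes the kernel CRNG with `getrandom()` and `GRND_NONBLOCK`, so a boot script can tell "pool not yet seeded" apart from a real error before starting an auth session. The names `crng_state`, `classify_getrandom` and `probe_crng` are hypothetical.

```c
/* Added example: probe whether the kernel CRNG is seeded, without blocking. */
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>   /* getrandom(), GRND_NONBLOCK (glibc >= 2.25) */
#include <sys/types.h>

enum crng_state { CRNG_READY, CRNG_NOT_SEEDED, CRNG_RETRY, CRNG_ERROR };

/* Map one getrandom() outcome (return value and errno) to a state. */
enum crng_state classify_getrandom(ssize_t ret, int err, size_t want)
{
    if (ret >= 0)
        return (size_t)ret == want ? CRNG_READY : CRNG_RETRY; /* short read */
    if (err == EAGAIN)
        return CRNG_NOT_SEEDED;  /* a blocking call would hang at this point */
    if (err == EINTR)
        return CRNG_RETRY;       /* interrupted by a signal, try again */
    return CRNG_ERROR;           /* e.g. ENOSYS on a kernel without getrandom() */
}

/* Try to fill buf with len random bytes; never waits on an unseeded pool. */
enum crng_state probe_crng(unsigned char *buf, size_t len)
{
    enum crng_state st;
    do {
        ssize_t ret = getrandom(buf, len, GRND_NONBLOCK);
        st = classify_getrandom(ret, errno, len);
    } while (st == CRNG_RETRY);
    return st;
}

int main(void)
{
    unsigned char nonce[32];     /* constructed size: one SHA-256 sized nonce */

    switch (probe_crng(nonce, sizeof nonce)) {
    case CRNG_READY:
        puts("CRNG seeded: a library call to getrandom() will not block");
        return 0;
    case CRNG_NOT_SEEDED:
        puts("CRNG not seeded: a blocking getrandom() would stall boot here");
        return 2;
    default:
        perror("getrandom");
        return 1;
    }
}
```

Exit status 2 is the condition described in the thread; the buffer contents are only valid when the result is `CRNG_READY`.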