From: Petr Gotthard <petr.gotthard(a)centrum.cz>
Sent: Friday, October 8, 2021 11:44 AM
To: Roberts, William C <william.c.roberts(a)intel.com>; Chris Newman
<chris(a)mode51.software>; tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: Re: [tpm2] Re: CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of
memory for object contexts
we solved this particular issue, but I expect more resource-related troubles are yet to
Oh, how exciting :-p
Example 1: OpenSSL often duplicates hash sequences: To hash sequences
A,B,C1 and then A,B,C2 they first hash A,B, then duplicate/fork the hash sequence and then
complete the hash first for C1 and then for C2. This is a great performance optimization,
but when too many dup (forks) are made, the TPM runs out of objects.
Why are we doing hashing with the TPM? If we're in an OpenSSL provider can't we just
use software provided hashing routines? I see hashing is configurable, but I would imagine
off by default is what you want. Do we use validation tickets or anything like that or
just the resulting digest? If all we use are the digests, I would make TPM not hash and
make that option a nop.
Example 2: The CMP key update needs 4 objects to operate (old client
key, new client key, server key and hash sequence), but the kernel RM
(tpm_space.context_tbl) allows only 3 objects. (If I am right.)
It does seem that way, but TPM commands only ever need 3 objects alive at once, so
that's likely why that was chosen.
Does CMP key really need all 4 of those things in the TPM at once, because currently today
that's not actually happening as abrmd is just swapping them in and out.
Also, doesn't CMP use public objects (x509 certs) for some of it?
Looking at the code here:
Are public key operations implemented in software? In tpm2-pkcs11 we implement them in
software and hash in software and I have yet to have someone hit a limit but perhaps they
are all using abrmd but I thought some were using in-kernel RM.
In general, the OpenSSL code often pre-loads or caches objects, which
will be used later, which causes troubles with the space-constrained TPM. I was not sure
whether the tpm2-openssl provider should act as another level of a resource manager and
swap the objects to simulate more space than available on the TPM hardware, or whether
this is something the resource manager could/should do.
It's something the RM should do, but the in-kernel RM will always be tightly
constrained by the amount of kernel memory space it can swap to. I wonder if we could give
it a real swap space :-p
It's definitely a nice problem to think about and most likely
something which will need to be addressed in the tpm2-openssl 2.0
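An added model of Example 1 and Example 2 above, written for this thread; it is not code from tpm2-openssl, OpenSSL or the kernel resource manager. It assumes three object slots per space for the in-kernel RM (the thread's reading of tpm_space.context_tbl), that a TPM-backed hash sequence occupies one slot from HashSequenceStart until SequenceComplete, and that an OpenSSL EVP_MD_CTX_copy of such a sequence costs a ContextSave/ContextLoad and therefore a second slot. The class and function names are hypothetical; the inputs are constructed.

```python
"""Transient-object pressure behind a resource manager (illustration only).

Models the two cases from the thread: OpenSSL forking a hash sequence
before finalizing any of the forks, and a CMP key update that wants four
objects loaded at once. Nothing here talks to a TPM.
"""
import hashlib

KERNEL_RM_SLOTS = 3  # assumed: tpm_space.context_tbl has 3 entries


class OutOfObjectContexts(Exception):
    """Stands in for tpm:warn(2.0): out of memory for object contexts."""


class ObjectTable:
    """Counts the transient objects live in one RM space."""

    def __init__(self, slots):
        self.slots = slots
        self.live = set()
        self.peak = 0
        self.next_handle = 0x80000000

    def alloc(self, label):
        if len(self.live) >= self.slots:
            raise OutOfObjectContexts(f"{label}: all {self.slots} slots in use")
        handle = self.next_handle
        self.next_handle += 1
        self.live.add(handle)
        self.peak = max(self.peak, len(self.live))
        return handle

    def flush(self, handle):
        self.live.discard(handle)


class TpmDigest:
    """Hash sequence kept in the TPM (tpm2.digest=yes): one slot per sequence."""

    def __init__(self, table, handle=None, state=None):
        self.table = table
        self.state = state if state is not None else hashlib.sha256()
        # TPM2_HashSequenceStart allocates an object; a copy already has one
        self.handle = handle if handle is not None else table.alloc("HashSequenceStart")

    def update(self, data):
        self.state.update(data)

    def copy(self):
        # EVP_MD_CTX_copy => ContextSave + ContextLoad => a second live object
        handle = self.table.alloc("Esys_ContextLoad")
        return TpmDigest(self.table, handle, self.state.copy())

    def final(self):
        self.table.flush(self.handle)  # TPM2_SequenceComplete frees the slot
        return self.state.digest()


class SoftDigest:
    """Same interface with hashing in software: no TPM object at all."""

    def __init__(self, state=None):
        self.state = state if state is not None else hashlib.sha256()

    def update(self, data):
        self.state.update(data)

    def copy(self):
        return SoftDigest(self.state.copy())

    def final(self):
        return self.state.digest()


def fork_pattern(new_digest, prefix, suffixes):
    """OpenSSL-style: hash the common prefix once, fork per suffix, then finish."""
    base = new_digest()
    for chunk in prefix:
        base.update(chunk)
    forks = [base.copy() for _ in suffixes]  # every fork is alive at this point
    base.final()
    out = []
    for fork, suffix in zip(forks, suffixes):
        fork.update(suffix)
        out.append(fork.final())
    return out


def run_fork_example(slots, tpm_hashing, n_suffixes):
    """Example 1: A,B then C1..Cn, with digests in the TPM or in software."""
    table = ObjectTable(slots)
    make = (lambda: TpmDigest(table)) if tpm_hashing else SoftDigest
    suffixes = [b"C%d" % i for i in range(n_suffixes)]
    try:
        digests = fork_pattern(make, [b"A", b"B"], suffixes)
    except OutOfObjectContexts as err:
        return {"ok": False, "error": str(err), "peak": table.peak}
    expected = [hashlib.sha256(b"AB" + s).digest() for s in suffixes]
    return {"ok": digests == expected, "peak": table.peak}


def run_key_update(slots):
    """Example 2: old client key, new client key, server key and a hash sequence."""
    table = ObjectTable(slots)
    try:
        for name in ("old client key", "new client key", "server key", "hash sequence"):
            table.alloc(name)
    except OutOfObjectContexts as err:
        return {"ok": False, "error": str(err), "peak": table.peak}
    return {"ok": True, "peak": table.peak}


if __name__ == "__main__":
    print("TPM digests, 2 forks:", run_fork_example(KERNEL_RM_SLOTS, True, 2))
    print("TPM digests, 3 forks:", run_fork_example(KERNEL_RM_SLOTS, True, 3))
    print("software digests, 8 forks:", run_fork_example(KERNEL_RM_SLOTS, False, 8))
    print("CMP key update, 3 slots:", run_key_update(KERNEL_RM_SLOTS))
```

With three slots the fork pattern survives two suffixes (the prefix sequence plus two forks fill the table) and fails on the third ContextLoad, which is the shape of the "cannot duplicate context" error in the original report; with software digests the TPM object count stays at zero however many forks OpenSSL makes, and the key-update case needs a fourth slot that the modelled space does not have.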
From: "Roberts, William C"
To: "Chris Newman" <chris(a)mode51.software>,
"tpm2(a)lists.01.org" <tpm2(a)lists.01.org>, "Petr Gotthard"
Date: 08.10.2021 17:46
Subject: [tpm2] Re: CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory
for object contexts
tpm:warn(2.0): out of memory for object contexts
Are you running against a resource manager? You should probably either use /dev/tpmrm0 or
You can set the TCTI via the TPM2OPENSSL_TCTI which AFAICT takes strings like tpm2-tools,
so something like:
"device:/dev/tpmrm0" or "abrmd".
This also might be a bug, the provider is pretty new. Petr any other ideas I am missing?
From: Chris Newman <chris(a)mode51.software>
Sent: Sunday, October 3, 2021 6:40 PM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory for
I create an EK and AK using tpm2_createek, tpm2_createak and tpm2_evictcontrol to persist
the AK in 0x81010002. Then I use the following command with DigiCert's CMPv2 server:
openssl cmp -config /opt/sdk/openssl/current/ssl/openssl.cnf -provider tpm2 -provider
default -propquery ?provider=tpm2,tpm2.digest!=yes -cmd ir -server
-ref 1234 -secret pass:1234
-recipient "/CN=mode51.software" -key handle:0x81010002 -subject
"/CN=TestTest" -cacertsout ./capubs.pem -certout ./cl_cert.pem -tls_used
I get the following error:
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish
CMP DEBUG: disconnected from CMP server
CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory for object contexts
CMP error: not able to copy ctx
CMP error: internal error
CMP error: error sending
CMP error: shutdown while in init
CMP error: transfer error:request sent: IR, expected response: IP
I've tried tpm2_flushcontext -t.
I recompiled tpm2-openssl with the following option and that appears to have worked around
Is this what "?provider=tpm2,tpm2.digest!=yes" should effectively do?