SOLVED: Force use of engine all the time

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

SOLVED: Force use of engine all the time

Frederick Gotham

I know I've called this "solved", but I've achieved my objective about 98%
so there's only a little bit left to go.

My changes to the source code for LibOpenSSL are confined to the file
"rand_lib.c".

Firstly, I've added the following code:

#include <assert.h>
#include <sys/stat.h>
#include <fcntl.h>

static int Dummy__seed(const void *buf, int num) { (void)buf; (void)num;
return 1; }

static void Dummy__cleanup(void) { /* Do Nothing */ return; }

static int Dummy__add(const void *buf, int num, double randomness) {
(void)buf; (void)num; (void)randomness; return 1; }

static int Dummy__status(void) { /* Do Nothing */ return 1; }

static void Do_Whatever_Needs_Done_For_TPM2(void)
{
        CRYPTO_THREAD_write_lock(rand_meth_lock);
        CRYPTO_THREAD_write_lock(rand_engine_lock);

        /* Initialize the dynamic engine loader */
        ENGINE_load_dynamic();

        ENGINE *tpm2_engine;
 
        /* If the first fails, try the second one */
        (tpm2_engine = ENGINE_by_id("tpm2tss")) || (tpm2_engine =
ENGINE_by_id("libtpm2tss"));
       
        if ( NULL == tpm2_engine )
        {
                assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: NULL ==
ENGINE_by_id" );
                abort();
        }

#   define TPM2TSS_SET_TCTI  (ENGINE_CMD_BASE + 1)
       
    if ( 0 == ENGINE_ctrl(tpm2_engine, TPM2TSS_SET_TCTI, 0, "device",
NULL) )
    {
                assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: 0 ==
ENGINE_ctrl(tcti:device)" );
                abort();
    }
   
        int const init_res = ENGINE_init(tpm2_engine);
       
        if ( 0 == init_res )
        {
                assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: 0 ==
ENGINE_init" );
                abort();
        }
               
        RAND_METHOD const *const p_rm = ENGINE_get_RAND(tpm2_engine);

        if ( NULL == p_rm )
        {
                assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: NULL ==
ENGINE_get_RAND" );
                abort();
        }
       
        static RAND_METHOD funcptrs = {
                Dummy__seed,          /* seed() */
                0, /* bytes() */
                Dummy__cleanup,       /* cleanup() */
                Dummy__add,           /* add() */
                0,                /* pseudorand() */
                Dummy__status         /* status() */
        };
       
        funcptrs.bytes = p_rm->bytes;  //rand_meth.bytes;
        funcptrs.pseudorand = p_rm->bytes;  //rand_meth.pseudorand;
        funct_ref = tpm2_engine;
        default_RAND_meth = &funcptrs;
        rand_meth = funcptrs;  /* Even set the Drbg func pointers */

        /* DON'T DO THIS - - - ENGINE_set_default(tpm2_engine,
ENGINE_METHOD_RAND); */
       
        CRYPTO_THREAD_unlock(rand_meth_lock);
        CRYPTO_THREAD_unlock(rand_engine_lock);
}


And then I add one line to the funciton "do_rand_init":

    Do_Whatever_Needs_Done_For_TPM2();

So my device starts up just fine, and the first thing I notice is that it
takes a little longer to boot up (maybe because it takes a long longer to
get random numbers from hardware?).

So, when I do the following at the command line:

    openssl rand -hex 128

It sometimes gives me back 128 bytes immediately, although sometimes it
gives this:

ERROR:tcti:src/tss2-tcti/tcti-device.c:319:Tss2_Tcti_Device_Init() Failed
to open device file /dev/tpm0: Device or resource busy
WARNING:esys:src/tss2-esys/esys_tcti_default.c:83:tcti_from_init() TCTI
init for function 0x7f6528b376f6 failed with a000a
WARNING:esys:src/tss2-esys/esys_tcti_default.c:113:tcti_from_info() Could
not initialize TCTI named: tcti-device
ERROR:esys:src/tss2-esys/esys_tcti_default.c:150:tcti_from_file() Could
not initialize TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could
not load TCTI file: libtss2-tcti-tabrmd.so

In order to try get around this problem of more than one thread (or
process) acessing /dev/tpm0 simultaneously, I added a global named mutex
to my code, and while it does improve things, it doesn't irradicate the
problem completely.

I don't think any code other than "libcrypto.so" is using the TPM2, and so
I don't know why I'm getting "device or resource busy" (considering I'm
using a global named mutex)". I see that there's also a TPM2 tcti called
"abrmd", and I'm not sure if this purpose is exactly what it's for.

Any ideas?


Reply | Threaded
Open this post in threaded view
|

Re: SOLVED: Force use of engine all the time

Frederick Gotham
Frederick Gotham wrote:

> I don't think any code other than "libcrypto.so" is using the TPM2, and so
> I don't know why I'm getting "device or resource busy" (considering I'm
> using a global named mutex)". I see that there's also a TPM2 tcti called
> "abrmd", and I'm not sure if this purpose is exactly what it's for.



I tweaked my global mutex a bit and now it's working fine.

Reply | Threaded
Open this post in threaded view
|

RE: SOLVED: Force use of engine all the time

Kenneth Goldman

Inactive hide details for Frederick Gotham ---11/07/2019 10:39:59 AM---Frederick Gotham wrote: > I don't think any code other tFrederick Gotham ---11/07/2019 10:39:59 AM---Frederick Gotham wrote: > I don't think any code other than "libcrypto.so" is using the TPM2, and so

From: Frederick Gotham <[hidden email]>
To: [hidden email]
Date: 11/07/2019 10:39 AM
Subject: [EXTERNAL] Re: SOLVED: Force use of engine all the time
Sent by: "openssl-users" <[hidden email]>





Frederick Gotham wrote:

> I don't think any code other than "libcrypto.so" is using the TPM2, and so
> I don't know why I'm getting "device or resource busy" (considering I'm
> using a global named mutex)". I see that there's also a TPM2 tcti called
> "abrmd", and I'm not sure if this purpose is exactly what it's for.

Just FYI, abrmd was a TPM 2.0 user space resource manager, similar to the

TPM 1.2 tcsd.  Recent Linux kernels have a kernel driver resource manager
at /dev/tpmrm0 that removes the need for a user space daemon.

/dev/tpmrm0 supports multiple opens and does the swapping and
scheduling.  /dev/tpm0 is the original single open entry point, and
would not normally be used.