Hi,

First of all I would like to say thank you for this great tool. It is really useful.

I am working on a golang library that communicates with a TPM chip. And I would like to add unit tests that help me verify this functionality without much hassle.

I have a test that can be run against /dev/tpmrm if it exists. Now I want to make the tests work on systems that have no hardware chip. Using a software emulator is a great way to do it.

So I started working on a test that starts swtpm, connects to it over TCP and then tries to use it. Unfortunately my test fails with an "unable to load data: warning code 0x2 : out of memory for object contexts" error.

Is there a way to overcome this problem? I see two options here:

1) increase the size of memory available for SWTPM
2) add a resource manager on top of SWTPM

I did not find how to do 1). As for 2), I found `tpm2-abrmd` but unfortunately it also requires sudo permissions, which is a no-go for unit tests. Maybe there is a way to add some embedded resource manager into swtpm?
On Tuesday, October 20, 2020 at 5:09:21 PM UTC-4 Anatol Pomozov wrote:

> Hi,
>
> First of all I would like to say thank you for this great tool. It is really useful.
>
> I am working on a golang library that communicates with a TPM chip. And I would like to add unit tests that help me verify this functionality without much hassle.
>
> I have a test that can be run against /dev/tpmrm if it exists. Now I want to make the tests work on systems that have no hardware chip. Using a software emulator is a great way to do it.
>
> So I started working on a test that starts swtpm, connects to it over TCP and then tries to use it. Unfortunately my test fails with an "unable to load data: warning code 0x2 : out of memory for object contexts" error.
>
> Is there a way to overcome this problem? I see two options here:
>
> 1) increase the size of memory available for SWTPM
> 2) add a resource manager on top of SWTPM

You can have a resource manager if you start it as described on this page here under 'Character device using tpm_vtpm_proxy': https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm#character-device-using-tpm_vtpm_proxy

swtpm will have to be started as root unless you change the permissions on /dev/vtpm. If you start `swtpm` with `--tpm2` it will create a /dev/tpmX and /dev/tpmrmX and you then have the kernel resource manager again.

> I did not find how to do 1). As for 2), I found `tpm2-abrmd` but unfortunately it also requires sudo permissions, which is a no-go for unit tests. Maybe there is a way to add some embedded resource manager into swtpm?

We already have enough resource managers in the kernel and with `tpm2-abrmd`, so I will not add one to `swtpm`.

We have a large test suite for TPM 2 that uses the swtpm over sockets and it doesn't need more than 3 handles (https://sourceforge.net/p/ibmtpm20tss/tss/ci/master/tree/utils/regtests/). Maybe your test suite needs to do some housekeeping with the number of keys it uses.
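Added example, not part of the thread and not swtpm or test-suite code: one way to do the housekeeping suggested above from Go without a resource manager, by listing the loaded transient objects with TPM2_GetCapability and freeing each one with TPM2_FlushContext over the raw socket. The names `run` and `FlushTransient` and the address 127.0.0.1:2321 are assumptions, and the TPM is assumed to have been started already.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// run sends one sessionless TPM 2.0 command (tag, size, code, uint32 params) and returns the response body.
func run(rw io.ReadWriter, cc uint32, params ...uint32) ([]byte, error) {
	cmd := binary.BigEndian.AppendUint32([]byte{0x80, 0x01}, uint32(10+4*len(params))) // TPM_ST_NO_SESSIONS, size
	cmd = binary.BigEndian.AppendUint32(cmd, cc)
	for _, p := range params {
		cmd = binary.BigEndian.AppendUint32(cmd, p)
	}
	if _, err := rw.Write(cmd); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rw, cmd[:10]); err != nil { // response header overwrites the sent bytes
		return nil, err
	}
	size, rc := binary.BigEndian.Uint32(cmd[2:]), binary.BigEndian.Uint32(cmd[6:])
	if size < 10 || size > 4096 || rc != 0 {
		return nil, fmt.Errorf("TPM error: size=%d rc=0x%x", size, rc)
	}
	body := make([]byte, size-10)
	_, err := io.ReadFull(rw, body)
	return body, err
}

// FlushTransient frees loaded transient objects; body is moreData(1) | capability(4) | count(4) | handles(4 each).
func FlushTransient(rw io.ReadWriter) (freed []uint32, err error) {
	body, err := run(rw, 0x17A, 1, 0x80000000, 32) // TPM2_GetCapability(TPM_CAP_HANDLES, first transient handle, max 32)
	for off := 9; err == nil && off+4 <= len(body); off += 4 {
		h := binary.BigEndian.Uint32(body[off:])
		if _, err = run(rw, 0x165, h); err == nil { // TPM2_FlushContext
			freed = append(freed, h)
		}
	}
	return freed, err
}

func main() {
	conn, err := net.Dial("tcp", "127.0.0.1:2321") // assumed address of swtpm's TCP data channel
	if err != nil {
		panic(err)
	}
	fmt.Println(FlushTransient(conn))
}
```

Calling `FlushTransient` from test teardown, or between test cases, keeps the emulator's object slots free for the next load.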
Hi

On Thu, Oct 22, 2020 at 5:03 PM Stefan Berger <stefa...@gmail.com> wrote:

> On Thursday, October 22, 2020 at 4:41:15 PM UTC-4 anatol....@gmail.com wrote:
>
>> Hello
>>
>> On Thursday, October 22, 2020 at 12:17:02 PM UTC-7 stefa...@gmail.com wrote:
>>
>>> On Tuesday, October 20, 2020 at 5:09:21 PM UTC-4 Anatol Pomozov wrote:
>>>
>>>> Hi,
>>>>
>>>> First of all I would like to say thank you for this great tool. It is really useful.
>>>>
>>>> I am working on a golang library that communicates with a TPM chip. And I would like to add unit tests that help me verify this functionality without much hassle.
>>>>
>>>> I have a test that can be run against /dev/tpmrm if it exists. Now I want to make the tests work on systems that have no hardware chip. Using a software emulator is a great way to do it.
>>>>
>>>> So I started working on a test that starts swtpm, connects to it over TCP and then tries to use it. Unfortunately my test fails with an "unable to load data: warning code 0x2 : out of memory for object contexts" error.
>>>>
>>>> Is there a way to overcome this problem? I see two options here:
>>>>
>>>> 1) increase the size of memory available for SWTPM
>>>> 2) add a resource manager on top of SWTPM
>>>
>>> You can have a resource manager if you start it as described on this page here under 'Character device using tpm_vtpm_proxy': https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm#character-device-using-tpm_vtpm_proxy
>>>
>>> swtpm will have to be started as root unless you change the permissions on /dev/vtpm. If you start `swtpm` with `--tpm2` it will create a /dev/tpmX and /dev/tpmrmX and you then have the kernel resource manager again.
>>
>> "sudo" requirements is a no-go for unit tests unfortunately.
>>
>>>> I did not find how to do 1). As for 2), I found `tpm2-abrmd` but unfortunately it also requires sudo permissions, which is a no-go for unit tests. Maybe there is a way to add some embedded resource manager into swtpm?
>>>
>>> We already have enough resource managers in the kernel and with `tpm2-abrmd`, so I will not add one to `swtpm`.
>>
>> The kernel resource manager requires admin permissions for loading the module + creating a chardev. But in my case I want to find an automatic way to test my TPM2-specific code. Having a simple resource manager that can sit on top of the TCP connection would be handy in such a situation.
>>
>> Alright, what about the idea #1 - increase the size of the memory available for handles? Is there a way to configure it?
>
> You would have to modify the code but then nobody else can run your unit tests and I would not recommend that, either. src/tpm2/TpmProfile.h: MAX_HANDLE_NUM.

Is this limitation a part of the TPM spec? Would it be possible to make this limit configurable with a command line like "swtpm --max-handle-num 20" or "swtpm_setup --max-handle-num 20"?