LeapMicro5.5 TPM2 issue

Hi,

I would like to use the TPM chip of my computer running OpenSUSE Leap Micro 5.5.

I have noticed this problem:

/usr/sbin/tpm2-abrmd

** (process:6230): WARNING **: 10:24:06.612: tcti_conf before: "(null)"

** (tpm2-abrmd:6230): WARNING **: 10:24:06.612: tcti_conf after: "device:/dev/tpm0"
Refusing to run as root. Pass --allow-root if you know what you are doing.

So I used the command systemctl edit tpm2-abrmd.service to add:

[Service]
ExecStart=
ExecStart=/usr/sbin/tpm2-abrmd --allow-root
User=
User=root

It is supposed to override the readonly file /usr/lib/systemd/system/tpm2-abrmd.service

But communicating with the TPM still has issues:

# tpm2_getcap  handles-persistent

** (process:1750): WARNING **: 19:07:11.335: Failed to create connection with service: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
- 0x81000001
- 0x81000002
- 0x81000009
- 0x81010001

It seems to be related to DBus.

Do you have any idea how to fix it?

Thank you

and is it installed?

I had to install tpm2.0-tools package and add my user to the tss group, then reboot for my user to access TPM without root or other workarounds.

FYI, I was trying out the tpm-fido package, but it didn’t work out for me as it only supports the older FIDO/U2F protocol and not FIDO2.

tpm2_getcap command is from tpm2.0-tools.


Good to know, while I was researching FIDO2 and TPM, I also read on the Arch wiki not to enable tpm2-abrmd as it was deprecated. I see on my system that it is disabled by default. Though running Gnome’s device security settings turns it on.

It is:

/usr/lib64/libtss2-tcti-tabrmd.so.0
/usr/lib64/libtss2-tcti-tabrmd.so.0.0.0

No issues on TW Slowroll:

pavin@suse-pc:~> sudo journalctl -u tpm2-abrmd.service
Please enter the PIN: 
Please touch the device.
Mar 05 04:17:54 suse-pc systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Mar 05 04:17:54 suse-pc systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
Mar 05 04:20:24 suse-pc systemd[1]: Stopping TPM2 Access Broker and Resource Management Daemon...
Mar 05 04:20:24 suse-pc systemd[1]: tpm2-abrmd.service: Deactivated successfully.
Mar 05 04:20:24 suse-pc systemd[1]: Stopped TPM2 Access Broker and Resource Management Daemon.
-- Boot d3a47d27f69545f5b63071aeacf1da93 --
Mar 05 04:21:52 suse-pc systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Mar 05 04:21:52 suse-pc systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
Mar 05 11:14:43 suse-pc systemd[1]: Stopping TPM2 Access Broker and Resource Management Daemon...
Mar 05 11:14:44 suse-pc systemd[1]: tpm2-abrmd.service: Deactivated successfully.
Mar 05 11:14:44 suse-pc systemd[1]: Stopped TPM2 Access Broker and Resource Management Daemon.
-- Boot c6fe55c591c043829fb634a59f921678 --
Mar 06 08:49:28 suse-pc systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Mar 06 08:49:28 suse-pc systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
Mar 06 09:47:40 suse-pc systemd[1]: Stopping TPM2 Access Broker and Resource Management Daemon...
Mar 06 09:47:41 suse-pc systemd[1]: tpm2-abrmd.service: Deactivated successfully.
Mar 06 09:47:41 suse-pc systemd[1]: Stopped TPM2 Access Broker and Resource Management Daemon.
-- Boot 65461e78a66c4cd98a3616eb899c884b --
Mar 06 12:07:19 suse-pc systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Mar 06 12:07:19 suse-pc systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
Mar 06 15:11:51 suse-pc systemd[1]: Stopping TPM2 Access Broker and Resource Management Daemon...
Mar 06 15:11:52 suse-pc systemd[1]: tpm2-abrmd.service: Deactivated successfully.
Mar 06 15:11:52 suse-pc systemd[1]: Stopped TPM2 Access Broker and Resource Management Daemon.
pavin@suse-pc:~> systemctl cat tpm2-abrmd.service
# /usr/lib/systemd/system/tpm2-abrmd.service
[Unit]
Description=TPM2 Access Broker and Resource Management Daemon
# These settings are needed when using the device TCTI. If the
# TCP mssim is used then the settings should be commented out.
After=dev-tpm0.device
Requires=dev-tpm0.device

[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=read-only
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions 
Type=dbus
BusName=com.intel.tss2.Tabrmd
ExecStart=/usr/sbin/tpm2-abrmd
User=tss

[Install]
WantedBy=multi-user.target

Perhaps a package issue on Leap?

There was an old issue which got closed with a workaround:

No.

I get the same error as the TO on an up to date TW machine…


abrmd is not supposed to run as root and it should not be needed. Do you have any reason to do it? The systemd service (as opposed to your attempt to run it manually) should work without any change.

Which issue? It is just a warning and you got 4 handles in response. If you want to troubleshoot the warning - start with reverting your changes to tpm2-abrmd.service and run it normally and if you still have this warning - capture D-Bus traffic (e.g. using busctl monitor) to see what service it attempts to contact. If you do not know how to interpret the result - post complete output here.

What is the reason you need tpm2-abrmd in the first place? Neither FDE nor OpenSSL engine needs it.

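A small diagnostic script, added here as an example and not taken from any post in this thread, that applies the advice given above: it checks tss group membership, reports the tpm2-abrmd service state, runs tpm2_getcap through the default TCTI, and only if the failure carries the broker/D-Bus signature quoted earlier retries directly against the kernel device node, which needs no tpm2-abrmd at all. It assumes tpm2-tools (tpm2_getcap with its -T/--tcti option) and the usual /dev/tpm0 and /dev/tpmrm0 nodes.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes tpm2-tools (tpm2_getcap, -T/--tcti)
# and the usual Linux nodes /dev/tpm0 (raw) and /dev/tpmrm0 (kernel resource manager).

# Return 0 if the space-separated group list (as printed by `id -nG`) contains "tss".
in_tss_group() {
    for g in $1; do
        [ "$g" = "tss" ] && return 0
    done
    return 1
}

# Print a device TCTI string that bypasses tpm2-abrmd and D-Bus entirely,
# preferring the kernel resource manager over the raw device. $1 is the
# directory holding the nodes (normally /dev); fails if neither exists.
pick_device_tcti() {
    if [ -c "$1/tpmrm0" ]; then
        echo "device:$1/tpmrm0"
    elif [ -c "$1/tpm0" ]; then
        echo "device:$1/tpm0"
    else
        return 1
    fi
}

# Return 0 if tool output carries the broker signature seen in the thread
# (tabrmd TCTI or a GDBus error): the D-Bus broker, not the TPM, is the problem.
broker_error() {
    case "$1" in
        *libtss2-tcti-tabrmd*|*GDBus.Error*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    in_tss_group "$(id -nG)" || echo "note: $(id -un) is not in group tss; add it and log in again"
    ls -l /dev/tpm0 /dev/tpmrm0 2>/dev/null
    echo "tpm2-abrmd.service: $(systemctl is-active tpm2-abrmd.service 2>/dev/null)"
    # First try the default TCTI (tabrmd where the broker is installed).
    if out=$(tpm2_getcap handles-persistent 2>&1); then echo "$out"; return 0; fi
    echo "$out"
    broker_error "$out" || { echo "failure is not broker related"; return 1; }
    # Broker/D-Bus failure: talk straight to the kernel driver instead.
    tcti=$(pick_device_tcti /dev) || { echo "no TPM device node found"; return 1; }
    echo "retrying with --tcti=$tcti"
    tpm2_getcap --tcti="$tcti" handles-persistent
}
# Run the checks only when invoked as: sh tpmcheck.sh run
case "${1:-}" in run) main ;; esac
```

If the retry with the device TCTI succeeds while the default path fails, the TPM and your permissions are fine and only the broker/D-Bus path is broken, which is what the replies above suggest checking first.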
