Help Needed Building tpm2-abrmd to HIRS Baseline on Centos 7. #803
Comments
|
SELinux missing from the release tarball in commit 5468fc3 and is included in releases 2.0.0. My first inclination would be to tell you to try with a newer release, preferably 2.4.0 since its the most recent. |
|
To be clear, https://github.com/tpm2-software/tpm2-abrmd/tree/1.3.1 DOES contain selinux, it just doesn't build. The trouble with moving onto 2.4.0 looks to be that:
I'd really prefer to stick to the detailed baseline. Any other ideas? It'd be cool if 1.3.1 actually built. Thanks for your response, BTW. [jpitcher@justin tpm2-abrmd]$ git checkout 2.4.0 |
|
Update - I got tpm2-abrmd 1.3.1 to build by removing valgrind related code from the Makefile. After some playing trying to get rid of a dbus-daemon error, it now runs without complaint via sudo -u tss tpm2-abrmd --tcti=socket However, it is not connecting to the IBM tpm simulator, which is listening on ports 2321 and 2322. Any help with that would be welcome. |
|
OK I managed to get it to connect by issuing the above sudo whilst logged in as root. But there's trouble. You can see the IBM TPM simulator accepting connections from tpm2-abrmd here: [root@justin jpitcher]# tpm_server Bute when I run the HIRS provisioner, I get: [jpitcher@justin ~]$ sudo tpm_aca_provision And the provisioner log file says: [2022/02/24 15:10:06:481][WARN ][/hirs/HIRS/HIRS_ProvisionerTPM2/src/Logger.cpp: In other words it tried to get the public endorsement key cert from the simulator, but had a rough time doing so. tpm2-abrmd core dumped with: [root@justin jpitcher]# tpm2-abrmd --tcti=socket etc, etc, etc.... Has anyone seen this before? |
|
Exactly the same error encountered by the provisioner is also seen by issuing the following command: [jpitcher@justin ~]$ sudo tpm2_getpubek -H 0x81010000 -g 0x001 -f ek3.pub with tpm2-abrmd crashing as above. |
We need help trying to build and run tpm2-abrmd to the baseline defined at the following link. No matter what I try I can't get a decent result.
https://github.com/nsacyber/HIRS/wiki/custom_TPM2SoftwareStack
Let's deal with what I see as basic issues first.
This command: wget https://github.com/tpm2-software/tpm2-abrmd/releases/download/1.3.1/tpm2-abrmd-1.3.1.tar.gz appears to retrieve a file that does not contain the selinux directory.
I only noticed this because at some stage I was getting the problem identified by #408
So why is there a discrepancy? https://github.com/tpm2-software/tpm2-abrmd/tree/1.3.1 lists a different set of files to that contained in the tar.gz file above.
Furthermore, if I clone the repo, and checkout version 1.3.1 and try and build it using the commands in the HIRS thread, it doesn't build. Note I had to run bootstrap first (not detailed in the HIRS thread). See below.
Any help vastly appreciated, please:)
[jpitcher@justin tpm2-abrmd]$ ./bootstrap
libtoolize: putting auxiliary files in
.'. libtoolize: linking file./ltmain.sh'libtoolize: putting macros in AC_CONFIG_MACRO_DIR,
m4'. libtoolize: linking filem4/libtool.m4'libtoolize: linking file
m4/ltoptions.m4' libtoolize: linking filem4/ltsugar.m4'libtoolize: linking file
m4/ltversion.m4' libtoolize: linking filem4/lt~obsolete.m4'configure.ac:9: installing './config.guess'
configure.ac:9: installing './config.sub'
configure.ac:10: installing './install-sh'
configure.ac:10: installing './missing'
Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
[jpitcher@justin tpm2-abrmd]$ ./configure --with-dbuspolicydir=/etc/dbus-1/system.d --with-udevrulesdir=/usr/lib/udev/rules.d --with-systemdsystemunitdir=/usr/lib/systemd/system --libdir=/usr/lib64 --prefix=/usr
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether ln -s works... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @file support... @
checking for strip... strip
checking for ranlib... ranlib
checking for gawk... gawk
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking whether make supports nested variables... yes
checking dependency style of gcc... gcc3
checking whether gcc is Clang... no
checking whether pthreads work with "-pthread" and "-lpthread"... yes
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking whether more special flags are required for pthreads... no
checking for PTHREAD_PRIO_INHERIT... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for DBUS... yes
checking for GIO... yes
checking for GLIB... yes
checking for GOBJECT... yes
checking for SAPI... yes
checking for gdbus-codegen... /usr/bin/gdbus-codegen
checking whether to build with code coverage support... no
checking for valgrind... valgrind
checking for Valgrind tool memcheck... yes
checking for TCTI_DEVICE... yes
checking for TCTI_SOCKET... yes
checking for simulator binary: ... no
configure: WARNING: No simulator binary or tpm hardware provided. Integration tests disabled.
checking whether C compiler accepts -Wall... yes
checking whether C compiler accepts -Werror... yes
checking whether C compiler accepts -std=gnu99... yes
checking whether C compiler accepts -Wformat... yes
checking whether C compiler accepts -Wformat-security... yes
checking whether C compiler accepts -Wno-missing-braces... yes
checking whether C compiler accepts -fdata-sections... yes
checking whether C compiler accepts -ffunction-sections... yes
checking whether C compiler accepts -fstack-protector-all... yes
checking whether C compiler accepts -fpic... yes
checking whether C compiler accepts -fPIC... yes
checking whether C preprocessor accepts -D_GNU_SOURCE... yes
checking whether C preprocessor accepts -U_FORTIFY_SOURCE... yes
checking whether C preprocessor accepts -D_FORTIFY_SOURCE=2... yes
checking whether the linker accepts -Wl,--gc-sections... yes
checking whether the linker accepts -Wl,--no-undefined... yes
checking whether the linker accepts -Wl,-z,noexecstack... yes
checking whether the linker accepts -Wl,-z,now... yes
checking whether the linker accepts -Wl,-z,relro... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: executing libtool commands
config.status: executing depfiles commands
[jpitcher@justin tpm2-abrmd]$ make -j5
Makefile:3849: *** missing separator. Stop.
The text was updated successfully, but these errors were encountered: