I find that the example specified in your README does not work on my particular version of kubernetes.

How to produce the problem

[reproduction steps partly lost in extraction; surviving fragments: lunar, docker.io, tpm2-tools] (capsh --print or check /proc/1/status inside the container)

Run tpm2_pcrread or some other tpm2 tool and confirm that it fails with an "access denied" error:

root@tpm-device-test:/# tpm2_pcrread
ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 99: Cannot assign requested address
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 99: Cannot assign requested address
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:254:tctildr_get_default() No standard TCTI could be loaded
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR: Could not load tcti, got: "(null)"

Proposed fix

Add one capability to the example pod.

...
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
    # DAC_OVERRIDE bypasses the owner/group/mode check on /dev/tpmrm0, and on
    # every other file in the container. Kubernetes documents the name without
    # the CAP_ prefix ("DAC_OVERRIDE"); use that spelling if your runtime rejects
    # the prefixed form.
    add: ["CAP_DAC_OVERRIDE"]  # this will allow directory access for tpm2-tools

Confirm that the started pod has the added capability: [...]

tpm2_pcrread now works correctly.
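The check the issue describes (reading the capability set from /proc/1/status and seeing whether the TPM device can be opened) as a runnable diagnostic. This is an added example, not code from the issue author or from the project the issue was filed against. It decodes the CapEff mask the kernel prints in /proc/<pid>/status, the same data capsh --print shows, tests the DAC_OVERRIDE bit, and reports why an open() of the device would fail. Assumptions: a Linux procfs, GNU or busybox stat and id, capability bit numbers from <linux/capability.h>, and the TPM_DEV variable as an illustrative override for the device path.

```shell
#!/bin/sh
# Added example (not from the issue or the project): explain an EACCES on the
# TPM resource manager device inside a container whose capabilities were
# dropped with drop: ["ALL"].

# Illustrative override; defaults to the device the issue's error names.
DEV="${TPM_DEV:-/dev/tpmrm0}"

# Capability bit numbers from <linux/capability.h>.
CAP_DAC_OVERRIDE=1
CAP_DAC_READ_SEARCH=2

# hexval DIGIT -> prints the value 0..15 of one hex digit.
hexval() {
    case "$1" in
        [0-9]) echo "$1" ;;
        a|A) echo 10 ;; b|B) echo 11 ;; c|C) echo 12 ;;
        d|D) echo 13 ;; e|E) echo 14 ;; f|F) echo 15 ;;
        *) echo "bad hex digit: $1" >&2; return 1 ;;
    esac
}

# has_cap MASK BIT -> success if bit BIT is set in MASK, the hex string the
# kernel prints for CapEff/CapBnd in /proc/<pid>/status (bit 0 is rightmost).
has_cap() {
    mask=$1 bit=$2
    # 1-based index of the hex digit holding this bit, counted from the left.
    pos=$(( ${#mask} - bit / 4 ))
    [ "$pos" -ge 1 ] || return 1
    digit=$(printf '%s' "$mask" | cut -c "$pos")
    val=$(hexval "$digit") || return 1
    [ $(( (val >> (bit % 4)) & 1 )) -eq 1 ]
}

# capeff_of STATUS_TEXT -> prints the CapEff mask from the text of a status file.
capeff_of() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# tpm_access_verdict DEV STATUS_TEXT -> prints one word:
#   missing  device node absent (no TPM was passed into the container)
#   ok       effective uid, groups or capabilities allow read and write
#   denied   open() would fail with EACCES; the reason goes to stderr
tpm_access_verdict() {
    dev=$1 status=$2
    [ -e "$dev" ] || { echo missing; return 0; }
    # test -r/-w use access(2), which honours DAC_OVERRIDE like open(2) does.
    if [ -r "$dev" ] && [ -w "$dev" ]; then echo ok; return 0; fi
    mask=$(capeff_of "$status")
    if has_cap "$mask" "$CAP_DAC_OVERRIDE"; then
        echo "CapEff $mask holds DAC_OVERRIDE yet access fails: look at the LSM policy or the device cgroup, not file modes" >&2
    else
        echo "CapEff $mask lacks DAC_OVERRIDE; $dev is $(stat -c '%a %U:%G' "$dev") and this process is uid $(id -u) groups $(id -G)" >&2
    fi
    echo denied
}

# Usage: verdict for the real device using this shell's own capability set.
tpm_access_verdict "$DEV" "$(cat /proc/self/status)"
```

Run it as the pod's main process (or with the PID of PID 1 substituted for self) to see whether the failure is the dropped capability or a device node that was never mounted: the denied branch prints the device's mode and group next to the process's own groups, which also shows whether a supplementalGroups entry matching the device group would be a narrower fix than DAC_OVERRIDE.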