
Configuring IoT Edge to use TPM, I am getting the error: Error: No such file or directory (os error 2)

I have run tpm2_takeownership before, so this is probably a contributing factor.

OS: Yocto 2.3 (Linux reliagate-10-12 4.9.148-eurotech-ti #1 Tue May 21 12:52:42 UTC 2019 armv7l armv7l armv7l GNU/Linux)

IoT Edge runs fine if I do not use the TPM.

I have been able to follow the instructions for tpm_device_provision listed here: https://learn.microsoft.com/en-us/azure/iot-edge/how-to-auto-provision-simulated-device-linux and get the following output (meaning I can successfully communicate with the TPM).

root@reliagate-10-12:eMMC:~# ./tpm_device_provision
Gathering the registration information...

Registration Id:
2upzntec--REMOVED--drlxrtza

Endorsement Key:
AToAAQAL--REMOVED--9zGxyw==

Press any key to continue:

I have made the following changes to my config.yaml:

provisioning:
  source: "dps"
  global_endpoint: "https://global.azure-devices-provisioning.net"
  scope_id: "0ne00045676"
  attestation:
    method: "tpm"
    registration_id: "2upzntec--REMOVED--drlxrtza"

I have made the needed permission changes to the tpm:

root@reliagate-10-12:eMMC:~# ls -all /dev/tpm0
crw-rw----. 1 tss iotedge 10, 224 May 16 14:44 /dev/tpm0

I have the following settings in iotedge.service:

root@reliagate-10-12:eMMC:~# systemctl cat iotedge.service
[Unit]
Description=Azure IoT Edge daemon
After=network-online.target docker.service iotedge.socket     iotedge.mgmt.socket
Requires=iotedge.socket iotedge.mgmt.socket
Wants=network-online.target docker.service
Documentation=man:iotedged(8)

[Service]
ExecStart=/usr/bin/iotedged -c /etc/iotedge/config.yaml
KillMode=process
TimeoutStartSec=600
TimeoutStopSec=40
Restart=on-failure
User=iotedge
Group=iotedge

[Install]
WantedBy=multi-user.target
Also=iotedge.socket iotedge.mgmt.socket

# /etc/systemd/system/iotedge.service.d/override.conf
[Service]
Environment=IOTEDGE_USE_TPM_DEVICE=ON

I have enabled the tpmaccess rules:

root@reliagate-10-12:eMMC:~# cat /etc/udev/rules.d/tpmaccess.rules
#allow iotedge access to tpm0
KERNEL=="tpm0", SUBSYSTEM=="tpm", GROUP="iotedge", MODE="0660"

Yet when I run journalctl -u iotedge --no-pager --no-full, I see the following error:

Aug 20 20:38:22 reliagate-10-12 systemd[1]: Started Azure IoT Edge daemon.
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Using config file: /etc/iotedge/config.yaml
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Starting Azure IoT Edge Security Daemon
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Version - 1.0.7
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Using runtime network id azure-iot-edge
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Initializing the module runtime...
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Initializing module runtime...
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Successfully initialized module runtime
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Finished initializing the module runtime.
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Configuring /var/lib/iotedge as the home directory.
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Configuring certificates...
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Transparent gateway certificates not found, operating in quick start mode...
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Finished configuring certificates.
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Initializing hsm...
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Finished initializing hsm.
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Detecting if configuration file has changed...
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - No change to configuration file detected.
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Obtaining workload CA succeeded.
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Provisioning edge device...
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Starting provisioning edge device via TPM...
Aug 20 20:38:22 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:22Z [INFO] - Starting DPS registration with scope_id "0ne00045676", registration_id "2upzntec--REMOVED--drlxrtza"
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [WARN] - Could not provision device
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [WARN] - caused by: Could not get TPM challenge key
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [WARN] - caused by: A error occurred in the key store.
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [WARN] - caused by: HSM failure
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [WARN] - caused by: HSM API failure occurred: 342
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [ERR!] - The daemon could not start up successfully: Could not initialize DPS provisioning client
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [ERR!] - caused by: Could not restore previous provisioning result
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [ERR!] - caused by: No such file or directory (os error 2)
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [ERR!] (/home/build/my_project/yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/libiothsm-std/1.0.7-r0/iotedge-1.0.7/edgelet/hsm-sys/azure-…icySecret() for EK
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [ERR!] (/home/build/my_project/yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/libiothsm-std/1.0.7-r0/iotedge-1.0.7/edgelet/hsm-sys/azure-… EK policy session
Aug 20 20:38:23 reliagate-10-12 iotedged[3466]: 2019-08-20T20:38:23Z [ERR!] (/home/build/my_project/yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/libiothsm-std/1.0.7-r0/iotedge-1.0.7/edgelet/hsm-sys/azure-…rting key into tpm
Aug 20 20:38:23 reliagate-10-12 systemd[1]: iotedge.service: Main process exited, code=exited, status=1/FAILURE
Aug 20 20:38:23 reliagate-10-12 systemd[1]: iotedge.service: Failed with result 'exit-code'.
Aug 20 20:38:23 reliagate-10-12 systemd[1]: iotedge.service: Service RestartSec=100ms expired, scheduling restart.
Aug 20 20:38:23 reliagate-10-12 systemd[1]: iotedge.service: Scheduled restart job, restart counter is at 5.
Aug 20 20:38:23 reliagate-10-12 systemd[1]: Stopped Azure IoT Edge daemon.

Kevin Saye

2 Answers


A few thoughts:

  1. Are you running the latest IoT Edge bits (1.0.8)?
  2. Double-check the scope and endorsement key in DPS.
  3. We have seen issues with initialization where IoT Edge comes up before the TPM is ready. You may have to configure systemd to have iotedged start slower. In this case, iotedged has a dependency on the TPM.
  4. Are you running a TPM Resource Manager?

Thanks, Kevin

Kevin
  • The Yocto layers are only version 1.0.7 (https://github.com/Azure/meta-iotedge). I have checked the scope and device id and they are accurate. If it were a race issue, I would think when I attempt to restart it would work, and that is not the case. Lastly, no TPM resource manager. I would guess the './tpm_device_provision' would fail if that were the case. I really do think it is the fact that in the past I have run 'tpm2_takeownership' and I wish I knew how to factory reset the TPM -- if there is such a thing. – Kevin Saye Aug 30 '19 at 16:09

For others, it appears that running

tpm2_takeownership -c

solved the issue.

Kevin Saye
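An added pre-flight script (not from the thread or the IoT Edge project) that checks the two conditions this thread turns on before iotedged is started: that the iotedge group really has rw access to /dev/tpm0, and that the TPM's owner/endorsement/lockout hierarchies still have no authorization value set, which is the state tpm2_takeownership changes and tpm2_takeownership -c restores. It assumes tpm2-tools 4.x command syntax (tpm2_getcap properties-variable; 3.x uses tpm2_getcap -c properties-variable) and accepts both the "1"/"0" and the "set"/"clear" spellings of the flags; the sample output is constructed.

```shell
#!/bin/sh
# Pre-flight check for IoT Edge TPM provisioning (added example, not project code).
# Pure functions first so they can be tested with constructed input; the live
# checks only run when invoked as: sh preflight.sh --live

# device_acl_ok '<ls -l line>' <group>: 0 when the node is a char device whose
# group is <group> and whose group bits include r and w (mode 0660 as on the page).
device_acl_ok() {
    want=$2
    set -- $1                      # split the ls -l line into fields
    mode=$1; group=$4
    case "$mode" in
        c???rw*) [ "$group" = "$want" ] ;;   # 'c' + user bits + group 'rw'
        *) return 1 ;;
    esac
}

# Reads tpm2_getcap output on stdin; prints each hierarchy *AuthSet flag that
# is set and returns 1 if any is, 0 if all are clear (assumed formats: 4.x
# prints 1/0, 3.x prints set/clear).
auth_flags_set() {
    awk '
        /^[[:space:]]*(owner|endorsement|lockout)AuthSet:/ {
            if ($2 == "1" || $2 == "set") { sub(":", "", $1); print $1; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample: what a TPM looks like after tpm2_takeownership set all
# three hierarchy passwords (the situation the asker describes).
SAMPLE_OWNED='TPM2_PT_PERMANENT:
  ownerAuthSet:              1
  endorsementAuthSet:        1
  lockoutAuthSet:            1
  disableClear:              0'

if [ "${1:-}" = "--live" ]; then
    device_acl_ok "$(ls -l /dev/tpm0)" iotedge \
        || echo "WARN: /dev/tpm0 is not group iotedge with rw; check the udev rule"
    if command -v tpm2_getcap >/dev/null 2>&1; then
        flags=$(tpm2_getcap properties-variable 2>/dev/null | auth_flags_set) \
            || echo "WARN: hierarchy auth is set ($flags); the thread's fix was tpm2_takeownership -c"
    fi
fi
```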