| Summary: | tpm2-tools new security issues CVE-2024-2903[89] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | tpm2-tools-5.5-1.mga9.src.rpm | CVE: | CVE-2024-29038, CVE-2024-29039 |
| Status comment: | Fixed upstream in 5.7 | | |
Description

Nicolas Salguero 2024-05-02 16:51:06 CEST

Nicolas Salguero 2024-05-02 16:51:41 CEST

Whiteboard: (none) => MGA9TOO

No packager in evidence, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Fixed both mga9 and Cauldron!

Assigning to QA.

Packages in 9/Core/Updates_testing:
======================
tpm2-tools-5.5.1-1.mga9

From SRPMS:
tpm2-tools-5.5.1-1.mga9.src.rpm

Version: Cauldron => 9

Mageia9, x64

tpm2 deals with the Trusted Platform Module chip in the BIOS if there is one. It is required for Windows 11, so it is likely to be present on recently built computers.

$ tpm2 getrandom 8

comes up with a list of errors which might imply either that there is no such module or that it is not enabled. Checked the BIOS on two mini-PCs and found no sign of TPM2. One of them is probably about two years old.

No problem with updating the package. I hesitate to pass this on since it affects basic hardware. If anybody has anything more recent I would encourage them to test this if that is possible. It would probably involve enabling the module but I have no idea how that might affect Linux.

CC: (none) => tarazed25

Len Lawrence 2024-05-06 16:18:19 CEST

Keywords: (none) => advisory

Len Lawrence 2024-05-07 10:33:35 CEST

Whiteboard: (none) => MGA9-64-OK

My research indicates that the errors you saw, at least in the 2 year old laptop, were probably due to the TPM being disabled. Several articles on the subject, but according to https://redmondmag.com/articles/2021/10/20/does-your-computer-have-a-tpm-chip.aspx TPM2 is built into Intel processors 8th generation or newer, and AMD Ryzen 2nd generation and newer. My newest machine just misses the cut.

CC: (none) => andrewsfarm

I am sure you are right, Thomas. A more thorough check does reveal TPM technology on my Intel 12 machine, which I attempted to enable. The getrandom test fails again with the same errors. Need to check the settings again.

Did that and confirmed that the TPM feature was enabled. But I wonder if it has any effect if secure boot is disabled. No way to test that because the machine cannot boot with secure boot enabled. I do not intend to pursue this any further.

Having said that, I did look at my AMD Ryzen7 system and there the BIOS is quite explicit about the presence of the TPM2 device, which was already enabled.
After booting it shows up in the device list:
$ ls /dev/tpm*
/dev/tpm0 /dev/tpmrm0
On a whim I tried root operation:
$ sudo tpm2 getrandom 8
mߎ�C9�Mlcl@rutilicus:~ $
That looks like an attempt to show a binary quantity.
$ sudo tpm2 getrandom 8 > whatever
$ sudo vi whatever
ÂvÌÑç<99>Aý
Tried out some of the commands from the man page - most of them require some background knowledge.
$ sudo tpm2 getrandom 8 | xxd -p
f543fbbaeafa269e
Send a startup command with flag TPM2_SU_CLEAR
$ sudo tpm2 startup -c
Did not get very far with tpm2 - there are dozens of tools but none adequately documented, e.g.
$ tpm2 eventlog -h
Usage: eventlog [<options>] <arguments>
Where <options> are:
[ --eventlog-version=<value>]
So, what are the arguments?
$ sudo tpm2 getpolicydigest -o --hex --session=1
WARNING:esys:src/tss2-esys/api/Esys_ReadPublic.c:320:Esys_ReadPublic_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:278:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x00000184)
ERROR:esys:src/tss2-esys/esys_tr.c:402:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x00000184)
ERROR: Esys_TR_FromTPMPublic(0x184) - tpm:handle(1):value is out of range or is not correct for the context
ERROR: Unable to run getpolicydigest
So, it is difficult to say anything constructive about this. The simplest commands seem to work.
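The smoke test Len works through above (look for the device node, ask for random bytes, try the event log) collected into one script. This is an added example written for this QA thread; it is not code from the bug report, from Mageia, or from the tpm2-tools project. It checks for a TPM device node before calling anything, so a machine with the TPM absent or disabled in firmware fails with a clear message instead of a wall of TSS errors; it asks for the random bytes through the kernel resource manager and prints them as hex, so nothing binary reaches the terminal; it validates that the TPM actually returned the requested number of bytes; and it hands `tpm2 eventlog` the argument its usage text does not name, the firmware's binary measurement log. Assumptions: tpm2-tools 5.x (`tpm2 getrandom --hex` and the `TPM2TOOLS_TCTI` variable), a Linux kernel that exports the log under securityfs, and a user allowed to open the device node (root, or whatever group the distribution's udev rule grants). The `DEV_DIR` and `EVENTLOG` variables and the function names are mine; they exist so the checks can be exercised on a machine without a TPM.

```shell
#!/bin/sh
# tpm2-tools smoke test for a host that may or may not expose a TPM.
# Added example for the QA thread; not code from the bug report or the
# tpm2-tools project. Assumes tpm2-tools 5.x: "tpm2 getrandom --hex",
# TPM2TOOLS_TCTI, and "tpm2 eventlog <binary log>".

DEV_DIR="${DEV_DIR:-/dev}"   # overridable so the checks run without a TPM
EVENTLOG="${EVENTLOG:-/sys/kernel/security/tpm0/binary_bios_measurements}"

# Print the device node to use and return 0, or return 1 when no TPM is
# exposed at all (absent, or disabled in firmware). /dev/tpmrm0 (the kernel
# resource manager) is preferred because it can be shared between processes;
# /dev/tpm0 is raw, exclusive access. Real nodes are character devices; -e
# instead of -c is used so the check can be tried on placeholder files.
tpm_device() {
    for node in tpmrm0 tpm0; do
        if [ -e "$DEV_DIR/$node" ]; then
            printf '%s\n' "$DEV_DIR/$node"
            return 0
        fi
    done
    return 1
}

# Validate what getrandom returned: exactly $2 bytes encoded as hex, and not
# a degenerate all-0x00 or all-0xff string. The thread's sample output
# f543fbbaeafa269e (8 bytes) passes.
check_random_hex() {
    hex=$1
    nbytes=$2
    [ "${#hex}" -eq $((nbytes * 2)) ] || return 1
    case "$hex" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    case "$hex" in
        *[!0]*) ;;
        *) return 1 ;;
    esac
    case "$hex" in
        *[!fF]*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Ask the TPM for $1 random bytes via the resource manager and print them as
# hex so the terminal is never fed raw bytes. Returns 2 when there is no TPM
# or no tpm2 binary, 1 when the TPM answered but the data fails validation.
random_hex() {
    nbytes=${1:-8}
    dev=$(tpm_device) || { echo "no TPM device node under $DEV_DIR" >&2; return 2; }
    command -v tpm2 >/dev/null 2>&1 || { echo "tpm2-tools not installed" >&2; return 2; }
    raw=$(TPM2TOOLS_TCTI="device:$dev" tpm2 getrandom "$nbytes" --hex) || return 1
    out=$(printf '%s' "$raw" | tr -d '[:space:]')
    check_random_hex "$out" "$nbytes" || { echo "unexpected TPM output: $out" >&2; return 1; }
    printf '%s\n' "$out"
}

# The positional argument tpm2 eventlog wants is the firmware's binary
# measurement log, which the kernel exports under securityfs (root only).
dump_eventlog() {
    [ -r "$EVENTLOG" ] || { echo "no readable event log at $EVENTLOG" >&2; return 2; }
    tpm2 eventlog "$EVENTLOG"
}

# Only act when invoked as "sh tpm2-smoke.sh run", so the file can also be
# sourced for its functions.
if [ "${1:-}" = "run" ]; then
    random_hex 8 && dump_eventlog
fi
```

Two caveats that explain output seen earlier in the thread. A bare `tpm2 getrandom 8` writes the raw bytes to stdout, which is what mangled the shell prompt above; `--hex` (or piping through `xxd -p`) avoids that. `tpm2 startup -c` is unnecessary on Linux because the kernel driver already issues TPM2_Startup when it probes the device. The `0x184` "handle out of range" error from `tpm2 getpolicydigest --session=1` comes from the tool treating `1` as a raw TPM handle; `--session` expects the session file written by `tpm2 startauthsession`.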
Sounds like about as far as you can take it, Len. Thank you for giving it a go. Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0170.html

Resolution: (none) => FIXED