
Device Provisioning with Azure IoTHub for Ubuntu 22.04 using Trusted Platform Module (TPM) #7338

Open
techpanda3 opened this issue Aug 2, 2024 · 6 comments

@techpanda3

Expected Behavior

We have been using the following packages for device provisioning using IoTHub for Ubuntu 20.04

aziot-edge=1.5.0-1
aziot-identity-service=1.5.0-1

In order to utilize TPM (Trusted Platform Module) functionality, we generate a Certificate Signing Request using OpenSSL and the tpm2tss engine. For this, the following Linux TPM2 & TSS2 software implementations are used:

tpm2-tss Release: 3.1.0
tpm2-tools Release: 5.2 2021-09-28
tpm2-pkcs11 Release: 1.6.0
tpm2-tss-engine Release: v1.1.0
tpm2-abrmd Release: 2.4.0

Further Details: OpenSSL version in Ubuntu 20.04 is 1.1.1f

With these packages, generation of CSR and provisioning would be successful.

Observed Behaviour

We want to achieve the same functionality for Ubuntu 22.04.
For the same iotedge versions as above, when we use the same versions of the tpm packages, we face OpenSSL errors. This is due to the fact that Ubuntu 22.04 comes with OpenSSL version 3.0.2 and the older tpm packages that we are using are no longer compatible. We have tried to upgrade the packages which are tightly dependent on OpenSSL, but we are still facing problems.

Output when executing the following command in 20.04

$ openssl req -new -key 0x81000002 -engine tpm2tss -keyform engine -subj "/CN=xxxxxxxxx"
engine "tpm2tss" set.

Output when executing the same command in 22.04

$ openssl req -new -key 0x81000002 -engine tpm2tss -keyform engine -subj "/CN=xxxxxxxx"
Invalid engine "tpm2tss"

Are there any recommended releases for the TPM packages mentioned above which would be compatible with the following?
aziot-edge=1.5.0-1
aziot-identity-service=1.5.0-1

@bishal41 bishal41 assigned arsing and vipeller and unassigned arsing Aug 2, 2024
@techpanda3 (Author)

@vipeller Any update on this issue?

@vipeller (Contributor)

vipeller commented Aug 8, 2024

Sorry about answering this slowly. It is in the queue, but we have not got to work on this yet.

@MattCosturos

Will it get done before April 2025 when Ubuntu 20.04 is out of support?

@techipank

techipank commented Sep 9, 2024

@vipeller @MattCosturos Why is this issue dependent on 20.04?
We are following the document below:
https://github.com/Azure/iot-identity-service/blob/main/docs/pkcs11/tpm2-pkcs11.md
This document works fine in Ubuntu 20.04, but the same document is not working in Ubuntu 22.04, and Azure supports Ubuntu 22.04 in Tier 1, I believe.

Also, this document was introduced in 1.3; later Azure released 1.4, 1.5, etc., and 1.5 is compatible with Ubuntu 22.04, but this document has not been updated.
The last update to this document was 3 years ago?

Shouldn't we update the document with the new releases?

Note: This is blocking our release and delaying customer onboarding.

@wudiqiang2024

wudiqiang2024 commented Sep 10, 2024

Use tpm2-openssl to generate the CSR,

like

openssl req -provider tpm2 -provider default -propquery '?provider=tpm2' -new -subj "/CN=xxxxxxxxx" -key handle:0x81000000 -out your.csr

tpm2-tss-engine -> openssl 1
tpm2-openssl -> openssl 3
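As an added example, not code from the issue's authors or the Azure IoT Edge project: a POSIX shell script that selects the tpm2tss engine on OpenSSL 1.x and the tpm2 provider (tpm2-openssl) on OpenSSL 3.x, checks that the loader is actually installed before signing (the check that would have surfaced the "Invalid engine" failure above up front), and verifies the resulting CSR. The handle 0x81000002 is taken from the issue; the subject, output file name and the TPM_CSR_RUN variable are placeholders assumed here.

```shell
#!/bin/sh
# Added example (not from the issue's authors or the Azure IoT Edge project).
# Pick the TPM key loader that matches the installed OpenSSL and build a CSR:
# OpenSSL 1.x -> tpm2tss engine, OpenSSL 3.x -> tpm2 provider (tpm2-openssl).
# Assumed: the key is persisted at a TPM handle (0x81000002 as in the issue);
# "example-device", "device.csr" and TPM_CSR_RUN are placeholders chosen here.

# Major version from `openssl version` output, e.g. "OpenSSL 3.0.2 15 Mar 2022".
openssl_major() {
    m=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9]*\)\..*/\1/p')
    [ -n "$m" ] && printf '%s\n' "$m"
}

# Argument list for `openssl req`, depending on the OpenSSL major version.
# The provider form keeps "default" loaded so hashing and DER encoding still
# work, while the property query routes the private-key operation to the TPM.
csr_args() {
    case $1 in
        1) printf 'req -new -engine tpm2tss -keyform engine -key %s -subj %s -out %s' "$2" "$3" "$4" ;;
        3) printf 'req -provider tpm2 -provider default -propquery ?provider=tpm2 -new -key handle:%s -subj %s -out %s' "$2" "$3" "$4" ;;
        *) return 1 ;;
    esac
}

# Confirm the loader is installed before signing; on OpenSSL 3 an engine built
# for 1.1 is simply absent, which is what the issue's "Invalid engine" shows.
loader_available() {
    case $1 in
        1) openssl engine tpm2tss >/dev/null 2>&1 ;;
        3) openssl list -providers -provider tpm2 -provider default 2>/dev/null | grep -q tpm2 ;;
        *) return 1 ;;
    esac
}

# make_csr <handle> <subject> <out-file>
make_csr() {
    major=$(openssl_major "$(openssl version)") || return 1
    loader_available "$major" || { echo "no TPM key loader for OpenSSL $major.x" >&2; return 1; }
    # Values contain no whitespace, so plain word splitting of the arg list is safe.
    openssl $(csr_args "$major" "$1" "$2" "$3") || return 1
    # The CSR self-signature is checked with the public key it carries; no TPM needed.
    openssl req -in "$3" -noout -verify
}

if [ "${TPM_CSR_RUN:-0}" = 1 ]; then
    make_csr 0x81000002 /CN=example-device device.csr
fi
```

Run with TPM_CSR_RUN=1 on a host that has the TPM key persisted; without it the script only defines the functions.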

@ryanwinter

Thanks for the update @wudiqiang2024 : We will review the doc internally.
