WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xense-devel

Re: [Xense-devel] vtpm_managerd problem

To: "Scarlata, Vincent R" <vincent.r.scarlata@xxxxxxxxx>, Martin Hermanowski <lists@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xense-devel] vtpm_managerd problem
From: Burak OĞUZ <burakoguzs@xxxxxxxxx>
Date: Wed, 6 Dec 2006 09:34:29 -0800 (PST)
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
I will answer your questions step by step:

1- I have Infineon SLB 9635 TPM 1.2
2- There is a patch provided by IAIK for Infineon 1.2 TPMs. Without this patch, trousers gives the same bad ordinal errors like vtpm_managerd. But after making this patch to trousers it works correctly.

https://sourceforge.net/project/showfiles.php?group_id=159083&package_id=196211

I am sure that my IFX TPM is working fine with trousers after applying the patch. But in vtpm_managerd it gives a bad ordinal error. With my little experience I can say that there will be a special case for IFX TPMs for vtpm_managerd, like in the case of trousers.

As a final word, vtpm_managerd cannot read the EK or load a key into the TPM because of bad ordinal errors, like the ones trousers gave just before applying the patch. But vtpm_managerd can take ownership, which means the TPM is enabled and active.

Thanks for your interest..

Best regards..
 
-- burak()
(ps: bf)
METU CENG '06


----- Original Message ----
From: "Scarlata, Vincent R" <vincent.r.scarlata@xxxxxxxxx>
To: Burak OĞUZ <burakoguzs@xxxxxxxxx>; Martin Hermanowski <lists@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx; "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>
Sent: Wednesday, December 6, 2006 7:07:02 PM
Subject: RE: [Xense-devel] vtpm_managerd problem

Now that you have the vTPM consistently owning the TPM, there is something very wrong here. (Thanks Martin for providing guidance).
 
Which TPM exactly do you have? Are you claiming that Infineon's TPM doesn't follow the spec and requires special handling? We'll have to look into that. Currently there is no patch for the vTPM manager for this fix.
 
Do you have a reference to either a description of what the IFX TPM is or isn't doing, or the patch to trousers? We should be able to update the manager to work.
 
-Vinnie Scarlata

From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Burak OĞUZ
Sent: Wednesday, December 06, 2006 2:30 AM
To: Martin Hermanowski
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xense-devel] vtpm_managerd problem

I have cleared the TPM and as you said vtpm_managerd tried to take the ownership of the IFX TPM. After clearing once, I tried 3 times and in all of them it gives different errors.

The first time:

dungeon burak # vtpm_managerd
INFO[VTPM]: Starting VTPM.
INFO[TCS]: Constructing new TCS:
INFO[TCS]: Calling TCS_OpenContext:
INFO[VTSP]: OIAP.
ERROR[VTPM]: Failed to load service data with error = TPM_IOERROR
INFO[VTPM]: Failed to read manager file. Assuming first time initialization.
INFO[VTSP]: Reading Public EK.
INFO[VTSP]: Taking Ownership of TPM.
INFO[VTSP]: Disabling Pubek Read.
ERROR[TCS]: TCSP_DisablePubekRead Failed with return code TPM_BAD_ORDINAL
ERROR in VTSP_DisablePubekRead at vtsp.c:428 code: TPM_BAD_ORDINAL.
ERROR in VTPM_Create_Manager at vtpm_manager.c:106 code: TPM_BAD_ORDINAL.

The second time:

It had created binding keys and while loading the keys into the tpm it gave bad ordinal error again.

INFO[VTPM]: Saved VTPM Manager state (status = 0, dmis = -1)
INFO[VTSP]: Loading Key into TPM.
ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code TPM_BAD_ORDINAL
ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_BAD_ORDINAL.
ERROR in VTPM_Init_Manager at vtpm_manager.c:243 code: TPM_BAD_ORDINAL.
ERROR[VTPM]: Closing vtpmd due to error during startup.


And the third time:

dungeon burak # vtpm_managerd
INFO[VTPM]: Starting VTPM.
INFO[TCS]: Constructing new TCS:
INFO[TCS]: Calling TCS_OpenContext:
INFO[VTSP]: OIAP.
INFO[VTSP]: Loading Key into TPM.
ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code TPM_BAD_ORDINAL
ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_BAD_ORDINAL.
ERROR in VTPM_LoadManagerData at securestorage.c:453 code: TPM_BAD_ORDINAL.
ERROR[VTPM]: Failed to load service data with error = TPM_BAD_ORDINAL

Simply, there is a situation with the ordinals sent to the TPM. In trousers there exists a patch for Infineon TPMs for these issues. Is this a similar situation?

Thanks again...

Best regards..

 
-- burak()
(ps: bf)
METU CENG '06


----- Original Message ----
From: Martin Hermanowski <lists@xxxxxxxxxxxxxxxxxxxxxxx>
To: Burak OĞUZ <burakoguzs@xxxxxxxxx>
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Sent: Tuesday, December 5, 2006 6:34:40 PM
Subject: Re: [Xense-devel] vtpm_managerd problem

Burak OĞUZ wrote:
[...]
dungeon burak # vtpm_managerd
INFO[VTPM]: Starting VTPM.
INFO[TCS]: Constructing new TCS:
INFO[TCS]: Calling TCS_OpenContext:
INFO[VTSP]: OIAP.
ERROR[VTPM]: Failed to load service data with error = TPM_IOERROR
INFO[VTPM]: Failed to read manager file. Assuming first time initialization
INFO[VTSP]: Reading Public EK.
ERROR[TCS]: TCSP_ReadPubek Failed with return code TPM_DISABLED_CMD
ERROR in VTSP_ReadPubek at vtsp.c:264 code: TPM_DISABLED_CMD.
INFO[VTPM]: Failed to readEK meaning TPM has an owner. Creating Keys off exg SRK.
INFO[VTSP]: OSAP.
INFO[VTSP]: Creating new key of type 20.
INFO[VTSP]: Creating Binding Key...
ERROR[TCS]: TCSP_CreateWrapKey Failed with return code TPM_AUTHFAIL
ERROR in VTSP_CreateWrapKey at vtsp.c:557 code: TPM_AUTHFAIL.
ERROR in VTPM_Create_Manager at vtpm_manager.c:134 code: TPM_AUTHFAIL.
This is correct: The vtpm manager tries to use the TPM, but can not take ownership because the TPM was in use before.
If you clear your TPM (should be a BIOS option, perhaps you need to press a special key on boot or set some jumper), and then start the vtpm manager again, you should be fine.

HTH,
Martin
-- 
Martin Hermanowski
http://martin.hermanowski.name https://www.openbc.com/hp/Martin_Hermanowski/
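
Added example, not part of the original thread and not vtpm_manager code: a small Python triage script that groups each failed TCS call in vtpm_managerd output with the manager frames that propagated it, so the commands the TPM refused with TPM_BAD_ORDINAL stand apart from the ownership-related failures. The sample log is constructed from lines quoted in the thread; the function names and the hint wording are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the runs quoted in this thread.
SAMPLE = """\
INFO[VTSP]: Taking Ownership of TPM.
INFO[VTSP]: Disabling Pubek Read.
ERROR[TCS]: TCSP_DisablePubekRead Failed with return code TPM_BAD_ORDINAL
ERROR in VTSP_DisablePubekRead at vtsp.c:428 code: TPM_BAD_ORDINAL.
ERROR in VTPM_Create_Manager at vtpm_manager.c:106 code: TPM_BAD_ORDINAL.
INFO[VTSP]: Loading Key into TPM.
ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code TPM_BAD_ORDINAL
ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_BAD_ORDINAL.
ERROR in VTPM_Init_Manager at vtpm_manager.c:243 code: TPM_BAD_ORDINAL.
INFO[VTSP]: Creating Binding Key...
ERROR[TCS]: TCSP_CreateWrapKey Failed with return code TPM_AUTHFAIL
ERROR in VTSP_CreateWrapKey at vtsp.c:557 code: TPM_AUTHFAIL.
"""

TCS_FAIL = re.compile(r"^ERROR\[TCS\]: (\w+) Failed with return code (TPM_\w+)")
FRAME = re.compile(r"^ERROR in (\w+) at ([\w.]+):(\d+) code: (TPM_\w+)\.")

# Readings taken from the thread (wording is this example's), keyed by return code.
HINTS = {
    "TPM_BAD_ORDINAL": "TPM rejected the command ordinal itself",
    "TPM_AUTHFAIL": "TPM already has an owner; clear it and restart the manager",
    "TPM_DISABLED_CMD": "TPM already has an owner; clear it and restart the manager",
}

def triage(log):
    """Group each failed TCS call with the manager frames that propagated it."""
    failures = []
    for line in log.splitlines():
        m = TCS_FAIL.match(line.strip())
        if m:
            failures.append({"call": m.group(1), "code": m.group(2), "frames": []})
            continue
        m = FRAME.match(line.strip())
        if m and failures and m.group(4) == failures[-1]["code"]:
            failures[-1]["frames"].append(f"{m.group(1)} ({m.group(2)}:{m.group(3)})")
    return failures

def rejected_commands(failures):
    """TCS calls refused with TPM_BAD_ORDINAL: candidates for chip-specific handling."""
    return sorted({f["call"] for f in failures if f["code"] == "TPM_BAD_ORDINAL"})

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['call']}: {f['code']} - {HINTS.get(f['code'], 'unrecognised code')}")
        print("   via " + " <- ".join(f["frames"]))
    print("Rejected by TPM:", rejected_commands(triage(SAMPLE)))
```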


