WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xense-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2

from [Maximilian Loy] [Permanent Link][Original]
To: xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2
From: "Maximilian Loy" <maximilian.loy@xxxxxxxxx>
Date: Fri, 6 Apr 2007 15:52:12 -0400
Delivery-date: Fri, 06 Apr 2007 12:50:47 -0700
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=VJyS85Jg9FOOvCJZgQ+5tBQIDfGAyHlYNOxmK+lZWDufeOa52HwlxlbPLEBPrcgTIPFFari+PToJ0ppRiszRyV7oyp7/CdzEuxxt88LFNcBO7dZtPdw7Vps71pEql/NZVoww/qLp3vLaj35FJAOaWOGMT5xclK+Z8cfzgkfEGd8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=GLXWQwP36Ha7BSZtY9nqUj+r+Ln4nQXe2HKg4t7800hIra10weETA3mRpdZN8rYy2npKgP9F75CiYZMTHIUrbEfPgk0MoYSYnNgoXJBRcFxlmh+VwZ1JrCzpMHWLgvcSav1FWf5iiypXz1YsvpNtFZhMh4DxEnRVTEHq19siqB8=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <AEC554657A662A4880670EA30CB9488D018FCB1A@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
References: <59e676e40704061153x7fbd7039kcd518aedb0c5f767@xxxxxxxxxxxxxx> <OFCA9669C3.AF619047-ON852572B5.0068D94E-852572B5.0068FF87@xxxxxxxxxx> <AEC554657A662A4880670EA30CB9488D018FCB1A@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
So now i found two mistakes i made:
First the TPM was not correctly activated.
Second, yesterday i created a /dev/vtpm directory because vtpm_manager was complaining he couldnt access it. I removed it.

The problem is now, that i dont get a /dev/vtpm entry when i modprobe tpmbk, although lsmod shows that it is running.


2007/4/6, Cihula, Joseph <joseph.cihula@xxxxxxxxx>:
Hopefully if you unload tpmbk, delete your current /dev/vtpm entry, and then re- modprobe tpmbk it will create the proper entry for you.
 
It also looks like there is one more v1.1b command in the code (TPM_EvictKey).  Since the basic v1.2 patch worked for you, I will generate a patch that can handle both versions and fix the TPM_EvictKey usage in the v1.2 path of this new patch (rather than sending out another v1.2 only patch).
 
Joe

From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Stefan Berger
Sent: Friday, April 06, 2007 12:07 PM
To: Maximilian Loy
Cc: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx; xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2


xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 04/06/2007 02:53:48 PM:

>
> > So, the patch solves the earlier problem, but another one surfaced.
> > When i start vtpm_manager i get this output after it has
> > loaded/created the keys:
> >
> > ERROR[VTPM]: VTPM ERROR: Can't open /dev/vtpm for reading.
> > ERROR[VTPM]: [Backend Listener]: Backend Listener can't read from
> > ipc. Aborting...
> > ....
>
> Did you do 'modprobe tpmbk'? That should make /dev/vtpm available.
>
> I did, and lsmod shows me tpmbk running, as well as the tpm drivers:
> tpmbk                  17724  0 [permanent]
> tpm_tis                14592  0
> tpm_infineon           12312  0
> tpm                    18848  2 tpm_tis,tpm_infineon
> tpm_bios               10368  1 tpm
>
> Although the /dev/vtpm directory exists, it is completly empty. Is
> this normal?

/dev/vtpm is a character device, not a directory.

'ls /dev/vtpm' should show something like this:

crw------- 1 root root 10, 225 Apr  6 11:50 /dev/vtpm


   Stefan

>
> Regards,
> Max

>
>
> >
> > I get this message again and again till i abort it:
> >
> > INFO[VTPM]: [BINFO[VTPM]: Child shutting down
> > INFO[VTPM]: VTPM Manager shutting down for signal 2.
> > INFO[VTPM]: Enveloping Input[624]: 0x2 c5 94 f9 e4 fa 88 e0 a4 8d 43
> > a3 b1 35 ee 43 3d 5e 5e f 50 e1 51 7a 59 9f cb 70 a4 fb 3c b5 41 56
> > ad 5d e2 37 3b a5
> > ........
> >  6a 96 5b 1e 6b da a5 f4 ea 22 98 10 b0 b1 c8 b2 7c 27 10 51 a3 da 0
> > 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> > INFO[VTSP]: Binding 16 bytes of data.
> > INFO[VTPM]: Saved 256 bytes of E(symkey) + 656 bytes of E(data)
> > INFO[VTPM]: Enveloping Output[920]: 0x0 0 1 0 3a 85 a0 a2 7f cb 9a
> > 1c 85 2b 6c ec 76 5c 2f 59 57 fd 16 94 1c c2 e a3 9b d1 b4 25 ca 4a
> > f 5f 21 f2 2e 1f f4 ......
> >  88 1c 13 35 47 d8 e b0 93 1a b5 d2 d f1 5e ed ea 7e 69 2e b4 c2 21
> > f2 da 34 5c ea a5 6d f6
> > INFO[VTPM]: Child shutting down
> > INFO[VTPM]: Saved VTPM Manager state (status = 0, dmis = -1)
> > INFO[TCS]: Calling TCS_CloseContext.
> > INFO[VTPM]: Child shutting down
> > ERROR[TCS]: TCSP_EvictKey Failed with return code TPM_BAD_ORDINAL
> > ERROR[TCS]: Not all handles evicted from TPM.
> > INFO[TCS]: Destructing TCS:
> > INFO[TCS]: Calling TCS_CloseContext.
> > INFO[VTPM]: VTPM Manager stopped.
> >
> >
> > So i tried to solve the problem by clearing the ownership and
> > deleting /var/vtpm/VTPM, but with the same result.
> >
> > The /dev/vtpm directory is empty now with the following access rights:
> > drwxrwxr-x  2 root root        4096 Apr  5 22:15 vtpm
> >
> > lsmod shows me tpmbk running, as well as the tpm drivers:
> > tpmbk                  17724  0 [permanent]
> > tpm_tis                14592  0
> > tpm_infineon           12312  0
> > tpm                    18848  2 tpm_tis,tpm_infineon
> > tpm_bios               10368  1 tpm
> >
> >
> > Maybe that helps.
> >
> > Regards,
> > Max
> >
>
> > 2007/4/5, Cihula, Joseph <joseph.cihula@xxxxxxxxx>:
> > Max and Burak,
> >
> > Sorry for the delay in responding (especially to Burak whose much
> > earlier posting we missed).  We don't have an Infineon TPM here to test
> > with, but the root cause of this error isn't specific to the TPM mfgr.
> > and we did verify it on our v1.2 TPMs.  Attached and inline is a patch
> > (including Vinnie's existing one) that should fix this problem.  You
> > should delete your /var/vtpm/VTPM file before re-running, but you don't
> > need to reset your owner.
> >
> > Let me know how it works.  If this solves your problem then I will work
> > up an official patch that can support both v1.1b and v1.2 TPMs (this
> > patch will only work with v1.2 TPMs).
> >
> > Vinnie Scarlata deserves all of the credit for root causing this and
> > providing the fix.
> >
> > Joe
> >
> > Patch:
> >
> > diff -r 15ff55aab051 tools/vtpm_manager/manager/vtpm_manager.c
> > --- a/tools/vtpm_manager/manager/vtpm_manager.c Mon Mar 05 15:15:03 2007
> > -0800
> > +++ b/tools/vtpm_manager/manager/vtpm_manager.c Thu Apr 05 10:23:46 2007
> > -0700
> > @@ -90,22 +90,19 @@ TPM_RESULT VTPM_Create_Manager(){
> >    CRYPTO_INFO ek_cryptoInfo;
> >
> >    status = VTSP_ReadPubek(vtpm_globals->manager_tcs_handle,
> > &ek_cryptoInfo);
> > -
> > +
> >    // If we can read PubEK then there is no owner and we should take it.
> >    // We use the abilty to read the pubEK to flag that the TPM is owned.
> >    // FIXME: Change to just trying to take ownership and react to the
> > status
> >    if (status == TPM_SUCCESS) {
> > -    TPMTRYRETURN(VTSP_TakeOwnership(vtpm_globals->manager_tcs_handle,
> > -                                   (const
> > TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
> > -                                   &SRK_AUTH,
> > -                                   &ek_cryptoInfo,
> > -                                   &vtpm_globals->keyAuth));
> > -
> > -
> > TPMTRYRETURN(VTSP_DisablePubekRead(vtpm_globals->manager_tcs_handle,
> > -                                       (const
> > TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
> > -                                       &vtpm_globals->keyAuth));
> > -  } else {
> > -    vtpmloginfo(VTPM_LOG_VTPM, "Failed to readEK meaning TPM has an
> > owner. Creating Keys off existing SRK.\n");
> > +    status = VTSP_TakeOwnership(vtpm_globals->manager_tcs_handle,
> > +                               (const
> > TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
> > +                               &SRK_AUTH,
> > +                               &ek_cryptoInfo,
> > +                               &vtpm_globals->keyAuth);
> > +  }
> > +  if (status != TPM_SUCCESS) {
> > +    vtpmloginfo(VTPM_LOG_VTPM, "TPM has an owner. Creating Keys off
> > existing SRK.\n");
> >    }
> >
> >    // Generate storage key's auth
> > diff -r 15ff55aab051 tools/vtpm_manager/manager/vtsp.c
> > --- a/tools/vtpm_manager/manager/vtsp.c Mon Mar 05 15:15:03 2007 -0800
> > +++ b/tools/vtpm_manager/manager/vtsp.c Thu Apr 05 10:24:01 2007 -0700
> > @@ -596,7 +596,7 @@ TPM_RESULT VTSP_LoadKey(const TCS_CONTEX
> >    vtpmloginfo(VTPM_LOG_VTSP, "Loading Key %s.\n", (!skipTPMLoad ? "into
> > TPM" : "only into memory"));
> >
> >    TPM_RESULT status = TPM_SUCCESS;
> > -  TPM_COMMAND_CODE command = TPM_ORD_LoadKey;
> > +  TPM_COMMAND_CODE command = TPM_ORD_LoadKey2;
> >
> >    BYTE *paramText=NULL;        // Digest to make Auth.
> >    UINT32 paramTextSize;
> > @@ -634,10 +634,9 @@ TPM_RESULT VTSP_LoadKey(const TCS_CONTEX
> >                                        &phKeyHMAC) );
> >
> >      // Verify Auth
> > -    paramTextSize = BSG_PackList(paramText, 3,
> > +    paramTextSize = BSG_PackList(paramText, 2,
> >                                  BSG_TPM_RESULT, &status,
> > -                                BSG_TPM_COMMAND_CODE, &command,
> > -                                BSG_TPM_HANDLE, newKeyHandle);
> > +                                BSG_TPM_COMMAND_CODE, &command);
> >
> >      TPMTRYRETURN( VerifyAuth( paramText, paramTextSize,
> >                               parentAuth, auth,
> > diff -r 15ff55aab051 tools/vtpm_manager/tcs/tcs.c
> > --- a/tools/vtpm_manager/tcs/tcs.c      Mon Mar 05 15:15:03 2007 -0800
> > +++ b/tools/vtpm_manager/tcs/tcs.c      Thu Apr 05 10:24:12 2007 -0700
> > @@ -901,7 +901,7 @@ TPM_RESULT TCSP_LoadKeyByBlob(TCS_CONTEX
> >    // setup input/output parameters block
> >    TPM_TAG tag = TPM_TAG_RQU_AUTH1_COMMAND;
> >    UINT32 paramSize = 0;
> > -  TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey;
> > +  TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey2;
> >    TPM_RESULT returnCode = TPM_SUCCESS;
> >
> >    // setup the TPM driver input and output buffers
> > diff -r 15ff55aab051 tools/vtpm_manager/util/tcg.h
> > --- a/tools/vtpm_manager/util/tcg.h     Mon Mar 05 15:15:03 2007 -0800
> > +++ b/tools/vtpm_manager/util/tcg.h     Thu Apr 05 10:24:24 2007 -0700
> > @@ -250,6 +250,7 @@ typedef struct pack_constbuf_t {
> > #define TPM_ORD_ReadManuMaintPub         (48UL + TPM_PROTECTED_ORDINAL)
> > #define TPM_ORD_CertifyKey               (50UL + TPM_PROTECTED_ORDINAL)
> > #define TPM_ORD_Sign                     (60UL + TPM_PROTECTED_ORDINAL)
> > +#define TPM_ORD_LoadKey2                 (65UL + TPM_PROTECTED_ORDINAL)
> > #define TPM_ORD_GetRandom                (70UL + TPM_PROTECTED_ORDINAL)
> > #define TPM_ORD_StirRandom               (71UL + TPM_PROTECTED_ORDINAL)
> > #define TPM_ORD_SelfTestFull             (80UL + TPM_PROTECTED_ORDINAL)
> >
> >
> > ________________________________
> >
> >         From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
> > [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Maximilian
> > Loy
> >         Sent: Monday, March 26, 2007 4:40 AM
> >         To: xense-devel@xxxxxxxxxxxxxxxxxxx
> >         Subject: [Xense-devel] vtpm_managerd problem with Infineon TPM
> > 1.2
> >
> >
> >         Hi everybody,
> >
> >         i am having problems to get the vtpm_managerd (Xen 3.0.4.1) to
> > work with the Infineon TPM 1.2 (platform is a HP nx6325).
> >
> >         I was having the BAD_ORDINAL problems like discussed earlier on
> > this list, but i could solve them with applying the patch from:
> >
> > http://lists.xensource.com/archives/html/xense-devel/2006-12/msg00020.ht
> > ml
> >
> >         This resulted in TPM_AUTHFAIL like in
> >
> > http://lists.xensource.com/archives/html/xense-devel/2006-12/msg00024.ht
> > ml
> >         giving me the following output after taking the ownership:
> >         ...
> >         INFO[VTSP]: Loading Key into TPM.
> >         ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code
> > TPM_AUTHFAIL
> >         ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_AUTHFAIL.
> >         ERROR in VTPM_Init_Manager at vtpm_manager.c:240 code:
> > TPM_AUTHFAIL.
> >         ERROR[VTPM]: Closing vtpmd due to error during startup.
> >
> >         Maybe it has something to do with the patch, as the line 634 in
> > vtsp.c has been modified by it.
> >
> >         Any help would be very appreciated!
> >
> >         Best regards, Max
> >

> > _______________________________________________
> > Xense-devel mailing list
> > Xense-devel@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xense-devel
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2, Cihula, Joseph
Next by Date:  Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2, Stefan Berger
Previous by Thread:  RE: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2, Cihula, Joseph
Next by Thread:  Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2, Stefan Berger
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy