Hi
everybody,
For a while now I've been working on a project to do data sealing to TPM PCRs in
a Xen Dom U using the vtpm. I finally got everything set up, I'm using
xen-unstable, the tpm_tis driver in Dom 0, and trousers 0.2.8 in Dom U (having
patched Trousers with the TPM_PCR_INFO_LONG patch from Trusted Java that allows
data sealing on Winbond/Infineon TPMs).
I booted my Dom U
image, modprobe tpm_xenu, ran tcsd, and tpm_takeownership.
For the
test I ran:
ps auwx > foo
tpm_sealdata < foo
This returns a
TPM_BAD_PARAMETER. However, executing:
tpm_sealdata -p 1 < foo
works
completely.
Further
investigation in the vtpmd code revealed a block in tpm_cmd_handler.c that looks
like:
if
(tpm_unmarshal_TPM_KEY_HANDLE(&ptr, &len,
&keyHandle)
|| tpm_unmarshal_TPM_ENCAUTH(&ptr, &len,
&encAuth) ||
tpm_unmarshal_UINT32(&ptr, &len,
&pcrInfoSize) ||
tpm_unmarshal_TPM_PCR_INFO(&ptr, &len, &pcrInfo)
||
tpm_unmarshal_UINT32(&ptr, &len,
&inDataSize) ||
tpm_unmarshal_BLOB(&ptr, &len, &inData,
inDataSize) ||
len != 0) return TPM_BAD_PARAMETER;
vtpmd tries to
unpackage everything regardless of pcrInfoSize. So essentially what
happens is, if not sealing to PCRs, trousers sends pcrInfoSize as 0, and then
doesn't include the pcrInfo. However, the vtpm is looking for the pcrInfo
no matter what, and it tries to read past the end of the data. It
would appear that trousers is not breaking spec to do this
because without vtpm data sealing works. Perhaps the vtpm
should unmarshal everything up to the pcrInfo and then check pcrInfoSize before
trying to unmarshal pcrInfo?
For now I'm just
always sealing to PCRs. :-)
Let me know if that
makes sense.
Thanks,
Justin
P.S.
I'm completely new to TCG/TPM, so please excuse any
naivete.
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
|