WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xense-devel

Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2

To: xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2
From: "Maximilian Loy" <maximilian.loy@xxxxxxxxx>
Date: Fri, 6 Apr 2007 10:03:21 +0200
Delivery-date: Fri, 06 Apr 2007 01:01:57 -0700
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=GJvVxUFKjgxFfKSpbwb08m9YuYWbIGOpG19NvujPjI63eDj4ZQtI8uW6JO1mqTdyfuf+JazM2SWHZ/8K1yNxDtjO+otsC443jrZUVnF04xndVdjMFlx0zF23FM5E/6YhRJdnkV1LNBuD5k+KKv99seXRRrF0QeQon7ojZPuXwjY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=Wzg+mF/+r95os7UGR2HL3DcDsbKiwBZDx2NCOyB8HbBFthOqcZpUWnU45DhnQSNvXknPrLSfonZRTl8+yymTeCKWXu99mHi4pFyF2K/ivEFj02Dd6xpkrNw3AOb2Qzn8Gg5/02OhzntSqagwPliYikJoU77FsSZduTT7aR6XwuE=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <AEC554657A662A4880670EA30CB9488D018FBF70@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
References: <59e676e40703260440y40af4104h2efe4ff9584c6c34@xxxxxxxxxxxxxx> <AEC554657A662A4880670EA30CB9488D018FBF70@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
Hi Joseph,

first of all, thank you and Vinnie for the patch!
I did a fresh installation of my development partition and installed the patched Xen.
So, the patch solves the earlier problem, but another one surfaced. When i start vtpm_manager i get this output after it has loaded/created the keys:

ERROR[VTPM]: VTPM ERROR: Can't open /dev/vtpm for reading.
ERROR[VTPM]: [Backend Listener]: Backend Listener can't read from ipc. Aborting...
....

I get this message again and again till i abort it:

INFO[VTPM]: [BINFO[VTPM]: Child shutting down
INFO[VTPM]: VTPM Manager shutting down for signal 2.
INFO[VTPM]: Enveloping Input[624]: 0x2 c5 94 f9 e4 fa 88 e0 a4 8d 43 a3 b1 35 ee 43 3d 5e 5e f 50 e1 51 7a 59 9f cb 70 a4 fb 3c b5 41 56 ad 5d e2 37 3b a5
........
 6a 96 5b 1e 6b da a5 f4 ea 22 98 10 b0 b1 c8 b2 7c 27 10 51 a3 da 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
INFO[VTSP]: Binding 16 bytes of data.
INFO[VTPM]: Saved 256 bytes of E(symkey) + 656 bytes of E(data)
INFO[VTPM]: Enveloping Output[920]: 0x0 0 1 0 3a 85 a0 a2 7f cb 9a 1c 85 2b 6c ec 76 5c 2f 59 57 fd 16 94 1c c2 e a3 9b d1 b4 25 ca 4a f 5f 21 f2 2e 1f f4 ......
 88 1c 13 35 47 d8 e b0 93 1a b5 d2 d f1 5e ed ea 7e 69 2e b4 c2 21 f2 da 34 5c ea a5 6d f6
INFO[VTPM]: Child shutting down
INFO[VTPM]: Saved VTPM Manager state (status = 0, dmis = -1)
INFO[TCS]: Calling TCS_CloseContext.
INFO[VTPM]: Child shutting down
ERROR[TCS]: TCSP_EvictKey Failed with return code TPM_BAD_ORDINAL
ERROR[TCS]: Not all handles evicted from TPM.
INFO[TCS]: Destructing TCS:
INFO[TCS]: Calling TCS_CloseContext.
INFO[VTPM]: VTPM Manager stopped.


So i tried to solve the problem by clearing the ownership and deleting /var/vtpm/VTPM, but with the same result.

The /dev/vtpm directory is empty now with the following access rights:
drwxrwxr-x  2 root root        4096 Apr  5 22:15 vtpm

lsmod shows me tpmbk running, as well as the tpm drivers:
tpmbk                  17724  0 [permanent]
tpm_tis                14592  0
tpm_infineon           12312  0
tpm                    18848  2 tpm_tis,tpm_infineon
tpm_bios               10368  1 tpm


Maybe that helps.

Regards,
Max


2007/4/5, Cihula, Joseph <joseph.cihula@xxxxxxxxx>:
Max and Burak,

Sorry for the delay in responding (especially to Burak whose much
earlier posting we missed).  We don't have an Infineon TPM here to test
with, but the root cause of this error isn't specific to the TPM mfgr.
and we did verify it on our v1.2 TPMs.  Attached and inline is a patch
(including Vinnie's existing one) that should fix this problem.  You
should delete your /var/vtpm/VTPM file before re-running, but you don't
need to reset your owner.

Let me know how it works.  If this solves your problem then I will work
up an official patch that can support both v1.1b and v1.2 TPMs (this
patch will only work with v1.2 TPMs).

Vinnie Scarlata deserves all of the credit for root causing this and
providing the fix.

Joe

Patch:

diff -r 15ff55aab051 tools/vtpm_manager/manager/vtpm_manager.c
--- a/tools/vtpm_manager/manager/vtpm_manager.c Mon Mar 05 15:15:03 2007
-0800
+++ b/tools/vtpm_manager/manager/vtpm_manager.c Thu Apr 05 10:23:46 2007
-0700
@@ -90,22 +90,19 @@ TPM_RESULT VTPM_Create_Manager(){
   CRYPTO_INFO ek_cryptoInfo;

   status = VTSP_ReadPubek(vtpm_globals->manager_tcs_handle,
&ek_cryptoInfo);
-
+
   // If we can read PubEK then there is no owner and we should take it.
   // We use the abilty to read the pubEK to flag that the TPM is owned.
   // FIXME: Change to just trying to take ownership and react to the
status
   if (status == TPM_SUCCESS) {
-    TPMTRYRETURN(VTSP_TakeOwnership(vtpm_globals->manager_tcs_handle,
-                                   (const
TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
-                                   &SRK_AUTH,
-                                   &ek_cryptoInfo,
-                                   &vtpm_globals->keyAuth));
-
-
TPMTRYRETURN(VTSP_DisablePubekRead(vtpm_globals->manager_tcs_handle,
-                                       (const
TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
-                                       &vtpm_globals->keyAuth));
-  } else {
-    vtpmloginfo(VTPM_LOG_VTPM, "Failed to readEK meaning TPM has an
owner. Creating Keys off existing SRK.\n");
+    status = VTSP_TakeOwnership(vtpm_globals->manager_tcs_handle,
+                               (const
TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
+                               &SRK_AUTH,
+                               &ek_cryptoInfo,
+                               &vtpm_globals->keyAuth);
+  }
+  if (status != TPM_SUCCESS) {
+    vtpmloginfo(VTPM_LOG_VTPM, "TPM has an owner. Creating Keys off
existing SRK.\n");
   }

   // Generate storage key's auth
diff -r 15ff55aab051 tools/vtpm_manager/manager/vtsp.c
--- a/tools/vtpm_manager/manager/vtsp.c Mon Mar 05 15:15:03 2007 -0800
+++ b/tools/vtpm_manager/manager/vtsp.c Thu Apr 05 10:24:01 2007 -0700
@@ -596,7 +596,7 @@ TPM_RESULT VTSP_LoadKey(const TCS_CONTEX
   vtpmloginfo(VTPM_LOG_VTSP, "Loading Key %s.\n", (!skipTPMLoad ? "into
TPM" : "only into memory"));

   TPM_RESULT status = TPM_SUCCESS;
-  TPM_COMMAND_CODE command = TPM_ORD_LoadKey;
+  TPM_COMMAND_CODE command = TPM_ORD_LoadKey2;

   BYTE *paramText=NULL;        // Digest to make Auth.
   UINT32 paramTextSize;
@@ -634,10 +634,9 @@ TPM_RESULT VTSP_LoadKey(const TCS_CONTEX
                                       &phKeyHMAC) );

     // Verify Auth
-    paramTextSize = BSG_PackList(paramText, 3,
+    paramTextSize = BSG_PackList(paramText, 2,
                                 BSG_TPM_RESULT, &status,
-                                BSG_TPM_COMMAND_CODE, &command,
-                                BSG_TPM_HANDLE, newKeyHandle);
+                                BSG_TPM_COMMAND_CODE, &command);

     TPMTRYRETURN( VerifyAuth( paramText, paramTextSize,
                              parentAuth, auth,
diff -r 15ff55aab051 tools/vtpm_manager/tcs/tcs.c
--- a/tools/vtpm_manager/tcs/tcs.c      Mon Mar 05 15:15:03 2007 -0800
+++ b/tools/vtpm_manager/tcs/tcs.c      Thu Apr 05 10:24:12 2007 -0700
@@ -901,7 +901,7 @@ TPM_RESULT TCSP_LoadKeyByBlob(TCS_CONTEX
   // setup input/output parameters block
   TPM_TAG tag = TPM_TAG_RQU_AUTH1_COMMAND;
   UINT32 paramSize = 0;
-  TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey;
+  TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey2;
   TPM_RESULT returnCode = TPM_SUCCESS;

   // setup the TPM driver input and output buffers
diff -r 15ff55aab051 tools/vtpm_manager/util/tcg.h
--- a/tools/vtpm_manager/util/tcg.h     Mon Mar 05 15:15:03 2007 -0800
+++ b/tools/vtpm_manager/util/tcg.h     Thu Apr 05 10:24:24 2007 -0700
@@ -250,6 +250,7 @@ typedef struct pack_constbuf_t {
#define TPM_ORD_ReadManuMaintPub         (48UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_CertifyKey               (50UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_Sign                     (60UL + TPM_PROTECTED_ORDINAL)
+#define TPM_ORD_LoadKey2                 (65UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_GetRandom                (70UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_StirRandom               (71UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_SelfTestFull             (80UL + TPM_PROTECTED_ORDINAL)


________________________________

        From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Maximilian
Loy
        Sent: Monday, March 26, 2007 4:40 AM
        To: xense-devel@xxxxxxxxxxxxxxxxxxx
        Subject: [Xense-devel] vtpm_managerd problem with Infineon TPM
1.2


        Hi everybody,

        i am having problems to get the vtpm_managerd (Xen 3.0.4.1) to
work with the Infineon TPM 1.2 (platform is a HP nx6325).

        I was having the BAD_ORDINAL problems like discussed earlier on
this list, but i could solve them with applying the patch from:

http://lists.xensource.com/archives/html/xense-devel/2006-12/msg00020.ht
ml

        This resulted in TPM_AUTHFAIL like in

http://lists.xensource.com/archives/html/xense-devel/2006-12/msg00024.ht
ml
        giving me the following output after taking the ownership:
        ...
        INFO[VTSP]: Loading Key into TPM.
        ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code
TPM_AUTHFAIL
        ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_AUTHFAIL.
        ERROR in VTPM_Init_Manager at vtpm_manager.c:240 code:
TPM_AUTHFAIL.
        ERROR[VTPM]: Closing vtpmd due to error during startup.

        Maybe it has something to do with the patch, as the line 634 in
vtsp.c has been modified by it.

        Any help would be very appreciated!

        Best regards, Max



_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel