WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xense-devel

Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2

To: "Maximilian Loy" <maximilian.loy@xxxxxxxxx>
Subject: Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2
From: Stefan Berger <stefanb@xxxxxxxxxx>
Date: Fri, 6 Apr 2007 08:13:12 -0400
Cc: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 06 Apr 2007 05:11:51 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <59e676e40704060103i2ef25f05g6c39d1a30b719fb1@xxxxxxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 04/06/2007 04:03:21 AM:

> Hi Joseph,
>
> first of all, thank you and Vinnie for the patch!
> I did a fresh installation of my development partition and installed
> the patched Xen.
> So, the patch solves the earlier problem, but another one surfaced.
> When i start vtpm_manager i get this output after it has
> loaded/created the keys:
>
> ERROR[VTPM]: VTPM ERROR: Can't open /dev/vtpm for reading.
> ERROR[VTPM]: [Backend Listener]: Backend Listener can't read from
> ipc. Aborting...
> ....


Did you do 'modprobe tpmbk'? That should make /dev/vtpm available.

  Stefan


>
> I get this message again and again till i abort it:
>
> INFO[VTPM]: [BINFO[VTPM]: Child shutting down
> INFO[VTPM]: VTPM Manager shutting down for signal 2.
> INFO[VTPM]: Enveloping Input[624]: 0x2 c5 94 f9 e4 fa 88 e0 a4 8d 43
> a3 b1 35 ee 43 3d 5e 5e f 50 e1 51 7a 59 9f cb 70 a4 fb 3c b5 41 56
> ad 5d e2 37 3b a5
> ........
>  6a 96 5b 1e 6b da a5 f4 ea 22 98 10 b0 b1 c8 b2 7c 27 10 51 a3 da 0
> 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> INFO[VTSP]: Binding 16 bytes of data.
> INFO[VTPM]: Saved 256 bytes of E(symkey) + 656 bytes of E(data)
> INFO[VTPM]: Enveloping Output[920]: 0x0 0 1 0 3a 85 a0 a2 7f cb 9a
> 1c 85 2b 6c ec 76 5c 2f 59 57 fd 16 94 1c c2 e a3 9b d1 b4 25 ca 4a
> f 5f 21 f2 2e 1f f4 ......
>  88 1c 13 35 47 d8 e b0 93 1a b5 d2 d f1 5e ed ea 7e 69 2e b4 c2 21
> f2 da 34 5c ea a5 6d f6
> INFO[VTPM]: Child shutting down
> INFO[VTPM]: Saved VTPM Manager state (status = 0, dmis = -1)
> INFO[TCS]: Calling TCS_CloseContext.
> INFO[VTPM]: Child shutting down
> ERROR[TCS]: TCSP_EvictKey Failed with return code TPM_BAD_ORDINAL
> ERROR[TCS]: Not all handles evicted from TPM.
> INFO[TCS]: Destructing TCS:
> INFO[TCS]: Calling TCS_CloseContext.
> INFO[VTPM]: VTPM Manager stopped.
>
>
> So i tried to solve the problem by clearing the ownership and
> deleting /var/vtpm/VTPM, but with the same result.
>
> The /dev/vtpm directory is empty now with the following access rights:
> drwxrwxr-x  2 root root        4096 Apr  5 22:15 vtpm
>
> lsmod shows me tpmbk running, as well as the tpm drivers:
> tpmbk                  17724  0 [permanent]
> tpm_tis                14592  0
> tpm_infineon           12312  0
> tpm                    18848  2 tpm_tis,tpm_infineon
> tpm_bios               10368  1 tpm
>
>
> Maybe that helps.
>
> Regards,
> Max
>

> 2007/4/5, Cihula, Joseph <joseph.cihula@xxxxxxxxx>:
> Max and Burak,
>
> Sorry for the delay in responding (especially to Burak whose much
> earlier posting we missed).  We don't have an Infineon TPM here to test
> with, but the root cause of this error isn't specific to the TPM mfgr.
> and we did verify it on our v1.2 TPMs.  Attached and inline is a patch
> (including Vinnie's existing one) that should fix this problem.  You
> should delete your /var/vtpm/VTPM file before re-running, but you don't
> need to reset your owner.
>
> Let me know how it works.  If this solves your problem then I will work
> up an official patch that can support both v1.1b and v1.2 TPMs (this
> patch will only work with v1.2 TPMs).
>
> Vinnie Scarlata deserves all of the credit for root causing this and
> providing the fix.
>
> Joe
>
> Patch:
>
> diff -r 15ff55aab051 tools/vtpm_manager/manager/vtpm_manager.c
> --- a/tools/vtpm_manager/manager/vtpm_manager.c Mon Mar 05 15:15:03 2007
> -0800
> +++ b/tools/vtpm_manager/manager/vtpm_manager.c Thu Apr 05 10:23:46 2007
> -0700
> @@ -90,22 +90,19 @@ TPM_RESULT VTPM_Create_Manager(){
>    CRYPTO_INFO ek_cryptoInfo;
>
>    status = VTSP_ReadPubek(vtpm_globals->manager_tcs_handle,
> &ek_cryptoInfo);
> -
> +
>    // If we can read PubEK then there is no owner and we should take it.
>    // We use the abilty to read the pubEK to flag that the TPM is owned.
>    // FIXME: Change to just trying to take ownership and react to the
> status
>    if (status == TPM_SUCCESS) {
> -    TPMTRYRETURN(VTSP_TakeOwnership(vtpm_globals->manager_tcs_handle,
> -                                   (const
> TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
> -                                   &SRK_AUTH,
> -                                   &ek_cryptoInfo,
> -                                   &vtpm_globals->keyAuth));
> -
> -
> TPMTRYRETURN(VTSP_DisablePubekRead(vtpm_globals->manager_tcs_handle,
> -                                       (const
> TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
> -                                       &vtpm_globals->keyAuth));
> -  } else {
> -    vtpmloginfo(VTPM_LOG_VTPM, "Failed to readEK meaning TPM has an
> owner. Creating Keys off existing SRK.\n");
> +    status = VTSP_TakeOwnership(vtpm_globals->manager_tcs_handle,
> +                               (const
> TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
> +                               &SRK_AUTH,
> +                               &ek_cryptoInfo,
> +                               &vtpm_globals->keyAuth);
> +  }
> +  if (status != TPM_SUCCESS) {
> +    vtpmloginfo(VTPM_LOG_VTPM, "TPM has an owner. Creating Keys off
> existing SRK.\n");
>    }
>
>    // Generate storage key's auth
> diff -r 15ff55aab051 tools/vtpm_manager/manager/vtsp.c
> --- a/tools/vtpm_manager/manager/vtsp.c Mon Mar 05 15:15:03 2007 -0800
> +++ b/tools/vtpm_manager/manager/vtsp.c Thu Apr 05 10:24:01 2007 -0700
> @@ -596,7 +596,7 @@ TPM_RESULT VTSP_LoadKey(const TCS_CONTEX
>    vtpmloginfo(VTPM_LOG_VTSP, "Loading Key %s.\n", (!skipTPMLoad ? "into
> TPM" : "only into memory"));
>
>    TPM_RESULT status = TPM_SUCCESS;
> -  TPM_COMMAND_CODE command = TPM_ORD_LoadKey;
> +  TPM_COMMAND_CODE command = TPM_ORD_LoadKey2;
>
>    BYTE *paramText=NULL;        // Digest to make Auth.
>    UINT32 paramTextSize;
> @@ -634,10 +634,9 @@ TPM_RESULT VTSP_LoadKey(const TCS_CONTEX
>                                        &phKeyHMAC) );
>
>      // Verify Auth
> -    paramTextSize = BSG_PackList(paramText, 3,
> +    paramTextSize = BSG_PackList(paramText, 2,
>                                  BSG_TPM_RESULT, &status,
> -                                BSG_TPM_COMMAND_CODE, &command,
> -                                BSG_TPM_HANDLE, newKeyHandle);
> +                                BSG_TPM_COMMAND_CODE, &command);
>
>      TPMTRYRETURN( VerifyAuth( paramText, paramTextSize,
>                               parentAuth, auth,
> diff -r 15ff55aab051 tools/vtpm_manager/tcs/tcs.c
> --- a/tools/vtpm_manager/tcs/tcs.c      Mon Mar 05 15:15:03 2007 -0800
> +++ b/tools/vtpm_manager/tcs/tcs.c      Thu Apr 05 10:24:12 2007 -0700
> @@ -901,7 +901,7 @@ TPM_RESULT TCSP_LoadKeyByBlob(TCS_CONTEX
>    // setup input/output parameters block
>    TPM_TAG tag = TPM_TAG_RQU_AUTH1_COMMAND;
>    UINT32 paramSize = 0;
> -  TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey;
> +  TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey2;
>    TPM_RESULT returnCode = TPM_SUCCESS;
>
>    // setup the TPM driver input and output buffers
> diff -r 15ff55aab051 tools/vtpm_manager/util/tcg.h
> --- a/tools/vtpm_manager/util/tcg.h     Mon Mar 05 15:15:03 2007 -0800
> +++ b/tools/vtpm_manager/util/tcg.h     Thu Apr 05 10:24:24 2007 -0700
> @@ -250,6 +250,7 @@ typedef struct pack_constbuf_t {
> #define TPM_ORD_ReadManuMaintPub         (48UL + TPM_PROTECTED_ORDINAL)
> #define TPM_ORD_CertifyKey               (50UL + TPM_PROTECTED_ORDINAL)
> #define TPM_ORD_Sign                     (60UL + TPM_PROTECTED_ORDINAL)
> +#define TPM_ORD_LoadKey2                 (65UL + TPM_PROTECTED_ORDINAL)
> #define TPM_ORD_GetRandom                (70UL + TPM_PROTECTED_ORDINAL)
> #define TPM_ORD_StirRandom               (71UL + TPM_PROTECTED_ORDINAL)
> #define TPM_ORD_SelfTestFull             (80UL + TPM_PROTECTED_ORDINAL)
>
>
> ________________________________
>
>         From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Maximilian
> Loy
>         Sent: Monday, March 26, 2007 4:40 AM
>         To: xense-devel@xxxxxxxxxxxxxxxxxxx
>         Subject: [Xense-devel] vtpm_managerd problem with Infineon TPM
> 1.2
>
>
>         Hi everybody,
>
>         i am having problems to get the vtpm_managerd (Xen 3.0.4.1) to
> work with the Infineon TPM 1.2 (platform is a HP nx6325).
>
>         I was having the BAD_ORDINAL problems like discussed earlier on
> this list, but i could solve them with applying the patch from:
>
> http://lists.xensource.com/archives/html/xense-devel/2006-12/msg00020.ht
> ml
>
>         This resulted in TPM_AUTHFAIL like in
>
> http://lists.xensource.com/archives/html/xense-devel/2006-12/msg00024.ht
> ml
>         giving me the following output after taking the ownership:
>         ...
>         INFO[VTSP]: Loading Key into TPM.
>         ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code
> TPM_AUTHFAIL
>         ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_AUTHFAIL.
>         ERROR in VTPM_Init_Manager at vtpm_manager.c:240 code:
> TPM_AUTHFAIL.
>         ERROR[VTPM]: Closing vtpmd due to error during startup.
>
>         Maybe it has something to do with the patch, as the line 634 in
> vtsp.c has been modified by it.
>
>         Any help would be very appreciated!
>
>         Best regards, Max
>

> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel