WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xense-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2

from [Maximilian Loy] [Permanent Link][Original]
To: "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>
Subject: Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2
From: "Maximilian Loy" <maximilian.loy@xxxxxxxxx>
Date: Fri, 6 Apr 2007 17:47:39 -0400
Cc: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 06 Apr 2007 14:46:16 -0700
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=puY/l+ThTdHKQb+T/yct4okTSl4NtZDxvVCHMSU8qC++kj8HqQrh8SIK/opr/K8Tgu2mCkT6t/F3qS74sqlqQ7aSGFsItUrffaifDR3q97SNehQ95Zn23n/9UFAstijiax3vWMmIO1a7I86Z0TkO7Itjr6i6FPAqHsX3wAKCmlA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=t4ExQ1tNPE97yDhVeU09lF4sb15PzwErXIry0qHLdhDNphDhwT27B1nXDqg3uypUo1GFxjtK6e1Vmf/2J19iVbNo4s0AF+ScvR39is90caaZF6dmxv3krdHXxJUeifNpPm7Ff8+j/1eJqPPz8wJlfVoovw5ho1x6P2aqVazSRVg=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <AEC554657A662A4880670EA30CB9488D018FCC9F@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
References: <59e676e40704061252i53cec59co22f746f02837bfd8@xxxxxxxxxxxxxx> <OF2F1AD161.C59D4900-ON852572B5.006EC480-852572B5.006F169F@xxxxxxxxxx> <59e676e40704061354m5c1c9f61g630ba321a7e00a3a@xxxxxxxxxxxxxx> <AEC554657A662A4880670EA30CB9488D018FCC9F@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx

I forget ot note that when Manager takes ownership it uses all FF's as the SRK auth (I'll fix that too).  So if that's not what you specifed when you manually took ownership, then you shoudl clear it and let the Manager take ownership.

That solved the problem!
As far as i can see, vtpm_manager is functioning right now (waits for messages and creates a new tpm when i start a domU with vtpm).

Thanks a lot!
Max



From: Cihula, Joseph
Sent: Friday, April 06, 2007 2:06 PM
To: 'Maximilian Loy'; Stefan Berger
Cc: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx; xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2

vTPM Manager will take ownership if the TPM is not already owned; it also works fine it is owned.  Either way, make sure to delete /var/vtpm/VTPM before running Manager so that it doesn't try to use an old state.
 
Joe

From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Maximilian Loy
Sent: Friday, April 06, 2007 1:54 PM
To: Stefan Berger
Cc: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx; xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2


Unless you reboot your machine and do a modprobe tpmbk again you will need to do

mknod /dev/vtpm c 10 225

to get that device entry. The TPM backend device is  a 'permanent' device and cannot be 'rmmod'ed.

I don't get the entry even when i reboot and modprobe tpmbk.

So i made the entry manually. Now I was tried two things:

With a cleaned and activated TPM i get the following output:
# vtpm_managerd
INFO[VTPM]: Starting VTPM.
INFO[TCS]: Constructing new TCS:
INFO[TCS]: Calling TCS_OpenContext:
INFO[VTSP]: OIAP.
INFO[VTSP]: Loading Key into TPM.
ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code TPM_NOSRK
ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_NOSRK.
ERROR in VTPM_LoadManagerData at securestorage.c:453 code: TPM_NOSRK.
ERROR[VTPM]: Failed to load service data with error = TPM_NOSRK
ERROR[VTPM]: Failed to read existing manager file

After taking ownership (and stopping tcsd again) i get:
# vtpm_managerd
INFO[VTPM]: Starting VTPM.
INFO[TCS]: Constructing new TCS:
INFO[TCS]: Calling TCS_OpenContext:
INFO[VTSP]: OIAP.
INFO[VTSP]: Loading Key into TPM.
ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code TPM_AUTHFAIL
ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_AUTHFAIL.
ERROR in VTPM_LoadManagerData at securestorage.c:453 code: TPM_AUTHFAIL.
ERROR[VTPM]: Failed to load service data with error = TPM_AUTHFAIL
ERROR[VTPM]: Failed to read existing manager file

I am not shure if i have to take ownership or not?!

Thanks,
Max
 

> 2007/4/6, Cihula, Joseph < joseph.cihula@xxxxxxxxx>:
> Hopefully if you unload tpmbk, delete your current /dev/vtpm entry,
> and then re- modprobe tpmbk it will create the proper entry for you.
>  
> It also looks like there is one more v1.1b command in the code
> (TPM_EvictKey).  Since the basic v1.2 patch worked for you, I will
> generate a patch that can handle both versions and fix the
> TPM_EvictKey usage in the v1.2 path of this new patch (rather than
> sending out another v1.2 only patch).
>  
> Joe
>
> From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto: xense-devel-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Stefan Berger
> Sent: Friday, April 06, 2007 12:07 PM
> To: Maximilian Loy
> Cc: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx; xense-devel@xxxxxxxxxxxxxxxxxxx
> Subject: Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2

>
> xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 04/06/2007 02:53:48 PM:
>
> >
> > > So, the patch solves the earlier problem, but another one surfaced.
> > > When i start vtpm_manager i get this output after it has
> > > loaded/created the keys:
> > >
> > > ERROR[VTPM]: VTPM ERROR: Can't open /dev/vtpm for reading.
> > > ERROR[VTPM]: [Backend Listener]: Backend Listener can't read from
> > > ipc. Aborting...
> > > ....
> >
> > Did you do 'modprobe tpmbk'? That should make /dev/vtpm available.
> >
> > I did, and lsmod shows me tpmbk running, as well as the tpm drivers:
> > tpmbk                  17724  0 [permanent]
> > tpm_tis                14592  0
> > tpm_infineon           12312  0
> > tpm                    18848  2 tpm_tis,tpm_infineon
> > tpm_bios               10368  1 tpm
> >
> > Although the /dev/vtpm directory exists, it is completly empty. Is
> > this normal?
>
> /dev/vtpm is a character device, not a directory.
>
> 'ls /dev/vtpm' should show something like this:
>
> crw------- 1 root root 10, 225 Apr  6 11:50 /dev/vtpm
>
>
>    Stefan
>
> >
> > Regards,
> > Max
>
> >
> >
> > >
> > > I get this message again and again till i abort it:
> > >
> > > INFO[VTPM]: [BINFO[VTPM]: Child shutting down
> > > INFO[VTPM]: VTPM Manager shutting down for signal 2.
> > > INFO[VTPM]: Enveloping Input[624]: 0x2 c5 94 f9 e4 fa 88 e0 a4 8d 43
> > > a3 b1 35 ee 43 3d 5e 5e f 50 e1 51 7a 59 9f cb 70 a4 fb 3c b5 41 56
> > > ad 5d e2 37 3b a5
> > > ........
> > >  6a 96 5b 1e 6b da a5 f4 ea 22 98 10 b0 b1 c8 b2 7c 27 10 51 a3 da 0
> > > 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> > > INFO[VTSP]: Binding 16 bytes of data.
> > > INFO[VTPM]: Saved 256 bytes of E(symkey) + 656 bytes of E(data)
> > > INFO[VTPM]: Enveloping Output[920]: 0x0 0 1 0 3a 85 a0 a2 7f cb 9a
> > > 1c 85 2b 6c ec 76 5c 2f 59 57 fd 16 94 1c c2 e a3 9b d1 b4 25 ca 4a
> > > f 5f 21 f2 2e 1f f4 ......
> > >  88 1c 13 35 47 d8 e b0 93 1a b5 d2 d f1 5e ed ea 7e 69 2e b4 c2 21
> > > f2 da 34 5c ea a5 6d f6
> > > INFO[VTPM]: Child shutting down
> > > INFO[VTPM]: Saved VTPM Manager state (status = 0, dmis = -1)
> > > INFO[TCS]: Calling TCS_CloseContext.
> > > INFO[VTPM]: Child shutting down
> > > ERROR[TCS]: TCSP_EvictKey Failed with return code TPM_BAD_ORDINAL
> > > ERROR[TCS]: Not all handles evicted from TPM.
> > > INFO[TCS]: Destructing TCS:
> > > INFO[TCS]: Calling TCS_CloseContext.
> > > INFO[VTPM]: VTPM Manager stopped.
> > >
> > >
> > > So i tried to solve the problem by clearing the ownership and
> > > deleting /var/vtpm/VTPM, but with the same result.
> > >
> > > The /dev/vtpm directory is empty now with the following access rights:
> > > drwxrwxr-x  2 root root        4096 Apr  5 22:15 vtpm
> > >
> > > lsmod shows me tpmbk running, as well as the tpm drivers:
> > > tpmbk                  17724  0 [permanent]
> > > tpm_tis                14592  0
> > > tpm_infineon           12312  0
> > > tpm                    18848  2 tpm_tis,tpm_infineon
> > > tpm_bios               10368  1 tpm
> > >
> > >
> > > Maybe that helps.
> > >
> > > Regards,
> > > Max
> > >
> >
> > > 2007/4/5, Cihula, Joseph <joseph.cihula@xxxxxxxxx>:
> > > Max and Burak,
> > >
> > > Sorry for the delay in responding (especially to Burak whose much
> > > earlier posting we missed).  We don't have an Infineon TPM here to test
> > > with, but the root cause of this error isn't specific to the TPM mfgr.
> > > and we did verify it on our v1.2 TPMs.  Attached and inline is a patch
> > > (including Vinnie's existing one) that should fix this problem.  You
> > > should delete your /var/vtpm/VTPM file before re-running, but you don't
> > > need to reset your owner.
> > >
> > > Let me know how it works.  If this solves your problem then I will work
> > > up an official patch that can support both v1.1b and v1.2 TPMs (this
> > > patch will only work with v1.2 TPMs).
> > >
> > > Vinnie Scarlata deserves all of the credit for root causing this and
> > > providing the fix.
> > >
> > > Joe
> > >
> > > Patch:
> > >
> > > diff -r 15ff55aab051 tools/vtpm_manager/manager/vtpm_manager.c
> > > --- a/tools/vtpm_manager/manager/vtpm_manager.c Mon Mar 05 15:15:03 2007
> > > -0800
> > > +++ b/tools/vtpm_manager/manager/vtpm_manager.c Thu Apr 05 10:23:46 2007
> > > -0700
> > > @@ -90,22 +90,19 @@ TPM_RESULT VTPM_Create_Manager(){
> > >    CRYPTO_INFO ek_cryptoInfo;
> > >
> > >    status = VTSP_ReadPubek(vtpm_globals->manager_tcs_handle,
> > > &ek_cryptoInfo);
> > > -
> > > +
> > >    // If we can read PubEK then there is no owner and we should take it.
> > >    // We use the abilty to read the pubEK to flag that the TPM is owned.
> > >    // FIXME: Change to just trying to take ownership and react to the
> > > status
> > >    if (status == TPM_SUCCESS) {
> > > -    TPMTRYRETURN(VTSP_TakeOwnership(vtpm_globals->manager_tcs_handle,
> > > -                                   (const
> > > TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
> > > -                                   &SRK_AUTH,
> > > -                                   &ek_cryptoInfo,
> > > -                                   &vtpm_globals->keyAuth));
> > > -
> > > -
> > > TPMTRYRETURN(VTSP_DisablePubekRead(vtpm_globals->manager_tcs_handle,
> > > -                                       (const
> > > TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
> > > -                                       &vtpm_globals->keyAuth));
> > > -  } else {
> > > -    vtpmloginfo(VTPM_LOG_VTPM, "Failed to readEK meaning TPM has an
> > > owner. Creating Keys off existing SRK.\n");
> > > +    status = VTSP_TakeOwnership(vtpm_globals->manager_tcs_handle,
> > > +                               (const
> > > TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
> > > +                               &SRK_AUTH,
> > > +                               &ek_cryptoInfo,
> > > +                               &vtpm_globals->keyAuth);
> > > +  }
> > > +  if (status != TPM_SUCCESS) {
> > > +    vtpmloginfo(VTPM_LOG_VTPM, "TPM has an owner. Creating Keys off
> > > existing SRK.\n");
> > >    }
> > >
> > >    // Generate storage key's auth
> > > diff -r 15ff55aab051 tools/vtpm_manager/manager/vtsp.c
> > > --- a/tools/vtpm_manager/manager/vtsp.c Mon Mar 05 15:15:03 2007 -0800
> > > +++ b/tools/vtpm_manager/manager/vtsp.c Thu Apr 05 10:24:01 2007 -0700
> > > @@ -596,7 +596,7 @@ TPM_RESULT VTSP_LoadKey(const TCS_CONTEX
> > >    vtpmloginfo(VTPM_LOG_VTSP, "Loading Key %s.\n", (!skipTPMLoad ? "into
> > > TPM" : "only into memory"));
> > >
> > >    TPM_RESULT status = TPM_SUCCESS;
> > > -  TPM_COMMAND_CODE command = TPM_ORD_LoadKey;
> > > +  TPM_COMMAND_CODE command = TPM_ORD_LoadKey2;
> > >
> > >    BYTE *paramText=NULL;        // Digest to make Auth.
> > >    UINT32 paramTextSize;
> > > @@ -634,10 +634,9 @@ TPM_RESULT VTSP_LoadKey(const TCS_CONTEX
> > >                                        &phKeyHMAC) );
> > >
> > >      // Verify Auth
> > > -    paramTextSize = BSG_PackList(paramText, 3,
> > > +    paramTextSize = BSG_PackList(paramText, 2,
> > >                                  BSG_TPM_RESULT, &status,
> > > -                                BSG_TPM_COMMAND_CODE, &command,
> > > -                                BSG_TPM_HANDLE, newKeyHandle);
> > > +                                BSG_TPM_COMMAND_CODE, &command);
> > >
> > >      TPMTRYRETURN( VerifyAuth( paramText, paramTextSize,
> > >                               parentAuth, auth,
> > > diff -r 15ff55aab051 tools/vtpm_manager/tcs/tcs.c
> > > --- a/tools/vtpm_manager/tcs/tcs.c      Mon Mar 05 15:15:03 2007 -0800
> > > +++ b/tools/vtpm_manager/tcs/tcs.c      Thu Apr 05 10:24:12 2007 -0700
> > > @@ -901,7 +901,7 @@ TPM_RESULT TCSP_LoadKeyByBlob(TCS_CONTEX
> > >    // setup input/output parameters block
> > >    TPM_TAG tag = TPM_TAG_RQU_AUTH1_COMMAND;
> > >    UINT32 paramSize = 0;
> > > -  TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey;
> > > +  TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey2;
> > >    TPM_RESULT returnCode = TPM_SUCCESS;
> > >
> > >    // setup the TPM driver input and output buffers
> > > diff -r 15ff55aab051 tools/vtpm_manager/util/tcg.h
> > > --- a/tools/vtpm_manager/util/tcg.h     Mon Mar 05 15:15:03 2007 -0800
> > > +++ b/tools/vtpm_manager/util/tcg.h     Thu Apr 05 10:24:24 2007 -0700
> > > @@ -250,6 +250,7 @@ typedef struct pack_constbuf_t {
> > > #define TPM_ORD_ReadManuMaintPub         (48UL + TPM_PROTECTED_ORDINAL)
> > > #define TPM_ORD_CertifyKey               (50UL + TPM_PROTECTED_ORDINAL)
> > > #define TPM_ORD_Sign                     (60UL + TPM_PROTECTED_ORDINAL)
> > > +#define TPM_ORD_LoadKey2                 (65UL + TPM_PROTECTED_ORDINAL)
> > > #define TPM_ORD_GetRandom                (70UL + TPM_PROTECTED_ORDINAL)
> > > #define TPM_ORD_StirRandom               (71UL + TPM_PROTECTED_ORDINAL)
> > > #define TPM_ORD_SelfTestFull             (80UL + TPM_PROTECTED_ORDINAL)
> > >
> > >
> > > ________________________________
> > >
> > >         From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
> > > [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Maximilian
> > > Loy
> > >         Sent: Monday, March 26, 2007 4:40 AM
> > >         To: xense-devel@xxxxxxxxxxxxxxxxxxx
> > >         Subject: [Xense-devel] vtpm_managerd problem with Infineon TPM
> > > 1.2
> > >
> > >
> > >         Hi everybody,
> > >
> > >         i am having problems to get the vtpm_managerd (Xen 3.0.4.1) to
> > > work with the Infineon TPM 1.2 (platform is a HP nx6325).
> > >
> > >         I was having the BAD_ORDINAL problems like discussed earlier on
> > > this list, but i could solve them with applying the patch from:
> > >
> > > http://lists.xensource.com/archives/html/xense-devel/2006-12/msg00020.ht
> > > ml
> > >
> > >         This resulted in TPM_AUTHFAIL like in
> > >
> > > http://lists.xensource.com/archives/html/xense-devel/2006-12/msg00024.ht
> > > ml
> > >         giving me the following output after taking the ownership:
> > >         ...
> > >         INFO[VTSP]: Loading Key into TPM.
> > >         ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code
> > > TPM_AUTHFAIL
> > >         ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_AUTHFAIL.
> > >         ERROR in VTPM_Init_Manager at vtpm_manager.c:240 code:
> > > TPM_AUTHFAIL.
> > >         ERROR[VTPM]: Closing vtpmd due to error during startup.
> > >
> > >         Maybe it has something to do with the patch, as the line 634 in
> > > vtsp.c has been modified by it.
> > >
> > >         Any help would be very appreciated!
> > >
> > >         Best regards, Max
> > >
>
> > > _______________________________________________
> > > Xense-devel mailing list
> > > Xense-devel@xxxxxxxxxxxxxxxxxxx
> > > http://lists.xensource.com/xense-devel
> > _______________________________________________
> > Xense-devel mailing list
> > Xense-devel@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xense-devel
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel


_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2, Maximilian Loy
Next by Date:  [Xense-devel] Running shype in xen open source build, Praveen Kushwaha
Previous by Thread:  RE: [Xense-devel] vtpm_managerd problem with Infineon TPM 1.2, Cihula, Joseph
Next by Thread:  [Xense-devel] Running shype in xen open source build, Praveen Kushwaha
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy