xense-devel
[Xen-devel] Re: [Xense-devel] Infineon vtpm problem
Erdem Bayer <ebayer@xxxxxxxxxxxx> wrote on 02/28/2008 07:28:14 AM:
> Hi
>
> I have searched a little deeper and found out that the tpm_emulator used
> in the vtpm implementation is a little outdated. I have searched the recent
> changes from tpm-emulator and the last significant diff involving
> TPM_LoadKey() was the one below.
>
> I want to know if applying this diff will improve my situation.
This is already part of the tpm emulator version 0.4
that is automatically downloaded by the Xen build process.
Stefan
>
> Thanks in advance
> Erdem Bayer
>
> ebayer@erdem-d tpm $ svn diff -r 201:179 tpm_storage.c
> Index: tpm_storage.c
> ===================================================================
> --- tpm_storage.c (revision 201)
> +++ tpm_storage.c (revision 179)
> @@ -521,13 +521,15 @@
> parent = tpm_get_key(parentHandle);
> if (parent == NULL) return TPM_INVALID_KEYHANDLE;
> /* verify authorization */
> - if (auth1->authHandle != TPM_INVALID_HANDLE) {
> - debug("[ authDataUsage=%.2x ]", parent->authDataUsage);
> - res = tpm_verify_auth(auth1, parent->usageAuth,
parentHandle);
> - if (res != TPM_SUCCESS) return res;
> - } else if (parent->authDataUsage != TPM_AUTH_NEVER) {
> - debug("TPM_LoadKey(): parent key requires authorization.");
> - return TPM_AUTHFAIL;
> + if (parent->authDataUsage != TPM_AUTH_NEVER) {
> + if (auth1->authHandle != TPM_INVALID_HANDLE) {
> + debug("[ authDataUsage=%.2x ]", parent->authDataUsage);
> + res = tpm_verify_auth(auth1, parent->usageAuth,
parentHandle);
> + if (res != TPM_SUCCESS) return res;
> + } else {
> + debug("TPM_LoadKey(): parent key requires
authorization.");
> + return TPM_AUTHFAIL;
> + }
> }
> if (parent->keyUsage != TPM_KEY_STORAGE) return TPM_INVALID_KEYUSAGE;
> /* verify key properties */
>
>
> Stefan Berger wrote On 28-02-2008 04:47:
> >
> > xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/27/2008 04:02:41 PM:
> >
> > > Hi
> > >
> > > I have checked out the 0.3.2cvs version of trousers and finally got the
> > > tsstest working with very few differences from when it is run under a
> > > non-xen host. My previous attempts were on 0.3.1 (stable).
> > >
> > > However, when I run tpm_sealdata, I still get
> > >
> > > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > > Authorization failed.
> >
> > So, I just tried this and I ran into the same problem. I then used
> > some tools that let me control whether to use TPM_LoadKey() or
> > TPM_LoadKey2(). Loading a key with TPM_LoadKey2() failed due to HMAC
> > authorization failing, TPM_LoadKey() worked. From what I saw, the TSS
> > is using TPM_LoadKey2() and the TPM implementation then states that
> > TPM_LoadKey2() is emulated using TPM_LoadKey(). Well, it seems to be
> > a bug in the TPM_LoadKey2() implementation.
> >
> > >
> > > This reminds me that maybe I am using vtpm the wrong way. Is there a
> > > document about how to use vtpm?
> > >
> > No, you are using it correctly.
> >
> > Stefan
> >
> >
> >
> > > Here is what I do from scratch:
> > >
> > > 1. Clear and reactivate TPM from bios.
> > > 2. Run vtpm_managerd in dom0 and let it continue running on console.
> > > 3. Boot domU with vif statement in config file.
> > > 4. Run tcsd -f on domU and let it continue running on console.
> > >
> > > From now on every tpm operation I run on domU returns an error.
> > >
> > > Operations tried on domU
> > >
> > > 1. I tried tpm_takeownership with success (although I see an error on
> > > tcsd -f output, I assume it is normal because I see the exact same error
> > > when I run takeownership from a non-xen host and actually prove ownership
> > > taken by using sealdata successfully) but when I try tpm_sealdata I get
> > > the above error.
> > >
> > > 2. After starting from scratch, I tried tpm_sealdata without first trying
> > > to take ownership. This time there is a different output:
> > >
> > > Enter SRK password:
> > > Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad
> > > Parameter
> > >
> > > I think I am not able to use vtpm because probably I am not doing the
> > > right sequence of actions on domU. So if there is a document about vtpm
> > > usage, please point me to it.
> > >
> > > And here is another question:
> > >
> > > I never run tpm_takeownership on dom0. Whenever I start from scratch I
> > > let the vtpm_managerd take ownership of the tpm. However, I do not know
> > > the owner or srk password it uses. When I use vtpm on domU and am asked
> > > for the srk password, which password should I enter? Also, should I take
> > > ownership of vtpm on domU every time I boot it? How do I save the state
> > > of the vtpm for a domain across boots?
> > >
> > > Thanks for your time.
> > > Erdem Bayer
> > >
> > >
> > >
> > > Stefan Berger wrote On 27-02-2008 05:59:
> > > >
> > > > xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/26/2008 06:28:01 PM:
> > > >
> > > > > Hi
> > > > >
> > > > > I have successfully applied the patch mentioned here
> > > > > (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html)
> > > > > to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> > > > >
> > > > > I cleared the tpm, deleted the /var/vtpm/VTPM file and rebooted.
> > > > >
> > > > > After reboot, vtpm_managerd runs ok. (output is attached to the mail.)
> > > > >
> > > > > I created a pv vm with the option vtpm = ['instance=1, backend=0']. The
> > > > > vm boots fine.
> > > > >
> > > > > I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on the vm.
> > > > >
> > > > > I run tcsd -f on the vm. (output is attached to the mail.)
> > > > >
> > > > > I checked out and ran the trousers test suite. 10 tests passed with 230
> > > > > failed. (Is this expected?)
> > > >
> > > >
> > > > It is likely that this (v)TPM implementation has quite a few bugs, but
> > > > I would not expect that many errors.
> > > >
> > > > >
> > > > > When I try tpm_takeownership on the vm, the command runs fine. (Although
> > > > > a strange warning appears on tcsd output which is attached).
> > > >
> > > > This error may be related to older versions of the TPM device driver
> > > > having used an ioctl interface for sending/receiving commands to/from
> > > > the TPM and the TSS still tries this interface first. This should not
> > > > be a reason for the errors you are seeing.
> > > >
> > > > >
> > > > > But when I try tpm_sealdata < foo on the vm I get the following error.
> > > > >
> > > > > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > > > > Authorization failed
> > > > >
> > > > > But tpm_version runs fine on the vm.
> > > > >
> > > > > tpm-test:~# tpm_version
> > > > >   TPM 1.2 Version Info:
> > > > >   Chip Version:        1.2.0.4
> > > > >   Spec Level:          2
> > > > >   Errata Revision:     94
> > > > >   TPM Vendor ID:
> > > > >   TPM Version:         01010000
> > > > >   Manufacturer Info:   4554485a
> > > > >
> > > > > Also this quote is from Xen User's Guide:
> > > > >
> > > > > "Similarly, the TPM frontend driver must be compiled for the kernel
> > > > > trying to use TPM functionality. Its driver can be selected in the
> > > > > kernel configuration section Device Driver / Character Devices / TPM
> > > > > Devices. Along with that the TPM driver for the built-in TPM must be
> > > > > selected."
> > > > >
> > > > > According to my understanding the driver for the built-in TPM must be
> > > > > selected on the kernel where the TPM frontend driver is used. Am I correct
> > > > > about this assumption? (The problem is the tpm_infineon driver can not be
> > > >
> > > > The driver for the built-in Infineon TPM must be built into Domain-0,
> > > > the TPM frontend driver in the guest domain and the backend driver
> > > > also into Domain-0. This has probably been done correctly since
> > > > otherwise the vTPM would not work at all.
> > > >
> > > >
> > > > > selected on an unprivileged kernel, it can only be selected on a
> > > > > privileged kernel)
> > > > >
> > > > > Am I missing something here? Why do I get auth errors?
> > > >
> > > >
> > > > Did you try to run the same sequence of commands (tpm commands, test
> > > > suite etc.) on a plain Linux kernel with the TSS stack against the
> > > > built-in Infineon TPM? From what I remember, the test suite for the
> > > > TSS stack either tries to set a specific TPM owner password or it must
> > > > previously have been set to it by the user, otherwise many
> > > > authentication errors will occur.
> > > >
> > > > Stefan
> > > >
> > > > >
> > > > > Thanks in advance.
> > > > >
> > > > > Erdem Bayer
> > > > > [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
> > > > > [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
> > > > > _______________________________________________
> > > > > Xense-devel mailing list
> > > > > Xense-devel@xxxxxxxxxxxxxxxxxxx
> > > > > http://lists.xensource.com/xense-devel
> > >
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
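The failure Stefan narrows down above (TPM_LoadKey2 fails its HMAC check while TPM_LoadKey succeeds, on an emulator that says it implements LoadKey2 in terms of LoadKey) is easier to reason about once you see what the TPM actually verifies. What follows is an added example, not code from tpm_emulator, TrouSerS or Xen, and the thread does not establish that this is the emulator's actual bug: it models the TPM 1.2 OIAP authorization HMAC for an AUTH1 command, using the TPM_ORD_LoadKey and TPM_ORD_LoadKey2 ordinals from the TPM 1.2 specification and constructed key, secret and nonce values. The function names and the placeholder key blob are mine.

```python
"""Model of the TPM 1.2 OIAP authorization HMAC for TPM_LoadKey/TPM_LoadKey2.

Added example, not code from tpm_emulator, TrouSerS or Xen.  The command
ordinal is hashed into inParamDigest, so an authHMAC computed by the TSS
for TPM_LoadKey2 cannot verify if the TPM side recomputes it for
TPM_LoadKey.  That this is what the emulator does is an assumption.
"""
import hashlib
import hmac
import struct

# TPM 1.2 command ordinals (TPM Main Specification Part 2).
TPM_ORD_LoadKey = 0x00000020
TPM_ORD_LoadKey2 = 0x00000041

# TPM 1.2 return codes.
TPM_SUCCESS = 0x00000000
TPM_AUTHFAIL = 0x00000001


def in_param_digest(ordinal: int, params: bytes) -> bytes:
    """inParamDigest (1H1): SHA-1 over the ordinal and the command parameters
    that follow the handles.  For LoadKey/LoadKey2 that is the serialized
    TPM_KEY inKey; tag, paramSize and parentHandle are not included."""
    return hashlib.sha1(struct.pack(">I", ordinal) + params).digest()


def auth_hmac(usage_auth: bytes, ordinal: int, params: bytes,
              nonce_even: bytes, nonce_odd: bytes,
              continue_auth_session: bool) -> bytes:
    """OIAP authHMAC = HMAC-SHA1(usageAuth,
           inParamDigest || authLastNonceEven || nonceOdd || continueAuthSession)."""
    msg = (in_param_digest(ordinal, params)
           + nonce_even + nonce_odd
           + bytes([int(continue_auth_session)]))
    return hmac.new(usage_auth, msg, hashlib.sha1).digest()


def tpm_verify_auth(usage_auth: bytes, ordinal: int, params: bytes,
                    nonce_even: bytes, nonce_odd: bytes,
                    continue_auth_session: bool, presented: bytes) -> int:
    """TPM-side check of a presented authHMAC.  Returns TPM_SUCCESS or
    TPM_AUTHFAIL; the compare is constant-time so a wrong HMAC does not
    leak how many bytes matched."""
    expected = auth_hmac(usage_auth, ordinal, params,
                         nonce_even, nonce_odd, continue_auth_session)
    return TPM_SUCCESS if hmac.compare_digest(expected, presented) else TPM_AUTHFAIL


def load_key2_round_trip(tpm_checks_as: int, tamper_key_blob: bool = False) -> int:
    """The caller authorizes a TPM_LoadKey2 the way a TSS would; the TPM side
    recomputes the HMAC with ordinal `tpm_checks_as`.  Every input below is
    a constructed, fixed value so the outcome is deterministic."""
    # 20-byte usageAuth of the parent (storage) key, from a made-up secret.
    usage_auth = hashlib.sha1(b"constructed parent usage secret").digest()
    # Constructed placeholder standing in for a serialized TPM_KEY blob.
    in_key = bytes.fromhex("00010100") + bytes(range(64))
    nonce_even = bytes(range(20))       # authLastNonceEven from the OIAP session
    nonce_odd = bytes(range(20, 40))    # nonceOdd chosen by the caller
    presented = auth_hmac(usage_auth, TPM_ORD_LoadKey2, in_key,
                          nonce_even, nonce_odd, False)
    if tamper_key_blob:
        in_key = in_key[:-1] + b"\xff"  # one byte of the blob changed in transit
    return tpm_verify_auth(usage_auth, tpm_checks_as, in_key,
                           nonce_even, nonce_odd, False, presented)


if __name__ == "__main__":
    print("LoadKey2 verified as LoadKey2:", hex(load_key2_round_trip(TPM_ORD_LoadKey2)))        # 0x0
    print("LoadKey2 verified as LoadKey: ", hex(load_key2_round_trip(TPM_ORD_LoadKey)))         # 0x1
    print("LoadKey2, tampered inKey:     ", hex(load_key2_round_trip(TPM_ORD_LoadKey2, True)))  # 0x1
```

Because the ordinal is part of inParamDigest, an implementation that accepts a LoadKey2 request but recomputes the session HMAC with LoadKey's ordinal (or the reverse) returns TPM_AUTHFAIL for every correctly authorized request, and the TSS surfaces that as an authorization failure of the kind quoted in the thread, with nothing wrong at the password level. The same HMAC also covers the key blob, so at this layer a corrupted blob is indistinguishable from a wrong SRK or parent password; when chasing an "Authorization failed" against an emulator, check which ordinal each side hashes before suspecting the secret.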