WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xense-devel

[Xen-devel] Re: [Xense-devel] Infineon vtpm problem

To: Erdem Bayer <ebayer@xxxxxxxxxxxx>
Subject: [Xen-devel] Re: [Xense-devel] Infineon vtpm problem
From: Stefan Berger <stefanb@xxxxxxxxxx>
Date: Thu, 28 Feb 2008 14:55:27 -0500
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 28 Feb 2008 11:57:49 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <47C6A8DE.7030408@xxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

Erdem Bayer <ebayer@xxxxxxxxxxxx> wrote on 02/28/2008 07:28:14 AM:

> Hi
>
> I have searched a little deeper and find out that tpm_emulator used in
> vtpm implementation is a little outdated. I have searched the recent
> changes from tpm-emulator and the last significant diff involving
> TPM_LoadKey() was the below one.
>
> I want to know if applying this diff will inprove my situation.


This is already part of the tpm emulator version 0.4 that is automatically downloaded by the Xen build process.

   Stefan


>
> Thanks in advance
> Erdem Bayer
>
> ebayer@erdem-d tpm $ svn diff -r 201:179 tpm_storage.c
> Index: tpm_storage.c
> ===================================================================
> --- tpm_storage.c       (revision 201)
> +++ tpm_storage.c       (revision 179)
> @@ -521,13 +521,15 @@
>    parent = tpm_get_key(parentHandle);
>    if (parent == NULL) return TPM_INVALID_KEYHANDLE;
>    /* verify authorization */
> -  if (auth1->authHandle != TPM_INVALID_HANDLE) {
> -    debug("[ authDataUsage=%.2x ]", parent->authDataUsage);
> -    res = tpm_verify_auth(auth1, parent->usageAuth, parentHandle);
> -    if (res != TPM_SUCCESS) return res;
> -  } else if (parent->authDataUsage != TPM_AUTH_NEVER) {
> -    debug("TPM_LoadKey(): parent key requires authorization.");
> -    return TPM_AUTHFAIL;
> +  if (parent->authDataUsage != TPM_AUTH_NEVER) {
> +    if (auth1->authHandle != TPM_INVALID_HANDLE) {
> +      debug("[ authDataUsage=%.2x ]", parent->authDataUsage);
> +      res = tpm_verify_auth(auth1, parent->usageAuth, parentHandle);
> +      if (res != TPM_SUCCESS) return res;
> +    } else {
> +      debug("TPM_LoadKey(): parent key requires authorization.");
> +      return TPM_AUTHFAIL;
> +    }
>    }
>    if (parent->keyUsage != TPM_KEY_STORAGE) return TPM_INVALID_KEYUSAGE;
>    /* verify key properties */
>
>
> Stefan Berger wrote On 28-02-2008 04:47:
> >
> > xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/27/2008 04:02:41 PM:
> >
> > > Hi
> > >
> > > I have checked out the 0.3.2cvs version of trousers and finally get the
> > > tsstest working with very few differences from when it is run under
> > > non-xen host. My previous attempts was on 0.3.1 (stable).
> > >
> > > However when run tpm_sealdata, I still get
> > >
> > > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > > Authorization failed.
> >
> > So, I just tried this and I ran into the same problem. I then used
> > some tools that let me control whether to use TPM_LoadKey() or
> > TPM_LoadKey2(). Loading a key with TPM_LoadKey2() failed due to HMAC
> > authorization failing, TPM_LoadKey() worked. From what I saw is that
> > the TSS is using TPM_LoadKey2() and the TPM implementation then states
> > that TPM_LoadKey2() is emulated using TPM_LoadKey(). Well, it seems to
> > be a bug in the TPM_LoadKey2() implementation.
> >
> > >
> > > This reminds me that maybe I am using vtpm wrong way. Is there a
> > > document about how to use vtpm?
> > >
> > No, you are using it correctly.
> >
> >   Stefan
> >
> >
> >
> > > Here is what I do from sratch:
> > >
> > > 1. Clear and reactivate TPM from bios.
> > > 2. Run vtpm_managerd in dom0 and let it continue running on console.
> > > 3. Boot domU with vif statement in config file.
> > > 4. Run tcsd -f on domU and let it continue running on console.
> > >
> > >  From now on every tpm operation I run on domU returns an error.
> > >
> > > Operations tried on domU
> > >
> > > 1. I tried tpm_takeownership with success (although I see an error on
> > > tcsd -f output, I assume it is normal because I see exact same error
> > > when I run takeownership from non-xen host and actually prove ownership
> > > taken by using sealdata successfully) but when I try tpm_sealdata I get
> > > above error.
> > >
> > > 2. After starting from scratch, I tried tpm_sealdata without first try
> > > to take ownership. This time there is a different output:
> > >
> > > Enter SRK password:
> > > Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad
> > > Parameter
> > >
> > > I think I am not able to use vtpm because probably I am not doing the
> > > right sequence of actions on domU. So if there is a document about vtpm
> > > usage, please point me to it.
> > >
> > > And here is another question:
> > >
> > > I never run tpm_takeownership on dom0. Whenever I start from scratch I
> > > let the vtpm_managerd to take ownership of tpm. However, I do not know
> > > the owner or srk password it uses. When I use vtpm on domU and asked
> > for
> > > the srk pasword, which password should I enter? Also, should I take
> > > ownership of vtpm on domU every time I booted it? How do I save
> > state of
> > > the vtpm for a domain across boots?
> > >
> > > Thanks for time.
> > > Erdem Bayer
> > >
> > >
> > > Stefan Berger wrote On 27-02-2008 05:59:
> > > >
> > > > xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/26/2008
> > 06:28:01 PM:
> > > >
> > > > > Hi
> > > > >
> > > > > I have successfully applied the patch mentioned here
> > > > >
> > > >
> > (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html
> > > )
> > > >
> > > > > to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> > > > >
> > > > > I cleared the tpm, deleted /var/vtpm/VTPM file and rebooted.
> > > > >
> > > > > After reboot, vtpm_managerd runs ok. (output is attched to the
> > mail.)
> > > > >
> > > > > I created a pv vm with the option vtpm = ['instance=1,
> > backend=0'] The
> > > > > vm boots fine.
> > > > >
> > > > > I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on
> > the vm.
> > > > >
> > > > > I run tcsd -f on the vm. (output is attched to the mail.)
> > > > >
> > > > > I checkout and run the trousers test suite. 10 tests passed with 230
> > > > > failed. (Is this expected?)
> > > >
> > > >
> > > > It is likely that this (v)TPM implementation has quite a few bugs,
> > but
> > > > I would not expect that many errors.
> > > >
> > > > >
> > > > > When I try tpm_takeownership on the vm, the command runs fine.
> > > > (Although
> > > > > a strange warning appers on tcsd output which is attched).
> > > >
> > > > This error may be related to older versions of the TPM device driver
> > > > having used an ioctl interface for sending/receiving commands to/from
> > > > the TPM and the TSS still tries this interface first. This should not
> > > > be a reason for the errors you are seeing.
> > > >
> > > > >
> > > > > But when I try tpm_sealdata < foo on the vm I get the following
> > error.
> > > > >
> > > > > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > > > > Authorization failed
> > > > >
> > > > > But other tpm_version runs fine on vm.
> > > > >
> > > > > tpm-test:~# tpm_version
> > > > >   TPM 1.2 Version Info:
> > > > >   Chip Version:        1.2.0.4
> > > > >   Spec Level:          2
> > > > >   Errata Revision:     94
> > > > >   TPM Vendor ID:
> > > > >   TPM Version:         01010000
> > > > >   Manufacturer Info:   4554485a
> > > > >
> > > > > Also this quote is from Xen User's Guide:
> > > > >
> > > > > "Similarly, the TPM frontend driver must be compiled for the kernel
> > > > > trying to use TPM functionality. Its driver can be selected in the
> > > > > kernel configuration section Device Driver / Character Devices / TPM
> > > > > Devices. Along with that the TPM driver for the built-in TPM must be
> > > > > selected."
> > > > >
> > > > > According to my understanding driver for the built-in TPM must be
> > > > > selected on the kernel where TPM frontend driver is used. Am I
> > correct
> > > > > about this assumption? (The problem is tpm_infineon driver can
> > not be
> > > >
> > > > The driver for the built-in Infineon TPM must be built into Domain-0,
> > > > the TPM frontend driver in the guest domain and the backend driver
> > > > also into Domain-0. This has probably been done correctly since
> > > > otherwise the vTPM would not work at all.
> > > >
> > > >  
> > > > > selected on an unpriviledged kernel, it can only be selected on a
> > > > > priviledged kernel)
> > > > >
> > > > > Am I missing something here? Why do I get auth errors?
> > > >
> > > >
> > > > Did you try to run the same sequence of comands (tpm commands, test
> > > > suite etc.) on a plain Linux kernel with the TSS stack against the
> > > > built-in Infineone TPM? From what I remember, the test suite for the
> > > > TSS stack either tries to set a specific TPM owner password or it
> > must
> > > > previously have been set to it by the user, otherwise many
> > > > authentication errors will occur.
> > > >
> > > >    Stefan
> > > >
> > > > >
> > > > > Thanks in advance.
> > > > >
> > > > > Erdem Bayer
> > > > > [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
> > > > > [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
> > > > > _______________________________________________
> > > > > Xense-devel mailing list
> > > > > Xense-devel@xxxxxxxxxxxxxxxxxxx
> > > > > http://lists.xensource.com/xense-devel
> > >
> > > _______________________________________________
> > > Xense-devel mailing list
> > > Xense-devel@xxxxxxxxxxxxxxxxxxx
> > > http://lists.xensource.com/xense-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel