This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-devel] Re: [Xense-devel] Infineon vtpm problem

To: Erdem Bayer <ebayer@xxxxxxxxxxxx>
Subject: [Xen-devel] Re: [Xense-devel] Infineon vtpm problem
From: Stefan Berger <stefanb@xxxxxxxxxx>
Date: Tue, 26 Feb 2008 22:59:00 -0500
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 26 Feb 2008 19:59:36 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <47C4A081.3090404@xxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/26/2008 06:28:01 PM:

> Hi
> I have successfully applied the patch mentioned here
> (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html)
> to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> I cleared the tpm, deleted /var/vtpm/VTPM file and rebooted.
> After reboot, vtpm_managerd runs ok. (output is attched to the mail.)
> I created a pv vm with the option vtpm = ['instance=1, backend=0'] The
> vm boots fine.
> I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on the vm.
> I run tcsd -f on the vm. (output is attched to the mail.)
> I checkout and run the trousers test suite. 10 tests passed with 230
> failed. (Is this expected?)

It is likely that this (v)TPM implementation has quite a few bugs, but I would not expect that many errors.

> When I try tpm_takeownership on the vm, the command runs fine. (Although
> a strange warning appers on tcsd output which is attched).

This error may be related to older versions of the TPM device driver having used an ioctl interface for sending/receiving commands to/from the TPM and the TSS still tries this interface first. This should not be a reason for the errors you are seeing.

> But when I try tpm_sealdata < foo on the vm I get the following error.
> Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> Authorization failed
> But other tpm_version runs fine on vm.
> tpm-test:~# tpm_version
>   TPM 1.2 Version Info:
>   Chip Version:
>   Spec Level:          2
>   Errata Revision:     94
>   TPM Vendor ID:
>   TPM Version:         01010000
>   Manufacturer Info:   4554485a
> Also this quote is from Xen User's Guide:
> "Similarly, the TPM frontend driver must be compiled for the kernel
> trying to use TPM functionality. Its driver can be selected in the
> kernel configuration section Device Driver / Character Devices / TPM
> Devices. Along with that the TPM driver for the built-in TPM must be
> selected."
> According to my understanding driver for the built-in TPM must be
> selected on the kernel where TPM frontend driver is used. Am I correct
> about this assumption? (The problem is tpm_infineon driver can not be

The driver for the built-in Infineon TPM must be built into Domain-0, the TPM frontend driver in the guest domain and the backend driver also into Domain-0. This has probably been done correctly since otherwise the vTPM would not work at all.

> selected on an unpriviledged kernel, it can only be selected on a
> priviledged kernel)
> Am I missing something here? Why do I get auth errors?

Did you try to run the same sequence of comands (tpm commands, test suite etc.) on a plain Linux kernel with the TSS stack against the built-in Infineone TPM? From what I remember, the test suite for the TSS stack either tries to set a specific TPM owner password or it must previously have been set to it by the user, otherwise many authentication errors will occur.


> Thanks in advance.
> Erdem Bayer
> [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
> [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel
Xen-devel mailing list