This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-devel] Re: [Xense-devel] Infineon vtpm problem

Subject: [Xen-devel] Re: [Xense-devel] Infineon vtpm problem
From: Erdem Bayer <ebayer@xxxxxxxxxxxx>
Date: Wed, 27 Feb 2008 23:02:41 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 27 Feb 2008 13:02:08 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <OFCB8F7084.73EA8239-ON852573FC.001496FA-852573FC.0015ECCF@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <OFCB8F7084.73EA8239-ON852573FC.001496FA-852573FC.0015ECCF@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird (X11/20071115)

I have checked out the 0.3.2cvs version of trousers and finally get the tsstest working with very few differences from when it is run under non-xen host. My previous attempts was on 0.3.1 (stable).

However when run tpm_sealdata, I still get

Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275), Authorization failed.

This reminds me that maybe I am using vtpm wrong way. Is there a document about how to use vtpm?

Here is what I do from sratch:

1. Clear and reactivate TPM from bios.
2. Run vtpm_managerd in dom0 and let it continue running on console.
3. Boot domU with vif statement in config file.
4. Run tcsd -f on domU and let it continue running on console.

From now on every tpm operation I run on domU returns an error.

Operations tried on domU

1. I tried tpm_takeownership with success (although I see an error on tcsd -f output, I assume it is normal because I see exact same error when I run takeownership from non-xen host and actually prove ownership taken by using sealdata successfully) but when I try tpm_sealdata I get above error.

2. After starting from scratch, I tried tpm_sealdata without first try to take ownership. This time there is a different output:

Enter SRK password:
Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad Parameter

I think I am not able to use vtpm because probably I am not doing the right sequence of actions on domU. So if there is a document about vtpm usage, please point me to it.

And here is another question:

I never run tpm_takeownership on dom0. Whenever I start from scratch I let the vtpm_managerd to take ownership of tpm. However, I do not know the owner or srk password it uses. When I use vtpm on domU and asked for the srk pasword, which password should I enter? Also, should I take ownership of vtpm on domU every time I booted it? How do I save state of the vtpm for a domain across boots?

Thanks for time.
Erdem Bayer

Stefan Berger wrote On 27-02-2008 05:59:

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/26/2008 06:28:01 PM:

> Hi
> I have successfully applied the patch mentioned here
> (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html)
> to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> I cleared the tpm, deleted /var/vtpm/VTPM file and rebooted.
> After reboot, vtpm_managerd runs ok. (output is attched to the mail.)
> I created a pv vm with the option vtpm = ['instance=1, backend=0'] The
> vm boots fine.
> I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on the vm.
> I run tcsd -f on the vm. (output is attched to the mail.)
> I checkout and run the trousers test suite. 10 tests passed with 230
> failed. (Is this expected?)

It is likely that this (v)TPM implementation has quite a few bugs, but I would not expect that many errors.

> When I try tpm_takeownership on the vm, the command runs fine. (Although
> a strange warning appers on tcsd output which is attched).

This error may be related to older versions of the TPM device driver having used an ioctl interface for sending/receiving commands to/from the TPM and the TSS still tries this interface first. This should not be a reason for the errors you are seeing.

> But when I try tpm_sealdata < foo on the vm I get the following error.
> Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> Authorization failed
> But other tpm_version runs fine on vm.
> tpm-test:~# tpm_version
>   TPM 1.2 Version Info:
>   Chip Version:
>   Spec Level:          2
>   Errata Revision:     94
>   TPM Vendor ID:
>   TPM Version:         01010000
>   Manufacturer Info:   4554485a
> Also this quote is from Xen User's Guide:
> "Similarly, the TPM frontend driver must be compiled for the kernel
> trying to use TPM functionality. Its driver can be selected in the
> kernel configuration section Device Driver / Character Devices / TPM
> Devices. Along with that the TPM driver for the built-in TPM must be
> selected."
> According to my understanding driver for the built-in TPM must be
> selected on the kernel where TPM frontend driver is used. Am I correct
> about this assumption? (The problem is tpm_infineon driver can not be

The driver for the built-in Infineon TPM must be built into Domain-0, the TPM frontend driver in the guest domain and the backend driver also into Domain-0. This has probably been done correctly since otherwise the vTPM would not work at all.

> selected on an unpriviledged kernel, it can only be selected on a
> priviledged kernel)
> Am I missing something here? Why do I get auth errors?

Did you try to run the same sequence of comands (tpm commands, test suite etc.) on a plain Linux kernel with the TSS stack against the built-in Infineone TPM? From what I remember, the test suite for the TSS stack either tries to set a specific TPM owner password or it must previously have been set to it by the user, otherwise many authentication errors will occur.


> Thanks in advance.
> Erdem Bayer
> [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
> [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel

Xen-devel mailing list