[Xen-devel] Re: [Xense-devel] Infineon vtpm problem
 
xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/27/2008 04:02:41 PM:
 
> Hi
>
> I have checked out the 0.3.2cvs version of trousers and finally get the
> tsstest working with very few differences from when it is run under a
> non-xen host. My previous attempts were on 0.3.1 (stable).
>
> However, when I run tpm_sealdata, I still get
>
> Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> Authorization failed.
 
So, I just tried this and I ran into the same problem.
I then used some tools that let me control whether to use TPM_LoadKey()
or TPM_LoadKey2(). Loading a key with TPM_LoadKey2() failed due to HMAC
authorization failing; TPM_LoadKey() worked. From what I saw, the
TSS is using TPM_LoadKey2() and the TPM implementation then states that
TPM_LoadKey2() is emulated using TPM_LoadKey(). Well, it seems to be a
bug in the TPM_LoadKey2() implementation.
  
>
> This reminds me that maybe I am using vtpm the wrong way. Is there a
> document about how to use vtpm?
>
 No, you are using it correctly.
 
   Stefan
  
 
> Here is what I do from scratch:
>
> 1. Clear and reactivate TPM from bios.
> 2. Run vtpm_managerd in dom0 and let it continue running on console.
> 3. Boot domU with vif statement in config file.
> 4. Run tcsd -f on domU and let it continue running on console.
>
> From now on every tpm operation I run on domU returns an error.
>
> Operations tried on domU
>
> 1. I tried tpm_takeownership with success (although I see an error on
> tcsd -f output, I assume it is normal because I see the exact same error
> when I run takeownership from a non-xen host and actually prove ownership
> taken by using sealdata successfully) but when I try tpm_sealdata I get
> the above error.
>
> 2. After starting from scratch, I tried tpm_sealdata without first
> trying to take ownership. This time there is a different output:
>
> Enter SRK password:
> Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad
> Parameter
>
> I think I am not able to use vtpm because probably I am not doing the
> right sequence of actions on domU. So if there is a document about vtpm
> usage, please point me to it.
>
> And here is another question:
>
> I never run tpm_takeownership on dom0. Whenever I start from scratch I
> let vtpm_managerd take ownership of the tpm. However, I do not know
> the owner or srk password it uses. When I use vtpm on domU and am asked
> for the srk password, which password should I enter? Also, should I take
> ownership of vtpm on domU every time I boot it? How do I save the state of
> the vtpm for a domain across boots?
>
> Thanks for your time.
> Erdem Bayer
>
>
> Stefan Berger wrote On 27-02-2008 05:59:
> >
> > xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/26/2008 06:28:01 PM:
> >
> > > Hi
> > >
> > > I have successfully applied the patch mentioned here
> > > (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html)
> > > to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> > >
> > > I cleared the tpm, deleted the /var/vtpm/VTPM file and rebooted.
> > >
> > > After reboot, vtpm_managerd runs ok. (output is attached to the mail.)
> > >
> > > I created a pv vm with the option vtpm = ['instance=1, backend=0']. The
> > > vm boots fine.
> > >
> > > I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on the vm.
> > >
> > > I run tcsd -f on the vm. (output is attached to the mail.)
> > >
> > > I check out and run the trousers test suite. 10 tests passed with 230
> > > failed. (Is this expected?)
> >
> >
> > It is likely that this (v)TPM implementation has quite a few bugs, but
> > I would not expect that many errors.
> >
> > >
> > > When I try tpm_takeownership on the vm, the command runs fine. (Although
> > > a strange warning appears on tcsd output which is attached).
> >
> > This error may be related to older versions of the TPM device driver
> > having used an ioctl interface for sending/receiving commands to/from
> > the TPM and the TSS still tries this interface first. This should not
> > be a reason for the errors you are seeing.
> >
> > >
> > > But when I try tpm_sealdata < foo on the vm I get the following error.
> > >
> > > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > > Authorization failed
> > >
> > > But other tpm_version runs fine on vm.
> > >
> > > tpm-test:~# tpm_version
> > >   TPM 1.2 Version Info:
> > >   Chip Version:        1.2.0.4
> > >   Spec Level:          2
> > >   Errata Revision:     94
> > >   TPM Vendor ID:
> > >   TPM Version:         01010000
> > >   Manufacturer Info:   4554485a
> > >
> > > Also this quote is from Xen User's Guide:
> > >
> > > "Similarly, the TPM frontend driver must be compiled for the kernel
> > > trying to use TPM functionality. Its driver can be selected in the
> > > kernel configuration section Device Driver / Character Devices / TPM
> > > Devices. Along with that the TPM driver for the built-in TPM must be
> > > selected."
> > >
> > > According to my understanding the driver for the built-in TPM must be
> > > selected on the kernel where the TPM frontend driver is used. Am I correct
> > > about this assumption? (The problem is the tpm_infineon driver can not be
> >
> > The driver for the built-in Infineon TPM must be built into Domain-0,
> > the TPM frontend driver in the guest domain and the backend driver
> > also into Domain-0. This has probably been done correctly since
> > otherwise the vTPM would not work at all.
> >
> >
> > > selected on an unprivileged kernel, it can only be selected on a
> > > privileged kernel)
> > >
> > > Am I missing something here? Why do I get auth errors?
> >
> >
> > Did you try to run the same sequence of commands (tpm commands, test
> > suite etc.) on a plain Linux kernel with the TSS stack against the
> > built-in Infineon TPM? From what I remember, the test suite for the
> > TSS stack either tries to set a specific TPM owner password or it must
> > previously have been set to it by the user, otherwise many
> > authentication errors will occur.
> >
> >    Stefan
> >
> > >
> > > Thanks in advance.
> > >
> > > Erdem Bayer
> > > [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
> > > [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
> > > _______________________________________________
> > > Xense-devel mailing list
> > > Xense-devel@xxxxxxxxxxxxxxxxxxx
> > > http://lists.xensource.com/xense-devel
>  
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
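To make Stefan's diagnosis of the TPM_LoadKey2()/TPM_LoadKey() authorization failure concrete, here is an added example (not code from this thread, from TrouSerS or from the Xen vTPM) showing how a TPM 1.2 OIAP authorization HMAC binds the command ordinal: a LoadKey2 request authorized by the caller verifies when checked as LoadKey2 and fails when checked as LoadKey. The ordinal values and digest layout follow the TPM 1.2 specification; the key blob and nonces are constructed sample values, and the thread does not establish that an ordinal rewrite is the exact defect in the vTPM.

```python
import hashlib
import hmac
import struct

# TPM 1.2 command ordinals (TPM_COMMAND_CODE values from the TPM Main spec).
TPM_ORD_LoadKey = 0x00000020
TPM_ORD_LoadKey2 = 0x00000041

# The TSS uses SHA-1(password) as the auth secret; the SRK "well-known
# secret" is twenty zero bytes, used here as the parent-key secret.
SRK_WELL_KNOWN_SECRET = bytes(20)


def in_param_digest(ordinal: int, *params: bytes) -> bytes:
    """inParamDigest = SHA-1(ordinal || authorised input parameters).
    Handles and the auth trailer are excluded, but the ordinal is covered,
    so one key blob sent under two ordinals gives two different digests."""
    h = hashlib.sha1(struct.pack(">I", ordinal))
    for p in params:
        h.update(p)
    return h.digest()


def auth_hmac(secret: bytes, digest: bytes, nonce_even: bytes,
              nonce_odd: bytes, continue_session: bool = False) -> bytes:
    """OIAP authorisation value: HMAC-SHA1(secret,
    inParamDigest || nonceEven || nonceOdd || continueAuthSession)."""
    msg = digest + nonce_even + nonce_odd + bytes([int(continue_session)])
    return hmac.new(secret, msg, hashlib.sha1).digest()


def caller_auth(ordinal, secret, key_blob, nonce_even, nonce_odd):
    """What the TSS places in the auth trailer of a LoadKey/LoadKey2 command."""
    return auth_hmac(secret, in_param_digest(ordinal, key_blob), nonce_even, nonce_odd)


def tpm_accepts(ordinal_executed, secret, key_blob, nonce_even, nonce_odd, received):
    """The TPM recomputes the HMAC over the ordinal it actually executes."""
    expected = auth_hmac(secret, in_param_digest(ordinal_executed, key_blob),
                         nonce_even, nonce_odd)
    return hmac.compare_digest(expected, received)


def demo():
    """Caller authorises TPM_LoadKey2; compare verification under 0x41 vs 0x20."""
    # Constructed sample values: a stand-in TPM_KEY blob and the session nonces.
    key_blob = b"\x01\x01\x00\x00" + b"constructed-key-blob"
    nonce_even, nonce_odd = bytes(range(20)), bytes(range(20, 40))
    sent = caller_auth(TPM_ORD_LoadKey2, SRK_WELL_KNOWN_SECRET, key_blob, nonce_even, nonce_odd)
    native = tpm_accepts(TPM_ORD_LoadKey2, SRK_WELL_KNOWN_SECRET, key_blob, nonce_even, nonce_odd, sent)
    rewritten = tpm_accepts(TPM_ORD_LoadKey, SRK_WELL_KNOWN_SECRET, key_blob, nonce_even, nonce_odd, sent)
    return native, rewritten
```

`demo()` returns `(True, False)`: the same auth trailer passes under the ordinal the caller signed for and fails once the command is verified as a different ordinal, which is the symptom Stefan observed when LoadKey2 is emulated by LoadKey.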
 