xense-devel
Re: [Xen-devel] Re: [Xense-devel] Infineon vtpm problem
 
 xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/28/2008 03:42:07 AM:
 
> Hi 
>  
> I have looked through some source code and have the following questions: 
>  
> 1) 
> in tools/vtpm/vtpm/tpm/tpm_storage.c 
>  
> TPM_RESULT TPM_LoadKey2(TPM_KEY_HANDLE parentHandle, TPM_KEY *inKey,
>                         TPM_AUTH *auth1, TPM_KEY_HANDLE *inkeyHandle)
> { 
>   info("TPM_LoadKey2() is currently emulated by TPM_LoadKey()"); 
>   return TPM_LoadKey(parentHandle, inKey, auth1, inkeyHandle); 
> } 
>  
> So TPM_LoadKey2 is actually a wrapper around TPM_LoadKey() with exactly
> the same parameters. My question is, if they are using the same parameters,
> why does one fail while the other succeeds?
 
 It's (for example) the return path that's different.
TPM_LoadKey2() does NOT calculate the HMAC over the key's handle. And that's
actually the source of the bug.
  
>  
> And why is it necessary to wrap the TPM_LoadKey function with exactly
> the same call? Any pointers would be highly appreciated.
 
 
 Here's a link to a fairly recent version of the specification.
 
 https://www.trustedcomputinggroup.org/specs/TPM/mainP3Commandsrev103.zip
  
>  
> 2) 
> in tools/vtpm/vtpm/tpm/tpm_commands.h 
>  
>  * Description: ([TPM_Part3], Section 10.5) 
>  
> What is this TPM_Part3 document mentioned here and where can I locate
> it? Is this the document named "TPM Main Part3 IBM Commands" written by
> Ken Goldman and you? If that is correct, I have Revision 10 of this
> document dated 25 April 2005 and that document does not have Section
> 10.5. Is there a more recent version that I am not aware of?
 
 No, this is not referring to that document. It's referring
to the one link above.
  
>  
> 3) Is this problem specific to TPM hardware (i.e. only the Infineon TPM)
> or the xen version?
 
 It's a bug in the TPM emulator.
 
 This patch here does the trick. When I have some time I'll try to prepare
a patch for the patch that the Xen build process applies on top of the tpm
emulator code. I'll also send it to the maintainer(s) of the tpm emulator.
 
 --- ./tpm_emulator/tpm/tpm_cmd_handler.c    
   2008-02-27 16:35:41.000000000 -0500
 +++ vtpm/tpm/tpm_cmd_handler.c      
 2008-02-28 14:43:28.000000000 -0500
 @@ -94,12 +94,18 @@ void tpm_compute_out_param_digest(TPM_CO
    sha1_ctx_t sha1;
    UINT32 res = CPU_TO_BE32(rsp->result);
    UINT32 ord = CPU_TO_BE32(ordinal);
 +  UINT32 offset = 0;
  
    /* compute SHA1 hash */
    sha1_init(&sha1);
    sha1_update(&sha1, (BYTE*)&res,
4);
    sha1_update(&sha1, (BYTE*)&ord,
4);
 -  sha1_update(&sha1, rsp->param, rsp->paramSize);
 +  if (ordinal == TPM_ORD_LoadKey2) {
 +      offset = 4;
 +  }
 +  if (rsp->paramSize - offset > 0) {
 +      sha1_update(&sha1, rsp->param
+ offset, rsp->paramSize - offset);
 +  }
    sha1_final(&sha1, rsp->auth1->digest);
    if (rsp->auth2 != NULL) memcpy(rsp->auth2->digest,
      rsp->auth1->digest, sizeof(rsp->auth1->digest));
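Review bot: the guard `if (rsp->paramSize - offset > 0)` is evaluated in unsigned arithmetic (offset is a UINT32), so whenever paramSize is smaller than offset the subtraction wraps, the condition still holds, and sha1_update() is called on `rsp->param + offset` with a length close to 4 GB; write it as `if (rsp->paramSize > offset)` so a short or empty parameter block is simply skipped. A second, smaller point: the 4-byte skip is special-cased by ordinal inside the generic digest routine with no comment, and the reason (the returned inkeyHandle is on the wire but is not part of the outParamDigest for TPM_LoadKey2, which is exactly what separates it from TPM_LoadKey in the reply above) should be stated next to `offset = 4;` so the next reader does not take it for an off-by-four; if more handle-returning ordinals turn out to need the same treatment, an ordinal-to-offset table will age better than a growing chain of ifs here.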
 
 Please try it.
 
  
>  
> 4) You said you used some tools to trace and alter tss behaviour. What
> is this tool and how can I obtain it?
 
 It's not a publicly available tool. It basically forms the TPM commands
directly and writes them to /dev/tpm0, and so circumvents the TSS stack.
 
    Stefan
 
  
>  
> Thanks for your time 
> Erdem Bayer 
>  
> Stefan Berger wrote On 28-02-2008 04:47: 
> > 
> > xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/27/2008 04:02:41 PM:
> > 
> > > Hi 
> > > 
> > > I have checked out the 0.3.2cvs version of trousers and finally get the
> > > tsstest working with very few differences from when it is run under a
> > > non-xen host. My previous attempts were on 0.3.1 (stable).
> > > 
> > > However when run tpm_sealdata, I still get 
> > > 
> > > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > > Authorization failed.
> > 
> > So, I just tried this and I ran into the same problem. I then used
> > some tools that let me control whether to use TPM_LoadKey() or
> > TPM_LoadKey2(). Loading a key with TPM_LoadKey2() failed due to HMAC
> > authorization failing, TPM_LoadKey() worked. From what I saw, the TSS
> > is using TPM_LoadKey2() and the TPM implementation then states that
> > TPM_LoadKey2() is emulated using TPM_LoadKey(). Well, it seems to be
> > a bug in the TPM_LoadKey2() implementation.
> > 
> > > 
> > > This reminds me that maybe I am using vtpm the wrong way. Is there a
> > > document about how to use vtpm?
> > > 
> > No, you are using it correctly. 
> > 
> >   Stefan 
> > 
> > 
> > 
> > > Here is what I do from scratch:
> > > 
> > > 1. Clear and reactivate TPM from bios. 
> > > 2. Run vtpm_managerd in dom0 and let it continue running on the console.
> > > 3. Boot domU with vif statement in config file. 
> > > 4. Run tcsd -f on domU and let it continue running on console. 
> > > 
> > > From now on every tpm operation I run on domU returns an error.
> > > 
> > > Operations tried on domU 
> > > 
> > > 1. I tried tpm_takeownership with success (although I see an error on
> > > tcsd -f output, I assume it is normal because I see exactly the same error
> > > when I run takeownership from a non-xen host and actually prove ownership
> > > taken by using sealdata successfully) but when I try tpm_sealdata I get
> > > the above error.
> > > 
> > > 2. After starting from scratch, I tried tpm_sealdata without first trying
> > > to take ownership. This time there is a different output:
> > > 
> > > Enter SRK password: 
> > > Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad
> > > Parameter
> > > 
> > > I think I am not able to use vtpm because probably I am not doing the
> > > right sequence of actions on domU. So if there is a document about vtpm
> > > usage, please point me to it.
> > > 
> > > And here is another question: 
> > > 
> > > I never run tpm_takeownership on dom0. Whenever I start from scratch I
> > > let the vtpm_managerd take ownership of the tpm. However, I do not know
> > > the owner or srk password it uses. When I use vtpm on domU and am asked
> > > for the srk password, which password should I enter? Also, should I take
> > > ownership of vtpm on domU every time I boot it? How do I save the state
> > > of the vtpm for a domain across boots?
> > > 
> > > Thanks for your time.
> > > Erdem Bayer 
> > > 
> > > 
> > > Stefan Berger wrote On 27-02-2008 05:59: 
> > > > 
> > > > xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/26/2008 06:28:01 PM:
> > > > 
> > > > > Hi 
> > > > > 
> > > > > I have successfully applied the patch mentioned here
> > > > > (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html)
> > > > > to xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> > > > > 
> > > > > I cleared the tpm, deleted the /var/vtpm/VTPM file and rebooted.
> > > > > 
> > > > > After reboot, vtpm_managerd runs ok. (output is attached to the mail.)
> > > > > 
> > > > > I created a pv vm with the option vtpm = ['instance=1, backend=0']. The
> > > > > vm boots fine.
> > > > > 
> > > > > I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on the vm.
> > > > > 
> > > > > I run tcsd -f on the vm. (output is attached to the mail.)
> > > > > 
> > > > > I checked out and ran the trousers test suite. 10 tests passed with 230
> > > > > failed. (Is this expected?)
> > > > 
> > > > 
> > > > It is likely that this (v)TPM implementation has quite a few bugs, but
> > > > I would not expect that many errors.
> > > > 
> > > > > 
> > > > > When I try tpm_takeownership on the vm, the command runs fine. (Although
> > > > > a strange warning appears on tcsd output which is attached).
> > > > 
> > > > This error may be related to older versions of the TPM device driver
> > > > having used an ioctl interface for sending/receiving commands to/from
> > > > the TPM and the TSS still tries this interface first. This should not
> > > > be a reason for the errors you are seeing.
> > > > 
> > > > > 
> > > > > But when I try tpm_sealdata < foo on the vm I get the following error.
> > > > > 
> > > > > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > > > > Authorization failed
> > > > > 
> > > > > But other tpm_version runs fine on vm. 
> > > > > 
> > > > > tpm-test:~# tpm_version
> > > > >   TPM 1.2 Version Info:
> > > > >   Chip Version:        1.2.0.4
> > > > >   Spec Level:          2
> > > > >   Errata Revision:     94
> > > > >   TPM Vendor ID:
> > > > >   TPM Version:         01010000
> > > > >   Manufacturer Info:   4554485a
> > > > > 
> > > > > Also this quote is from Xen User's Guide:
> > > > > 
> > > > > "Similarly, the TPM frontend driver must be compiled for the kernel
> > > > > trying to use TPM functionality. Its driver can be selected in the
> > > > > kernel configuration section Device Driver / Character Devices / TPM
> > > > > Devices. Along with that the TPM driver for the built-in TPM must be
> > > > > selected."
> > > > > 
> > > > > According to my understanding the driver for the built-in TPM must be
> > > > > selected on the kernel where the TPM frontend driver is used. Am I correct
> > > > > about this assumption? (The problem is the tpm_infineon driver cannot be
> > > > 
> > > > The driver for the built-in Infineon TPM must be built into Domain-0,
> > > > the TPM frontend driver in the guest domain and the backend driver
> > > > also into Domain-0. This has probably been done correctly since
> > > > otherwise the vTPM would not work at all.
> > > > 
> > > >   
> > > > > selected on an unprivileged kernel, it can only be selected on a
> > > > > privileged kernel)
> > > > > 
> > > > > Am I missing something here? Why do I get auth errors?
> > > > 
> > > > 
> > > > Did you try to run the same sequence of commands (tpm commands, test
> > > > suite etc.) on a plain Linux kernel with the TSS stack against the
> > > > built-in Infineon TPM? From what I remember, the test suite for the
> > > > TSS stack either tries to set a specific TPM owner password or it must
> > > > previously have been set to it by the user, otherwise many
> > > > authentication errors will occur.
> > > > 
> > > >    Stefan 
> > > > 
> > > > > 
> > > > > Thanks in advance. 
> > > > > 
> > > > > Erdem Bayer 
> > > > > [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
> > > > > [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
> > > > > _______________________________________________ 
> > > > > Xense-devel mailing list 
> > > > > Xense-devel@xxxxxxxxxxxxxxxxxxx 
> > > > > http://lists.xensource.com/xense-devel 
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
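The authorization check behind the 0x3113 "Authorization failed" error discussed in this thread, as an added example that is not code from the Xen vTPM tree, the TPM emulator or TrouSerS. It models the TPM 1.2 response authorization that the patch above adjusts: outParamDigest = SHA1(returnCode || ordinal || hashed output parameters) and resAuth = HMAC-SHA1(usageAuth, outParamDigest || nonceEven || nonceOdd || continueAuthSession). One function computes the digest the way a spec-following TPM does, another the way the unpatched emulator does (every output byte, for every ordinal), and a third does what the TSS does on receipt: recompute resAuth and compare. The rule that LoadKey2's returned handle is on the wire but outside the digest is taken from the reply above; that LoadKey hashes everything follows from it working unpatched. The ordinal values are the TPM 1.2 ones; the secret, nonces and key handle are constructed values.

```python
# Added example; not code from the Xen vTPM tree, the TPM emulator or TrouSerS.
# Models the TPM 1.2 response authorization that the patch above adjusts:
#   outParamDigest = SHA1(returnCode || ordinal || hashed output params)
#   resAuth        = HMAC-SHA1(usageAuth, outParamDigest || nonceEven ||
#                              nonceOdd || continueAuthSession)
import hashlib
import hmac
import struct

TPM_SUCCESS = 0x00000000
TPM_ORD_LoadKey = 0x00000020      # TPM 1.2 ordinals (Main Part 2)
TPM_ORD_LoadKey2 = 0x00000041

# Ordinals whose response carries a 4-byte handle that is on the wire but
# excluded from outParamDigest. The thread establishes this for LoadKey2 only.
HANDLE_EXCLUDED_FROM_DIGEST = {TPM_ORD_LoadKey2}


def out_param_digest(result: int, ordinal: int, out_params: bytes) -> bytes:
    """Spec-conformant outParamDigest. LoadKey (which worked unpatched in the
    thread) hashes every output byte; LoadKey2 skips the returned handle."""
    if ordinal in HANDLE_EXCLUDED_FROM_DIGEST:
        if len(out_params) < 4:
            raise ValueError("response too short to carry a key handle")
        out_params = out_params[4:]
    return hashlib.sha1(struct.pack(">II", result, ordinal) + out_params).digest()


def buggy_emulator_digest(result: int, ordinal: int, out_params: bytes) -> bytes:
    """The unpatched emulator's generic digest: every output byte, for every
    ordinal, so the LoadKey2 handle is hashed in as well."""
    return hashlib.sha1(struct.pack(">II", result, ordinal) + out_params).digest()


def res_auth(secret: bytes, out_digest: bytes, nonce_even: bytes,
             nonce_odd: bytes, continue_session: bool) -> bytes:
    """resAuth as both the TPM (producer) and the TSS (verifier) compute it."""
    msg = out_digest + nonce_even + nonce_odd + bytes([1 if continue_session else 0])
    return hmac.new(secret, msg, hashlib.sha1).digest()


def tss_accepts(secret: bytes, ordinal: int, result: int, out_params: bytes,
                nonce_even: bytes, nonce_odd: bytes, continue_session: bool,
                tpm_res_auth: bytes) -> bool:
    """TSS side: recompute resAuth from the spec digest and compare. A mismatch
    is what TrouSerS reports as 0x3113 / 'Authorization failed'."""
    expected = res_auth(secret, out_param_digest(result, ordinal, out_params),
                        nonce_even, nonce_odd, continue_session)
    return hmac.compare_digest(expected, tpm_res_auth)


def demo() -> dict:
    """Per ordinal: (TSS accepts spec-following TPM, TSS accepts unpatched emulator)."""
    # Constructed values; a real TPM generates nonceEven and the handle itself.
    secret = hashlib.sha1(b"constructed SRK usage auth").digest()
    nonce_even = bytes(range(20))
    nonce_odd = bytes(range(20, 40))
    handle = struct.pack(">I", 0x01000001)   # returned inkeyHandle (constructed)
    cont = False
    outcome = {}
    for ordinal in (TPM_ORD_LoadKey, TPM_ORD_LoadKey2):
        good = res_auth(secret, out_param_digest(TPM_SUCCESS, ordinal, handle),
                        nonce_even, nonce_odd, cont)
        bad = res_auth(secret, buggy_emulator_digest(TPM_SUCCESS, ordinal, handle),
                       nonce_even, nonce_odd, cont)
        outcome[ordinal] = (
            tss_accepts(secret, ordinal, TPM_SUCCESS, handle, nonce_even, nonce_odd, cont, good),
            tss_accepts(secret, ordinal, TPM_SUCCESS, handle, nonce_even, nonce_odd, cont, bad),
        )
    return outcome


if __name__ == "__main__":
    for ordinal, (spec_ok, emu_ok) in demo().items():
        print(f"ordinal 0x{ordinal:08x}: spec TPM accepted={spec_ok}, "
              f"unpatched emulator accepted={emu_ok}")
```

demo() reports that the TSS accepts both the spec-following and the unpatched-emulator response for LoadKey, because the generic digest already matches what the TSS expects there, but for LoadKey2 it accepts only the spec-following one: the extra four handle bytes change outParamDigest, hence resAuth, and the TSS rejects the response. That is the same pattern seen in the thread with the private tool that switched between the two ordinals, and it is why a patch that only skips the handle for LoadKey2 is enough to fix the sealdata failure.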
 