[Xen-devel] Re: [Xense-devel] Infineon vtpm problem
xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/27/2008 04:02:41 PM:

> Hi
>
> I have checked out the 0.3.2cvs version of trousers and finally get the
> tsstest working with very few differences from when it is run under
> non-xen host. My previous attempts were on 0.3.1 (stable).
>
> However when run tpm_sealdata, I still get
>
> Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> Authorization failed.

So, I just tried this and I ran into the same problem. I then used some tools that let me control whether to use TPM_LoadKey() or TPM_LoadKey2(). Loading a key with TPM_LoadKey2() failed due to HMAC authorization failing, TPM_LoadKey() worked. From what I saw is that the TSS is using TPM_LoadKey2() and the TPM implementation then states that TPM_LoadKey2() is emulated using TPM_LoadKey(). Well, it seems to be a bug in the TPM_LoadKey2() implementation.

> This reminds me that maybe I am using vtpm wrong way. Is there a
> document about how to use vtpm?

No, you are using it correctly.

   Stefan

> Here is what I do from scratch:
>
> 1. Clear and reactivate TPM from bios.
> 2. Run vtpm_managerd in dom0 and let it continue running on console.
> 3. Boot domU with vif statement in config file.
> 4. Run tcsd -f on domU and let it continue running on console.
>
> From now on every tpm operation I run on domU returns an error.
>
> Operations tried on domU
>
> 1. I tried tpm_takeownership with success (although I see an error on
> tcsd -f output, I assume it is normal because I see exact same error
> when I run takeownership from non-xen host and actually prove ownership
> taken by using sealdata successfully) but when I try tpm_sealdata I get
> above error.
>
> 2. After starting from scratch, I tried tpm_sealdata without first try
> to take ownership.
> This time there is a different output:
>
> Enter SRK password:
> Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad
> Parameter
>
> I think I am not able to use vtpm because probably I am not doing the
> right sequence of actions on domU. So if there is a document about vtpm
> usage, please point me to it.
>
> And here is another question:
>
> I never run tpm_takeownership on dom0. Whenever I start from scratch I
> let the vtpm_managerd to take ownership of tpm. However, I do not know
> the owner or srk password it uses. When I use vtpm on domU and asked for
> the srk password, which password should I enter? Also, should I take
> ownership of vtpm on domU every time I booted it? How do I save state of
> the vtpm for a domain across boots?
>
> Thanks for time.
> Erdem Bayer
>
>
> Stefan Berger wrote On 27-02-2008 05:59:
> >
> > xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/26/2008 06:28:01 PM:
> >
> > > Hi
> > >
> > > I have successfully applied the patch mentioned here
> > > (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html)
> > > to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> > >
> > > I cleared the tpm, deleted /var/vtpm/VTPM file and rebooted.
> > >
> > > After reboot, vtpm_managerd runs ok. (output is attached to the mail.)
> > >
> > > I created a pv vm with the option vtpm = ['instance=1, backend=0'] The
> > > vm boots fine.
> > >
> > > I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on the vm.
> > >
> > > I run tcsd -f on the vm. (output is attached to the mail.)
> > >
> > > I checkout and run the trousers test suite. 10 tests passed with 230
> > > failed. (Is this expected?)
> >
> > It is likely that this (v)TPM implementation has quite a few bugs, but
> > I would not expect that many errors.
> >
> > > When I try tpm_takeownership on the vm, the command runs fine.
> > > (Although a strange warning appears on tcsd output which is attached).
> >
> > This error may be related to older versions of the TPM device driver
> > having used an ioctl interface for sending/receiving commands to/from
> > the TPM and the TSS still tries this interface first. This should not
> > be a reason for the errors you are seeing.
> >
> > > But when I try tpm_sealdata < foo on the vm I get the following error.
> > >
> > > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > > Authorization failed
> > >
> > > But other tpm_version runs fine on vm.
> > >
> > > tpm-test:~# tpm_version
> > > TPM 1.2 Version Info:
> > > Chip Version: 1.2.0.4
> > > Spec Level: 2
> > > Errata Revision: 94
> > > TPM Vendor ID:
> > > TPM Version: 01010000
> > > Manufacturer Info: 4554485a
> > >
> > > Also this quote is from Xen User's Guide:
> > >
> > > "Similarly, the TPM frontend driver must be compiled for the kernel
> > > trying to use TPM functionality. Its driver can be selected in the
> > > kernel configuration section Device Driver / Character Devices / TPM
> > > Devices. Along with that the TPM driver for the built-in TPM must be
> > > selected."
> > >
> > > According to my understanding driver for the built-in TPM must be
> > > selected on the kernel where TPM frontend driver is used. Am I correct
> > > about this assumption? (The problem is tpm_infineon driver can not be
> >
> > The driver for the built-in Infineon TPM must be built into Domain-0,
> > the TPM frontend driver in the guest domain and the backend driver
> > also into Domain-0. This has probably been done correctly since
> > otherwise the vTPM would not work at all.
> >
> > > selected on an unprivileged kernel, it can only be selected on a
> > > privileged kernel)
> > >
> > > Am I missing something here? Why do I get auth errors?
> >
> > Did you try to run the same sequence of commands (tpm commands, test
> > suite etc.) on a plain Linux kernel with the TSS stack against the
> > built-in Infineon TPM?
> > From what I remember, the test suite for the
> > TSS stack either tries to set a specific TPM owner password or it must
> > previously have been set to it by the user, otherwise many
> > authentication errors will occur.
> >
> > Stefan
> >
> > > Thanks in advance.
> > >
> > > Erdem Bayer
> > > [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
> > > [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
> > > _______________________________________________
> > > Xense-devel mailing list
> > > Xense-devel@xxxxxxxxxxxxxxxxxxx
> > > http://lists.xensource.com/xense-devel
>
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
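
Added example, not part of the thread and not the vTPM or TrouSerS code: the reply above reports that TPM_LoadKey2() fails HMAC authorization while TPM_LoadKey() works. The sketch shows how TPM 1.2 command authorization binds the HMAC to the command ordinal, so a request authorized as LoadKey2 is rejected if the verifier hashes the LoadKey ordinal. That this is the actual vTPM defect is an assumption (the thread does not identify the cause), and the password, key blob and nonces are constructed.

```python
import hashlib
import hmac
import struct

# Command ordinals from the TPM 1.2 specification.
TPM_ORD_LOADKEY = 0x00000014
TPM_ORD_LOADKEY2 = 0x00000041


def param_digest(ordinal: int, in_key: bytes) -> bytes:
    """SHA-1 over the ordinal and the authorized input parameter (the key blob)."""
    return hashlib.sha1(struct.pack(">I", ordinal) + in_key).digest()


def auth_value(secret: bytes, ordinal: int, in_key: bytes,
               nonce_even: bytes, nonce_odd: bytes, cont: bool = False) -> bytes:
    """Authorization HMAC, keyed with the parent key's usage secret."""
    msg = param_digest(ordinal, in_key) + nonce_even + nonce_odd + bytes([cont])
    return hmac.new(secret, msg, hashlib.sha1).digest()


def tpm_accepts(secret, in_key, nonce_even, nonce_odd, auth, checked_ordinal):
    """TPM-side check; checked_ordinal is the ordinal the verifier hashes."""
    expected = auth_value(secret, checked_ordinal, in_key, nonce_even, nonce_odd)
    return hmac.compare_digest(expected, auth)


def demo() -> dict:
    # All values below are constructed for illustration.
    secret = hashlib.sha1(b"constructed-srk-password").digest()
    in_key = bytes(range(64))                    # stand-in for a TPM_KEY blob
    nonce_even = hashlib.sha1(b"tpm nonce").digest()
    nonce_odd = hashlib.sha1(b"caller nonce").digest()
    # The TSS authorizes the request as TPM_LoadKey2.
    auth = auth_value(secret, TPM_ORD_LOADKEY2, in_key, nonce_even, nonce_odd)
    args = (secret, in_key, nonce_even, nonce_odd, auth)
    return {
        "checked_as_LoadKey2": tpm_accepts(*args, TPM_ORD_LOADKEY2),
        "checked_as_LoadKey": tpm_accepts(*args, TPM_ORD_LOADKEY),
    }


if __name__ == "__main__":
    print(demo())
```

An emulation layer that re-dispatches one command as another has to verify the caller's HMAC against the ordinal the caller actually sent before it rewrites the request.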