[Xen-devel] Re: [Xense-devel] Infineon vtpm problem
Hi

I have searched a little deeper and found out that the tpm_emulator used in the vtpm implementation is a little outdated. I have searched the recent changes from tpm-emulator and the last significant diff involving TPM_LoadKey() was the one below. I want to know if applying this diff will improve my situation.

Thanks in advance
Erdem Bayer

ebayer@erdem-d tpm $ svn diff -r 201:179 tpm_storage.c
Index: tpm_storage.c =================================================================== --- tpm_storage.c (revision 201) +++ tpm_storage.c (revision 179)
@@ -521,13 +521,15 @@ parent = tpm_get_key(parentHandle); if (parent == NULL) return TPM_INVALID_KEYHANDLE; /* verify authorization */ - if (auth1->authHandle != TPM_INVALID_HANDLE) { - debug("[ authDataUsage=%.2x ]", parent->authDataUsage); - res = tpm_verify_auth(auth1, parent->usageAuth, parentHandle); - if (res != TPM_SUCCESS) return res; - } else if (parent->authDataUsage != TPM_AUTH_NEVER) { - debug("TPM_LoadKey(): parent key requires authorization."); - return TPM_AUTHFAIL; + if (parent->authDataUsage != TPM_AUTH_NEVER) { + if (auth1->authHandle != TPM_INVALID_HANDLE) { + debug("[ authDataUsage=%.2x ]", parent->authDataUsage); + res = tpm_verify_auth(auth1, parent->usageAuth, parentHandle); + if (res != TPM_SUCCESS) return res; + } else { + debug("TPM_LoadKey(): parent key requires authorization."); + return TPM_AUTHFAIL; + } } if (parent->keyUsage != TPM_KEY_STORAGE) return TPM_INVALID_KEYUSAGE; /* verify key properties */

Stefan Berger wrote On 28-02-2008 04:47:

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/27/2008 04:02:41 PM:

> Hi
>
> I have checked out the 0.3.2cvs version of trousers and finally get the
> tsstest working with very few differences from when it is run under a
> non-xen host. My previous attempts were on 0.3.1 (stable).
>
> However, when I run tpm_sealdata, I still get
>
> Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> Authorization failed.

So, I just tried this and I ran into the same problem. I then used some tools that let me control whether to use TPM_LoadKey() or TPM_LoadKey2(). Loading a key with TPM_LoadKey2() failed due to HMAC authorization failing, TPM_LoadKey() worked. From what I saw, the TSS is using TPM_LoadKey2() and the TPM implementation then states that TPM_LoadKey2() is emulated using TPM_LoadKey(). Well, it seems to be a bug in the TPM_LoadKey2() implementation.

> This reminds me that maybe I am using vtpm the wrong way. Is there a
> document about how to use vtpm?
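Review bot: the revision arguments run backwards (`svn diff -r 201:179`), so the `+` lines in this hunk are the older revision 179 and applying it as shown reverts the TPM_LoadKey() authorization check instead of updating it. On the `-` side (revision 201) `tpm_verify_auth(auth1, parent->usageAuth, parentHandle)` runs whenever a session handle is supplied, whatever `parent->authDataUsage` is; on the `+` side (revision 179) the outer `if (parent->authDataUsage != TPM_AUTH_NEVER)` means a session supplied for a TPM_AUTH_NEVER parent is never verified, so a wrong HMAC there goes undetected. For a parent that does require authorization both sides verify the HMAC and return the same failure, so this hunk would not change the "Authorization failed" result unless the parent key is TPM_AUTH_NEVER. Suggest keeping the revision 201 ordering and, if the older logic is tried for diagnosis only, applying it with `svn diff -r 179:201` reversed explicitly so the direction is recorded.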
No, you are using it correctly.

Stefan

> Here is what I do from scratch:
>
> 1. Clear and reactivate TPM from bios.
> 2. Run vtpm_managerd in dom0 and let it continue running on console.
> 3. Boot domU with vif statement in config file.
> 4. Run tcsd -f on domU and let it continue running on console.
>
> From now on every tpm operation I run on domU returns an error.
>
> Operations tried on domU
>
> 1. I tried tpm_takeownership with success (although I see an error on
> tcsd -f output, I assume it is normal because I see the exact same error
> when I run takeownership from a non-xen host and actually prove ownership
> taken by using sealdata successfully) but when I try tpm_sealdata I get
> the above error.
>
> 2. After starting from scratch, I tried tpm_sealdata without first trying
> to take ownership. This time there is a different output:
>
> Enter SRK password:
> Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad
> Parameter
>
> I think I am not able to use vtpm because probably I am not doing the
> right sequence of actions on domU. So if there is a document about vtpm
> usage, please point me to it.
>
> And here is another question:
>
> I never run tpm_takeownership on dom0. Whenever I start from scratch I
> let the vtpm_managerd take ownership of the tpm. However, I do not know
> the owner or srk password it uses. When I use vtpm on domU and am asked for
> the srk password, which password should I enter? Also, should I take
> ownership of vtpm on domU every time I boot it? How do I save the state of
> the vtpm for a domain across boots?
>
> Thanks for your time.
> Erdem Bayer
>
> Stefan Berger wrote On 27-02-2008 05:59:
>
>> xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 02/26/2008 06:28:01 PM:
>>
>>> Hi
>>>
>>> I have successfully applied the patch mentioned here
>>> (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html)
>>> to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
>>>
>>> I cleared the tpm, deleted the /var/vtpm/VTPM file and rebooted.
>>>
>>> After reboot, vtpm_managerd runs ok. (output is attached to the mail.)
>>>
>>> I created a pv vm with the option vtpm = ['instance=1, backend=0'] The
>>> vm boots fine.
>>>
>>> I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on the vm.
>>>
>>> I run tcsd -f on the vm. (output is attached to the mail.)
>>>
>>> I checked out and ran the trousers test suite. 10 tests passed with 230
>>> failed. (Is this expected?)
>>
>> It is likely that this (v)TPM implementation has quite a few bugs, but
>> I would not expect that many errors.
>>
>>> When I try tpm_takeownership on the vm, the command runs fine. (Although
>>> a strange warning appears on tcsd output which is attached).
>>
>> This error may be related to older versions of the TPM device driver
>> having used an ioctl interface for sending/receiving commands to/from
>> the TPM and the TSS still tries this interface first. This should not
>> be a reason for the errors you are seeing.
>>
>>> But when I try tpm_sealdata < foo on the vm I get the following error.
>>>
>>> Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
>>> Authorization failed
>>>
>>> But tpm_version runs fine on the vm.
>>>
>>> tpm-test:~# tpm_version
>>> TPM 1.2 Version Info:
>>> Chip Version: 1.2.0.4
>>> Spec Level: 2
>>> Errata Revision: 94
>>> TPM Vendor ID:
>>> TPM Version: 01010000
>>> Manufacturer Info: 4554485a
>>>
>>> Also this quote is from Xen User's Guide:
>>>
>>> "Similarly, the TPM frontend driver must be compiled for the kernel
>>> trying to use TPM functionality. Its driver can be selected in the
>>> kernel configuration section Device Driver / Character Devices / TPM
>>> Devices. Along with that the TPM driver for the built-in TPM must be
>>> selected."
>>>
>>> According to my understanding the driver for the built-in TPM must be
>>> selected on the kernel where the TPM frontend driver is used. Am I correct
>>> about this assumption? (The problem is the tpm_infineon driver can not be
>>
>> The driver for the built-in Infineon TPM must be built into Domain-0,
>> the TPM frontend driver in the guest domain and the backend driver
>> also into Domain-0. This has probably been done correctly since
>> otherwise the vTPM would not work at all.
>>
>>> selected on an unprivileged kernel, it can only be selected on a
>>> privileged kernel)
>>>
>>> Am I missing something here? Why do I get auth errors?
>>
>> Did you try to run the same sequence of commands (tpm commands, test
>> suite etc.) on a plain Linux kernel with the TSS stack against the
>> built-in Infineon TPM? From what I remember, the test suite for the
>> TSS stack either tries to set a specific TPM owner password or it must
>> previously have been set to it by the user, otherwise many
>> authentication errors will occur.
>>
>> Stefan
>>
>>> Thanks in advance.
>>>
>>> Erdem Bayer
>>> [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
>>> [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
>>> _______________________________________________
>>> Xense-devel mailing list
>>> Xense-devel@xxxxxxxxxxxxxxxxxxx
>>> http://lists.xensource.com/xense-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel