From: Patrick Ohly <patrick.ohly at intel.com>
To: tpm2@lists.01.org
Subject: Re: [tpm2] using TPM2 NVRAM for storing LUKS password
Date: Thu, 09 Nov 2017 21:40:16 +0100 [thread overview]
Message-ID: <1510260016.22094.42.camel@intel.com> (raw)
In-Reply-To: daad79b4-05ac-1e08-0f06-abd7d7bbe940@linux.vnet.ibm.com
On Thu, 2017-11-09 at 10:17 -0500, Stefan Berger wrote:
> On 11/09/2017 10:10 AM, Patrick Ohly wrote:
> > On Thu, 2017-11-09 at 09:55 -0500, Stefan Berger wrote:
> > > I did all of this with the latest versions of libtpms and swtpm and
> > > it works fine for me.
> >
> > Which TPM tools (project and revision?) did you use?
> >
>
> I used the tpm2-tools and tpm2-tss available from Fedora 26.
That's 2.1.1, which is a bit more recent than the 2.1.0 that I am
currently building with meta-measured. But that difference is minor.
How did you connect to swtpm from inside QEMU? Did your test involve
restarting swtpm?
When I reboot the virtual machine without restarting QEMU and swtpm,
then NVRAM survives the reboot.
But when I stop QEMU and swtpm and then boot up again, swtpm modifies
the tpm2-00.permall data file when QEMU connects and the previously
defined NVRAM entry is gone. This can already be reproduced with just
"tpm2_nvdefine".
Here's roughly what I ran:
swtpm socket --ctrl type=unixio,path=/tmp/swtpm.sock --tpmstate dir=tpm --log file=swtpm.log --tpm2 &
qemu ... -chardev 'socket,id=chrtpm0,path=/tmp/swtpm.sock' -tpmdev emulator,id=tpm0,chardev=chrtpm0 -device tpm-tis,tpmdev=tpm0 ...
# export TPM2TOOLS_TCTI_NAME=device
# tpm2_nvdefine -x 0x1500001 -s 40 -a 0x40000001 -t 0x80020002
^ac
(qemu) q
swtpm terminates now and one can take a copy of the current state:
cp tpm/tpm2-00.permall /tmp
Then start both swtpm and qemu again as above, without any TPM
operations from userspace, and check:
cmp tpm/tpm2-00.permall /tmp/tpm2-00.permall
tpm/tpm2-00.permall /tmp/tpm2-00.permall differ: byte 313, line 1
BTW, should the swtpm instance above really terminate when qemu
disconnects? It currently does, although -terminate is not given.
How can I enable more debug logging inside swtpm? Increasing the level
does not really provide much useful information.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
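An added host-side helper (not part of the thread, and not code from swtpm or tpm2-tools) that scripts the snapshot-and-compare check from the message above; it assumes the state directory "tpm", the socket path /tmp/swtpm.sock and a snapshot under /tmp as in the message, and leaves the QEMU launch and the in-guest tpm2_nvdefine step to the caller since their full command lines are not given.

```shell
#!/bin/sh
# Reproduction helper for "does swtpm's TPM2 state file survive a full
# swtpm + QEMU restart?".  Assumed layout (matches the message):
#   state dir ./tpm, state file tpm/tpm2-00.permall, ctrl socket /tmp/swtpm.sock
set -eu

STATE_DIR="${STATE_DIR:-tpm}"
STATE_FILE="$STATE_DIR/tpm2-00.permall"
SNAPSHOT="${SNAPSHOT:-/tmp/tpm2-00.permall.snapshot}"

# Print the 1-based offset of the first byte that differs between two
# files, 0 when they are identical, -1 when cmp reported only an EOF
# (one file is a prefix of the other).  Wraps cmp so callers can branch.
first_diff_byte() {
    out=$(cmp "$1" "$2" 2>/dev/null) && { echo 0; return 0; }
    # GNU cmp prints "... differ: byte N, line M", BSD cmp "... differ: char N, line M"
    n=$(printf '%s\n' "$out" | sed -n 's/.*differ: [a-z]* \([0-9]*\).*/\1/p')
    echo "${n:--1}"
}

# Start swtpm exactly as in the message (backgrounded; it exits when QEMU disconnects).
start_swtpm() {
    swtpm socket --ctrl type=unixio,path=/tmp/swtpm.sock \
        --tpmstate dir="$STATE_DIR" --log file=swtpm.log --tpm2 &
}

# Copy the state file once swtpm has terminated after the first boot.
snapshot_state() { cp "$STATE_FILE" "$SNAPSHOT"; }

# Phase 1: start swtpm, boot QEMU, run tpm2_nvdefine in the guest, quit
#          QEMU, then "snapshot".
# Phase 2: start swtpm, boot QEMU with no TPM operations, quit QEMU,
#          then "check": a non-zero offset means the emulator rewrote
#          its persistent state on reconnect.
case "${1:-}" in
  start)    start_swtpm ;;
  snapshot) snapshot_state; echo "snapshot saved to $SNAPSHOT" ;;
  check)
    off=$(first_diff_byte "$STATE_FILE" "$SNAPSHOT")
    if [ "$off" -eq 0 ]; then
        echo "state unchanged across restart"
    else
        echo "state modified on reconnect: first differing byte $off"
        exit 2
    fi ;;
esac
```

Run "start" before each boot, "snapshot" after the first shutdown and "check" after the second; the exit status of "check" makes it usable from a CI job.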