Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working

[Mimi Zohar <zohar@linux.ibm.com>]

Hi Michael,

On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:

> Well, there are at least two implementations I know of:
> For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
> This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
> Nuvoton 1.2 and 2.0. When switchting between 1.2 and 2.0 the Nuvoton gets
> reflashed with the appropriate firmware.

With IBM's LTC help, we finally found a Lenovo with the Nuvoton
NCPT650.  It's a System x3550 M5[1], not a ThinkStation P320, running
Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
with the latest stable 4.19.y kernel.  Both the TPM and IMA seem to be
working properly.  Not sure if this helps...

From dmesg:
# dmesg | grep -i tpm 
[    0.000000] Linux version 4.19.14 (mimi@x86tpm2Server.rtp.stglabs.i
bm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP
Thu Jan 10 22:32:54 EST 2019
[    0.000000] efi:  ACPI=0x7b786000  ACPI 2.0=0x7b786014 
SMBIOS=0x793fe000  TPMEventLog=0x426fa018 
[    0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL 
Tpm2Tabl 00001000 INTL 20130328)
[    0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL  EDK2  
  00000002 INTL 01000013)
[    2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2

# cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig
sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate

I installed the ibmtpm2tss[2], built (eg. autoreconf -i; configure --
enable-hwtpm) and installed it.

# export LD_LIBRARY_PATH=/usr/local/lib/
# cd /usr/local/bin
# ./tsspcrread -ha 10 -halg sha256 -ns
f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b

Mimi

[1] https://lenovopress.com/lp0599.pdf
[2] https://git.code.sf.net/p/ibmtpm20tss/tss