From: Erdem Bayer <ebayer@bayer.gen.tr>
Cc: xen-devel@lists.xensource.com, xense-devel@lists.xensource.com
Subject: Re: [Xense-devel] Infineon vtpm problem
Date: Wed, 27 Feb 2008 23:02:41 +0200
Message-ID: <47C5CFF1.1050401@bayer.gen.tr>
In-Reply-To: <OFCB8F7084.73EA8239-ON852573FC.001496FA-852573FC.0015ECCF@us.ibm.com>
Hi
I have checked out the 0.3.2cvs version of trousers and finally got the
tsstest working with very few differences from when it is run under a
non-xen host. My previous attempts were on 0.3.1 (stable).
However, when I run tpm_sealdata, I still get
Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
Authorization failed.
This reminds me that maybe I am using vtpm the wrong way. Is there a
document about how to use vtpm?
Here is what I do from scratch:
1. Clear and reactivate TPM from bios.
2. Run vtpm_managerd in dom0 and let it continue running on console.
3. Boot domU with vif statement in config file.
4. Run tcsd -f on domU and let it continue running on console.
From now on every tpm operation I run on domU returns an error.
Operations tried on domU
1. I tried tpm_takeownership with success (although I see an error on
tcsd -f output, I assume it is normal because I see exact same error
when I run takeownership from non-xen host and actually prove ownership
taken by using sealdata successfully) but when I try tpm_sealdata I get
above error.
2. After starting from scratch, I tried tpm_sealdata without first trying
to take ownership. This time there is a different output:
Enter SRK password:
Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad
Parameter
I think I am not able to use vtpm because probably I am not doing the
right sequence of actions on domU. So if there is a document about vtpm
usage, please point me to it.
And here is another question:
I never run tpm_takeownership on dom0. Whenever I start from scratch I
let vtpm_managerd take ownership of the tpm. However, I do not know
the owner or srk password it uses. When I use vtpm on domU and am asked for
the srk password, which password should I enter? Also, should I take
ownership of vtpm on domU every time I boot it? How do I save the state of
the vtpm for a domain across boots?
Thanks for your time.
Erdem Bayer
Stefan Berger wrote On 27-02-2008 05:59:
>
> xense-devel-bounces@lists.xensource.com wrote on 02/26/2008 06:28:01 PM:
>
> > Hi
> >
> > I have successfully applied the patch mentioned here
> >
> (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html)
>
> > to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> >
> > I cleared the tpm, deleted /var/vtpm/VTPM file and rebooted.
> >
> > After reboot, vtpm_managerd runs ok. (output is attached to the mail.)
> >
> > I created a pv vm with the option vtpm = ['instance=1, backend=0'] The
> > vm boots fine.
> >
> > I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on the vm.
> >
> > I run tcsd -f on the vm. (output is attached to the mail.)
> >
> > I checkout and run the trousers test suite. 10 tests passed with 230
> > failed. (Is this expected?)
>
>
> It is likely that this (v)TPM implementation has quite a few bugs, but
> I would not expect that many errors.
>
> >
> > When I try tpm_takeownership on the vm, the command runs fine. (Although
> > a strange warning appears on tcsd output which is attached).
>
> This error may be related to older versions of the TPM device driver
> having used an ioctl interface for sending/receiving commands to/from
> the TPM and the TSS still tries this interface first. This should not
> be a reason for the errors you are seeing.
>
> >
> > But when I try tpm_sealdata < foo on the vm I get the following error.
> >
> > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > Authorization failed
> >
> > But other tpm_version runs fine on vm.
> >
> > tpm-test:~# tpm_version
> > TPM 1.2 Version Info:
> > Chip Version: 1.2.0.4
> > Spec Level: 2
> > Errata Revision: 94
> > TPM Vendor ID:
> > TPM Version: 01010000
> > Manufacturer Info: 4554485a
> >
> > Also this quote is from Xen User's Guide:
> >
> > "Similarly, the TPM frontend driver must be compiled for the kernel
> > trying to use TPM functionality. Its driver can be selected in the
> > kernel configuration section Device Driver / Character Devices / TPM
> > Devices. Along with that the TPM driver for the built-in TPM must be
> > selected."
> >
> > According to my understanding driver for the built-in TPM must be
> > selected on the kernel where TPM frontend driver is used. Am I correct
> > about this assumption? (The problem is tpm_infineon driver can not be
>
> The driver for the built-in Infineon TPM must be built into Domain-0,
> the TPM frontend driver in the guest domain and the backend driver
> also into Domain-0. This has probably been done correctly since
> otherwise the vTPM would not work at all.
>
>
> > selected on an unprivileged kernel, it can only be selected on a
> > privileged kernel)
> >
> > Am I missing something here? Why do I get auth errors?
>
>
> Did you try to run the same sequence of commands (tpm commands, test
> suite etc.) on a plain Linux kernel with the TSS stack against the
> built-in Infineon TPM? From what I remember, the test suite for the
> TSS stack either tries to set a specific TPM owner password or it must
> previously have been set to it by the user, otherwise many
> authentication errors will occur.
>
> Stefan
>
> >
> > Thanks in advance.
> >
> > Erdem Bayer
> > [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
> > [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
> > _______________________________________________
> > Xense-devel mailing list
> > Xense-devel@lists.xensource.com
> > http://lists.xensource.com/xense-devel
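
Added example, not part of the original message and not code from trousers or tpm-tools: a small Python parser for the two tpm-tools error lines quoted above. It assumes the TSS 1.2 result-code layout (reporting layer in bits 12-15, error code in bits 0-11) and shows that the first error was raised by the TSP library while the second came back from the (v)TPM itself; all function names are illustrative.

```python
import re

# The two error messages quoted in the message above, wrapped as in the mail.
SAMPLE = """\
Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
Authorization failed.
Enter SRK password:
Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad
Parameter
"""

# Assumed TSS 1.2 layout: bits 12-15 name the layer that produced the error.
LAYERS = {0x0: "tpm", 0x1: "tddl", 0x2: "tcs", 0x3: "tsp"}

ERR_RE = re.compile(
    r"(?P<func>\w+) failed: 0x(?P<raw>[0-9a-fA-F]{8}) - "
    r"layer=(?P<layer>\w+), code=(?P<code>[0-9a-fA-F]{4}) \((?P<dec>\d+)\), "
    r"(?P<msg>[^.]+)"
)

def decode_result(raw):
    """Split a 32-bit TSS result into (layer name, 12-bit error code)."""
    return LAYERS.get((raw >> 12) & 0xF, "unknown"), raw & 0xFFF

def parse_errors(text):
    """Find tpm-tools error lines, re-joining mail-wrapped lines first."""
    flat = " ".join(text.split())
    results = []
    for m in ERR_RE.finditer(flat):
        raw = int(m["raw"], 16)
        layer, code = decode_result(raw)
        results.append({
            "func": m["func"], "raw": raw, "layer": layer, "code": code,
            "message": m["msg"].strip(),
            # True when the printed layer/code fields agree with the hex value
            "consistent": layer == m["layer"]
                          and code == int(m["code"], 16) == int(m["dec"]),
        })
    return results

if __name__ == "__main__":
    for e in parse_errors(SAMPLE):
        print(f'{e["func"]}: layer={e["layer"]} code=0x{e["code"]:03x} '
              f'({e["message"]}) consistent={e["consistent"]}')
```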