From: Erdem Bayer
Subject: Re: [Xense-devel] Infineon vtpm problem
Date: Wed, 27 Feb 2008 23:02:41 +0200
Message-ID: <47C5CFF1.1050401@bayer.gen.tr>
Cc: xen-devel@lists.xensource.com, xense-devel@lists.xensource.com

Hi

I have checked out the 0.3.2cvs version of trousers and finally got the
tsstest working with very few differences from when it is run under a
non-xen host. My previous attempts were on 0.3.1 (stable).

However, when I run tpm_sealdata, I still get

    Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275), Authorization failed.

This reminds me that maybe I am using vtpm the wrong way. Is there a
document about how to use vtpm? Here is what I do from scratch:

1. Clear and reactivate TPM from BIOS.
2. Run vtpm_managerd in dom0 and let it continue running on console.
3. Boot domU with vif statement in config file.
4. Run tcsd -f on domU and let it continue running on console.

From now on every tpm operation I run on domU returns an error.

Operations tried on domU

1. I tried tpm_takeownership with success (although I see an error on
tcsd -f output, I assume it is normal because I see the exact same error
when I run takeownership from a non-xen host and actually prove ownership
taken by using sealdata successfully), but when I try tpm_sealdata I get
the above error.

2. After starting from scratch, I tried tpm_sealdata without first trying
to take ownership. This time there is a different output:

    Enter SRK password:
    Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad Parameter

I think I am not able to use vtpm because probably I am not doing the
right sequence of actions on domU. So if there is a document about vtpm
usage, please point me to it.

And here is another question: I never run tpm_takeownership on dom0.
Whenever I start from scratch I let vtpm_managerd take ownership of the
TPM. However, I do not know the owner or SRK password it uses. When I use
vtpm on domU and am asked for the SRK password, which password should I
enter? Also, should I take ownership of the vtpm on domU every time I boot
it? How do I save the state of the vtpm for a domain across boots?

Thanks for your time.

Erdem Bayer

Stefan Berger wrote On 27-02-2008 05:59:
>
> xense-devel-bounces@lists.xensource.com wrote on 02/26/2008 06:28:01 PM:
>
> > Hi
> >
> > I have successfully applied the patch mentioned here
> > (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html)
> > to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> >
> > I cleared the tpm, deleted /var/vtpm/VTPM file and rebooted.
> >
> > After reboot, vtpm_managerd runs ok. (output is attached to the mail.)
> >
> > I created a pv vm with the option vtpm = ['instance=1, backend=0'] The
> > vm boots fine.
> >
> > I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on the vm.
> >
> > I run tcsd -f on the vm. (output is attached to the mail.)
> >
> > I checked out and ran the trousers test suite. 10 tests passed with 230
> > failed. (Is this expected?)
>
> It is likely that this (v)TPM implementation has quite a few bugs, but
> I would not expect that many errors.
>
> > When I try tpm_takeownership on the vm, the command runs fine.
> > (Although a strange warning appears on tcsd output which is attached).
>
> This error may be related to older versions of the TPM device driver
> having used an ioctl interface for sending/receiving commands to/from
> the TPM and the TSS still tries this interface first. This should not
> be a reason for the errors you are seeing.
>
> > But when I try tpm_sealdata < foo on the vm I get the following error.
> >
> > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > Authorization failed
> >
> > But other tpm_version runs fine on vm.
> >
> > tpm-test:~# tpm_version
> > TPM 1.2 Version Info:
> > Chip Version: 1.2.0.4
> > Spec Level: 2
> > Errata Revision: 94
> > TPM Vendor ID:
> > TPM Version: 01010000
> > Manufacturer Info: 4554485a
> >
> > Also this quote is from Xen User's Guide:
> >
> > "Similarly, the TPM frontend driver must be compiled for the kernel
> > trying to use TPM functionality. Its driver can be selected in the
> > kernel configuration section Device Driver / Character Devices / TPM
> > Devices. Along with that the TPM driver for the built-in TPM must be
> > selected."
> >
> > According to my understanding driver for the built-in TPM must be
> > selected on the kernel where TPM frontend driver is used. Am I correct
> > about this assumption? (The problem is tpm_infineon driver can not be
>
> The driver for the built-in Infineon TPM must be built into Domain-0,
> the TPM frontend driver in the guest domain and the backend driver
> also into Domain-0. This has probably been done correctly since
> otherwise the vTPM would not work at all.
>
> > selected on an unprivileged kernel, it can only be selected on a
> > privileged kernel)
> >
> > Am I missing something here? Why do I get auth errors?
>
> Did you try to run the same sequence of commands (tpm commands, test
> suite etc.) on a plain Linux kernel with the TSS stack against the
> built-in Infineon TPM? From what I remember, the test suite for the
> TSS stack either tries to set a specific TPM owner password or it must
> previously have been set to it by the user, otherwise many
> authentication errors will occur.
>
> Stefan
>
> > Thanks in advance.
> >
> > Erdem Bayer
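The two TSS_RESULT values quoted in this thread (0x00003113 and 0x00000003) follow the TSS 1.2 convention that bits 12-15 of the result identify the layer that raised the error (TPM, TDDL, TCS or TSP) and the low 12 bits carry the error code within that layer, which is exactly what the "layer=tsp, code=0113 (275)" text from tpm-tools is spelling out. The script below is an added example, not code from this thread or from the TrouSerS or tpm-tools projects: it decodes a raw TSS_RESULT into its layer and code, and pulls such codes out of captured tool output so that a failing sequence can be triaged without guessing which layer rejected the request. The layer constants are the ones from the TSS 1.2 header tss_error.h; the two macro names in the table are the ones that, to my knowledge, correspond to the codes quoted here, and the sample output lines are constructed from the two error lines in the thread.

```python
import re

# TSS 1.2 layer identifiers (tss_error.h): the layer sits in bits 12-15
# of a TSS_RESULT, the layer-specific error code in the low 12 bits.
TSS_LAYER_TPM = 0x0000
TSS_LAYER_TDDL = 0x1000
TSS_LAYER_TCS = 0x2000
TSS_LAYER_TSP = 0x3000
LAYER_MASK = 0xF000
CODE_MASK = 0x0FFF

LAYER_NAMES = {
    TSS_LAYER_TPM: "tpm",
    TSS_LAYER_TDDL: "tddl",
    TSS_LAYER_TCS: "tcs",
    TSS_LAYER_TSP: "tsp",
}

# Meanings of the two codes that appear in the thread, keyed by (layer, code).
# Macro names are my reading of tss_error.h (assumption); the descriptions
# are the strings tpm-tools printed in the thread.
KNOWN_CODES = {
    (TSS_LAYER_TSP, 0x113): ("TSS_E_TSP_AUTHFAIL", "Authorization failed"),
    (TSS_LAYER_TPM, 0x003): ("TPM_E_BAD_PARAMETER", "Bad Parameter"),
}


def decode_tss_result(result):
    """Split a 32-bit TSS_RESULT into layer and code and describe it."""
    layer = result & LAYER_MASK
    code = result & CODE_MASK
    layer_name = LAYER_NAMES.get(layer, "unknown")
    name, description = KNOWN_CODES.get((layer, code), ("?", "unknown error"))
    return {
        "layer": layer_name,
        "code": code,
        "name": name,
        "description": description,
        # Same shape as the tpm-tools message, so it can be compared directly.
        "text": "0x%08x - layer=%s, code=%04x (%d), %s"
        % (result, layer_name, code, code, description),
    }


# Lines like "Tspi_Key_LoadKey failed: 0x00003113 - ..." as printed by tpm-tools.
_FAILURE_RE = re.compile(r"(Tspi_\w+) failed: 0x([0-9A-Fa-f]{8})")


def parse_tss_failures(tool_output):
    """Return [(tspi_function, decoded_result), ...] for every failure line."""
    failures = []
    for line in tool_output.splitlines():
        match = _FAILURE_RE.search(line)
        if match:
            failures.append((match.group(1), decode_tss_result(int(match.group(2), 16))))
    return failures


# Constructed sample: the two failures reported in the thread, as tpm-tools
# would print them on the domU console.
SAMPLE_TOOL_OUTPUT = """\
Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275), Authorization failed
Enter SRK password:
Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad Parameter
"""


if __name__ == "__main__":
    for function, decoded in parse_tss_failures(SAMPLE_TOOL_OUTPUT):
        print("%s -> %s [%s]" % (function, decoded["text"], decoded["name"]))
```

The practical use of the layer field is the same triage Stefan's reply implies: a TSP-layer authorisation failure (0x3xxx) means the TSS library rejected the secret it was given before or while talking to the TPM, which points at the owner/SRK password question raised above, whereas a TPM-layer code (0x0xxx) is the chip (here, the vTPM) answering the command itself.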