Re: [Xense-devel] Infineon vtpm problem

[Erdem Bayer <ebayer@bayer.gen.tr>]

Hi

I have searched a little deeper and find out that tpm_emulator used in 
vtpm implementation is a little outdated. I have searched the recent 
changes from tpm-emulator and the last significant diff involving 
TPM_LoadKey() was the below one.

I want to know if applying this diff will inprove my situation.

Thanks in advance
Erdem Bayer

ebayer@erdem-d tpm $ svn diff -r 201:179 tpm_storage.c
Index: tpm_storage.c
===================================================================
--- tpm_storage.c       (revision 201)
+++ tpm_storage.c       (revision 179)
@@ -521,13 +521,15 @@
   parent = tpm_get_key(parentHandle);
   if (parent == NULL) return TPM_INVALID_KEYHANDLE;
   /* verify authorization */
-  if (auth1->authHandle != TPM_INVALID_HANDLE) {
-    debug("[ authDataUsage=%.2x ]", parent->authDataUsage);
-    res = tpm_verify_auth(auth1, parent->usageAuth, parentHandle);
-    if (res != TPM_SUCCESS) return res;
-  } else if (parent->authDataUsage != TPM_AUTH_NEVER) {
-    debug("TPM_LoadKey(): parent key requires authorization.");
-    return TPM_AUTHFAIL;
+  if (parent->authDataUsage != TPM_AUTH_NEVER) {
+    if (auth1->authHandle != TPM_INVALID_HANDLE) {
+      debug("[ authDataUsage=%.2x ]", parent->authDataUsage);
+      res = tpm_verify_auth(auth1, parent->usageAuth, parentHandle);
+      if (res != TPM_SUCCESS) return res;
+    } else {
+      debug("TPM_LoadKey(): parent key requires authorization.");
+      return TPM_AUTHFAIL;
+    }
   }
   if (parent->keyUsage != TPM_KEY_STORAGE) return TPM_INVALID_KEYUSAGE;
   /* verify key properties */


Stefan Berger wrote On 28-02-2008 04:47:
>
> xense-devel-bounces@lists.xensource.com wrote on 02/27/2008 04:02:41 PM:
>
> > Hi
> >
> > I have checked out the 0.3.2cvs version of trousers and finally get the
> > tsstest working with very few differences from when it is run under
> > non-xen host. My previous attempts was on 0.3.1 (stable).
> >
> > However when run tpm_sealdata, I still get
> >
> > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > Authorization failed.
>
> So, I just tried this and I ran into the same problem. I then used 
> some tools that let me control whether to use TPM_LoadKey() or 
> TPM_LoadKey2(). Loading a key with TPM_LoadKey2() failed due to HMAC 
> authorization failing, TPM_LoadKey() worked. From what I saw is that 
> the TSS is using TPM_LoadKey2() and the TPM implementation then states 
> that TPM_LoadKey2() is emulated using TPM_LoadKey(). Well, it seems to 
> be a bug in the TPM_LoadKey2() implementation.
>
> >
> > This reminds me that maybe I am using vtpm wrong way. Is there a
> > document about how to use vtpm?
> >
> No, you are using it correctly.
>
>   Stefan
>
>
>
> > Here is what I do from sratch:
> >
> > 1. Clear and reactivate TPM from bios.
> > 2. Run vtpm_managerd in dom0 and let it continue running on console.
> > 3. Boot domU with vif statement in config file.
> > 4. Run tcsd -f on domU and let it continue running on console.
> >
> >  From now on every tpm operation I run on domU returns an error.
> >
> > Operations tried on domU
> >
> > 1. I tried tpm_takeownership with success (although I see an error on
> > tcsd -f output, I assume it is normal because I see exact same error
> > when I run takeownership from non-xen host and actually prove ownership
> > taken by using sealdata successfully) but when I try tpm_sealdata I get
> > above error.
> >
> > 2. After starting from scratch, I tried tpm_sealdata without first try
> > to take ownership. This time there is a different output:
> >
> > Enter SRK password:
> > Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad
> > Parameter
> >
> > I think I am not able to use vtpm because probably I am not doing the
> > right sequence of actions on domU. So if there is a document about vtpm
> > usage, please point me to it.
> >
> > And here is another question:
> >
> > I never run tpm_takeownership on dom0. Whenever I start from scratch I
> > let the vtpm_managerd to take ownership of tpm. However, I do not know
> > the owner or srk password it uses. When I use vtpm on domU and asked 
> for
> > the srk pasword, which password should I enter? Also, should I take
> > ownership of vtpm on domU every time I booted it? How do I save 
> state of
> > the vtpm for a domain across boots?
> >
> > Thanks for time.
> > Erdem Bayer
> >
> >
> > Stefan Berger wrote On 27-02-2008 05:59:
> > >
> > > xense-devel-bounces@lists.xensource.com wrote on 02/26/2008 
> 06:28:01 PM:
> > >
> > > > Hi
> > > >
> > > > I have successfully applied the patch mentioned here
> > > >
> > > 
> (http://lists.xensource.com/archives/html/xense-devel/2007-04/msg00005.html
> > )
> > >
> > > > to the xen v. 3.1.3 on an HP nx8325 with Infineon TPM.
> > > >
> > > > I cleared the tpm, deleted /var/vtpm/VTPM file and rebooted.
> > > >
> > > > After reboot, vtpm_managerd runs ok. (output is attched to the 
> mail.)
> > > >
> > > > I created a pv vm with the option vtpm = ['instance=1, 
> backend=0'] The
> > > > vm boots fine.
> > > >
> > > > I installed trousers-0.3.1 and tpm-tools-1.3.1 from sources on 
> the vm.
> > > >
> > > > I run tcsd -f on the vm. (output is attched to the mail.)
> > > >
> > > > I checkout and run the trousers test suite. 10 tests passed with 230
> > > > failed. (Is this expected?)
> > >
> > >
> > > It is likely that this (v)TPM implementation has quite a few bugs, 
> but
> > > I would not expect that many errors.
> > >
> > > >
> > > > When I try tpm_takeownership on the vm, the command runs fine.
> > > (Although
> > > > a strange warning appers on tcsd output which is attched).
> > >
> > > This error may be related to older versions of the TPM device driver
> > > having used an ioctl interface for sending/receiving commands to/from
> > > the TPM and the TSS still tries this interface first. This should not
> > > be a reason for the errors you are seeing.
> > >
> > > >
> > > > But when I try tpm_sealdata < foo on the vm I get the following 
> error.
> > > >
> > > > Tspi_Key_LoadKey failed: 0x00003113 - layer=tsp, code=0113 (275),
> > > > Authorization failed
> > > >
> > > > But other tpm_version runs fine on vm.
> > > >
> > > > tpm-test:~# tpm_version
> > > >   TPM 1.2 Version Info:
> > > >   Chip Version:        1.2.0.4
> > > >   Spec Level:          2
> > > >   Errata Revision:     94
> > > >   TPM Vendor ID:
> > > >   TPM Version:         01010000
> > > >   Manufacturer Info:   4554485a
> > > >
> > > > Also this quote is from Xen User's Guide:
> > > >
> > > > "Similarly, the TPM frontend driver must be compiled for the kernel
> > > > trying to use TPM functionality. Its driver can be selected in the
> > > > kernel configuration section Device Driver / Character Devices / TPM
> > > > Devices. Along with that the TPM driver for the built-in TPM must be
> > > > selected."
> > > >
> > > > According to my understanding driver for the built-in TPM must be
> > > > selected on the kernel where TPM frontend driver is used. Am I 
> correct
> > > > about this assumption? (The problem is tpm_infineon driver can 
> not be
> > >
> > > The driver for the built-in Infineon TPM must be built into Domain-0,
> > > the TPM frontend driver in the guest domain and the backend driver
> > > also into Domain-0. This has probably been done correctly since
> > > otherwise the vTPM would not work at all.
> > >
> > >  
> > > > selected on an unpriviledged kernel, it can only be selected on a
> > > > priviledged kernel)
> > > >
> > > > Am I missing something here? Why do I get auth errors?
> > >
> > >
> > > Did you try to run the same sequence of comands (tpm commands, test
> > > suite etc.) on a plain Linux kernel with the TSS stack against the
> > > built-in Infineone TPM? From what I remember, the test suite for the
> > > TSS stack either tries to set a specific TPM owner password or it 
> must
> > > previously have been set to it by the user, otherwise many
> > > authentication errors will occur.
> > >
> > >    Stefan
> > >
> > > >
> > > > Thanks in advance.
> > > >
> > > > Erdem Bayer
> > > > [attachment "vtpm_managerd.out" deleted by Stefan Berger/Watson/IBM]
> > > > [attachment "tcsd.out" deleted by Stefan Berger/Watson/IBM]
> > > > _______________________________________________
> > > > Xense-devel mailing list
> > > > Xense-devel@lists.xensource.com
> > > > http://lists.xensource.com/xense-devel
> >
> > _______________________________________________
> > Xense-devel mailing list
> > Xense-devel@lists.xensource.com
> > http://lists.xensource.com/xense-devel