vtpmmgr bug: fails to start if locality!=0

vtpmmgr bug: fails to start if locality!=0

[Emil Condrea]

[-- Attachment #1.1: Type: text/plain, Size: 1191 bytes --]

I am wondering if this is known issue that when I set locality!=0 to
vtpmmgr it does not start. It is a bit strange that every call to
tpm_tis_status returns 255 and device-id is also FFFF:
1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
TPM interface capabilities (0xffffffff):
I am configuring vtpmmgr using:

kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
memory=8
disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
name="vtpmmgr"
iomem=["fed40,5"]
extra="tpmlocality=2"

I also tried using :
iomem=["fed40,1"]
extra="tpmlocality=0"//works well
or
iomem=["fed42,1"]
extra="tpmlocality=2"
It seems that everything that is not mapped at fed40-fed41 is FFFFFFFF.
I have an Atmel TPM chipset.
Could it be a chipset problem to not handle well different localities?
When I use locality=0, the device driver info is correct and everything
works fine:
1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40)
TPM interface capabilities (0xfd)
In linux kernel this information is obtained using locality 0 and after
that other commands execute using specified locality.
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/drivers/char/tpm/tpm_tis.c#n558

Thanks,
Emil

[-- Attachment #1.2: Type: text/html, Size: 1961 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: vtpmmgr bug: fails to start if locality!=0

[Ian Campbell]

CCing Daniel.

On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
> 
> I am wondering if this is known issue that when I set locality!=0 to
> vtpmmgr it does not start. It is a bit strange that every call to
> tpm_tis_status returns 255 and device-id is also FFFF: 
> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
> TPM interface capabilities (0xffffffff):
> 
> I am configuring vtpmmgr using:
> 
> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
> memory=8
> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
> name="vtpmmgr"
> iomem=["fed40,5"]
> extra="tpmlocality=2"
> 
> 
> I also tried using :
> iomem=["fed40,1"]
> extra="tpmlocality=0"//works well
> 
> or
> iomem=["fed42,1"]
> extra="tpmlocality=2"
> It seems that everything that is not mapped at fed40-fed41 is
> FFFFFFFF.
> 
> I have an Atmel TPM chipset. 
> 
> Could it be a chipset problem to not handle well different localities?
> 
> When I use locality=0, the device driver info is correct and
> everything works fine:
> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40)
> TPM interface capabilities (0xfd)
> 
> In linux kernel this information is obtained using locality 0 and
> after that other commands execute using specified locality.
> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/drivers/char/tpm/tpm_tis.c#n558
> 
> 
> Thanks,
> 
> Emil
> 
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

Re: vtpmmgr bug: fails to start if locality!=0

[Daniel De Graaf]

On 11/05/2014 05:00 AM, Ian Campbell wrote:
> CCing Daniel.
>
> On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
>>
>> I am wondering if this is known issue that when I set locality!=0 to
>> vtpmmgr it does not start. It is a bit strange that every call to
>> tpm_tis_status returns 255 and device-id is also FFFF:
>> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
>> TPM interface capabilities (0xffffffff):
>>
>> I am configuring vtpmmgr using:
>>
>> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
>> memory=8
>> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
>> name="vtpmmgr"
>> iomem=["fed40,5"]
>> extra="tpmlocality=2"
>>
>>
>> I also tried using :
>> iomem=["fed40,1"]
>> extra="tpmlocality=0"//works well
>>
>> or
>> iomem=["fed42,1"]
>> extra="tpmlocality=2"
>> It seems that everything that is not mapped at fed40-fed41 is
>> FFFFFFFF.
>>
>> I have an Atmel TPM chipset.
>>
>> Could it be a chipset problem to not handle well different localities?
>>
>> When I use locality=0, the device driver info is correct and
>> everything works fine:
>> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40)
>> TPM interface capabilities (0xfd)

This may be an issue with locality 2 being unavailable unless a DRTM
launch (tboot) is performed.  Returning all-ones is the normal response
of the x86 chipset when unmapped MMIO regions are accessed; disabled
localities of the TPM may act like this.

Does your system support the DRTM launch?  If so, can you test it to see
if this is the issue?

In this case, to better support people who want to use the vTPM Manager
without a DRTM launch, the features of the vTPM Manager that use the TPM
1.2 PCRs may need to be disabled or implemented in an alternate manner
such as embedding the data in the quote instead of in PCRs.  The current
design was created with the assumption that systems using it would be
performing a DRTM launch in order to fully secure the boot process.

>> In linux kernel this information is obtained using locality 0 and
>> after that other commands execute using specified locality.
>> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/drivers/char/tpm/tpm_tis.c#n558

Have you tested that other localities work for your TPM under Linux?

>>
>> Thanks,
>>
>> Emil
>>

-- 
Daniel De Graaf
National Security Agency

Re: vtpmmgr bug: fails to start if locality!=0

[Xu, Quan]

> -----Original Message-----
> From: xen-devel-bounces@lists.xen.org
> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Daniel De Graaf
> Sent: Friday, November 07, 2014 5:55 AM
> To: Emil Condrea
> Cc: Ian Campbell; xen-devel@lists.xen.org
> Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0
> 
> On 11/05/2014 05:00 AM, Ian Campbell wrote:
> > CCing Daniel.
> >
> > On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
> >>
> >> I am wondering if this is known issue that when I set locality!=0 to
> >> vtpmmgr it does not start. It is a bit strange that every call to
> >> tpm_tis_status returns 255 and device-id is also FFFF:
> >> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
> >> TPM interface capabilities (0xffffffff):
> >>
> >> I am configuring vtpmmgr using:
> >>
> >> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
> >> memory=8
> >> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
> >> name="vtpmmgr"
> >> iomem=["fed40,5"]
> >> extra="tpmlocality=2"
> >>
> >>
> >> I also tried using :
> >> iomem=["fed40,1"]
> >> extra="tpmlocality=0"//works well
> >>
> >> or
> >> iomem=["fed42,1"]
> >> extra="tpmlocality=2"
> >> It seems that everything that is not mapped at fed40-fed41 is
> >> FFFFFFFF.
> >>
> >> I have an Atmel TPM chipset.
> >>
> >> Could it be a chipset problem to not handle well different localities?
> >>
> >> When I use locality=0, the device driver info is correct and
> >> everything works fine:
> >> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40) TPM interface
> >> capabilities (0xfd)
> 
> This may be an issue with locality 2 being unavailable unless a DRTM launch
> (tboot) is performed.  Returning all-ones is the normal response of the x86
> chipset when unmapped MMIO regions are accessed; disabled localities of
> the TPM may act like this.
> 
> Does your system support the DRTM launch?  If so, can you test it to see if
> this is the issue?


Emil,
tboot supports Intel and OEM systems that are Intel TXT-capable. 
If your system does not support DRTM launch, I can test it in next week. 


> 
> In this case, to better support people who want to use the vTPM Manager
> without a DRTM launch, the features of the vTPM Manager that use the TPM
> 1.2 PCRs may need to be disabled or implemented in an alternate manner
> such as embedding the data in the quote instead of in PCRs.  The current
> design was created with the assumption that systems using it would be
> performing a DRTM launch in order to fully secure the boot process.
> 
> >> In linux kernel this information is obtained using locality 0 and
> >> after that other commands execute using specified locality.
> >> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
> >> tree/drivers/char/tpm/tpm_tis.c#n558
> 
> Have you tested that other localities work for your TPM under Linux?
> 
> >>
> >> Thanks,
> >>
> >> Emil
> >>
> 
> --
> Daniel De Graaf
> National Security Agency
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

Re: vtpmmgr bug: fails to start if locality!=0

[Emil Condrea]

[-- Attachment #1.1: Type: text/plain, Size: 3431 bytes --]

Xu, my system does not support DRTM launch so if you can test it next week
it would be great.
Thanks

On Fri, Nov 7, 2014 at 3:46 AM, Xu, Quan <quan.xu@intel.com> wrote:

>
>
> > -----Original Message-----
> > From: xen-devel-bounces@lists.xen.org
> > [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Daniel De Graaf
> > Sent: Friday, November 07, 2014 5:55 AM
> > To: Emil Condrea
> > Cc: Ian Campbell; xen-devel@lists.xen.org
> > Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0
> >
> > On 11/05/2014 05:00 AM, Ian Campbell wrote:
> > > CCing Daniel.
> > >
> > > On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
> > >>
> > >> I am wondering if this is known issue that when I set locality!=0 to
> > >> vtpmmgr it does not start. It is a bit strange that every call to
> > >> tpm_tis_status returns 255 and device-id is also FFFF:
> > >> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
> > >> TPM interface capabilities (0xffffffff):
> > >>
> > >> I am configuring vtpmmgr using:
> > >>
> > >> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
> > >> memory=8
> > >> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
> > >> name="vtpmmgr"
> > >> iomem=["fed40,5"]
> > >> extra="tpmlocality=2"
> > >>
> > >>
> > >> I also tried using :
> > >> iomem=["fed40,1"]
> > >> extra="tpmlocality=0"//works well
> > >>
> > >> or
> > >> iomem=["fed42,1"]
> > >> extra="tpmlocality=2"
> > >> It seems that everything that is not mapped at fed40-fed41 is
> > >> FFFFFFFF.
> > >>
> > >> I have an Atmel TPM chipset.
> > >>
> > >> Could it be a chipset problem to not handle well different localities?
> > >>
> > >> When I use locality=0, the device driver info is correct and
> > >> everything works fine:
> > >> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40) TPM interface
> > >> capabilities (0xfd)
> >
> > This may be an issue with locality 2 being unavailable unless a DRTM
> launch
> > (tboot) is performed.  Returning all-ones is the normal response of the
> x86
> > chipset when unmapped MMIO regions are accessed; disabled localities of
> > the TPM may act like this.
> >
> > Does your system support the DRTM launch?  If so, can you test it to see
> if
> > this is the issue?
>
>
> Emil,
> tboot supports Intel and OEM systems that are Intel TXT-capable.
> If your system does not support DRTM launch, I can test it in next week.
>
>
> >
> > In this case, to better support people who want to use the vTPM Manager
> > without a DRTM launch, the features of the vTPM Manager that use the TPM
> > 1.2 PCRs may need to be disabled or implemented in an alternate manner
> > such as embedding the data in the quote instead of in PCRs.  The current
> > design was created with the assumption that systems using it would be
> > performing a DRTM launch in order to fully secure the boot process.
> >
> > >> In linux kernel this information is obtained using locality 0 and
> > >> after that other commands execute using specified locality.
> > >> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
> > >> tree/drivers/char/tpm/tpm_tis.c#n558
> >
> > Have you tested that other localities work for your TPM under Linux?
> >
> > >>
> > >> Thanks,
> > >>
> > >> Emil
> > >>
> >
> > --
> > Daniel De Graaf
> > National Security Agency
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xen.org
> > http://lists.xen.org/xen-devel
>

[-- Attachment #1.2: Type: text/html, Size: 5112 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: vtpmmgr bug: fails to start if locality!=0

[Xu, Quan]

Okay, I will test it in next week. 

Thanks 
Quan Xu


From: xen-devel-bounces@lists.xen.org [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Emil Condrea
Sent: Friday, November 07, 2014 6:42 PM
To: Xu, Quan
Cc: Daniel De Graaf; Ian Campbell; xen-devel@lists.xen.org
Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0

Xu, my system does not support DRTM launch so if you can test it next week it would be great.
Thanks

On Fri, Nov 7, 2014 at 3:46 AM, Xu, Quan <quan.xu@intel.com> wrote:


> -----Original Message-----
> From: xen-devel-bounces@lists.xen.org
> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Daniel De Graaf
> Sent: Friday, November 07, 2014 5:55 AM
> To: Emil Condrea
> Cc: Ian Campbell; xen-devel@lists.xen.org
> Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0
>
> On 11/05/2014 05:00 AM, Ian Campbell wrote:
> > CCing Daniel.
> >
> > On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
> >>
> >> I am wondering if this is known issue that when I set locality!=0 to
> >> vtpmmgr it does not start. It is a bit strange that every call to
> >> tpm_tis_status returns 255 and device-id is also FFFF:
> >> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
> >> TPM interface capabilities (0xffffffff):
> >>
> >> I am configuring vtpmmgr using:
> >>
> >> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
> >> memory=8
> >> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
> >> name="vtpmmgr"
> >> iomem=["fed40,5"]
> >> extra="tpmlocality=2"
> >>
> >>
> >> I also tried using :
> >> iomem=["fed40,1"]
> >> extra="tpmlocality=0"//works well
> >>
> >> or
> >> iomem=["fed42,1"]
> >> extra="tpmlocality=2"
> >> It seems that everything that is not mapped at fed40-fed41 is
> >> FFFFFFFF.
> >>
> >> I have an Atmel TPM chipset.
> >>
> >> Could it be a chipset problem to not handle well different localities?
> >>
> >> When I use locality=0, the device driver info is correct and
> >> everything works fine:
> >> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40) TPM interface
> >> capabilities (0xfd)
>
> This may be an issue with locality 2 being unavailable unless a DRTM launch
> (tboot) is performed.  Returning all-ones is the normal response of the x86
> chipset when unmapped MMIO regions are accessed; disabled localities of
> the TPM may act like this.
>
> Does your system support the DRTM launch?  If so, can you test it to see if
> this is the issue?

Emil,
tboot supports Intel and OEM systems that are Intel TXT-capable.
If your system does not support DRTM launch, I can test it in next week.


>
> In this case, to better support people who want to use the vTPM Manager
> without a DRTM launch, the features of the vTPM Manager that use the TPM
> 1.2 PCRs may need to be disabled or implemented in an alternate manner
> such as embedding the data in the quote instead of in PCRs.  The current
> design was created with the assumption that systems using it would be
> performing a DRTM launch in order to fully secure the boot process.
>
> >> In linux kernel this information is obtained using locality 0 and
> >> after that other commands execute using specified locality.
> >> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
> >> tree/drivers/char/tpm/tpm_tis.c#n558
>
> Have you tested that other localities work for your TPM under Linux?
>
> >>
> >> Thanks,
> >>
> >> Emil
> >>
>
> --
> Daniel De Graaf
> National Security Agency
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: vtpmmgr bug: fails to start if locality!=0

[Xu, Quan]

[-- Attachment #1: Type: text/plain, Size: 6713 bytes --]

Emil / Graaf,
	I have verified it, it is still not working when tboot is enabled. 
The attach file is txt-stat log. 
[...]

***********************************************************
         TXT measured launch: TRUE
         secrets flag set: TRUE
***********************************************************
[...]


Below is error when I boot vtpmmgr:


**********************************************************
[...]
IOMEM Machine Base Address: FED40000
Enabled Localities: 2
REQ LOCALITY FAILURE
Unable to request locality 2??
Shutting down tpm_tis device
Page fault at linear address 0xfed40008, rip 0x2f918, regs 0x10fc78, sp 0x10fd20, our_sp 0x10fc40, code 2
Thread: main
RIP: e030:[<000000000002f918>]
RSP: e02b:000000000010fd20  EFLAGS: 00010202
RAX: ffffffffffffffff RBX: 0000002000804c60 RCX: 000000000000072c
RDX: 000000000000001e RSI: 000000007fffffff RDI: 00000000fed40008
RBP: 000000000010fd20 R08: 000000000000000a R09: 00000000000af000
R10: 000000000000070e R11: 00000000000006d8 R12: 0000002000804c60
R13: 00000000fed42000 R14: 0000000000000000 R15: 0000000000000002
base is 0x10fd20 caller is 0x24977
base is 0x10fd40 caller is 0x24e32
base is 0x10fd80 caller is 0x5b4b
base is 0x10ff30 caller is 0x3510
base is 0x10ff50 caller is 0x287a2
base is 0x10ffe0 caller is 0x343b

10fd10: 20 fd 10 00 00 00 00 00 2b e0 00 00 00 00 00 00
10fd20: 40 fd 10 00 00 00 00 00 77 49 02 00 00 00 00 00
10fd30: 60 4c 80 00 20 00 00 00 02 00 00 00 00 00 00 00
10fd40: 80 fd 10 00 00 00 00 00 32 4e 02 00 00 00 00 00

10fd10: 20 fd 10 00 00 00 00 00 2b e0 00 00 00 00 00 00
10fd20: 40 fd 10 00 00 00 00 00 77 49 02 00 00 00 00 00
10fd30: 60 4c 80 00 20 00 00 00 02 00 00 00 00 00 00 00
10fd40: 80 fd 10 00 00 00 00 00 32 4e 02 00 00 00 00 00

2f900: 5d c3 55 48 89 e5 40 88 37 5d c3 55 48 89 e5 66
2f910: 89 37 5d c3 55 48 89 e5 89 37 5d c3 55 48 89 e5
2f920: 48 89 37 5d c3 55 48 89 e5 0f b6 07 5d c3 55 48
2f930: 89 e5 0f b7 07 5d c3 55 48 89 e5 8b 07 5d c3 55
Pagetable walk from virt fed40008, base b0000:
 L4 = 0000000127033067 (0xb1000)  [offset = 0]
  L3 = 0000000000000000 (0xfffffffffffff000)  [offset = 3]
Page fault in pagetable walk (access to invalid memory?).

************************************************ 

Thanks 
Quan Xu


> -----Original Message-----
> From: xen-devel-bounces@lists.xen.org
> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Xu, Quan
> Sent: Sunday, November 09, 2014 4:30 PM
> To: Emil Condrea
> Cc: Daniel De Graaf; Ian Campbell; xen-devel@lists.xen.org
> Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0
> 
> Okay, I will test it in next week.
> 
> Thanks
> Quan Xu
> 
> 
> From: xen-devel-bounces@lists.xen.org
> [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Emil Condrea
> Sent: Friday, November 07, 2014 6:42 PM
> To: Xu, Quan
> Cc: Daniel De Graaf; Ian Campbell; xen-devel@lists.xen.org
> Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0
> 
> Xu, my system does not support DRTM launch so if you can test it next week
> it would be great.
> Thanks
> 
> On Fri, Nov 7, 2014 at 3:46 AM, Xu, Quan <quan.xu@intel.com> wrote:
> 
> 
> > -----Original Message-----
> > From: xen-devel-bounces@lists.xen.org
> > [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Daniel De Graaf
> > Sent: Friday, November 07, 2014 5:55 AM
> > To: Emil Condrea
> > Cc: Ian Campbell; xen-devel@lists.xen.org
> > Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0
> >
> > On 11/05/2014 05:00 AM, Ian Campbell wrote:
> > > CCing Daniel.
> > >
> > > On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
> > >>
> > >> I am wondering if this is known issue that when I set locality!=0 to
> > >> vtpmmgr it does not start. It is a bit strange that every call to
> > >> tpm_tis_status returns 255 and device-id is also FFFF:
> > >> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
> > >> TPM interface capabilities (0xffffffff):
> > >>
> > >> I am configuring vtpmmgr using:
> > >>
> > >> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
> > >> memory=8
> > >> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
> > >> name="vtpmmgr"
> > >> iomem=["fed40,5"]
> > >> extra="tpmlocality=2"
> > >>
> > >>
> > >> I also tried using :
> > >> iomem=["fed40,1"]
> > >> extra="tpmlocality=0"//works well
> > >>
> > >> or
> > >> iomem=["fed42,1"]
> > >> extra="tpmlocality=2"
> > >> It seems that everything that is not mapped at fed40-fed41 is
> > >> FFFFFFFF.
> > >>
> > >> I have an Atmel TPM chipset.
> > >>
> > >> Could it be a chipset problem to not handle well different localities?
> > >>
> > >> When I use locality=0, the device driver info is correct and
> > >> everything works fine:
> > >> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40) TPM interface
> > >> capabilities (0xfd)
> >
> > This may be an issue with locality 2 being unavailable unless a DRTM
> launch
> > (tboot) is performed.  Returning all-ones is the normal response of the
> x86
> > chipset when unmapped MMIO regions are accessed; disabled localities of
> > the TPM may act like this.
> >
> > Does your system support the DRTM launch?  If so, can you test it to see
> if
> > this is the issue?
> 
> Emil,
> tboot supports Intel and OEM systems that are Intel TXT-capable.
> If your system does not support DRTM launch, I can test it in next week.
> 
> 
> >
> > In this case, to better support people who want to use the vTPM Manager
> > without a DRTM launch, the features of the vTPM Manager that use the
> TPM
> > 1.2 PCRs may need to be disabled or implemented in an alternate manner
> > such as embedding the data in the quote instead of in PCRs.  The current
> > design was created with the assumption that systems using it would be
> > performing a DRTM launch in order to fully secure the boot process.
> >
> > >> In linux kernel this information is obtained using locality 0 and
> > >> after that other commands execute using specified locality.
> > >> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
> > >> tree/drivers/char/tpm/tpm_tis.c#n558
> >
> > Have you tested that other localities work for your TPM under Linux?
> >
> > >>
> > >> Thanks,
> > >>
> > >> Emil
> > >>
> >
> > --
> > Daniel De Graaf
> > National Security Agency
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xen.org
> > http://lists.xen.org/xen-devel
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

[-- Attachment #2: txt-stat.log --]
[-- Type: application/octet-stream, Size: 18250 bytes --]

[-- Attachment #3: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: vtpmmgr bug: fails to start if locality!=0

[Emil Condrea]

[-- Attachment #1.1: Type: text/plain, Size: 7578 bytes --]

It seems that tpm_tis_request_locality did not manage to wait enough for
locality change. I suspect that if timeout_a does not have correct value it
will not wait enough in that loop and it will exit too soon. Can you do
this test again replacing timeout_a value from tpm_tis_request_locality
=>(stop = NOW() + tpm->timeout_a;) with something much bigger?
I sent a patch that was committed this week, that fixes timeout problems
that could appear and resets them to the standard value if they are
incorrect.
At least it seems that the locality 2 on your chip is enabled since you got
here.

Thanks.
Emil Condrea

On Sun, Nov 16, 2014 at 9:15 AM, Xu, Quan <quan.xu@intel.com> wrote:

> Emil / Graaf,
>         I have verified it, it is still not working when tboot is enabled.
> The attach file is txt-stat log.
> [...]
>
> ***********************************************************
>          TXT measured launch: TRUE
>          secrets flag set: TRUE
> ***********************************************************
> [...]
>
>
> Below is error when I boot vtpmmgr:
>
>
> **********************************************************
> [...]
> IOMEM Machine Base Address: FED40000
> Enabled Localities: 2
> REQ LOCALITY FAILURE
> Unable to request locality 2??
> Shutting down tpm_tis device
> Page fault at linear address 0xfed40008, rip 0x2f918, regs 0x10fc78, sp
> 0x10fd20, our_sp 0x10fc40, code 2
> Thread: main
> RIP: e030:[<000000000002f918>]
> RSP: e02b:000000000010fd20  EFLAGS: 00010202
> RAX: ffffffffffffffff RBX: 0000002000804c60 RCX: 000000000000072c
> RDX: 000000000000001e RSI: 000000007fffffff RDI: 00000000fed40008
> RBP: 000000000010fd20 R08: 000000000000000a R09: 00000000000af000
> R10: 000000000000070e R11: 00000000000006d8 R12: 0000002000804c60
> R13: 00000000fed42000 R14: 0000000000000000 R15: 0000000000000002
> base is 0x10fd20 caller is 0x24977
> base is 0x10fd40 caller is 0x24e32
> base is 0x10fd80 caller is 0x5b4b
> base is 0x10ff30 caller is 0x3510
> base is 0x10ff50 caller is 0x287a2
> base is 0x10ffe0 caller is 0x343b
>
> 10fd10: 20 fd 10 00 00 00 00 00 2b e0 00 00 00 00 00 00
> 10fd20: 40 fd 10 00 00 00 00 00 77 49 02 00 00 00 00 00
> 10fd30: 60 4c 80 00 20 00 00 00 02 00 00 00 00 00 00 00
> 10fd40: 80 fd 10 00 00 00 00 00 32 4e 02 00 00 00 00 00
>
> 10fd10: 20 fd 10 00 00 00 00 00 2b e0 00 00 00 00 00 00
> 10fd20: 40 fd 10 00 00 00 00 00 77 49 02 00 00 00 00 00
> 10fd30: 60 4c 80 00 20 00 00 00 02 00 00 00 00 00 00 00
> 10fd40: 80 fd 10 00 00 00 00 00 32 4e 02 00 00 00 00 00
>
> 2f900: 5d c3 55 48 89 e5 40 88 37 5d c3 55 48 89 e5 66
> 2f910: 89 37 5d c3 55 48 89 e5 89 37 5d c3 55 48 89 e5
> 2f920: 48 89 37 5d c3 55 48 89 e5 0f b6 07 5d c3 55 48
> 2f930: 89 e5 0f b7 07 5d c3 55 48 89 e5 8b 07 5d c3 55
> Pagetable walk from virt fed40008, base b0000:
>  L4 = 0000000127033067 (0xb1000)  [offset = 0]
>   L3 = 0000000000000000 (0xfffffffffffff000)  [offset = 3]
> Page fault in pagetable walk (access to invalid memory?).
>
> ************************************************
>
> Thanks
> Quan Xu
>
>
> > -----Original Message-----
> > From: xen-devel-bounces@lists.xen.org
> > [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Xu, Quan
> > Sent: Sunday, November 09, 2014 4:30 PM
> > To: Emil Condrea
> > Cc: Daniel De Graaf; Ian Campbell; xen-devel@lists.xen.org
> > Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0
> >
> > Okay, I will test it in next week.
> >
> > Thanks
> > Quan Xu
> >
> >
> > From: xen-devel-bounces@lists.xen.org
> > [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Emil Condrea
> > Sent: Friday, November 07, 2014 6:42 PM
> > To: Xu, Quan
> > Cc: Daniel De Graaf; Ian Campbell; xen-devel@lists.xen.org
> > Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0
> >
> > Xu, my system does not support DRTM launch so if you can test it next
> week
> > it would be great.
> > Thanks
> >
> > On Fri, Nov 7, 2014 at 3:46 AM, Xu, Quan <quan.xu@intel.com> wrote:
> >
> >
> > > -----Original Message-----
> > > From: xen-devel-bounces@lists.xen.org
> > > [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Daniel De Graaf
> > > Sent: Friday, November 07, 2014 5:55 AM
> > > To: Emil Condrea
> > > Cc: Ian Campbell; xen-devel@lists.xen.org
> > > Subject: Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0
> > >
> > > On 11/05/2014 05:00 AM, Ian Campbell wrote:
> > > > CCing Daniel.
> > > >
> > > > On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
> > > >>
> > > >> I am wondering if this is known issue that when I set locality!=0 to
> > > >> vtpmmgr it does not start. It is a bit strange that every call to
> > > >> tpm_tis_status returns 255 and device-id is also FFFF:
> > > >> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
> > > >> TPM interface capabilities (0xffffffff):
> > > >>
> > > >> I am configuring vtpmmgr using:
> > > >>
> > > >> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
> > > >> memory=8
> > > >> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
> > > >> name="vtpmmgr"
> > > >> iomem=["fed40,5"]
> > > >> extra="tpmlocality=2"
> > > >>
> > > >>
> > > >> I also tried using :
> > > >> iomem=["fed40,1"]
> > > >> extra="tpmlocality=0"//works well
> > > >>
> > > >> or
> > > >> iomem=["fed42,1"]
> > > >> extra="tpmlocality=2"
> > > >> It seems that everything that is not mapped at fed40-fed41 is
> > > >> FFFFFFFF.
> > > >>
> > > >> I have an Atmel TPM chipset.
> > > >>
> > > >> Could it be a chipset problem to not handle well different
> localities?
> > > >>
> > > >> When I use locality=0, the device driver info is correct and
> > > >> everything works fine:
> > > >> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40) TPM
> interface
> > > >> capabilities (0xfd)
> > >
> > > This may be an issue with locality 2 being unavailable unless a DRTM
> > launch
> > > (tboot) is performed.  Returning all-ones is the normal response of the
> > x86
> > > chipset when unmapped MMIO regions are accessed; disabled localities of
> > > the TPM may act like this.
> > >
> > > Does your system support the DRTM launch?  If so, can you test it to
> see
> > if
> > > this is the issue?
> >
> > Emil,
> > tboot supports Intel and OEM systems that are Intel TXT-capable.
> > If your system does not support DRTM launch, I can test it in next week.
> >
> >
> > >
> > > In this case, to better support people who want to use the vTPM Manager
> > > without a DRTM launch, the features of the vTPM Manager that use the
> > TPM
> > > 1.2 PCRs may need to be disabled or implemented in an alternate manner
> > > such as embedding the data in the quote instead of in PCRs.  The
> current
> > > design was created with the assumption that systems using it would be
> > > performing a DRTM launch in order to fully secure the boot process.
> > >
> > > >> In linux kernel this information is obtained using locality 0 and
> > > >> after that other commands execute using specified locality.
> > > >>
> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
> > > >> tree/drivers/char/tpm/tpm_tis.c#n558
> > >
> > > Have you tested that other localities work for your TPM under Linux?
> > >
> > > >>
> > > >> Thanks,
> > > >>
> > > >> Emil
> > > >>
> > >
> > > --
> > > Daniel De Graaf
> > > National Security Agency
> > >
> > > _______________________________________________
> > > Xen-devel mailing list
> > > Xen-devel@lists.xen.org
> > > http://lists.xen.org/xen-devel
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xen.org
> > http://lists.xen.org/xen-devel
>

[-- Attachment #1.2: Type: text/html, Size: 10440 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: vtpmmgr bug: fails to start if locality!=0

[Emil Condrea]

[-- Attachment #1.1: Type: text/plain, Size: 3047 bytes --]

My system does not support DRTM so I can not test this. I am interested in
contributing to vtpm and making this to work without DRTM, can you give me
more details about PCRs that need to be implemented using an alternate
manner? When someone wants to use other locality than 0 it will run all
commands with PCRs disabled? Since the vtpmmgr is tying domU to hardware
TPM, deactivating PCRs will result that all commands issued by domU will
not use PCRs anymore, right?
Where should the new layer of PCR values stored? NVRAM ?


On Thu, Nov 6, 2014 at 11:55 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov>
wrote:

> On 11/05/2014 05:00 AM, Ian Campbell wrote:
>
>> CCing Daniel.
>>
>> On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
>>
>>>
>>> I am wondering if this is known issue that when I set locality!=0 to
>>> vtpmmgr it does not start. It is a bit strange that every call to
>>> tpm_tis_status returns 255 and device-id is also FFFF:
>>> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
>>> TPM interface capabilities (0xffffffff):
>>>
>>> I am configuring vtpmmgr using:
>>>
>>> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
>>> memory=8
>>> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
>>> name="vtpmmgr"
>>> iomem=["fed40,5"]
>>> extra="tpmlocality=2"
>>>
>>>
>>> I also tried using :
>>> iomem=["fed40,1"]
>>> extra="tpmlocality=0"//works well
>>>
>>> or
>>> iomem=["fed42,1"]
>>> extra="tpmlocality=2"
>>> It seems that everything that is not mapped at fed40-fed41 is
>>> FFFFFFFF.
>>>
>>> I have an Atmel TPM chipset.
>>>
>>> Could it be a chipset problem to not handle well different localities?
>>>
>>> When I use locality=0, the device driver info is correct and
>>> everything works fine:
>>> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40)
>>> TPM interface capabilities (0xfd)
>>>
>>
> This may be an issue with locality 2 being unavailable unless a DRTM
> launch (tboot) is performed.  Returning all-ones is the normal response
> of the x86 chipset when unmapped MMIO regions are accessed; disabled
> localities of the TPM may act like this.
>
> Does your system support the DRTM launch?  If so, can you test it to see
> if this is the issue?
>
> In this case, to better support people who want to use the vTPM Manager
> without a DRTM launch, the features of the vTPM Manager that use the TPM
> 1.2 PCRs may need to be disabled or implemented in an alternate manner
> such as embedding the data in the quote instead of in PCRs.  The current
> design was created with the assumption that systems using it would be
> performing a DRTM launch in order to fully secure the boot process.
>
>  In linux kernel this information is obtained using locality 0 and
>>> after that other commands execute using specified locality.
>>> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-
>>> stable.git/tree/drivers/char/tpm/tpm_tis.c#n558
>>>
>>
> Have you tested that other localities work for your TPM under Linux?




>
>>> Thanks,
>>>
>>> Emil
>>>
>>>
> --
> Daniel De Graaf
> National Security Agency
>

[-- Attachment #1.2: Type: text/html, Size: 5356 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: vtpmmgr bug: fails to start if locality!=0

[Daniel De Graaf]

On 11/07/2014 05:40 AM, Emil Condrea wrote:
> My system does not support DRTM so I can not test this. I am interested in
> contributing to vtpm and making this to work without DRTM, can you give me
> more details about PCRs that need to be implemented using an alternate
> manner? When someone wants to use other locality than 0 it will run all
> commands with PCRs disabled? Since the vtpmmgr is tying domU to hardware
> TPM, deactivating PCRs will result that all commands issued by domU will
> not use PCRs anymore, right?

The PCRs seen by the domU are emulated by the vTPM, and the vTPM Manager has no information on any of their values or updates.  Deep quotes may include a hash of the vTPM's PCR values, but the vTPM Manager is only asserting that the hash was given by the vTPM.

> Where should the new layer of PCR values stored? NVRAM ?

They will be stored in the vtpmmgr domain's RAM; in fact, they are already stored there (they just need to be used more directly).

The PCRs in question are PCR 20-23, used by the vTPM Manager to store information about the vTPM making a deep quote request.  In order to support more than one vTPM, the values of these PCRs need to be reset when a different client connects.  However, the reset operation for PCR 20-22 is limited to locality 2.

An alternative to this is to embed this information in the externData field that is signed by the quote operation.  This requires a bit more work to provide the same flexibility that the PCRs provided, but it can be made equivalently secure.

A deep quote request currently contains a PCR mask and a requestData value (20 bytes) from the vTPM.  On a deep quote request, the vTPM Manager:
  1. Reset PCR 20-23
  2. Extend information about the requesting vTPM to PCR 20-23
    - Different information is extended into each PCR
    - Some clients want all information, some only want selected PCRs
  3. Perform a Quote with externData=requestData on the requested PCRs
  4. Return the result to the requesting vTPM

The change I am suggesting requires:
  - Add a field to the request - extraInfoFlags
  - Compute externData = SHA1 (
	requestData
	extraInfoFlags
	[UUIDs if requested]
	[vTPM measurements if requested]
	[vTPM group update policy if requested]
   )
  - Perform deep quotes using the above externData value instead of the value provided by the vTPM.

This change also has the benefit of increasing the flexibility of the request - it is simple to define additional flags and add data to the hash if needed.

> On Thu, Nov 6, 2014 at 11:55 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov>
> wrote:
>
>> On 11/05/2014 05:00 AM, Ian Campbell wrote:
>>
>>> CCing Daniel.
>>>
>>> On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
>>>
>>>>
>>>> I am wondering if this is known issue that when I set locality!=0 to
>>>> vtpmmgr it does not start. It is a bit strange that every call to
>>>> tpm_tis_status returns 255 and device-id is also FFFF:
>>>> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
>>>> TPM interface capabilities (0xffffffff):
>>>>
>>>> I am configuring vtpmmgr using:
>>>>
>>>> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
>>>> memory=8
>>>> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
>>>> name="vtpmmgr"
>>>> iomem=["fed40,5"]
>>>> extra="tpmlocality=2"
>>>>
>>>>
>>>> I also tried using :
>>>> iomem=["fed40,1"]
>>>> extra="tpmlocality=0"//works well
>>>>
>>>> or
>>>> iomem=["fed42,1"]
>>>> extra="tpmlocality=2"
>>>> It seems that everything that is not mapped at fed40-fed41 is
>>>> FFFFFFFF.
>>>>
>>>> I have an Atmel TPM chipset.
>>>>
>>>> Could it be a chipset problem to not handle well different localities?
>>>>
>>>> When I use locality=0, the device driver info is correct and
>>>> everything works fine:
>>>> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40)
>>>> TPM interface capabilities (0xfd)
>>>>
>>>
>> This may be an issue with locality 2 being unavailable unless a DRTM
>> launch (tboot) is performed.  Returning all-ones is the normal response
>> of the x86 chipset when unmapped MMIO regions are accessed; disabled
>> localities of the TPM may act like this.
>>
>> Does your system support the DRTM launch?  If so, can you test it to see
>> if this is the issue?
>>
>> In this case, to better support people who want to use the vTPM Manager
>> without a DRTM launch, the features of the vTPM Manager that use the TPM
>> 1.2 PCRs may need to be disabled or implemented in an alternate manner
>> such as embedding the data in the quote instead of in PCRs.  The current
>> design was created with the assumption that systems using it would be
>> performing a DRTM launch in order to fully secure the boot process.
>>
>>   In linux kernel this information is obtained using locality 0 and
>>>> after that other commands execute using specified locality.
>>>> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-
>>>> stable.git/tree/drivers/char/tpm/tpm_tis.c#n558
>>>>
>>>
>> Have you tested that other localities work for your TPM under Linux?
>
>
>
>
>>
>>>> Thanks,
>>>>
>>>> Emil
>>>>
>>>>
>> --
>> Daniel De Graaf
>> National Security Agency
>>
>


-- 
Daniel De Graaf
National Security Agency

Re: vtpmmgr bug: fails to start if locality!=0

[Emil Condrea]

[-- Attachment #1.1: Type: text/plain, Size: 6482 bytes --]

I modified linux kernel tpm_tis driver to try to start with locality 2. I
did some logging and after taking a look with dmesg it seems that the IO
pages for other localities are full with 1.
in tpm_tis_init:
for(i=0;i<5;i++){
    release_locality(chip,i,1);
}
...
wait_startup(chip,2);
request_locality(chip,2)
...
TPM_RID(2);//FF
TPM_RID(0);//64
Would this mean that Atmel disabled other localities after manufacturing? I
tried to define a NVRAM index at F200 but I have the same results.

I see what you mean about changing the DeepQuote behaviour in order to
provide evidence of the VM launch but I am not sure that I understand what
is the type of extraInfoFlags and what should it contain. Will the UUIDs
and vTPM measurements be stored in extraInfoFlags?
If we take this as a solution for systems that do not support DRTM lanch,
they will still be forced to use locality 0 if any other is disabled and
the TPM might return busy if other commands are currently running.

Thanks.
Emil Condrea

On Sat, Nov 8, 2014 at 1:31 AM, Daniel De Graaf <dgdegra@tycho.nsa.gov>
wrote:

> On 11/07/2014 05:40 AM, Emil Condrea wrote:
>
>> My system does not support DRTM so I can not test this. I am interested in
>> contributing to vtpm and making this to work without DRTM, can you give me
>> more details about PCRs that need to be implemented using an alternate
>> manner? When someone wants to use other locality than 0 it will run all
>> commands with PCRs disabled? Since the vtpmmgr is tying domU to hardware
>> TPM, deactivating PCRs will result that all commands issued by domU will
>> not use PCRs anymore, right?
>>
>
> The PCRs seen by the domU are emulated by the vTPM, and the vTPM Manager
> has no information on any of their values or updates.  Deep quotes may
> include a hash of the vTPM's PCR values, but the vTPM Manager is only
> asserting that the hash was given by the vTPM.
>
>  Where should the new layer of PCR values stored? NVRAM ?
>>
>
> They will be stored in the vtpmmgr domain's RAM; in fact, they are already
> stored there (they just need to be used more directly).
>
> The PCRs in question are PCR 20-23, used by the vTPM Manager to store
> information about the vTPM making a deep quote request.  In order to
> support more than one vTPM, the values of these PCRs need to be reset when
> a different client connects.  However, the reset operation for PCR 20-22 is
> limited to locality 2.
>
> An alternative to this is to embed this information in the externData
> field that is signed by the quote operation.  This requires a bit more work
> to provide the same flexibility that the PCRs provided, but it can be made
> equivalently secure.
>
> A deep quote request currently contains a PCR mask and a requestData value
> (20 bytes) from the vTPM.  On a deep quote request, the vTPM Manager:
>  1. Reset PCR 20-23
>  2. Extend information about the requesting vTPM to PCR 20-23
>    - Different information is extended into each PCR
>    - Some clients want all information, some only want selected PCRs
>  3. Perform a Quote with externData=requestData on the requested PCRs
>  4. Return the result to the requesting vTPM
>
> The change I am suggesting requires:
>  - Add a field to the request - extraInfoFlags
>  - Compute externData = SHA1 (
>         requestData
>         extraInfoFlags
>         [UUIDs if requested]
>         [vTPM measurements if requested]
>         [vTPM group update policy if requested]
>   )
>  - Perform deep quotes using the above externData value instead of the
> value provided by the vTPM.
>
> This change also has the benefit of increasing the flexibility of the
> request - it is simple to define additional flags and add data to the hash
> if needed.
>
>
>  On Thu, Nov 6, 2014 at 11:55 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov>
>> wrote:
>>
>>  On 11/05/2014 05:00 AM, Ian Campbell wrote:
>>>
>>>  CCing Daniel.
>>>>
>>>> On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
>>>>
>>>>
>>>>> I am wondering if this is known issue that when I set locality!=0 to
>>>>> vtpmmgr it does not start. It is a bit strange that every call to
>>>>> tpm_tis_status returns 255 and device-id is also FFFF:
>>>>> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
>>>>> TPM interface capabilities (0xffffffff):
>>>>>
>>>>> I am configuring vtpmmgr using:
>>>>>
>>>>> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
>>>>> memory=8
>>>>> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
>>>>> name="vtpmmgr"
>>>>> iomem=["fed40,5"]
>>>>> extra="tpmlocality=2"
>>>>>
>>>>>
>>>>> I also tried using :
>>>>> iomem=["fed40,1"]
>>>>> extra="tpmlocality=0"//works well
>>>>>
>>>>> or
>>>>> iomem=["fed42,1"]
>>>>> extra="tpmlocality=2"
>>>>> It seems that everything that is not mapped at fed40-fed41 is
>>>>> FFFFFFFF.
>>>>>
>>>>> I have an Atmel TPM chipset.
>>>>>
>>>>> Could it be a chipset problem to not handle well different localities?
>>>>>
>>>>> When I use locality=0, the device driver info is correct and
>>>>> everything works fine:
>>>>> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40)
>>>>> TPM interface capabilities (0xfd)
>>>>>
>>>>>
>>>>  This may be an issue with locality 2 being unavailable unless a DRTM
>>> launch (tboot) is performed.  Returning all-ones is the normal response
>>> of the x86 chipset when unmapped MMIO regions are accessed; disabled
>>> localities of the TPM may act like this.
>>>
>>> Does your system support the DRTM launch?  If so, can you test it to see
>>> if this is the issue?
>>>
>>> In this case, to better support people who want to use the vTPM Manager
>>> without a DRTM launch, the features of the vTPM Manager that use the TPM
>>> 1.2 PCRs may need to be disabled or implemented in an alternate manner
>>> such as embedding the data in the quote instead of in PCRs.  The current
>>> design was created with the assumption that systems using it would be
>>> performing a DRTM launch in order to fully secure the boot process.
>>>
>>>   In linux kernel this information is obtained using locality 0 and
>>>
>>>> after that other commands execute using specified locality.
>>>>> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-
>>>>> stable.git/tree/drivers/char/tpm/tpm_tis.c#n558
>>>>>
>>>>>
>>>>  Have you tested that other localities work for your TPM under Linux?
>>>
>>
>>
>>
>>
>>
>>>  Thanks,
>>>>>
>>>>> Emil
>>>>>
>>>>>
>>>>>  --
>>> Daniel De Graaf
>>> National Security Agency
>>>
>>>
>>
>
> --
> Daniel De Graaf
> National Security Agency
>

[-- Attachment #1.2: Type: text/html, Size: 8849 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: vtpmmgr bug: fails to start if locality!=0

[Daniel De Graaf]

On 11/14/2014 09:22 AM, Emil Condrea wrote:
> I modified linux kernel tpm_tis driver to try to start with locality 2. I
> did some logging and after taking a look with dmesg it seems that the IO
> pages for other localities are full with 1.
> in tpm_tis_init:
> for(i=0;i<5;i++){
>      release_locality(chip,i,1);
> }
> ...
> wait_startup(chip,2);
> request_locality(chip,2)
> ...
> TPM_RID(2);//FF
> TPM_RID(0);//64
> Would this mean that Atmel disabled other localities after manufacturing? I
> tried to define a NVRAM index at F200 but I have the same results.

My best guess is that locality 2 is disabled until a DRTM launch is
done.  Since your system does not support a DRTM launch, this guess
cannot easily be tested.

> I see what you mean about changing the DeepQuote behaviour in order to
> provide evidence of the VM launch but I am not sure that I understand what
> is the type of extraInfoFlags and what should it contain. Will the UUIDs
> and vTPM measurements be stored in extraInfoFlags?

extraInfoFlags would be a bitmask defined in a specification, like:

  1 - vTPM UUID present
  2 - vTPM Group UUID present
  4 - vTPM kernel measurement present
  8 - vTPM command line argument measurement present
16 - Group configuration hash present
32 - Group master public key hash present
...

This allows the later fields to be unambiguously decoded by a verifier
without requiring the disclosure of fields that are not needed (for
example, the UUIDs could be omitted for privacy reasons).

> If we take this as a solution for systems that do not support DRTM lanch,
> they will still be forced to use locality 0 if any other is disabled and
> the TPM might return busy if other commands are currently running.
>
> Thanks.
> Emil Condrea
>
> On Sat, Nov 8, 2014 at 1:31 AM, Daniel De Graaf <dgdegra@tycho.nsa.gov>
> wrote:
>
>> On 11/07/2014 05:40 AM, Emil Condrea wrote:
>>
>>> My system does not support DRTM so I can not test this. I am interested in
>>> contributing to vtpm and making this to work without DRTM, can you give me
>>> more details about PCRs that need to be implemented using an alternate
>>> manner? When someone wants to use other locality than 0 it will run all
>>> commands with PCRs disabled? Since the vtpmmgr is tying domU to hardware
>>> TPM, deactivating PCRs will result that all commands issued by domU will
>>> not use PCRs anymore, right?
>>>
>>
>> The PCRs seen by the domU are emulated by the vTPM, and the vTPM Manager
>> has no information on any of their values or updates.  Deep quotes may
>> include a hash of the vTPM's PCR values, but the vTPM Manager is only
>> asserting that the hash was given by the vTPM.
>>
>>   Where should the new layer of PCR values stored? NVRAM ?
>>>
>>
>> They will be stored in the vtpmmgr domain's RAM; in fact, they are already
>> stored there (they just need to be used more directly).
>>
>> The PCRs in question are PCR 20-23, used by the vTPM Manager to store
>> information about the vTPM making a deep quote request.  In order to
>> support more than one vTPM, the values of these PCRs need to be reset when
>> a different client connects.  However, the reset operation for PCR 20-22 is
>> limited to locality 2.
>>
>> An alternative to this is to embed this information in the externData
>> field that is signed by the quote operation.  This requires a bit more work
>> to provide the same flexibility that the PCRs provided, but it can be made
>> equivalently secure.
>>
>> A deep quote request currently contains a PCR mask and a requestData value
>> (20 bytes) from the vTPM.  On a deep quote request, the vTPM Manager:
>>   1. Reset PCR 20-23
>>   2. Extend information about the requesting vTPM to PCR 20-23
>>     - Different information is extended into each PCR
>>     - Some clients want all information, some only want selected PCRs
>>   3. Perform a Quote with externData=requestData on the requested PCRs
>>   4. Return the result to the requesting vTPM
>>
>> The change I am suggesting requires:
>>   - Add a field to the request - extraInfoFlags
>>   - Compute externData = SHA1 (
>>          requestData
>>          extraInfoFlags
>>          [UUIDs if requested]
>>          [vTPM measurements if requested]
>>          [vTPM group update policy if requested]
>>    )
>>   - Perform deep quotes using the above externData value instead of the
>> value provided by the vTPM.
>>
>> This change also has the benefit of increasing the flexibility of the
>> request - it is simple to define additional flags and add data to the hash
>> if needed.
>>
>>
>>   On Thu, Nov 6, 2014 at 11:55 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov>
>>> wrote:
>>>
>>>   On 11/05/2014 05:00 AM, Ian Campbell wrote:
>>>>
>>>>   CCing Daniel.
>>>>>
>>>>> On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:
>>>>>
>>>>>
>>>>>> I am wondering if this is known issue that when I set locality!=0 to
>>>>>> vtpmmgr it does not start. It is a bit strange that every call to
>>>>>> tpm_tis_status returns 255 and device-id is also FFFF:
>>>>>> 1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
>>>>>> TPM interface capabilities (0xffffffff):
>>>>>>
>>>>>> I am configuring vtpmmgr using:
>>>>>>
>>>>>> kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
>>>>>> memory=8
>>>>>> disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
>>>>>> name="vtpmmgr"
>>>>>> iomem=["fed40,5"]
>>>>>> extra="tpmlocality=2"
>>>>>>
>>>>>>
>>>>>> I also tried using :
>>>>>> iomem=["fed40,1"]
>>>>>> extra="tpmlocality=0"//works well
>>>>>>
>>>>>> or
>>>>>> iomem=["fed42,1"]
>>>>>> extra="tpmlocality=2"
>>>>>> It seems that everything that is not mapped at fed40-fed41 is
>>>>>> FFFFFFFF.
>>>>>>
>>>>>> I have an Atmel TPM chipset.
>>>>>>
>>>>>> Could it be a chipset problem to not handle well different localities?
>>>>>>
>>>>>> When I use locality=0, the device driver info is correct and
>>>>>> everything works fine:
>>>>>> 1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40)
>>>>>> TPM interface capabilities (0xfd)
>>>>>>
>>>>>>
>>>>>   This may be an issue with locality 2 being unavailable unless a DRTM
>>>> launch (tboot) is performed.  Returning all-ones is the normal response
>>>> of the x86 chipset when unmapped MMIO regions are accessed; disabled
>>>> localities of the TPM may act like this.
>>>>
>>>> Does your system support the DRTM launch?  If so, can you test it to see
>>>> if this is the issue?
>>>>
>>>> In this case, to better support people who want to use the vTPM Manager
>>>> without a DRTM launch, the features of the vTPM Manager that use the TPM
>>>> 1.2 PCRs may need to be disabled or implemented in an alternate manner
>>>> such as embedding the data in the quote instead of in PCRs.  The current
>>>> design was created with the assumption that systems using it would be
>>>> performing a DRTM launch in order to fully secure the boot process.
>>>>
>>>>    In linux kernel this information is obtained using locality 0 and
>>>>
>>>>> after that other commands execute using specified locality.
>>>>>> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-
>>>>>> stable.git/tree/drivers/char/tpm/tpm_tis.c#n558
>>>>>>
>>>>>>
>>>>>   Have you tested that other localities work for your TPM under Linux?
>>>>
>>>
>>>
>>>
>>>
>>>
>>>>   Thanks,
>>>>>>
>>>>>> Emil
>>>>>>
>>>>>>
>>>>>>   --
>>>> Daniel De Graaf
>>>> National Security Agency
>>>>
>>>>
>>>
>>
>> --
>> Daniel De Graaf
>> National Security Agency
>>
>


-- 
Daniel De Graaf
National Security Agency