[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] vtpmmgr bug: fails to start if locality!=0

My system does not support DRTM so I can not test this. I am interested in contributing to vtpm and making this to work without DRTM, can you give me more details about PCRs that need to be implemented using an alternate manner? When someone wants to use other locality than 0 it will run all commands with PCRs disabled? Since the vtpmmgr is tying domU to hardware TPM, deactivating PCRs will result that all commands issued by domU will not use PCRs anymore, right?
Where should the new layer of PCR values stored? NVRAM ?


On Thu, Nov 6, 2014 at 11:55 PM, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote:
On 11/05/2014 05:00 AM, Ian Campbell wrote:
CCing Daniel.

On Fri, 2014-10-31 at 17:37 +0200, Emil Condrea wrote:

I am wondering if this is known issue that when I set locality!=0 to
vtpmmgr it does not start. It is a bit strange that every call to
tpm_tis_status returns 255 and device-id is also FFFF:
1.2 TPM (device-id=0xFFFF vendor-id = FFFF rev-id = FF).
TPM interface capabilities (0xffffffff):

I am configuring vtpmmgr using:

kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
memory=8
disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
name="vtpmmgr"
iomem=["fed40,5"]
extra="tpmlocality=2"


I also tried using :
iomem=["fed40,1"]
extra="tpmlocality=0"//works well

or
iomem=["fed42,1"]
extra="tpmlocality=2"
It seems that everything that is not mapped at fed40-fed41 is
FFFFFFFF.

I have an Atmel TPM chipset.

Could it be a chipset problem to not handle well different localities?

When I use locality=0, the device driver info is correct and
everything works fine:
1.2 TPM (device-id=0x3204 vendor-id = 1114 rev-id = 40)
TPM interface capabilities (0xfd)

This may be an issue with locality 2 being unavailable unless a DRTM
launch (tboot) is performed. Returning all-ones is the normal response
of the x86 chipset when unmapped MMIO regions are accessed; disabled
localities of the TPM may act like this.

Does your system support the DRTM launch? If so, can you test it to see
if this is the issue?

In this case, to better support people who want to use the vTPM Manager
without a DRTM launch, the features of the vTPM Manager that use the TPM
1.2 PCRs may need to be disabled or implemented in an alternate manner
such as embedding the data in the quote instead of in PCRs. The current
design was created with the assumption that systems using it would be
performing a DRTM launch in order to fully secure the boot process.

In linux kernel this information is obtained using locality 0 and
after that other commands execute using specified locality.
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/drivers/char/tpm/tpm_tis.c#n558

 Have you tested that other localities work for your TPM under Linux?Â
Â


Thanks,

Emil


--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.