It looks like it was the active locality. The function "bool
is_tpm_ready(uint32_t locality)" in flicker-02/intel/kmod-2.6.30/tpm.c
was not setting the locality to inactive properly. I replaced this with
a call to "bool release_locality(uint32_t locality)" from
"tboot/common/tpm.c" and it seemed to have fixed it.
I'm now getting a weird issue where if I run go.sh twice, the second
time SENTER fails. I'll be investigating and post what I find.
On a separate note, in the future should I keep flicker related
discoveries and issues off this mailing list? I don't want to wear out
my welcome by posting unwanted messages related to a different project.
-Jeff
On 01/14/2011 02:39 PM, Jeff Cleveland wrote:
> I do not believe the tpm_tis driver was loaded, however if I do load the
> module I get the same error code.
>
> It does seem the TPM has an active locality. I'm getting the debug
> output from this snippet of code in tpm.c:
>
> /*
> * must ensure TPM_ACCESS_0.activeLocality bit is clear
> * (: locality is not active)
> */
> read_tpm_reg(locality, TPM_REG_ACCESS,®_acc);
> if ( reg_acc.active_locality != 0 ) {
> dbg("(in tpm.c) reg_acc.active_locality != 0\n");
> /* make inactive by writing a 1 */
> reg_acc.active_locality = 1;
> write_tpm_reg(locality, TPM_REG_ACCESS,®_acc);
> }
>
> At this point in the code before it enters the if statement and after it
> exits it reg_acc.active_locality is 1. I changed the line
>
> reg_acc.active_locality = 1;
>
> to
>
> reg_acc.active_locality = 0;
>
> but even after doing this the value of active_locality is 1. My guess is
> that there is something else I need to do to make it inactive.
>
> Thanks for the help, this has given me more of a direction to focus on.
> -Jeff
>
> On 01/14/2011 11:50 AM, Jonathan McCune wrote:
>> Although there are some distinct error codes for locality access
>> problems, you might check whether the Linux TPM driver is active. If
>> the TPM has an active locality (which would be locality 1 with Linux's
>> tpm_tis), then SENTER will not succeed. The easiest way to test if
>> this makes a difference is to boot Linux without loading tpm_tis, then
>> try a Flicker session, and see if it makes any difference.
>>
>> Also, with the SINIT module you're using, ACMOD_SIZE_MAX as defined in
>> flicker.h is too small in flicker-0.2. I generally use 64K instead of
>> 32K these days. Unfortunately the error handling in flicker-0.2 just
>> prints a small warning message and blindly keeps going with an
>> incomplete SINIT module if the buffer is too small. However, I would
>> expect that you would observe a different failure mode under those
>> conditions.
>>
>> Hope this helps,
>> -Jon
>>
>>
>>
>> On Fri, Jan 14, 2011 at 10:54 AM, Jeff Cleveland<jclevel...@bbn.com> wrote:
>>> Hi list,
>>>
>>> My question stems from a TXT error I'm getting while trying to run
>>> Flicker. I have a dual core i5 laptop I'm testing on and using the sinit
>>> module i5_i7_DUAL_SINIT_18.bin. During execution of Flicker my computer
>>> reboots, upon startup I see the TXT ERRORCODE 0xc0003cd1, which parses
>>> as acm_type=1, progress=0d, error=f, and according to sinit_errors.txt
>>> that is "TPM PCR 17 was not properly initialized"
>>>
>>> The MLE Software Development Guide is pretty clear on how PCR 17 should
>>> be initialized, and yet I can't find in the Flicker or tboot source code
>>> where this initialization is happening. I was hoping to use the tboot
>>> source as a reference because on this machine GETSEC[SENTER] does
>>> successfully execute when I try launching tboot (loading the operating
>>> system fails afterwards but I believe thats a kernel configuration issue
>>> I haven't fixed yet).
>>>
>>> Any advice or pointers to where tboot initializes PCR 17 would be
>>> greatly appreciated.
>>>
>>> Thanks,
>>> Jeff
>>>
>>> ------------------------------------------------------------------------------
>>> Protect Your Site and Customers from Malware Attacks
>>> Learn about various malware tactics and how to avoid them. Understand
>>> malware threats, the impact they can have on your business, and how you
>>> can protect your company and customers by using code signing.
>>> http://p.sf.net/sfu/oracle-sfdevnl
>>> _______________________________________________
>>> tboot-devel mailing list
>>> tboot-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/tboot-devel
>>>
>
--
Jeff Cleveland
Raytheon - BBN Technologies
617-873-2515
jclevel...@bbn.com
------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
