Oh, for S3, that totally makes sense. I was trying to raise the security
bar by setting both the owner and SRK passwords. However, without giving out
the owner password, the SRK password doesn't matter so much. Thanks a lot!
Best wishes,
--
Ning Qu
On Tue, Oct 16, 2012 at 7:02 PM, Wei, Gang <gang....@intel.com> wrote:
> Ning Qu wrote on 2012-10-17:
> > Already setup TPM trusted boot with Linux Kernel, seems whenever I
> > change the tboot binary/parameters or kernel binary/parameters, the boot
> > will fail as expected.
> >
> > However, I do see some logging information that indicates tboot might use
> > seal operations, or try to write TPM NV RAM, e.g.
> >
> > TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
> > TBOOT: Error: write TPM error: 0x2.
>
> This indicates that the optional tboot error index was not defined, it is
> acceptable.
>
> > TBOOT: TPM: seal data, return value = 00000001
> > TBOOT: failed to seal data
> >
> > TBOOT: creation or verification of S3 measurements failed.
>
> As you can see in the last line, the seal operation is to prepare some
> secret for S3 (suspend to memory) to protect memory integrity during S3. Tboot
> needs SRK auth to do sealing/unsealing, so it requires setting the SRK auth to
> the Well-Known-Value (20 bytes of 0s); this can be done with the tpm-tools cmd
> "tpm_takeownership -z".
>
> I guess you took ownership w/o -z.
>
> > Why does tboot need to seal something after/for verification? In that case,
> > is there any other way to pass the TPM password to tboot instead of simply
> > setting it as all zero?
>
> The owner password is not needed in tboot, so it is still safe for the user to
> set the owner password to whatever he/she likes.
>
> Jimmy
>
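An added log-triage script, not from the thread or the tboot project, that reads the tboot lines quoted above and separates the harmless "error index not defined" NV write (return 2) from the seal failure (return 1) that Jimmy attributes to a non-well-known SRK auth. The return-code names (1 = TPM_AUTHFAIL, 2 = TPM_BADINDEX) are taken from the TPM 1.2 main specification, not from the thread; the sample log is the thread's output, reconstructed inline with the serial console's ^M carriage returns removed.

```python
import re

# TPM 1.2 base return codes (TPM Main spec, Part 2, "Return codes"); this
# mapping comes from the specification, not from the mailing-list thread.
TPM_RC = {0x1: "TPM_AUTHFAIL", 0x2: "TPM_BADINDEX"}

# NV index tboot writes its error record to, as seen in the quoted log line.
TBOOT_ERROR_INDEX = 0x20000002

# Constructed sample: the lines quoted in the thread, ^M artifacts stripped.
SAMPLE_LOG = """\
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: Error: write TPM error: 0x2.
TBOOT: TPM: seal data, return value = 00000001
TBOOT: failed to seal data
TBOOT: creation or verification of S3 measurements failed.
"""

NV_RE = re.compile(r"TBOOT: TPM: write nv ([0-9a-f]+),.*return = ([0-9a-f]+)")
SEAL_RE = re.compile(r"TBOOT: TPM: seal data, return value = ([0-9a-f]+)")

def triage(log):
    """Return a list of (severity, message) findings for a tboot boot log."""
    findings = []
    for line in log.splitlines():
        m = NV_RE.search(line)
        if m:
            index, rc = int(m.group(1), 16), int(m.group(2), 16)
            if index == TBOOT_ERROR_INDEX and rc == 0x2:
                # Optional error index never defined: TPM_BADINDEX is expected.
                findings.append(("info", "tboot error index not defined (TPM_BADINDEX); harmless"))
            elif rc:
                findings.append(("warn", f"NV write to {index:#x} failed: {TPM_RC.get(rc, hex(rc))}"))
            continue
        m = SEAL_RE.search(line)
        if m:
            rc = int(m.group(1), 16)
            if rc == 0x1:
                # Seal uses SRK auth; AUTHFAIL means it is not the well-known value.
                findings.append(("error", "seal failed with TPM_AUTHFAIL: SRK auth is not the "
                                 "well-known secret, so S3 memory integrity is unprotected; "
                                 "take ownership with tpm_takeownership -z"))
            elif rc:
                findings.append(("error", f"seal failed: {TPM_RC.get(rc, hex(rc))}"))
    return findings

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```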
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel