On 5/13/2014 4:38 AM, Frank Grötzner wrote:
>
>> 1 - Read the nvLocked bit in the permanent flags. If it's clear (which
>> should never occur on a shipped production platform), the NV protections
>> are still disabled.
>
> As I didn't find a way to check the value via trousers (is there any?) I used tpmj
> (http://projects.csail.mit.edu/tc/tpmj/) and this did the trick: The nvLocked bit
> is set to false.
>
> The problem is that I can't find a way to enable the bit. I had a look at Section 19.1.1
> in the TCG TPM Main Part 2 Document
> (http://www.trustedcomputinggroup.org/files/resource_files/E14876A3-1A4B-B294-D086297A1ED38F96/mainP2Structrev103.pdf)
> and if I understood it correctly I have to define a NVRAM area at index
> TPM_NV_INDEX_LOCK (0xFFFFFF) with size 0 to enable the bit - but this
> doesn't work:

nvLocked false is the problem. If your production platform is delivered that way, I consider that a security bug.

Your understanding is correct, except TPM_NV_INDEX_LOCK is 0xffffffff (8 ones, not 6 ones).

I can't otherwise explain your problem, since I don't know tpmj.

The utilities that come with the IBM SW TPM can set the nvLocked bit. It also has a utility to view the permanent flags.

_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
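The check discussed in this thread, as an added example that is not part of the original messages, tpmj, or the IBM utilities: it reads nvLocked out of a serialized TPM_PERMANENT_FLAGS blob and tests whether a pair of define-space parameters is the lock request. It assumes the TPM 1.2 layout (2-byte tag 0x001F, then one byte per BOOL, nvLocked being the 16th); the function names and the sample blob are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TPM_TAG_PERMANENT_FLAGS 0x001Fu      /* structure tag, TPM Main Part 2 */
#define TPM_NV_INDEX_LOCK       0xFFFFFFFFu  /* eight hex F digits, not six */
#define NVLOCKED_OFFSET         (2u + 15u)   /* 2-byte tag, then nvLocked is the 16th BOOL */

enum nv_state { NV_BAD_BLOB = -1, NV_UNLOCKED = 0, NV_LOCKED = 1 };

/* Read nvLocked from a serialized TPM_PERMANENT_FLAGS blob
 * (big-endian tag followed by one byte per BOOL). */
enum nv_state check_nvlocked(const uint8_t *blob, size_t len)
{
    if (blob == NULL || len <= NVLOCKED_OFFSET)
        return NV_BAD_BLOB;                  /* too short to contain nvLocked */
    if ((((unsigned)blob[0] << 8) | blob[1]) != TPM_TAG_PERMANENT_FLAGS)
        return NV_BAD_BLOB;                  /* not a permanent-flags structure */
    if (blob[NVLOCKED_OFFSET] > 1)
        return NV_BAD_BLOB;                  /* a TPM BOOL is 0x00 or 0x01 */
    return blob[NVLOCKED_OFFSET] ? NV_LOCKED : NV_UNLOCKED;
}

/* True only for the define-space parameters that set nvLocked:
 * index TPM_NV_INDEX_LOCK with a data size of 0. */
int is_nv_lock_request(uint32_t nv_index, uint32_t data_size)
{
    return nv_index == TPM_NV_INDEX_LOCK && data_size == 0;
}

int main(void)
{
    /* Constructed sample: tag 0x001F and 20 BOOLs, all FALSE. */
    uint8_t flags[22] = { 0x00, 0x1F };

    printf("nvLocked before: %d\n", check_nvlocked(flags, sizeof flags));
    flags[NVLOCKED_OFFSET] = 0x01;           /* what a locked TPM reports */
    printf("nvLocked after:  %d\n", check_nvlocked(flags, sizeof flags));
    printf("0x00FFFFFF is lock index: %d\n", is_nv_lock_request(0x00FFFFFFu, 0));
    printf("0xFFFFFFFF is lock index: %d\n", is_nv_lock_request(0xFFFFFFFFu, 0));
    return 0;
}
```

A result of `NV_UNLOCKED` on a shipped platform is the condition the reply calls a security bug; `NV_BAD_BLOB` means the capability response should be re-read rather than trusted.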
