Hi Ken,

I managed to set the nvLocked bit with the IBM SW TPM and now the NVRAM permissions work as expected - thank you very much!

But I'm a little bit confused: the TPM I'm working with is from an X61s Thinkpad - why doesn't the bit get set after activating the chip in the BIOS? Without investigating further one would think the NVRAM is secure, although it isn't... Is it usual that the bit isn't set in new devices?

Best regards,
Frank

-----Original Message-----
From: Ken Goldman [mailto:[email protected]]
Sent: Tuesday, 13 May 2014 17:25
To: [email protected]
Subject: Re: [TrouSerS-users] NVRAM permissions

On 5/13/2014 4:38 AM, Frank Grötzner wrote:
>
>> 1 - Read the nvLocked bit in the permanent flags.  If it's clear (which
>> should never occur on a shipped production platform), the NV protections
>> are still disabled.
>
> As I didn't find a way to check the value via trousers (is there any?) I used
> tpmj (http://projects.csail.mit.edu/tc/tpmj/) and this did the trick: the
> nvLocked bit is set to false.
>
> The problem is that I can't find a way to enable the bit. I had a look at
> Section 19.1.1 in the TCG TPM Main Part 2 Document
> (http://www.trustedcomputinggroup.org/files/resource_files/E14876A3-1A4B-B294-D086297A1ED38F96/mainP2Structrev103.pdf)
> and if I understood it correctly I have to define a NVRAM area at index
> TPM_NV_INDEX_LOCK (0xFFFFFF) with size 0 to enable the bit - but this
> doesn't work:

nvLocked false is the problem.  If your production platform is delivered 
that way, I consider that a security bug.

Your understanding is correct, except TPM_NV_INDEX_LOCK is 0xffffffff (8 
ones, not 6 ones).

I can't otherwise explain your problem, since I don't know tpmj.  The 
utilities that come with the IBM SW TPM can set the nvLocked bit.  It 
also has a utility to view the permanent flags.

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
