Months-long problem SOLVED!!!!!!

Okay this is just an update on a problem I had in the background. You can see 
the original thread by searching on the subject or my name Bill Martin and 
tpm_nvdefine.

What I wanted to do was lock a symmetric key in NVRAM. The key is the same key 
to use to decrypt a LUKS drive. I changed some PCRs but still was able to do a 
tpm_nvread.

The function nv_define_and_write() in tpm-luks has the first few lines:

--------------------------------------
function nv_define_and_write
{
        PERMSFILE=${1}
        DATAFILE=${TMPFS_KEYFILE}
        NVPASS_OPTION=
        OWNERPASS_OPTION="-y"
---------------------------------------------

As you can see, NVPASS_OPTION is blank! This is critical because the script 
calls tpm_nvdefine and leaves out the -a parameter. 

The solution is to provide something in the field, like NVPASS_OPTION="-y"

Let's assume your NVRAM password is nvpass and your owner password is beagle. 
You want to use PCRs 9 and 10 perhaps to define an NVRAM area of 100 using index 
3:

root@debian:~# /usr/local/sbin/tpm_nvdefine -l debug -a nvpass -o beagle -i 3 
--size=100 -r 9 -r 10 -w 9 -w 10 --permissions="AUTHREAD|AUTHWRITE"
permissions = 0x00040004
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_Context_CreateObject success
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_Context_CreateObject success
Tspi_Policy_SetSecret success
Tspi_Context_CreateObject success
Tspi_TPM_PcrRead success
Tspi_PcrComposite_SetPcrValue success
Tspi_TPM_PcrRead success
Tspi_PcrComposite_SetPcrValue success
Tspi_Context_CreateObject success
Tspi_TPM_PcrRead success
Tspi_PcrComposite_SetPcrValue success
Tspi_TPM_PcrRead success
Tspi_PcrComposite_SetPcrValue success
Tspi_PcrComposite_SetPcrLocality success
Tspi_PcrComposite_SetPcrLocality success
Tspi_NV_DefineSpace success
Successfully created NVRAM area at index 0x3 (3).
Tspi_Context_FreeMemory success
Tspi_Context_Close succes

Note PCR 10 below.

root@debian:~# cat /sys/class/misc/tpm0/device/pcrs 
PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-09: B0 0A 4D 3E EE 2E 3F 25 33 06 31 55 49 72 2C DF 78 A0 98 EB 
PCR-10: 41 CE 83 A6 BF 4A BC BA B6 C8 C8 DB 49 51 93 48 A5 E1 4A 02 
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
root@debian:~# /usr/local/sbin/tpm_nvwrite -p --data="Specialized Rockhopper" 
-i 3 -s 22
Enter NVRAM access password: 
Successfully wrote 22 bytes at offset 0 to NVRAM index 0x3 (3).
root@debian:~# /usr/local/sbin/tpm_nvinfo
NVRAM index   : 0x1000f000 (268496896)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00020002 (OWNERREAD|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 1404 (0x57c)

NVRAM index   : 0x30000001 (805306369)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00000002 (OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 576 (0x240)

NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)

NVRAM index   : 0x00000003 (3)
PCR read  selection:
 PCRs    : 9, 10
 Localities   : ALL
 Hash    : b5aeafd09aa42799d192128337d50e51c97c086a
PCR write selection:
 PCRs    : 9, 10
 Localities   : ALL
 Hash    : b5aeafd09aa42799d192128337d50e51c97c086a
Permissions   : 0x00040004 (AUTHREAD|AUTHWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 100 (0x64)

I have a program I wrote called pcr10Extender to just extend PCR 10 so it can 
be changed.

root@debian:/home/bmartin# ./pcr10Extender outout
Connect_Load_All returned 0x0

Testsuite_Transport_Init returned 0x1
Tspi_TPM_PcrExtend returned 0x0
Testsuite_Transport_Final returned 0x0
set PCR #10 


Okay, so now PCR 10 is extended.


root@debian:/home/bmartin# cat /sys/class/misc/tpm0/device/pcrs 
PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-09: B0 0A 4D 3E EE 2E 3F 25 33 06 31 55 49 72 2C DF 78 A0 98 EB 
PCR-10: 8F 3F DF F4 69 C1 8C 67 C6 62 76 F3 18 41 73 F0 9B EC F9 83 
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

So now tpm_nvread fails!!!!!!

root@debian:/home/bmartin# /usr/local/sbin/tpm_nvread -i 3
Tspi_NV_ReadValue failed: 0x0000003b - layer=tpm, code=003b (59), NV_LoadKey 
blob requires both owner and blob authorization

This is the thing I need! Now I have to put a tpm_nvread in initramfs. When I 
boot up my Linux and if PCR 10 is altered, then I cannot decrypt my partition, 
theoretically. I have not tried this again with tpm-luks but I am confident I 
can now work this.

On my one system with U-Boot and an Infineon TPM attached, it has an initrd.img 
rather than an initramfs. I would have to add the activation sequence for my 
TPM somehow in initrd.img. But my goal is to encrypt a partition on another 
Linux device that does not have U-Boot and does have an initramfs. It should 
automatically come up with tcsd active by the time I need the initramfs to call 
tpm_nvread. I think.

I think I had a couple of threads on Trousers-Users pondering tpm_nvdefine. I 
even altered my own tpm_nvdefine with debug statements to try to find out what 
was wrong.

The -a option for tpm_nvdefine was not intuitively obvious to me those months 
ago. I also referred to the TCG specs but got lost. I NOW have a lot more 
confidence in TPM 1.2!

Thanks.
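As an added example (not from the post, tpm-tools or tpm-luks), a small Python audit that parses tpm_nvinfo output like the listing above and reports which NVRAM indices can be read with no password, owner authorization or PCR binding, which is exactly the state the missing -a left the key area in. The sample input is constructed from two of the entries in the post, and the permission bit values are the TPM 1.2 TPM_NV_ATTRIBUTES constants rather than anything read from the tool's labels.

```python
import re

# TPM 1.2 TPM_NV_ATTRIBUTES read-permission bits (TPM Main Part 2, Structures).
AUTHREAD, OWNERREAD, PPREAD = 0x00040000, 0x00020000, 0x00010000

# Constructed sample: entries abridged from the tpm_nvinfo listing in the post.
SAMPLE_NVINFO = """\
NVRAM index   : 0x30000001 (805306369)
PCR read  selection:
 Localities   : ALL
Permissions   : 0x00000002 (OWNERWRITE)

NVRAM index   : 0x00000003 (3)
PCR read  selection:
 PCRs    : 9, 10
 Hash    : b5aeafd09aa42799d192128337d50e51c97c086a
PCR write selection:
 PCRs    : 9, 10
Permissions   : 0x00040004 (AUTHREAD|AUTHWRITE)
"""

def parse_nvinfo(text):
    """Return {index: {"perms": int, "read_pcrs": [int, ...]}} from tpm_nvinfo output."""
    areas = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        idx, perms, read_pcrs, section = None, 0, [], None
        for line in block.splitlines():
            if line.startswith("NVRAM index"):
                idx = int(line.split(":")[1].split()[0], 16)
            elif line.startswith("PCR "):  # "PCR read  selection:" or "PCR write selection:"
                section = line.split()[1]
            elif line.strip().startswith("PCRs") and section == "read":
                read_pcrs = [int(p) for p in line.split(":")[1].split(",")]
            elif line.startswith("Permissions"):
                perms = int(line.split(":")[1].split()[0], 16)
        if idx is not None:
            areas[idx] = {"perms": perms, "read_pcrs": read_pcrs}
    return areas

def read_gates(area):
    """What gates a tpm_nvread of this area; an empty list means anyone can read it."""
    names = ((AUTHREAD, "AUTHREAD"), (OWNERREAD, "OWNERREAD"), (PPREAD, "PPREAD"))
    gates = [name for bit, name in names if area["perms"] & bit]
    if area["read_pcrs"]:  # digestAtRelease binds reads to these PCR values
        gates.append("PCR" + ",".join(map(str, area["read_pcrs"])))
    return gates

def unprotected_reads(areas):
    """Indices readable with no password, owner authorization or PCR binding."""
    return sorted(i for i, a in areas.items() if not read_gates(a))
```

Running it against real output (`tpm_nvinfo` piped into `parse_nvinfo`) gives a quick way to confirm that the key area shows AUTHREAD plus the intended PCRs and that no other index is silently world-readable.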
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
