Just a follow-up. Make sure, as some folks have said on the TrouSerS-users list discussion, that your nvLock is defined. I think I ruined a TPM chip by setting the lock wrong.

Here is a link to a discussion that is the key:

    https://www.mail-archive.com/[email protected]/msg00750.html

Here is the quote from the link:

    > and if I understood it correctly I have to define a NVRAM area at index
    > TPM_NV_INDEX_LOCK (0xFFFFFF) with size 0 to enable the bit - but this
    > doesn't work:

    nvLocked false is the problem. If your production platform is delivered
    that way, I consider that a security bug.

    Your understanding is correct, except TPM_NV_INDEX_LOCK is 0xffffffff
    (8 ones, not 6 ones).

You need to do a command as follows:

    /usr/local/sbin/tpm_nvdefine -i 0xFFFFFFFF --size=0

The size is critical. I defined a size of 100 on my other TPM chip and could not go back. The locking of PCRs did not work at all. I had no means of detecting the permanent flags but had to do the above command before I could get the success.

By the way, my printout below was on the chip that did not work. What I really got when I tried to do the tpm_nvread after extending a PCR is the following:

    /usr/local/sbin/tpm_nvread -i 3 -p
    Enter NVRAM access password:
    Tspi_NV_ReadValue failed: 0x00000018 - layer=tpm, code=0018 (24), Wrong PCR value

Now I am having problems releasing that index. A new problem?

________________________________________
From: Bill Martin
Sent: Tuesday, September 16, 2014 4:50 PM
To: [email protected]
Subject: RE: TPM Support for LUKS Partitions. [SOLVED!]

Months-long problem SOLVED!!!!!!

Okay, this is just an update on a problem I had in the background. You can see the original thread by searching on the subject or on my name, Bill Martin, and tpm_nvdefine. What I wanted to do was lock a symmetric key in NVRAM. The key is the same key used to decrypt a LUKS drive. I changed some PCRs but was still able to do a tpm_nvread.

The function nv_define_and_write() in tpm-luks has the first few lines:

    --------------------------------------
    function nv_define_and_write
    {
        PERMSFILE=${1}
        DATAFILE=${TMPFS_KEYFILE}
        NVPASS_OPTION=
        OWNERPASS_OPTION="-y"
    ---------------------------------------------

As you can see, NVPASS_OPTION is blank! This is critical because the script calls tpm_nvdefine and leaves out the -a parameter. The solution is to provide something in the field, like NVPASS_OPTION="-y".

Let's assume your NVRAM password is nvpass and your owner password is beagle. You want to use PCRs 9 and 10, perhaps, to define an NVRAM area of 100 using index 3:

    root@debian:~# /usr/local/sbin/tpm_nvdefine -l debug -a nvpass -o beagle -i 3 --size=100 -r 9 -r 10 -w 9 -w 10 --permissions="AUTHREAD|AUTHWRITE"
    permissions = 0x00040004
    Tspi_Context_Create success
    Tspi_Context_Connect success
    Tspi_Context_GetTpmObject success
    Tspi_Context_CreateObject success
    Tspi_GetPolicyObject success
    Tspi_Policy_SetSecret success
    Tspi_Context_CreateObject success
    Tspi_Policy_SetSecret success
    Tspi_Context_CreateObject success
    Tspi_TPM_PcrRead success
    Tspi_PcrComposite_SetPcrValue success
    Tspi_TPM_PcrRead success
    Tspi_PcrComposite_SetPcrValue success
    Tspi_Context_CreateObject success
    Tspi_TPM_PcrRead success
    Tspi_PcrComposite_SetPcrValue success
    Tspi_TPM_PcrRead success
    Tspi_PcrComposite_SetPcrValue success
    Tspi_PcrComposite_SetPcrLocality success
    Tspi_PcrComposite_SetPcrLocality success
    Tspi_NV_DefineSpace success
    Successfully created NVRAM area at index 0x3 (3).
    Tspi_Context_FreeMemory success
    Tspi_Context_Close success

Note PCR 10 below.

    root@debian:~# cat /sys/class/misc/tpm0/device/pcrs
    PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-09: B0 0A 4D 3E EE 2E 3F 25 33 06 31 55 49 72 2C DF 78 A0 98 EB
    PCR-10: 41 CE 83 A6 BF 4A BC BA B6 C8 C8 DB 49 51 93 48 A5 E1 4A 02
    PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    root@debian:~# /usr/local/sbin/tpm_nvwrite -p --data="Specialized Rockhopper" -i 3 -s 22
    Enter NVRAM access password:
    Successfully wrote 22 bytes at offset 0 to NVRAM index 0x3 (3).

    root@debian:~# /usr/local/sbin/tpm_nvinfo
    NVRAM index   : 0x1000f000 (268496896)
    PCR read  selection:
     Localities   : ALL
    PCR write selection:
     Localities   : ALL
    Permissions   : 0x00020002 (OWNERREAD|OWNERWRITE)
    bReadSTClear  : FALSE
    bWriteSTClear : FALSE
    bWriteDefine  : FALSE
    Size          : 1404 (0x57c)

    NVRAM index   : 0x30000001 (805306369)
    PCR read  selection:
     Localities   : ALL
    PCR write selection:
     Localities   : ALL
    Permissions   : 0x00000002 (OWNERWRITE)
    bReadSTClear  : FALSE
    bWriteSTClear : FALSE
    bWriteDefine  : FALSE
    Size          : 576 (0x240)

    NVRAM index   : 0x10000001 (268435457)
    PCR read  selection:
     Localities   : ALL
    PCR write selection:
     Localities   : ALL
    Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
    bReadSTClear  : FALSE
    bWriteSTClear : FALSE
    bWriteDefine  : FALSE
    Size          : 20 (0x14)

    NVRAM index   : 0x00000003 (3)
    PCR read  selection:
     PCRs         : 9, 10
     Localities   : ALL
     Hash         : b5aeafd09aa42799d192128337d50e51c97c086a
    PCR write selection:
     PCRs         : 9, 10
     Localities   : ALL
     Hash         : b5aeafd09aa42799d192128337d50e51c97c086a
    Permissions   : 0x00040004 (AUTHREAD|AUTHWRITE)
    bReadSTClear  : FALSE
    bWriteSTClear : FALSE
    bWriteDefine  : FALSE
    Size          : 100 (0x64)

I have a program I wrote called pcr10Extender to just extend PCR 10 so it can be changed.

    root@debian:/home/bmartin# ./pcr10Extender outout
    Connect_Load_All returned 0x0
    Testsuite_Transport_Init returned 0x1
    Tspi_TPM_PcrExtend returned 0x0
    Testsuite_Transport_Final returned 0x0
    set PCR #10

Okay, so now PCR 10 is extended:

    root@debian:/home/bmartin# cat /sys/class/misc/tpm0/device/pcrs
    PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-09: B0 0A 4D 3E EE 2E 3F 25 33 06 31 55 49 72 2C DF 78 A0 98 EB
    PCR-10: 8F 3F DF F4 69 C1 8C 67 C6 62 76 F3 18 41 73 F0 9B EC F9 83
    PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

So now tpm_nvread fails!!!!!!

    root@debian:/home/bmartin# /usr/local/sbin/tpm_nvread -i 3
    Tspi_NV_ReadValue failed: 0x0000003b - layer=tpm, code=003b (59), NV_LoadKey blob requires both owner and blob authorization

This is the thing I need! Now I have to put a tpm_nvread in initramfs. When I boot up my Linux, if PCR 10 is altered, then I cannot decrypt my partition, theoretically. I have not tried this again with tpm-luks, but I am confident I can now work this.

My one system with U-Boot and an Infineon TPM attached has an initrd.img rather than an initramfs. I would have to add the activation sequence for my TPM somehow in initrd.img. But my goal is to encrypt a partition on another Linux device that does not have U-Boot and does have an initramfs. It should automatically come up with tcsd active by the time I need the initramfs to call tpm_nvread. I think.

I think I had a couple of threads on TrouSerS-users pondering tpm_nvdefine. I even altered my own tpm_nvdefine with debug statements to try to find out what was wrong. The -a option for tpm_nvdefine was not intuitively obvious to me those months ago. I also referred to the TCG specs but got lost.

I NOW have a lot more confidence in TPM 1.2! Thanks.

_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
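The behaviour the thread arrives at (tpm_nvread succeeding right after tpm_nvdefine -r 9 -r 10 and failing with TPM_WRONGPCRVAL, code 0x18, once PCR 10 has been extended) follows from two TPM 1.2 computations that can be reproduced with nothing but SHA-1. The following is an added example, written for this page rather than taken from Bill Martin's messages, tpm-tools or TrouSerS: it models TPM_Extend and the PCR composite digest that tpm_nvdefine stores as digestAtRelease in the index's TPM_PCR_INFO_SHORT, then shows the TPM's release check passing before the extend and failing after it. Structures follow the TPM 1.2 structures specification (TPM_PCR_SELECTION, TPM_PCR_COMPOSITE). Assumptions are marked in the code: sizeOfSelect is taken as 3 bytes for a 24-PCR chip (what TrouSerS encodes is not shown on the page, so the example does not claim to reproduce the b5aeaf... hash from tpm_nvinfo), the PCR 9 and 10 values are copied from the listing above, and the measurement pcr10Extender extends with is constructed.

```python
"""Model of TPM 1.2 PCR-bound NV access: extend a PCR, watch the release check fail.

Added example for the TrouSerS-users thread above; not code from the thread,
tpm-tools or TrouSerS.  Only the hashing is real; there is no TPM involved.
"""
import hashlib

PCR_BYTES = 20   # TPM 1.2 PCRs are SHA-1 digests
NUM_PCRS = 24    # typical TPM 1.2 chip; drives the selection bitmap size


def pcr_selection(indices):
    """TPM_PCR_SELECTION: uint16 BE sizeOfSelect || pcrSelect bitmap.

    Bit i of the bitmap (byte i // 8, bit i % 8) selects PCR i.
    Assumption: sizeOfSelect = NUM_PCRS // 8 = 3, as for a 24-PCR chip.
    """
    size = NUM_PCRS // 8
    bitmap = bytearray(size)
    for i in indices:
        if not 0 <= i < NUM_PCRS:
            raise ValueError("PCR index out of range: %d" % i)
        bitmap[i // 8] |= 1 << (i % 8)
    return size.to_bytes(2, "big") + bytes(bitmap)


def composite_hash(pcrs, indices):
    """SHA-1 over TPM_PCR_COMPOSITE.

    TPM_PCR_COMPOSITE = TPM_PCR_SELECTION || uint32 BE valueSize ||
                        selected PCR values in ascending index order.
    This is digestAtRelease in the TPM_PCR_INFO_SHORT of an NV index
    defined with tpm_nvdefine -r/-w; the TPM recomputes it on each access.
    """
    ordered = sorted(set(indices))
    values = b"".join(pcrs[i] for i in ordered)
    composite = pcr_selection(ordered) + len(values).to_bytes(4, "big") + values
    return hashlib.sha1(composite).digest()


def pcr_extend(old_value, measurement):
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement)."""
    if len(old_value) != PCR_BYTES or len(measurement) != PCR_BYTES:
        raise ValueError("PCR values and measurements are 20-byte digests")
    return hashlib.sha1(old_value + measurement).digest()


def nv_access_allowed(pcrs, bound_indices, digest_at_release):
    """The check TPM_NV_ReadValue / TPM_NV_WriteValue perform on a PCR-bound
    index.  A mismatch is what tpm_nvread reports as code 0x18 (TPM_WRONGPCRVAL,
    'Wrong PCR value')."""
    return composite_hash(pcrs, bound_indices) == digest_at_release


def pcrs_from_thread():
    """PCR bank as in the first /sys/class/misc/tpm0/device/pcrs listing above
    (PCRs 9 and 10 copied from the page; 17-22 all-ones as listed)."""
    pcrs = [bytes(PCR_BYTES)] * NUM_PCRS
    for i in range(17, 23):
        pcrs[i] = b"\xff" * PCR_BYTES
    pcrs[9] = bytes.fromhex("B00A4D3EEE2E3F253306315549722CDF78A098EB")
    pcrs[10] = bytes.fromhex("41CE83A6BF4ABCBAB6C8C8DB49519348A5E14A02")
    return pcrs


def demo():
    """Define an index bound to PCRs 9 and 10, then extend PCR 10.

    Returns (allowed_before_extend, allowed_after_extend, digest_hex).
    """
    pcrs = pcrs_from_thread()
    bound = [9, 10]                                   # tpm_nvdefine -r 9 -r 10 -w 9 -w 10
    digest_at_release = composite_hash(pcrs, bound)   # frozen into the index at define time

    before = nv_access_allowed(pcrs, bound, digest_at_release)

    # Constructed measurement standing in for whatever pcr10Extender extends with.
    measurement = hashlib.sha1(b"pcr10Extender (constructed measurement)").digest()
    pcrs[10] = pcr_extend(pcrs[10], measurement)

    after = nv_access_allowed(pcrs, bound, digest_at_release)
    return before, after, digest_at_release.hex()


if __name__ == "__main__":
    before, after, digest = demo()
    print("digestAtRelease:", digest)
    print("read allowed before extend:", before)
    print("read allowed after extend: ", after)
```

The point the model makes explicit is that the NV index does not store the PCR values at all, only a digest over the selection and the values, so any extend of a bound PCR changes that digest and the TPM refuses to release the data; PCRs that are not in the selection can change freely. When debugging a define that does not seem to bind, print the selection bytes: a selection with no bits set yields a composite over zero values, which is what an index without -r/-w options ends up with.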
