At our company, we use TPMs to protect some data in an automated fashion.
For us, we don't want user entry; we just need to maintain the chain of trust
through the OS booting.  We've used mostly Dells, and on all of them
everything has worked without a hitch; however, now we needed to use a
GIGABYTE motherboard with a plug-in TPM.

The general idea is that on install, we take ownership, create some data in the
NVRAM and reboot.  On reboot, the PCRs are in the state we want them
(mostly), so we read the data out of the NVRAM, delete the entries, define
new ones keyed to PCRs, and write the data back.

On reboot, the data is safely locked away; should someone boot into another
OS, the TPM shouldn't give them the data.  On the Dells, if anything
changes, the TPM won't give anyone the data.  On these IFX parts, no matter how much
I mess with the PCRs, it just gives the data to anyone.  In fact, nothing I
do seems to secure the NVRAM at all!  What's more, I bought another TPM
module.  The TPMs have the same lettering on them (same lot?).

I found elsewhere someone recommending that someone look at nvLocked; for
them it was false (using the IBM tools).  When they set it to true,
everything was fine.  No such luck for me.  It then says NV Locked: True,
however the data remains readable.

 # ./tpminit
 # ./tpmbios
 # ./getcapability -cap 4 -scap 108
      Disabled: FALSE
      Ownership: TRUE
      Deactivated: FALSE
      Read Pubek: TRUE
      Disable Owner Clear: FALSE
      Allow Maintenance: TRUE
      Physical Presence Lifetime Lock: FALSE
      Physical Presence HW Enable: FALSE
      Physical Presence CMD Enable: TRUE
      CEKPUsed: FALSE
      TPMpost: FALSE
      TPMpost Lock: FALSE
      FIPS: FALSE
      Operator: FALSE
      Enable Revoke EK: TRUE
      NV Locked: TRUE (or FALSE before)
      Read SRK pub: FALSE
      TPM established: FALSE
      Maintenance done: FALSE
      Disable full DA logic info: FALSE
 # ./nv_definespace -in ffffffff -sz 0
   (NV Locked reads true, but still gives anyone data)

From my current configuration:

# tpm_version
  TPM 1.2 Version Info:
  Chip Version:        1.2.3.19
  Spec Level:          2
  Errata Revision:     2
  TPM Vendor ID:       IFX
  Vendor Specific data: 0313000b 00
  TPM Version:         01010000
  Manufacturer Info:   49465800
We use index 4 and 5, the others seem to have come with the chip.

# tpm_nvinfo
NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)

NVRAM index   : 0x00000005 (5)
PCR read  selection:
 PCRs    : 3, 4, 5, 8, 9, 12, 14
 Localities   : ALL
 Hash    : .........[redacted]...........
PCR write selection:
 Localities   : ALL
Permissions   : 0x00040002 (AUTHREAD|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)

NVRAM index   : 0x1000f000 (268496896)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00020002 (OWNERREAD|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 1704 (0x6a8)

NVRAM index   : 0x00000004 (4)
PCR read  selection:
 PCRs    : 2, 4, 5, 8, 9, 12, 14
 Localities   : ALL
 Hash    : .........[redacted]...........
PCR write selection:
 Localities   : ALL
Permissions   : 0x00040002 (AUTHREAD|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)

NVRAM index   : 0x30000001 (805306369)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00000002 (OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 576 (0x240)

Has anyone else seen where the NV Definitions can seem to be set up
correctly, but the TPM always lets everyone have its secrets?

Todd
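An added example, not part of Todd's post: this Python decodes the permission words that tpm_nvinfo printed above and computes the TPM 1.2 digestAtRelease (SHA-1 over a TPM_PCR_COMPOSITE) for the PCR selection of index 4, which is the value a PCR-bound index has to match at read time. It assumes a 24-PCR TPM 1.2 (sizeOfSelect 3) and uses constructed PCR values, not real ones.

```python
import hashlib
import struct

# TPM 1.2 TPM_NV_ATTRIBUTES permission bits (TPM Main Part 2, TPM_NV_PER_*).
NV_PERMISSIONS = {
    0x80000000: "READ_STCLEAR", 0x00040000: "AUTHREAD", 0x00020000: "OWNERREAD",
    0x00010000: "PPREAD", 0x00008000: "GLOBALLOCK", 0x00004000: "WRITE_STCLEAR",
    0x00002000: "WRITEDEFINE", 0x00001000: "WRITEALL", 0x00000004: "AUTHWRITE",
    0x00000002: "OWNERWRITE", 0x00000001: "PPWRITE",
}


def decode_permissions(perm):
    """Names of the bits set in a TPM_NV_ATTRIBUTES value, highest bit first."""
    return [name for bit, name in sorted(NV_PERMISSIONS.items(), reverse=True) if perm & bit]


def pcr_selection(pcrs, size_of_select=3):
    """Serialize TPM_PCR_SELECTION: UINT16 sizeOfSelect, then a bitmap where
    PCR i is bit (i % 8) of byte (i // 8)."""
    bitmap = bytearray(size_of_select)
    for i in pcrs:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">H", size_of_select) + bytes(bitmap)


def pcr_composite(pcrs, pcr_values, size_of_select=3):
    """Serialize TPM_PCR_COMPOSITE: selection, UINT32 valueSize, then the
    20-byte values of the selected PCRs in ascending index order."""
    selected = [pcr_values[i] for i in sorted(pcrs)]
    return (pcr_selection(pcrs, size_of_select)
            + struct.pack(">I", 20 * len(selected)) + b"".join(selected))


def digest_at_release(pcrs, pcr_values, size_of_select=3):
    """TPM_COMPOSITE_HASH: SHA-1 of the composite. An NV index defined with a
    pcrInfoRead stores this as digestAtRelease and checks it on every read."""
    return hashlib.sha1(pcr_composite(pcrs, pcr_values, size_of_select)).digest()


def check_release(expected_hex, pcrs, pcr_values):
    """True when the hash tpm_nvinfo printed for an index matches the digest of
    the current PCR values; a PCR-bound read should fail when this is False."""
    return digest_at_release(pcrs, pcr_values).hex() == expected_hex.lower()


# Constructed sample PCR state (not real measurements) and the index 4 selection.
INDEX4_PCRS = [2, 4, 5, 8, 9, 12, 14]
SAMPLE_PCRS = {i: bytes([i]) * 20 for i in range(24)}
```

Feed the output of a PCR dump (the 20-byte values of the PCRs in the index's selection) into `check_release` with the hash from tpm_nvinfo to see whether the stored digestAtRelease still corresponds to the booted state.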
------------------------------------------------------------------------------
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users