What IFX model is this? We use several models in Chromebooks and haven't run into this problem.
One thing that's slightly suspicious is that the physical presence lifetime lock is still set to FALSE. Normally it should get set to TRUE in some factory flow, depending on whether you use the PP pin, or (optionally) enable PP in the firmware. I wonder if there are other uninitialized lifetime flags.

On Thu, Sep 10, 2015 at 5:44 PM, Todd Griggins <[email protected]> wrote:
> At our company, we use TPMs to protect some data in an automated fashion.
> For us we don't want user entry, just need to maintain chain of trust
> through the OS booting. We've used mostly Dells, and on all of them
> everything has worked without a hitch; however, now we needed to use a
> GIGABYTE motherboard with a plug-in TPM.
>
> The general idea is on install, we take ownership, create some data in the
> NVRAM and reboot. On reboot, the PCRs are in the state we want them
> (mostly), thus we read the data out of the NVRAM, delete the entries, define
> new ones, keyed to PCRs, and write the data back.
>
> On reboot, the data is safely locked away; should someone boot into
> another OS, the TPM shouldn't give them the data. On the Dells, if
> anything changes, the TPM won't give anyone data; on these IFX parts, no matter
> how much I mess with the PCRs, it just gives the data to anyone. In fact,
> nothing I do seems to secure the NVRAM at all! What's more is I bought
> another TPM module. The TPMs have the same lettering on them (same lot?)
>
> I found elsewhere someone recommending to someone to look at nvLocked; for
> them it was false (using the IBM tools). When they set it to true,
> everything was fine. No such luck for me. It then says NV Locked: True,
> however the data remains readable.
>
> # ./tpminit
> # ./tpmbios
> # ./getcapability -cap 4 -scap 108
> Disabled: FALSE
> Ownership: TRUE
> Deactivated: FALSE
> Read Pubek: TRUE
> Disable Owner Clear: FALSE
> Allow Maintenance: TRUE
> Physical Presence Lifetime Lock: FALSE
> Physical Presence HW Enable: FALSE
> Physical Presence CMD Enable: TRUE
> CEKPUsed: FALSE
> TPMpost: FALSE
> TPMpost Lock: FALSE
> FIPS: FALSE
> Operator: FALSE
> Enable Revoke EK: TRUE
> NV Locked: TRUE (or FALSE before)
> Read SRK pub: FALSE
> TPM established: FALSE
> Maintenance done: FALSE
> Disable full DA logic info: FALSE
> # ./nv_definespace -in ffffffff -sz 0
> (NV Locked reads true, but still gives anyone data)
>
> From my current configuration:
>
> # tpm_version
> TPM 1.2 Version Info:
>  Chip Version: 1.2.3.19
>  Spec Level: 2
>  Errata Revision: 2
>  TPM Vendor ID: IFX
>  Vendor Specific data: 0313000b 00
>  TPM Version: 01010000
>  Manufacturer Info: 49465800
>
> We use index 4 and 5; the others seem to have come with the chip.
>
> # tpm_nvinfo
> NVRAM index : 0x10000001 (268435457)
> PCR read selection:
>  Localities : ALL
> PCR write selection:
>  Localities : ALL
> Permissions : 0x00001002 (WRITEALL|OWNERWRITE)
> bReadSTClear : FALSE
> bWriteSTClear : FALSE
> bWriteDefine : FALSE
> Size : 20 (0x14)
>
> NVRAM index : 0x00000005 (5)
> PCR read selection:
>  PCRs : 3, 4, 5, 8, 9, 12, 14
>  Localities : ALL
>  Hash : .........[redacted]...........
> PCR write selection:
>  Localities : ALL
> Permissions : 0x00040002 (AUTHREAD|OWNERWRITE)
> bReadSTClear : FALSE
> bWriteSTClear : FALSE
> bWriteDefine : FALSE
> Size : 20 (0x14)
>
> NVRAM index : 0x1000f000 (268496896)
> PCR read selection:
>  Localities : ALL
> PCR write selection:
>  Localities : ALL
> Permissions : 0x00020002 (OWNERREAD|OWNERWRITE)
> bReadSTClear : FALSE
> bWriteSTClear : FALSE
> bWriteDefine : FALSE
> Size : 1704 (0x6a8)
>
> NVRAM index : 0x00000004 (4)
> PCR read selection:
>  PCRs : 2, 4, 5, 8, 9, 12, 14
>  Localities : ALL
>  Hash : .........[redacted]...........
> PCR write selection:
>  Localities : ALL
> Permissions : 0x00040002 (AUTHREAD|OWNERWRITE)
> bReadSTClear : FALSE
> bWriteSTClear : FALSE
> bWriteDefine : FALSE
> Size : 20 (0x14)
>
> NVRAM index : 0x30000001 (805306369)
> PCR read selection:
>  Localities : ALL
> PCR write selection:
>  Localities : ALL
> Permissions : 0x00000002 (OWNERWRITE)
> bReadSTClear : FALSE
> bWriteSTClear : FALSE
> bWriteDefine : FALSE
> Size : 576 (0x240)
>
> Has anyone else seen where the NV definitions can seem to be set up
> correctly, but the TPM always lets everyone have its secrets?
>
> Todd
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
>
------------------------------------------------------------------------------
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
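The thread turns on two things a practitioner would want to check before suspecting the chip: what the Permissions word printed by tpm_nvinfo actually grants on the read side, and whether the PCR composite digest stored with the index still matches the PCRs of the boot you are in. Below is an added Python audit for both; it is not code from the poster, from TrouSerS or from tpm-tools. The TPM_NV_PER_* bit values and the TPM_PCR_COMPOSITE layout (TPM_PCR_SELECTION, a uint32 valueSize, then the selected PCR values in index order, all hashed with SHA-1) are from the TPM 1.2 Main Specification Part 2. The tpm_nvinfo text, the PCR values, and the "later boot" in which PCR 2 was extended differently are constructed for the example; the nv_locked parameter models the nvLocked flag from getcapability, which when FALSE makes the TPM skip NV authorization entirely (the reason the poster was pointed at nv_definespace on index 0xffffffff).

```python
"""Audit TPM 1.2 NV index read protection from tpm_nvinfo output.
Added example for this thread, not code from the poster, TrouSerS or tpm-tools.
Bit values follow TPM_NV_ATTRIBUTES and the digest follows TPM_PCR_COMPOSITE
(TPM 1.2 Main Spec, Part 2). Every input below is constructed for the example."""
import hashlib
import re
import struct

TPM_NV_PERMS = {  # TPM_NV_PER_* attribute bits
    "READ_STCLEAR": 0x80000000, "AUTHREAD": 0x00040000, "OWNERREAD": 0x00020000,
    "PPREAD": 0x00010000, "GLOBALLOCK": 0x00008000, "WRITE_STCLEAR": 0x00004000,
    "WRITEDEFINE": 0x00002000, "WRITEALL": 0x00001000, "AUTHWRITE": 0x00000004,
    "OWNERWRITE": 0x00000002, "PPWRITE": 0x00000001,
}
READ_AUTH = TPM_NV_PERMS["AUTHREAD"] | TPM_NV_PERMS["OWNERREAD"] | TPM_NV_PERMS["PPREAD"]

def decode_permissions(perm):
    """Names of the attribute bits set in a tpm_nvinfo Permissions word."""
    return [name for name, bit in TPM_NV_PERMS.items() if perm & bit]

def pcr_selection(pcrs, size_of_select=3):
    """TPM_PCR_SELECTION: uint16 sizeOfSelect, then a bitmap with PCR i at byte i//8, bit i%8."""
    bitmap = bytearray(size_of_select)
    for i in pcrs:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">H", size_of_select) + bytes(bitmap)

def composite_hash(pcrs, pcr_values):
    """SHA-1 of TPM_PCR_COMPOSITE: selection || uint32 valueSize || PCR values in index order."""
    values = b"".join(pcr_values[i] for i in sorted(pcrs))
    return hashlib.sha1(pcr_selection(pcrs) + struct.pack(">I", len(values)) + values).digest()

def parse_sysfs_pcrs(text):
    """Parse /sys/class/tpm/tpm0 'pcrs' style lines such as 'PCR-04: 3C 9B ...'."""
    return {int(m.group(1)): bytes.fromhex("".join(m.group(2).split()))
            for m in re.finditer(r"PCR-(\d+):\s*((?:[0-9A-Fa-f]{2}\s*)+)", text)}

def parse_nvinfo(text):
    """Pull index, read-side PCR selection plus digest, and permissions from tpm_nvinfo output."""
    entries, cur, section = [], None, None
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "NVRAM index":
            cur = {"index": int(val.split()[0], 16), "read_pcrs": [], "read_hash": None, "perm": 0}
            entries.append(cur)
            section = None
        elif cur is None:
            continue
        elif key in ("PCR read selection", "PCR write selection"):
            section = key.split()[1]
        elif key == "PCRs" and section == "read":
            cur["read_pcrs"] = [int(x) for x in val.split(",")]
        elif key == "Hash" and section == "read":
            cur["read_hash"] = bytes.fromhex(val)
        elif key == "Permissions":
            cur["perm"] = int(val.split()[0], 16)
    return entries

def audit_index(entry, current_pcrs, nv_locked=True):
    """Decide whether an index's data is readable in the current PCR state."""
    bound = bool(entry["read_pcrs"])
    match = (composite_hash(entry["read_pcrs"], current_pcrs) == entry["read_hash"]) if bound else None
    needs_auth = bool(entry["perm"] & READ_AUTH)
    return {
        "permissions": decode_permissions(entry["perm"]),
        # nvLocked FALSE: the TPM skips all NV authorization checks (TPM_PERMANENT_FLAGS)
        "world_readable": (not nv_locked) or (not needs_auth and not bound),
        "pcr_bound": bound,
        "pcr_match": match,
    }

# Constructed PCRs at define time, and a later boot in which PCR 2 was extended differently.
DEFINE_TIME_PCRS = {i: hashlib.sha1(b"constructed PCR %d" % i).digest() for i in range(24)}
LATER_BOOT_PCRS = dict(DEFINE_TIME_PCRS)
LATER_BOOT_PCRS[2] = hashlib.sha1(DEFINE_TIME_PCRS[2] + hashlib.sha1(b"other loader").digest()).digest()
LATER_BOOT_SYSFS = "\n".join("PCR-%02d: %s" % (i, " ".join("%02X" % b for b in v))
                             for i, v in LATER_BOOT_PCRS.items())

# Constructed tpm_nvinfo output in the thread's layout: index 4 binds PCR 2, index 5 binds PCR 3.
SAMPLE_NVINFO = """\
NVRAM index : 0x10000001 (268435457)
PCR read selection:
 Localities : ALL
Permissions : 0x00001002 (WRITEALL|OWNERWRITE)

NVRAM index : 0x00000005 (5)
PCR read selection:
 PCRs : 3, 4, 5, 8, 9, 12, 14
 Hash : %s
Permissions : 0x00040002 (AUTHREAD|OWNERWRITE)

NVRAM index : 0x00000004 (4)
PCR read selection:
 PCRs : 2, 4, 5, 8, 9, 12, 14
 Hash : %s
Permissions : 0x00040002 (AUTHREAD|OWNERWRITE)
""" % (composite_hash([3, 4, 5, 8, 9, 12, 14], DEFINE_TIME_PCRS).hex(),
       composite_hash([2, 4, 5, 8, 9, 12, 14], DEFINE_TIME_PCRS).hex())

def run_audit(nvinfo_text=SAMPLE_NVINFO, pcrs_text=LATER_BOOT_SYSFS, nv_locked=True):
    """Audit every index in tpm_nvinfo output against a PCR dump; result keyed by index."""
    pcrs = parse_sysfs_pcrs(pcrs_text)
    return {e["index"]: audit_index(e, pcrs, nv_locked) for e in parse_nvinfo(nvinfo_text)}
```

On the constructed data, index 0x10000001 (no AUTHREAD/OWNERREAD/PPREAD and no read PCR selection) comes out world-readable, index 5 stays PCR-bound with a composite that matches the later boot because PCR 3 was untouched, and index 4 no longer matches because PCR 2 changed. Against a live machine, feed run_audit the output of tpm_nvinfo and the pcrs file under /sys/class/tpm/tpm0 (its exact path varies by kernel), and pass nv_locked from the NV Locked line of getcapability as in the thread. The parser keys on field names, so the indentation tpm_nvinfo uses for sub-fields does not matter. If the audit says an index is not world-readable in the current state but tpm_nvread still returns its contents without the auth value, the chip is not enforcing the attributes it reports, which is the situation the poster describes and is worth raising with the vendor with this evidence attached.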
