Oh, for S3, that totally makes sense. I was trying to raise the security bar by setting both passwords, for the owner and the SRK. However, without giving out the owner password, the SRK password doesn't matter so much. Thanks a lot!

Ning Qu wrote on 2012-10-17:
> Already set up TPM trusted boot with Linux Kernel, seems whenever I
> change the tboot binary/parameters or kernel binary/parameters, the boot
> will fail as expected.
> However, I do see some logging information that indicates tboot might use
> operations, or try to write tpm nv ram, e.g.
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002^M TBOOT: Error: write TPM error: 0x2.

This indicates that the optional tboot error index was not defined, it is

> TBOOT: TPM: seal data, return value = 00000001^M
> TBOOT: failed to seal data
> TBOOT: creation or verification of S3 measurements failed.
> Why does tboot need to seal something after/for verification? In that case, is
> there any other way to pass the TPM password to tboot instead of simply setting it
> as all zero?

As you can see in the last line, the seal operation is to prepare some secret for S3 (suspend to memory) to protect memory integrity during S3. Tboot needs SRK auth to do sealing/unsealing, so it requires setting the SRK auth to the Well-Known Value (20 bytes of 0s); this could be done with the tpm tools cmd
I guess you took ownership w/o -z.
The owner password is not needed in tboot, so it is still safe for the user to give the owner passwd as whatever he/she likes.
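The two failing TPM operations in the quoted log can be triaged mechanically. The following Python is an added example, not part of this thread or of tboot itself: it parses the quoted TBOOT lines, maps the TPM 1.2 return codes to their names from the TPM 1.2 specification, and flags the SRK-auth case the reply describes. The sample log is constructed from the lines quoted above.

```python
import re

# TPM 1.2 return codes that appear in the tboot output quoted in this thread
# (names as in the TPM 1.2 main specification).
TPM_RC = {
    0x0: ("TPM_SUCCESS", "command succeeded"),
    0x1: ("TPM_AUTHFAIL", "authorization failed; for 'seal data' this means the SRK auth "
                          "is not the well-known value (ownership was taken without -z)"),
    0x2: ("TPM_BADINDEX", "NV index not defined; for 'write nv' 20000002 this is the "
                          "optional tboot error index"),
}

# Matches the two kinds of lines quoted in the thread, e.g.
#   TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
#   TBOOT: TPM: seal data, return value = 00000001
LINE_RE = re.compile(r"TBOOT: TPM: (?P<op>write nv|seal data)(?: (?P<idx>[0-9a-fA-F]{8}))?"
                     r".*?return(?: value)? = (?P<rc>[0-9a-fA-F]+)")


def parse_tboot_tpm_log(text):
    """Return one dict per TPM operation found: op, nv_index, rc, rc_name, meaning."""
    text = text.replace("^M", "\n")             # ^M is a literal CR left in captured console output
    text = re.sub(r"=\s*\n\s*", "= ", text)     # re-join 'return =' / value pairs split by mail wrapping
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rc = int(m.group("rc"), 16)
        name, meaning = TPM_RC.get(rc, ("TPM_RC_0x%X" % rc, "see the TPM 1.2 return code table"))
        events.append({"op": m.group("op"), "rc": rc, "rc_name": name, "meaning": meaning,
                       "nv_index": int(m.group("idx"), 16) if m.group("idx") else None})
    return events


def srk_auth_problem(events):
    """True when sealing failed with TPM_AUTHFAIL: the S3 seal cannot succeed
    until the SRK auth is set to the well-known value."""
    return any(e["op"] == "seal data" and e["rc"] == 0x1 for e in events)


# Constructed sample: the lines quoted in the thread, wrapped as the mail client wrapped them.
SAMPLE_LOG = """\
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return =
00000002^M TBOOT: Error: write TPM error: 0x2.
TBOOT: TPM: seal data, return value = 00000001^M
TBOOT: failed to seal data
TBOOT: creation or verification of S3 measurements failed.
"""
```

Running `parse_tboot_tpm_log(SAMPLE_LOG)` yields TPM_BADINDEX for the NV write and TPM_AUTHFAIL for the seal, and `srk_auth_problem` returns True for that log.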