Marcel -

Thanks for the response.

For your questions:   We're not using TrouSerS or any TSS stack for our tests - we're directly executing TPM commands using a version of TPM/J that we've instrumented with some timing routines.  We've checked this against several other ways of doing the timing, and it seems very accurate.  We've got a paper mostly written that describes all this - I can send you a copy if you're interested.  It's a good point about the Infineon driver - I'll see if I can run our tests with that driver and see what the difference is.  Most of the things we're interested in are pretty costly TPM operations (sign, unseal, etc) which take roughly 300-700 ms on the various TPMs, so I doubt the driver makes much difference.

The chip is indeed soldered on the motherboard.  I'm not really familiar with what ACPI tables are supposed to look like, but it looks like there are two devices that claim the TPM address space (base address 0xFED40000).  One is obviously the ST Microelectronics TPM - it starts like this:
        Device (TPM)
        {
            Name (_HID, EisaId ("SMO1200"))
            Name (_CID, EisaId ("PNP0C31"))

I'm not sure what the other is...  It starts like this:

        Device (TCM)
        {
            Name (_HID, EisaId ("ZIC0101"))

Could this be an entry for the iTPM?  That might suggest that there's some way to enable it...

Final question:  When you refer to the Lenovo T500, that's a standard Lenovo T500 laptop?  I don't mind buying another machine if I'm certain I can directly use the iTPM, but none of the specs that I could find for the T500 say what the chipset is (or say much of anything for that matter).

--

Steve


On Fri, Jan 29, 2010 at 2:56 AM, Marcel Selhorst <m.selhorst@sirrix.com> wrote:
Good morning Steve,

> As part of my research I have a collection of machines with TPMs from
> different manufacturers - I create "performance profiles" so I can
> estimate the performance of different TPM-using protocols on
> different platforms.

this sounds interesting. May I ask, which commands / protocols you
are testing and which software you use for it? TrouSerS et.al.?
In case you are testing the Infineon TPM, I noticed that the tpm_infineon
device driver is a bit faster (about 30%) than the tpm_tis driver.
This is because it uses a different (legacy) communication mechanism
instead of shared memory and is not so bound to timing constraints.

> One thing I've been missing is the Intel iTPM - the TPM embedded in a
> few Intel chipsets.  In particular, Intel documentation says it's in
> the ICH10DO chip, so when I noticed that the Dell Optiplex 960 used
> this chipset I thought I'd add to my collection.  So the machine gets

I have a Lenovo T500 in my office, which is equipped with the ICH-10
chipset providing an iTPM. After patching the TPM drivers, the chip
works fine.

> in and I run my tests and it shows up as an ST Microelectronics TPM.
> Hmmm... that's strange.  But I did notice in the Intel documentation
> that it said that even with the ICH10DO you could still hook an
> external TPM up via the LPC bus.  I open up the box, and examine the
> motherboard - and there it is, an ST Microelectronics TPM, plain as
> day.

Is the chip soldered to the board or plugged with a 20-Pin testboard?

> So now what?  Is there a way to disable this external TPM?  Am I just
> screwed and have bought a system that I can't access the one little
> part that I bought it for?  Does anyone know?

To be honest, I think you're screwed. Even if you remove the chip from the
LPC bus, still the iTPM has to be enabled in the chipset and the BIOS needs
to map the according shared memory region 0xfed40000 used for communication
with the TPM to the iTPM's memory. The first thing I'd do is to disassemble
the DSDT table and check whether the iTPM is even mentioned there:

# cp /proc/acpi/dsdt .
# iasl -d dsdt
# -> check dsdt.dsl for TPM devices.

Best regards,
Marcel Selhorst
--
Sirrix AG security technologies -- http://www.sirrix.com
Dipl.-Ing. Marcel Selhorst  eMail: m.selhorst@sirrix.com
Tel: +49 (234) 610071-126   Fax: +49 (234) 610071-526
Tel: +49 (681)  95986-126   Fax: +49 (681)  95986-526
Get my public key from keyserver, KeyId: 0x7C9821CC
Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC

Vorstand: Ammar Alkassar (Vors.), Christian Stueble
Vorsitzender des Aufsichtsrates: Prof. Dr. Kai Rannenberg
Sitz der Gesellschaft: Homburg/Saar, HRB 3857 Amtsgericht Saarbruecken

This message may contain confidential and/or privileged information.
If you are not the addressee, you must not use, copy, disclose or
take any action based on this message or any information herein.
If you have received this message in error, please advise the sender
immediately by reply e-mail and delete this message.