Oh, for s3, that totally makes sense. I was trying to raise the security bar by setting both password for owner and srk. However, without giving out owner password, the srk password doesn't matter so much. Thanks a lot!

Best wishes,
Ning Qu

On Tue, Oct 16, 2012 at 7:02 PM, Wei, Gang <gang.wei@intel.com> wrote:
Ning Qu wrote on 2012-10-17:
> Already setup TPM trusted boot with Linux Kernel, seems whenever I
> change the tboot binary/parameters or kernel binary/parameters, the boot
> will fail as expected.
> However, I do see some logging information that indicates tboot might use
> seal
> operations, or try to write tpm nv ram, e.g.
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return =
> 00000002^M TBOOT: Error: write TPM error: 0x2.

This indicates that the optional tboot error index was not defined, it is

> TBOOT: TPM: seal data, return value = 00000001^M
> TBOOT: failed to seal data
> TBOOT: creation or verification of S3 measurements failed.

As you can see in the last line, the seal operation is to prepare some secret
for S3(suspend to memory) to protect memory integrity during S3. Tboot needs
SRK auth to do sealing/unsealing, so it requires set the SRK auth to
Well-Know-Value(20byte of 0s), this could be done with tpm tools cmd
"tpm_takeownership -z".

I guess you took ownership w/o -z.

> Why tboot needs to seal something after/for verification? In that case, is
> there
> any other way to pass the TPM password to tboot instead of simply setting it
> as all zero?

The owner password is not needed in tboot, so it is still safe for user to
give owner passwd as what he/she like.