Thanks for your reply and help!

Now I'm getting

$ parse_err
ERRORCODE: 0xc0001c41
AC module error : acm_type=0x1, progress=0x04, error=0x7

I have turned on TXT, fixed the presence issue, set up owner, with LCP, 0x2000001 with verified boot policy, and defined 0x20000002.

I then *removed* all of those indexes so 'tpm_nvinfo' is identical to what I quoted above, and I still get the same error code.

According to the 3rd_gen_i5_i7-SINIT_67 documentation (which is not correct for this system - I'm using Haswell on an Intel S1200V3RPS), class 4 = TPM and error=7 is "Invalid TPM NV index".

Maybe the Haswell SINIT error codes are completely different, or maybe there is an NV index that is wrong. Do you know where I can find documentation on ERRORCODE for Haswell?

The system won't boot using tboot now.  It will always reboot on GETSEC[SENTER].

Alexander
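As an added example (not code from this thread or from the tboot project), here is a small C decoder for the TXT.ERRORCODE register using the field layout that tboot's parse_err and txt-stat report, applied to the 0xc0001c41 value above. It only splits out the raw field values: what a given progress/error pair means is defined by the SINIT module's own documentation, which is the point the message above raises.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of TXT.ERRORCODE as tboot's parse_err / txt-stat report them:
 * bit 31 = valid, bit 30 = external (1: reported by software such as the
 * SINIT ACM, 0: processor-generated). For ACM-reported errors the low bits
 * hold acm_type (3:0), progress (9:4), error (14:10), acm_major (23:16),
 * acm_minor (29:24). */
typedef struct {
    unsigned valid, external, acm_type, progress, error, acm_major, acm_minor;
    uint32_t proc_type;   /* low 30 bits, meaningful when external == 0 */
} txt_err_t;

static txt_err_t decode_errorcode(uint32_t raw)
{
    txt_err_t e;
    e.valid     = (raw >> 31) & 0x1;
    e.external  = (raw >> 30) & 0x1;
    e.proc_type = raw & 0x3fffffff;
    e.acm_type  = raw & 0xf;
    e.progress  = (raw >> 4) & 0x3f;
    e.error     = (raw >> 10) & 0x1f;
    e.acm_major = (raw >> 16) & 0xff;
    e.acm_minor = (raw >> 24) & 0x3f;
    return e;
}

/* Render the one-line summary parse_err prints for the register. */
static void format_errorcode(uint32_t raw, char *buf, size_t len)
{
    txt_err_t e = decode_errorcode(raw);
    if (!e.valid)
        snprintf(buf, len, "ERRORCODE: 0x%08x (no error recorded)", (unsigned)raw);
    else if (!e.external)
        snprintf(buf, len, "processor error 0x%x", (unsigned)e.proc_type);
    else
        snprintf(buf, len, "AC module error : acm_type=0x%x, progress=0x%02x, "
                 "error=0x%x", e.acm_type, e.progress, e.error);
}

int main(void)
{
    /* Value from the post above: SINIT (acm_type 1) stopped at progress 0x04
     * with error 7; what those mean is defined by each SINIT module's docs. */
    char line[96];
    format_errorcode(0xc0001c41u, line, sizeof line);
    puts(line);
    return 0;
}
```

The txt-stat output further down in the thread shows ERRORCODE 0x00000000, which the decoder reports as no error recorded (valid bit clear).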



On Tue, Aug 27, 2013 at 10:07 AM, Wei, Gang <gang.wei@intel.com> wrote:

Yes, your tpm nvram was already locked. No way to unlock it. But it is just fine.

 

To define the LCP policy "owner" index, you should install tpm-tools and execute "tpm_takeownership -z" first, followed by "tpmnv_defindex -i owner -p <OWNERPWD>".

BTW, your booting with tboot failed because you didn't enable TXT in the BIOS, which is indicated by:

TBOOT: ERR: SENTER disabled by feature control MSR (5)
TBOOT: SMX not supported.

Jimmy

 

From: Alexander Kjeldaas [mailto:alexander.kjeldaas@gmail.com]
Sent: Friday, August 23, 2013 11:41 PM
To: tboot-devel@lists.sourceforge.net
Subject: [tboot-devel] tpmnv_defindex establish physical presence

 

I'm having the following issue on an Intel server board (Haswell): S1200V3RPS

tboot seems to indicate that nvram is locked.

Is my nvram locked? How is it unlocked? How do I establish physical presence? There is nothing in the BIOS except TPM ON/OFF.

$ tpmnv_defindex -i owner
Haven't input permission value, use default value 0x2
Haven't input data size, use default value 54
Tspi_NV_DefineSpace failed failed: Bad physical presence value (0x082d)

$ tpm_nvinfo
NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)

NVRAM index   : 0x1000f000 (268496896)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00020002 (OWNERREAD|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 1129 (0x469)

NVRAM index   : 0x50000003 (1342177283)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : 0x18
Permissions   : 0x00000000 ()
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 96 (0x60)

NVRAM index   : 0x50000001 (1342177281)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00002000 (WRITEDEFINE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : TRUE
Size          : 54 (0x36)


$ txt-stat
Intel(r) TXT Configuration Registers:
        STS: 0x00000002
            senter_done: FALSE
            sexit_done: TRUE
            mem_config_lock: FALSE
            private_open: FALSE
            locality_1_open: FALSE
            locality_2_open: FALSE
        ESTS: 0x00
            txt_reset: FALSE
        E2STS: 0x0000000000000004
            secrets: FALSE
        ERRORCODE: 0x00000000
        DIDVID: 0x00000001b0028086
            vendor_id: 0x8086
            device_id: 0xb002
            revision_id: 0x1
        FSBIF: 0xffffffffffffffff
        QPIIF: 0x000000009d003000
        SINIT.BASE: 0x00000000
        SINIT.SIZE: 0B (0x0)
        HEAP.BASE: 0x00000000
        HEAP.SIZE: 0B (0x0)
        DPR: 0x0000000000000000
            lock: FALSE
            top: 0x00000000
            size: 0MB (0B)
        PUBLIC.KEY:
            ...

***********************************************************
         TXT measured launch: FALSE
         secrets flag set: FALSE
***********************************************************
TBOOT log:
         max_size=7fe8
         curr_pos=abd
         buf:
TBOOT: ******************* TBOOT *******************
TBOOT:    2013-07-05 12:00 +0800 1.7.4
TBOOT: *********************************************
TBOOT: command line: logging=serial,vga,memory
TBOOT: BSP is cpu 0
TBOOT: original e820 map:
TBOOT:  0000000000000000 - 000000000009bc00  (1)
TBOOT:  000000000009bc00 - 00000000000a0000  (2)
TBOOT:  00000000000e0000 - 0000000000100000  (2)
TBOOT:  0000000000100000 - 000000009e828000  (1)
TBOOT:  000000009e828000 - 00000000ae8a9000  (4)
TBOOT:  00000000ae8a9000 - 00000000b21c8000  (1)
TBOOT:  00000000b21c8000 - 00000000b4d2f000  (2)
TBOOT:  00000000b4d2f000 - 00000000b4f2f000  (4)
TBOOT:  00000000b4f2f000 - 00000000b4ff0000  (3)
TBOOT:  00000000b4ff0000 - 00000000b5000000  (1)
TBOOT:  00000000b5000000 - 00000000c0000000  (2)
TBOOT:  00000000f8000000 - 00000000fc000000  (2)
TBOOT:  00000000fec00000 - 00000000fec01000  (2)
TBOOT:  00000000fed19000 - 00000000fed1a000  (2)
TBOOT:  00000000fed1c000 - 00000000fed20000  (2)
TBOOT:  00000000fee00000 - 00000000fee01000  (2)
TBOOT:  00000000ff400000 - 0000000100000000  (2)
TBOOT:  0000000100000000 - 0000000440000000  (1)
TBOOT: TPM is ready
TBOOT: TPM nv_locked: TRUE
TBOOT: TPM timeout values: A: 750, B: 750, C: 750, D: 750
TBOOT: Wrong timeout B, fallback to 2000
TBOOT: reading Verified Launch Policy from TPM NV...
TBOOT: TPM: get capability, return value = 00000002
TBOOT: TPM: fail to get public data of 0x20000001 in TPM NV
TBOOT:  :reading failed
TBOOT: reading Launch Control Policy from TPM NV...
TBOOT: TPM: get capability, return value = 00000002
TBOOT: TPM: fail to get public data of 0x40000001 in TPM NV
TBOOT:  :reading failed
TBOOT: failed to read policy from TPM NV, using default
TBOOT: policy:
TBOOT:   version: 2
TBOOT:   policy_type: TB_POLTYPE_CONT_NON_FATAL
TBOOT:   hash_alg: TB_HALG_SHA1
TBOOT:   policy_control: 00000001 (EXTEND_PCR17)
TBOOT:   num_entries: 2
TBOOT:   policy entry[0]:
TBOOT:           mod_num: 0
TBOOT:           pcr: none
TBOOT:           hash_type: TB_HTYPE_ANY
TBOOT:           num_hashes: 0
TBOOT:   policy entry[1]:
TBOOT:           mod_num: any
TBOOT:           pcr: 19
TBOOT:           hash_type: TB_HTYPE_ANY
TBOOT:           num_hashes: 0
TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return = 00000002
TBOOT: Error: write TPM error: 0x2.
TBOOT: no policy in TPM NV.
TBOOT: IA32_FEATURE_CONTROL_MSR: 00000005
TBOOT: CPU is SMX-capable
TBOOT: ERR: SENTER disabled by feature control MSR (5)
TBOOT: SMX not supported.
TBOOT: no LCP module found
TBOOT: Error: ELF magic number is not matched.
TBOOT: assuming kernel is Linux format
TBOOT: Initrd from 0x7f06d000 to 0x7ffff800
TBOOT: Kernel (protected mode) from 0x1000000 to 0x1316860
TBOOT: Kernel (real mode) from 0x90000 to 0x94200
TBOOT: transfering control to kernel @0x1000000...

Alexander