From: Hal F. <hal...@gm...> - 2008-01-02 22:37:09
I tried launching tboot on my HP dc7800 vPro machine which uses an Infineon TPM. It largely worked except that it got timeout errors talking to the TPM. I did quite a bit of experimenting and found that this TPM behaves a little differently than the code expects.

First, in tpm_wait_cmd_ready() the code expects the sts_valid bit in the STS register to come on. However, this never happens. Apparently Infineon feels that turning on the command_ready bit is enough of a clue that the chip is ready to receive a command. After the first write of data to the FIFO register, the sts_valid and expect bits do come on as expected to indicate that the chip can accept more bytes, but the code doesn't care at that point. I fixed this by patching the code to ignore the failure of the sts_valid bit to appear, and just proceed on.

Then, I got timeouts in tpm_write_cmd_fifo(), "wait for data available timeout". This timeout happens after sending the command to the chip and waiting for the response to appear. I notice that the timeout counter, TPM_DATA_AVAIL_TIME_OUT, is only 0x100 which might be a little low. I increased it to 0x10000 and that fixed it. I didn't take much time to try different values. Some commands like unseal or key load can take a long time with some TPMs, like hundreds of milliseconds; and of course keygen can take a minute or more. So this timer either needs to be a lot bigger in general, or else the code needs to be smart about how long various commands are expected to take.

So with these two changes the tboot code appeared to work OK. I don't actually have Xen installed so it dies at the end as expected, but it does manage to launch the measured environment, talk to the TPM, print out and extend the various PCRs, and even seal some data successfully. It's nice to know that my TXT hardware is in working order!

Hal Finney
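The two polling behaviours described in the message above, modelled in C as an added example (not tboot's code and not part of the original post). The register is a constructed in-memory stand-in, the status bit values are those of the TCG TIS 1.2 specification, and the command classes and poll budgets are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* TIS 1.2 status register bits (TCG PC Client TIS specification). */
#define STS_VALID         0x80u
#define STS_COMMAND_READY 0x40u
#define STS_DATA_AVAIL    0x10u
#define STS_EXPECT        0x08u

/* Constructed stand-in for the memory-mapped STS register: reports
 * `busy` for the first `ready_after` reads, then `ready`. */
struct fake_sts { uint32_t reads, ready_after; uint8_t busy, ready; };

static uint8_t read_sts(struct fake_sts *r)
{
    return (r->reads++ < r->ready_after) ? r->busy : r->ready;
}

/* Poll until every bit in `need` is set, or `budget` reads are spent. */
static bool poll_sts(struct fake_sts *r, uint8_t need, uint32_t budget)
{
    while (budget--) {
        if ((read_sts(r) & need) == need)
            return true;
    }
    return false;
}

/* Hypothetical command classes; budgets are illustrative poll counts. */
enum cmd_class { CMD_SHORT, CMD_MEDIUM, CMD_LONG };

static uint32_t budget_for(enum cmd_class c)
{
    switch (c) {
    case CMD_SHORT:  return 0x100;      /* assumed quick commands */
    case CMD_MEDIUM: return 0x10000;    /* e.g. unseal, key load */
    default:         return 0x1000000;  /* e.g. key generation */
    }
}

/* Wait for command-ready. `strict` also demands sts_valid. */
bool wait_cmd_ready(struct fake_sts *r, bool strict)
{
    uint8_t need = STS_COMMAND_READY | (strict ? STS_VALID : 0);
    return poll_sts(r, need, 0x100);
}

/* Wait for the response with a budget chosen per command class. */
bool wait_data_avail(struct fake_sts *r, enum cmd_class c)
{
    return poll_sts(r, STS_VALID | STS_DATA_AVAIL, budget_for(c));
}
```

A real driver would bound these waits by elapsed time rather than by read count, since a fixed count spans a different duration on every platform.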