Menu
▾
▴
Re: [tboot-devel] Infineon TPM problems and fixes
|
From: Wei, G. <gan...@in...> - 2008-01-08 02:13:45
|
Hal Finney <> scribbled on 2008-01-03 06:37 AM: > I tried launching tboot on my HP dc7800 vPro machine which uses an > Infineon TPM. It largely worked except that it got timeout errors > talking to the TPM. I did quite a bit of experimenting and found that > this TPM behaves a little differently than the code expects. Hal, thank you very much for your experimenting to figure out & resolve TPM related issues in current TBOOT code. >=20 > First, in tpm_wait_cmd_ready() the code expects the sts_valid bit in > the STS register to come on. However, this never happens. Apparently > Infineon feels that turning on the command_ready bit is enough of a > clue that the chip is ready to receive a command. After the first > write of data to the FIFO register, the sts_valid and expect bits do > come on as expected to indicate that the chip can accept more bytes, > but the code doesn't care at that point. I fixed this by patching the > code to ignore the failure of the sts_valid bit to appear, and just > proceed on. Seem like the Infineon TPM does not fully conform to TCG TPM SPEC, and your fix is acceptable. >=20 > Then, I got timeouts in tpm_write_cmd_fifo(), "wait for data > available timeout". This timeout happens after sending the command to > the chip and waiting for the response to appear. I notice that the > timeout counter, TPM_DATA_AVAIL_TIME_OUT, is only 0x100 which might be > a little low. I increased it to 0x10000 and that fixed it. I didn't > take much time to try different values. Some commands like unseal or > key load can take a long time with some TPMs, like hundreds of > milliseconds; and of course keygen can take a minute or more. So this > timer either needs to be a lot bigger in general, or else the code > needs to be smart about how long various commands are expected to > take. Increasing TPM_DATA_AVAIL_TIME_OUT from 0x100 to 0x10000 can be a workaround so far. We may need a better timing mechanism in TBOOT for timeout. >=20 > So with these two changes the tboot code appeared to work OK. I don't > actually have Xen installed so it dies at the end as expected, but it > does manage to launch the measured environment, talk to the TPM, print > out and extend the various PCRs, and even seal some data successfully. > It's nice to know that my TXT hardware is in working order! Your are lucky. And could you send out your patch for fixing Infineon issue and give us a chance to record your contribution to TBOOT project? >=20 > Hal Finney >=20 Jimmy |
