Menu
▾
▴
Re: [tboot-devel] Infineon TPM problems and fixes
|
From: David D. <tro...@gm...> - 2008-01-14 20:32:13
|
It fails without setting any policy. That's what I meant when I said the
default policy. I used that phrase since tboot uses that phrase when it
can't find the policy index in the tpm.
David
On Jan 14, 2008 1:23 PM, Cihula, Joseph <jos...@in...> wrote:
> David,
>
> Do you also get a failure if you don't set any policy (e.g. delete the one
> you have now)? And when you say that it "also does this with the default
> policy", which policy (index) is this and what are its contents (you can
> get that from lcp_readpol)?
>
> Joe
>
> ------------------------------
> *From:* David Dorsey [mailto:tro...@gm...]
> *Sent:* Monday, January 14, 2008 9:03 AM
> *To:* Cihula, Joseph
> *Cc:* Wei, Gang; Hal Finney; tbo...@li...
> *Subject:* Re: [tboot-devel] Infineon TPM problems and fixes
>
> I'm not sure if this is a related issue or not, but I have a HP dc7800 as
> well and I'm trying to get tboot to work. I successfully created the policy
> set by following the instructions in the docs folder. However, when tboot
> calls SENTER, the machine just reboots. The BIOS hangs so I can't read the
> error code. It also does this with the default policy. Any ideas to what
> the problem is or if there any BIOS settings I missed?
>
> I've included the console log.
>
> Thanks,
>
> David
>
>
> TBOOT: ***************************************
> TBOOT: begin launch()
> TBOOT: TPM is ready
> TBOOT: TPM: Access reg content: 0x81
> TBOOT: TPM: wait for cmd ready .
> TBOOT: TPM: get capability, return value = 00000000
> TBOOT: TPM: get nvindex size, return value = 00000000
> TBOOT: TPM: Access reg content: 0x81
> TBOOT: TPM: wait for cmd ready .
> TBOOT: TPM: read nv index 20000001 from offset 00000000, return value =
> 00000000
> TBOOT: TPM: Access reg content: 0x81
> TBOOT: TPM: wait for cmd ready .
> TBOOT: TPM: read nv index 20000001 from offset 00000100, return value =
> 00000000
> TBOOT: tb_policy_index:
> TBOOT: version = 1
> TBOOT: policy_type = 0
> TBOOT: num_policies = 2
> TBOOT: policy[0]:
> TBOOT: uuid = {0x756a5bfe, 0x5b0b, 0x4d33, 0xb867,
> {0xd7, 0x83, 0xfb, 0x46, 0x36, 0xbf}}
> TBOOT: hash_alg = 0
> TBOOT: hash_type = 1
> TBOOT: num_hashes = 1
> TBOOT: hashes[0] = 67 8a 89 be 3f 5d db ae 93 b4 fe b9 bb ba 3d
> 27 de 92 a
> TBOOT: policy[1]:
> TBOOT: uuid = {0x894c909f, 0xd614, 0x4625, 0x8a2d,
> {0x45, 0x3b, 0x80, 0x10, 0xca, 0x8c}}
> TBOOT: hash_alg = 0
> TBOOT: hash_type = 1
> TBOOT: num_hashes = 1
> TBOOT: hashes[0] = e7 a2 26 58 55 69 67 18 34 dc c4 58 2f 16 33
> 36 1f f9 0
> TBOOT: TPM: Access reg content: 0x81
> TBOOT: TPM: wait for cmd ready .
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return =
> 00000000
> TBOOT: succeeded.
> TBOOT: IA32_FEATURE_CONTROL_MSR: 0000ff07
> TBOOT: CPU is SMX-capable
> TBOOT: CPU is VMX-capable
> TBOOT: SMX is enabled
> TBOOT: TXT chipset and all needed capabilities present
> TBOOT: bios_os_data (@7df20008, 24):
> TBOOT: version=2
> TBOOT: bios_sinit_size=0
> TBOOT: lcp_pd_base=0
> TBOOT: lcp_pd_size=0
> TBOOT: num_logical_procs=2
> TBOOT: TPM: Access reg content: 0x81
> TBOOT: TPM: wait for cmd ready .
> TBOOT: TPM: write nv 20000002, offset 00000000, 00000004 bytes, return =
> 00000000
> TBOOT: succeeded.
> TBOOT: LT.ERRORCODE=0
> TBOOT: LT.ESTS=0
> TBOOT: CR0.NE not set
> TBOOT: CR0 and EFLAGS OK
> TBOOT: no machine check errors
> TBOOT: CPU is ready for SENTER
> TBOOT: checking previous errors on the last boot.
> TPM: Access reg content: 0x81
> TBOOT: TPM: wait for cmd ready .
> TBOOT: TPM: read nv index 20000002 from offset 00000000, return value =
> 00000000
> TBOOT: last boot has error.
> TBOOT: user-provided SINIT found: /BRLK_SINIT_20070910_release.BIN
> TBOOT: chipset ids: vendor=8086, device=8001, revision=7
> TBOOT: 1 ACM chipset id entries:
> TBOOT: vendor=8086, device=8001, flags=1, revision=7, extended=0
> TBOOT: copied SINIT (size=5f00) to 7df00000
> TBOOT: AC mod base alignment OK
> TBOOT: AC mod size OK
> TBOOT: AC module header dump for SINIT:
> TBOOT: type=2
> TBOOT: length=a1
> TBOOT: version=0
> TBOOT: id=29c0
> TBOOT: vendor=8086
> TBOOT: date=20070910
> TBOOT: size*4=5f00
> TBOOT: entry point=00000008:00003f5a
> TBOOT: scratch_size=8f
> TBOOT: info_table:
> TBOOT: uuid={0x8024d6cd, 0x4733, 0x2a62, 0xf1d1,
> {0x3a, 0x89, 0x3b, 0x11, 0x82, 0xbc}}
> TBOOT: chipset_acm_type=1
> TBOOT: version=2
> TBOOT: length=20
> TBOOT: chipset_id_list=4e0
> TBOOT: os_sinit_data_ver=3
> TBOOT: mle_hdr_ver=10001
> TBOOT: file addresses:
> TBOOT: &_start=01003000
> TBOOT: &_end=01033000
> TBOOT: &_mle_start=01003000
> TBOOT: &_mle_end=01018000
> TBOOT: &__start=01003020
> TBOOT: &_txt_wakeup=01003110
> TBOOT: &g_mle_hdr=01012680
> TBOOT: MLE header:
> TBOOT: guid={0x9082ac5a, 0x476f, 0x74a7, 0x5c0f,
> {0x55, 0xa2, 0xcb, 0x51, 0xb6, 0x42}}
> TBOOT: length=28
> TBOOT: version=00010001
> TBOOT: entry_point=00000020
> TBOOT: first_valid_page=00000000
> TBOOT: mle_start_off=0
> TBOOT: mle_end_off=15000
> TBOOT: MLE start=1003000, end=1018000, size=15000
> TBOOT: ptab_size=3000, ptab_base=01000000
> TBOOT: bios_os_data (@7df20008, 24):
> TBOOT: version=2
> TBOOT: bios_sinit_size=0
> TBOOT: lcp_pd_base=0
> TBOOT: lcp_pd_size=0
> TBOOT: num_logical_procs=2
> TBOOT: SINIT supports os_sinit_data version 3
> TBOOT: max_ram=7dcafe00
> TBOOT: no LCP manifest found
> TBOOT: os_sinit_data (@7df2014c, 58):
> TBOOT: version=3
> TBOOT: mle_ptab=1000000
> TBOOT: mle_size=15000
> TBOOT: mle_hdr_base=f680
> TBOOT: vtd_pmr_lo_base=1000000
> TBOOT: vtd_pmr_lo_size=200000
> TBOOT: vtd_pmr_hi_base=0
> TBOOT: vtd_pmr_hi_size=0
> TBOOT: lcp_po_base=0
> TBOOT: lcp_po_size=0
> TBOOT: setting MTRRs for acmod: base=7df00000, size=5f00, num_pages=6
> TBOOT: executing GETSEC[SENTER]...
>
>
> On Jan 8, 2008 4:32 PM, Cihula, Joseph <jos...@in...> wrote:
>
> > On Monday, January 07, 2008 6:04 PM, Wei, Gang wrote:
> > > Hal Finney <> scribbled on 2008-01-03 06:37 AM:
> > >
> > >> I tried launching tboot on my HP dc7800 vPro machine which uses an
> > >> Infineon TPM. It largely worked except that it got timeout errors
> > >> talking to the TPM. I did quite a bit of experimenting and found that
> > >> this TPM behaves a little differently than the code expects.
> > >
> > > Hal, thank you very much for your experimenting to figure out &
> > resolve
> > > TPM related issues in current TBOOT code.
> > >
> > >>
> > >> First, in tpm_wait_cmd_ready() the code expects the sts_valid bit in
> > >> the STS register to come on. However, this never happens. Apparently
> > >> Infineon feels that turning on the command_ready bit is enough of a
> > >> clue that the chip is ready to receive a command. After the first
> > >> write of data to the FIFO register, the sts_valid and expect bits do
> > >> come on as expected to indicate that the chip can accept more bytes,
> > >> but the code doesn't care at that point. I fixed this by patching the
> >
> > >> code to ignore the failure of the sts_valid bit to appear, and just
> > >> proceed on.
> > >
> > > Seem like the Infineon TPM does not fully conform to TCG TPM SPEC, and
> > > your fix is acceptable.
> >
> > According to my read of the spec, the stsValid bit does not need to be
> > set when querying the commandReady bit:
> > stsValid
> > This bit indicates that both TPM_STS_x.dataAvail and
> > TPM_STS_x.Expect are correct. If TPM_STS_x.stsValid is not set, then
> > TPM_STS_x.dataAvail and TPM_STS_x.Expect are not guaranteed to be
> > correct and software that is using TPM_STS_x.dataAvail or
> > TPM_STS_x.Expect must poll on TPM_STS_x register until
> > TPM_STS_x.stsValid is set. The TPM MUST set the TPM_STS_x.stsValid bit
> > within TIMEOUT_C after the last data cycle is received.
> >
> > >> Then, I got timeouts in tpm_write_cmd_fifo(), "wait for data
> > >> available timeout". This timeout happens after sending the command to
> >
> > >> the chip and waiting for the response to appear. I notice that the
> > >> timeout counter, TPM_DATA_AVAIL_TIME_OUT, is only 0x100 which might
> > be
> > >> a little low. I increased it to 0x10000 and that fixed it. I didn't
> > >> take much time to try different values. Some commands like unseal or
> > >> key load can take a long time with some TPMs, like hundreds of
> > >> milliseconds; and of course keygen can take a minute or more. So this
> >
> > >> timer either needs to be a lot bigger in general, or else the code
> > >> needs to be smart about how long various commands are expected to
> > >> take.
> > >
> > > Increasing TPM_DATA_AVAIL_TIME_OUT from 0x100 to 0x10000 can be a
> > > workaround so far. We may need a better timing mechanism in TBOOT for
> > > timeout.
> >
> > Timeouts can be determined by calling TPM_GetCapability,
> > TPM_CAP_PROPERTY/TPM_CAP_PROP_TIS_TIMEOUT. From the PC Client TPM Spec
> > you can then find out what operations each timeout applies to (by
> > searching). We can probably use the default value (< 2s), but will need
> > to map it to the spin loop.
> >
> > >> So with these two changes the tboot code appeared to work OK. I don't
> > >> actually have Xen installed so it dies at the end as expected, but it
> > >> does manage to launch the measured environment, talk to the TPM,
> > print
> > >> out and extend the various PCRs, and even seal some data
> > successfully.
> > >> It's nice to know that my TXT hardware is in working order!
> > >
> > > Your are lucky. And could you send out your patch for fixing Infineon
> > > issue and give us a chance to record your contribution to TBOOT
> > project?
> > >
> > >>
> > >> Hal Finney
> > >>
> > >
> > > Jimmy
> > >
> > >
> > ------------------------------------------------------------------------
> >
> > -
> > > Check out the new SourceForge.net Marketplace.
> > > It's the best place to buy or sell services for
> > > just about anything Open Source.
> > >
> > http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketp
> > lace
> > > _______________________________________________
> > > tboot-devel mailing list
> > > tbo...@li...
> > > https://lists.sourceforge.net/lists/listinfo/tboot-devel
> >
> > -------------------------------------------------------------------------
> >
> > Check out the new SourceForge.net Marketplace.
> > It's the best place to buy or sell services for
> > just about anything Open Source.
> >
> > http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
> > _______________________________________________
> > tboot-devel mailing list
> > tbo...@li...
> > https://lists.sourceforge.net/lists/listinfo/tboot-devel
> >
>
>
|
