tboot-devel

[tboot-devel] sealing or unsealing of hashes failed

[Lil E. <Lil...@gm...>]

Hi there,

I have encountered a new problem.
I have opened a box of worms :)
TBOOT boots and the verification of tboot,VMM,Dom0 is successful so far.
Then I am getting a sealing or unsealing of hashes failed and return value = 00000001
For my understanding the return value of the seal function indicates a TPM_AUTHFAIL.
I checked the source code and also noticed a significant difference between the mercurial (changeset:   81:601698c524fa) and stable release (tboot-20080613) in those functions- see below.

If the LCP is a non-fatal one, the platform boots fine and also reports a successful TXT launch.
If the policy is of any other type(continue,halt), the machine hangs(stops).

Any ideas? I am willing to try patches ;)

Cheers lIl

...
TBOOT: verifying VMM policy...
TBOOT: VMM is verified.
TBOOT: succeeded.
...
TBOOT: verifying dom0 policy...
TBOOT: dom0 is verified.
TBOOT: succeeded.
....

so good so far, then I am seeing a

TBOOT: invalid module # 

followed by 

TBOOT: PCRs before extending:
TBOOT: PCR 17: b8 2a 63 85 16 d3 96 d5 bc e7 24 e8 2b b7 6b 0a cd 7b d2 d2
TBOOT: PCR 18: b2 03 a0 ac b9 7d d1 0f d3 ec 64 ab dc 4d 08 24 17 2a 35 9a
TBOOT: PCR 19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TBOOT: TPM: seal data, return value = 00000001
TBOOT: sealing or unsealing of hashes failed.
TBOOT: tboot_shared data:
TBOOT:   version: 2
TBOOT:   log_addr: 0x01019040
TBOOT:   shutdown_entry32: 0x010030a0
TBOOT:   shutdown_entry64: 0x010030f0
TBOOT:   shutdown_type: 0
TBOOT:   s3_tb_wakeup_entry: 0x0008a000
TBOOT:   s3_k_wakeup_entry: 0x00000000
TBOOT:   &acpi_sinfo: 0x0101f02c
TBOOT:   tboot_base: 0x01003000
TBOOT:   tboot_size: 0x33dbc
TBOOT: g_log:
TBOOT:   uuid={0xc0192526, 0x6b30, 0x4db4, 0x844c,
                {0xa3, 0xe9, 0x53, 0xb8, 0x81, 0x74}}
TBOOT:   max_size=3000
TBOOT:   curr_pos=8b6
TBOOT: transfering control to xen @0x00100000...
TBOOT: cpu 1 waking up, SIPI vector=8c000

-- 
GMX startet ShortView.de. Hier findest Du Leute mit Deinen Interessen!
Jetzt dabei sein: http://www.shortview.de/wasistshortview.php?mc=sv_ext_mf@gmx

Re: [tboot-devel] sealing or unsealing of hashes failed

[Cihula, J. <jos...@in...>]

> From: Lil Evil [mailto:Lil...@gm...]
> Sent: Wednesday, October 01, 2008 1:57 AM
> 
> Hi there,
> 
> I have encountered a new problem.
> I have opened a box of worms :)
> TBOOT boots and the verification of tboot,VMM,Dom0 is successful so
> far.
> Then I am getting a sealing or unsealing of hashes failed and return
> value = 00000001
> For my understanding the return value of the seal function indicates a
> TPM_AUTHFAIL.

This is most likely due to the SRK auth not being the null (all 0s)
value.  If you take ownership using the '-z' flag to tpm_takeownership,
the will use null for the SRK auth.

> I checked the source code and also noticed a significant difference
> between the mercurial (changeset:   81:601698c524fa) and stable
release
> (tboot-20080613) in those functions- see below.
> 
> If the LCP is a non-fatal one, the platform boots fine and also
reports
> a successful TXT launch.
> If the policy is of any other type(continue,halt), the machine
> hangs(stops).

The failure of the seal operation is considered fatal for these other
policies, since it means that the PCR values may not get accurately
restored on S3 resume.  Try using the '-z' flag mentioned above and see
if that fixes it.

> 
> Any ideas? I am willing to try patches ;)
> 
> Cheers lIl
> 
> ...
> TBOOT: verifying VMM policy...
> TBOOT: VMM is verified.
> TBOOT: succeeded.
> ...
> TBOOT: verifying dom0 policy...
> TBOOT: dom0 is verified.
> TBOOT: succeeded.
> ....
> 
> so good so far, then I am seeing a
> 
> TBOOT: invalid module #

This was a quirk of the older code.  The latest tboot code has changed
the policy format and doesn't do this.

> 
> followed by
> 
> TBOOT: PCRs before extending:
> TBOOT: PCR 17: b8 2a 63 85 16 d3 96 d5 bc e7 24 e8 2b b7 6b 0a cd 7b
d2
> d2
> TBOOT: PCR 18: b2 03 a0 ac b9 7d d1 0f d3 ec 64 ab dc 4d 08 24 17 2a
35
> 9a
> TBOOT: PCR 19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
> 00
> TBOOT: TPM: seal data, return value = 00000001
> TBOOT: sealing or unsealing of hashes failed.
> TBOOT: tboot_shared data:
> TBOOT:   version: 2
> TBOOT:   log_addr: 0x01019040
> TBOOT:   shutdown_entry32: 0x010030a0
> TBOOT:   shutdown_entry64: 0x010030f0
> TBOOT:   shutdown_type: 0
> TBOOT:   s3_tb_wakeup_entry: 0x0008a000
> TBOOT:   s3_k_wakeup_entry: 0x00000000
> TBOOT:   &acpi_sinfo: 0x0101f02c
> TBOOT:   tboot_base: 0x01003000
> TBOOT:   tboot_size: 0x33dbc
> TBOOT: g_log:
> TBOOT:   uuid={0xc0192526, 0x6b30, 0x4db4, 0x844c,
>                 {0xa3, 0xe9, 0x53, 0xb8, 0x81, 0x74}}
> TBOOT:   max_size=3000
> TBOOT:   curr_pos=8b6
> TBOOT: transfering control to xen @0x00100000...
> TBOOT: cpu 1 waking up, SIPI vector=8c000
> 
> --
> GMX startet ShortView.de. Hier findest Du Leute mit Deinen Interessen!
> Jetzt dabei sein:
> http://www.shortview.de/wasistshortview.php?mc=sv_ext_mf@gmx
> 
>
-----------------------------------------------------------------------
> --
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> tboot-devel mailing list
> tbo...@li...
> https://lists.sourceforge.net/lists/listinfo/tboot-devel