From: Kent Y. <shp...@gm...> - 2012-09-06 14:59:02

On Wed, Sep 5, 2012 at 6:18 PM, Arshad Noor <ars...@st...> wrote:
> I appreciate the responses, thank you.
>
> Given that we are not using tcsd - but a native Java equivalent (jTSS) -
> it would appear that jTSS might be the culprit for not managing the
> key-swaps. However, what makes this perplexing is that there are other
> machines - more than a hundred of them - using an identical configuration
> and are NOT reporting this error under even heavier loads.
>
> What is stranger is that we are now seeing this error even when the very
> first key is loaded into the TPM to be decrypted.
>
> Since I'm not knowledgeable too much about hardware, is it possible that
> the TPM can return such an error when the part where the SRK is stored
> is defective, but the PCRs are reporting OK? Or, is that a contradiction
> because the PCRs and SRK are using the same storage components?

Your best bet in helping the jTSS team debug is probably to download
the swtpm tools from [1] and use those to take a look at the state the
tpm is in. Those tools don't use a TSS, they'll open /dev/tpm0
directly. Take a look at how many key slots the TPM supports, how many
keys are loaded, etc, and you should be able to get an idea of why the
tpm is out of resources.

Kent

[1] https://sourceforge.net/projects/ibmswtpm/

> TIA.
>
> Arshad
>
> ----- Original Message -----
> From: "Kent Yoder" <shp...@gm...>
> To: "Ariel E Segall" <as...@mi...>
> Cc: "Arshad Noor" <ars...@st...>, tro...@li...
> Sent: Wednesday, September 5, 2012 7:41:59 AM (GMT-0800) America/Los_Angeles
> Subject: Re: [TrouSerS-users] TSS Errors with TPM
>
> On Tue, Sep 4, 2012 at 11:30 PM, Segall, Ariel E <as...@mi...> wrote:
>> At first glance, it sure looks like your TPM is out of key slots. The
>> TSS is supposed to handle swapping keys in and out for you, so getting
>> that from a TSS seems very odd. I'll also be honest and admit that I
>> *thought* the TPM handled that for you (by simply dumping some loaded
>> key for the new one) but it looks like LoadKey does, in fact, give back
>> no space errors if there isn't room in memory for the key. At a glance,
>> it looks like FlushSpecific is the command to use to explicitly force a
>> key out. Presumably, your TSS isn't doing something right in its key
>> management behind the scenes, although debugging that is going to be a
>> pain in the neck, I'm afraid.
>>
>> Ariel
>
> Agree. Just to clarify, this is tcsd's responsibility (key caching
> and swapping), so under the covers tcsd will be calling flush/load as
> it context switches between processes serving the applications
> connected to it. You can think of an app connected to tcsd in the
> same way as you might think of multiple processes executing on the
> same cpu - they all think they have exclusive access to the TPM and as
> long as tcsd is doing its job correctly, they'll be none the wiser.
>
> Kent
>
>> ________________________________________
>> From: Arshad Noor [ars...@st...]
>> Sent: Tuesday, September 04, 2012 4:46 PM
>> To: tro...@li...
>> Subject: [TrouSerS-users] TSS Errors with TPM
>>
>> Hi,
>>
>> I realize I'm on the wrong forum - since we use the TPM with the Trusted
>> Java (JTSS) stack - but, I'm hoping for a little more insight, if anyone
>> can provide it. (if someone from Dell TPM Engineering is on the list),
>> I would definitely welcome hearing from them directly.
>>
>> We've been using a TPM with an application without any trouble for 2+
>> years. Two days ago - without any changes to the hardware or software -
>> it (presumably the OS driver) started throwing up the following errors
>> when the software library attempted loading a binding key:
>>
>> TSS Error:
>> error layer: 0x3000 (TSP)
>> error code (without layer): 0x04
>> error code (full): 0x3004
>> error message: unknown
>> additional info: Unable to determine LRU key handle
>>
>> Subsequent attempts to decrypt other binding keys result in this error:
>>
>> TSS Error:
>> error layer: 0x00 (TPM)
>> error code (without layer): 0x15
>> error code (full): 0x15
>> error message: The TPM has insufficient internal resources to perform
>> the requested action.
>>
>> The details of our configuration:
>>
>> TPM: STM v1.2
>> OS: CentOS 5.3 (64-bit)
>> JDK: 6 Update 16 (64-bit)
>> JTSS: 0.5
>>
>> The people on JTSS have not seen this before either, and have given
>> us a few suggestions (using a newer library). We have also contacted
>> Dell for support and are working with them.
>>
>> I would appreciate any information that forum members can provide that
>> sheds light on these errors - finding it within the voluminous TPM
>> specs and resources is challenging.
>>
>> Thanks in advance.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> TrouSerS-users mailing list
>> Tro...@li...
>> https://lists.sourceforge.net/lists/listinfo/trousers-users
>
> --
> IBM LTC Security

--
IBM LTC Security
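
The key-slot swapping that the thread assigns to the TSS (tcsd, or jTSS in this setup), as an added example that is not part of the original messages and is not TrouSerS, tcsd or jTSS code. It is a constructed C model of a TPM with a fixed number of key slots: a load fails with 0x15 once every slot is full, unless the key manager first flushes the least recently used key. The slot count, function names and key ids are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model for illustration; not TrouSerS, tcsd or jTSS code. */
#define TPM_SUCCESS   0x00
#define TPM_RESOURCES 0x15  /* "insufficient internal resources", as in the thread */
#define SLOTS 3             /* assumed slot count; real TPMs differ */

/* key[i] == 0 means slot i is empty; used[i] is a logical timestamp for LRU. */
static struct { int key[SLOTS]; unsigned used[SLOTS], now; } tpm;

void reset_model(void) { memset(&tpm, 0, sizeof tpm); }

/* Index of the slot holding key, or -1. find_slot(0) finds a free slot. */
static int find_slot(int key) {
    for (int i = 0; i < SLOTS; i++) if (tpm.key[i] == key) return i;
    return -1;
}
int key_loaded(int key) { return find_slot(key) >= 0; }

/* Model of LoadKey: the TPM never evicts on its own, it fails when full. */
static int tpm_load_key(int key) {
    int s = find_slot(0);
    if (s >= 0) tpm.key[s] = key;
    return s >= 0 ? TPM_SUCCESS : TPM_RESOURCES;
}

/* Model of FlushSpecific: explicitly frees one slot. */
static void tpm_flush(int slot) { tpm.key[slot] = 0; }

/* Key manager (the TSS's job): reuse a loaded key, else load it. With evict
   set, flush the least recently used slot and retry when the TPM is full. */
int use_key(int key, int evict) {
    int rc = TPM_SUCCESS;
    if (find_slot(key) < 0) {
        rc = tpm_load_key(key);
        if (rc == TPM_RESOURCES && evict) {
            int lru = 0;
            for (int i = 1; i < SLOTS; i++) if (tpm.used[i] < tpm.used[lru]) lru = i;
            tpm_flush(lru);
            rc = tpm_load_key(key);
        }
    }
    if (rc == TPM_SUCCESS) tpm.used[find_slot(key)] = ++tpm.now;
    return rc;
}

int main(void) {
    for (int k = 1; k <= 5; k++) printf("key %d -> 0x%02x\n", k, (unsigned)use_key(k, 1));
    return 0;
}
```

Calling `use_key(k, 0)` instead models a key manager that never flushes, which reproduces the 0x15 failure on the first load after the slots fill.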