Menu
▾
▴
Re: [TrouSerS-users] NVRAM permissions
|
From: Frank G. <FGr...@ni...> - 2014-05-13 08:40:13
|
Hi Ken! Thanks for your fast response! > 1 - Read the nvLocked bit in the permanent flags. If it's clear (which > should never occur on a shipped production platform), the NV protections > are still disabled. As I didn't find a way to check the value via trousers (is there any?) I used tpmj (http://projects.csail.mit.edu/tc/tpmj/) and this did the trick: The nvLocked bit is set to false. The problem is that I can't find a way to enable the bit. I had a look at Section 19.1.1 in the TCG TPM Main Part 2 Document (http://www.trustedcomputinggroup.org/files/resource_files/E14876A3-1A4B-B294-D086297A1ED38F96/mainP2Structrev103.pdf) and if I understood it correctly I have to define a NVRAM area at index TPM_NV_INDEX_LOCK (0xFFFFFF) with size 0 to enable the bit - but this doesn't work: root@debian:~# java edu.mit.csail.tpmj.tools.TPMInfo | grep nvLocked nvLocked: false root@debian:~# java edu.mit.csail.tpmj.tools.TPMInfo ownerPwd = null, Encoded (NULL [no authorization]) = null ***** Getting manufacturer ID ... TPM VENDOR ID = 0x41544d4c (ATML) ---- Getting version via TPM 1.1 way ... Returned: edu.mit.csail.tpmj.structs.TPM_STRUCT_VER: 01 01 00 00 ---- Getting version via TPM 1.2 way ... Returned: edu.mit.csail.tpmj.structs.TPM_CAP_VERSION_INFO: 00 30 01 02 0d 09 00 02 01 41 54 4d 4c 00 00 tag: 0x30 version: edu.mit.csail.tpmj.structs.TPM_VERSION: 01 02 0d 09 specLevel: 0x2 errataRev: 0x1 tpmVendorID: 0x41544d4c vendorSpecificSize: 0x0 vendorSpecific: ---- Getting TPM Flags (TPM 1.2 only) ... Getting TPM Permanent Flags ... Returned: TPM_PERMANENT_FLAGS: disable: false ownership: true deactivated: false readPubek: false disableOwnerClear: false allowMaintenance: false physicalPresenceLifetimeLock: true physicalPresenceHWEnable: false physicalPresenceCMDEnable: true CEKPUsed: true TPMpost: false TPMpostLock: false FIPS: false operator: false enableRevokeEK: false nvLocked: false readSRKPub: true tpmEstablished: false Getting TPM Volatile Flags ... Returned: TPM_STCLEAR_FLAGS: deactivated: false disableForceClear: true physicalPresence: false physicalPresenceLock: true bGlobalLock: false ---- Reading Public Endorsement Key using TPM_OwnerReadInternalPub (TPM 1.2 only) ... Error: java.lang.IllegalArgumentException: TPMAdminFuncs.TPM_OwnerReadInternalPub: ownerAuth can't be null. Reading Public Endorsement Key using TPM_ReadPubek ... (using all-zeros as nonce) TPM Exception: edu.mit.csail.tpmj.TPMErrorReturnCodeException Occured on input: edu.mit.csail.tpmj.commands.TPM_ReadPubek: 00 c1 00 00 00 1e 00 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Output (if any): edu.mit.csail.tpmj.structs.ByteArrayTPMOutputStruct: 00 c4 00 00 00 0a 00 00 00 08 Return Code (if any): 8 (TPM_DISABLED_CMD) ---- Getting number of PCRS: numPcrs = 24 Reading PCRs PCR 0: 822fd69a5147f6328c7f6fbd4e3ef348c1174961 PCR 1: eed329a598faba535a4a0e64d5c63e349930a41b PCR 2: 53de584dcef03f6a7dac1a240a835893896f218d PCR 3: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275 PCR 4: 7766977bda50cc15d009d6c92c2b96214cf11ba2 PCR 5: 240516ad0912f35327cd34e7f75f1c8e1bb3382d PCR 6: 585e579e48997fee8efd20830c6a841eb353c628 PCR 7: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275 PCR 8: 0000000000000000000000000000000000000000 PCR 9: 0000000000000000000000000000000000000000 PCR 10: 0000000000000000000000000000000000000000 PCR 11: 0000000000000000000000000000000000000000 PCR 12: 0000000000000000000000000000000000000000 PCR 13: 0000000000000000000000000000000000000000 PCR 14: 0000000000000000000000000000000000000000 PCR 15: 0000000000000000000000000000000000000000 PCR 16: 0000000000000000000000000000000000000000 PCR 17: ffffffffffffffffffffffffffffffffffffffff PCR 18: ffffffffffffffffffffffffffffffffffffffff PCR 19: ffffffffffffffffffffffffffffffffffffffff PCR 20: ffffffffffffffffffffffffffffffffffffffff PCR 21: ffffffffffffffffffffffffffffffffffffffff PCR 22: ffffffffffffffffffffffffffffffffffffffff PCR 23: 0000000000000000000000000000000000000000 ---- Reading Key handles TPM 1.1 style TPM_KEY_HANDLES_LIST: 0 loaded handles ---- Reading KEY handles (TPM 1.2 style) ... (0 handles): ---- Reading CONTEXT handles (TPM 1.2 style) ... (0 handles): ---- Reading AUTH SESSION handles (TPM 1.2 style) ... (0 handles): ---- Reading TRANSPORT SESSION handles (TPM 1.2 style) ... (0 handles): ---- Reading monotonic counters (TPM 1.2 only) ... (0 counters): ---- root@debian:~# tcsd root@debian:~# tpm_nvinfo NVRAM index : 0x10000001 (268435457) PCR read selection: Localities : ALL PCR write selection: Localities : ALL Permissions : 0x00001002 (WRITEALL|OWNERWRITE) bReadSTClear : FALSE bWriteSTClear : FALSE bWriteDefine : FALSE Size : 20 (0x14) NVRAM index : 0x00000007 (7) PCR read selection: Localities : ALL PCR write selection: Localities : ALL Permissions : 0x00040004 (AUTHREAD|AUTHWRITE) bReadSTClear : FALSE bWriteSTClear : FALSE bWriteDefine : FALSE Size : 32 (0x20) root@debian:~# tpm_nvdefine -l debug -i 0xFFFFFFF -s 0 -p 'OWNERWRITE' -o test permissions = 0x00000002 Tspi_Context_Create success Tspi_Context_Connect success Tspi_Context_GetTpmObject success Tspi_Context_CreateObject success Tspi_GetPolicyObject success Tspi_Policy_SetSecret success Tspi_NV_DefineSpace failed: 0x00000002 - layer=tpm, code=0002 (2), Bad memory index Tspi_Context_FreeMemory success Tspi_Context_Close success root@debian:~# pkill tcsd root@debian:~# java edu.mit.csail.tpmj.tools.TPMInfo | grep nvLocked nvLocked: false root@debian:~# Any further clues? Best regards, Frank |