From: Arshad N. <ars...@st...> - 2012-09-05 12:45:06
I'm not sure why my browser does not display Ariel's full message, but I've copied it here in case others have similar problems:

"At first glance, it sure looks like your TPM is out of key slots. The TSS is supposed to handle swapping keys in and out for you, so getting that from a TSS seems very odd. I'll also be honest and admit that I *thought* the TPM handled that for you (by simply dumping some loaded key for the new one) but it looks like LoadKey does, in fact, give back no space errors if there isn't room in memory for the key. At a glance, it looks like FlushSpecific is the command to use to explicitly force a key out. Presumably, your TSS isn't doing something right in its key management behind the scenes, although debugging that is going to be a pain in the neck, I'm afraid."

Arshad

On 09/05/2012 05:40 AM, Arshad Noor wrote:
> Ronald,
>
> Any thoughts/comments on Ariel's response to my query on the Trousers
> mailing list?
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=7265F7B88E689F4B97101260F8F70B71013A99E2%40IMCMBX03.MITRE.ORG&forum_name=trousers-users
>
> Thanks.
>
> Arshad
>
> On 09/04/2012 07:30 AM, Ronald Tögl wrote:
>>
>> The jTSS test suite does not expect a general/systematic error.
>> Actually, a TPM is expected to do a self-test at power-on, but I believe
>> it is vendor specific what happens there.
>>
>> You could try to replace the TPM with the TPM Emulator to learn if the
>> hardware or the software is failing.
>>
>> Ronald
>>
>> On 09/04/2012 02:53 PM, Arshad Noor wrote:
>>> Thank you for your response, Ronald.
>>>
>>> I was afraid that your answer might be along these lines. The hardware
>>> is about 2 years old and has been using the TPM everyday. So, it is
>>> quite possible that the NVRAM has degraded.
>>>
>>> I will try your suggestions, but is there any test in the JTSS suite
>>> that can confirm that the TPM has permanently failed? Or, must one
>>> assume that if all/most of the tests fail?
>>>
>>> Thanks.
>>>
>>> Arshad
>>>
>>> On Sep 4, 2012, at 1:37 AM, Ronald Tögl<ron...@ia...>
>>> wrote:
>>>
>>>> Hello Arshad,
>>>>
>>>> We have not encountered this before, but I'd guess that something in
>>>> your ecosystem must have changed.
>>>>
>>>> Is it an issue with a specific piece of (old) hardware? Perhaps the
>>>> TPM you use has aged and now encounters problems with its NV-storage
>>>> memory.
>>>>
>>>> Or is it an issue that occurs in several devices?
>>>> A not so obvious thing to check is the JCE library you use. Could
>>>> there be a license issue?
>>>> Some OS hotfix might also influence the setup, for instance a new TPM
>>>> driver.
>>>>
>>>> Of course, you should also test if the newest jTSS version happens to
>>>> fix for your issues.
>>>>
>>>> Ronald
>>>>
>>>>
>>>> On 09/04/2012 06:14 AM, Arshad Noor wrote:
>>>>> Hello,
>>>>>
>>>>> We've been using JTSS 0.5 for two years and it has been fairly
>>>>> stable. However, suddenly without explanation, it has started
>>>>> failing on almost all decryptions.
>>>>> Some of the error messages
>>>>> are:
>>>>>
>>>>> -----------------------
>>>>> iaik.tc.tss.api.exceptions.tcs.TcTcsException:
>>>>> TSS Error:
>>>>> error layer: 0x3000 (TSP)
>>>>> error code (without layer): 0x04
>>>>> error code (full): 0x3004
>>>>> error message: unknown
>>>>> additional info: Unable to determine LRU key handle
>>>>>
>>>>> at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
>>>>> at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCacheTpm12.swapOutKeyNotParent(TcTcsKeyCacheTpm12.java:43)
>>>>> at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCache.ensureCanLoadKey(TcTcsKeyCache.java:205)
>>>>> at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyManager.LoadKey2ByBlob(TcTcsKeyManager.java:100)
>>>>> at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipLoadKey2ByBlob(TcTcsi.java:626)
>>>>> at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipLoadKey2ByBlob(TcTcsBindingLocal.java:121)
>>>>> at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKey2ByBlob_Internal(TcTspInternal.java:140)
>>>>> at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:633)
>>>>> -----------------------
>>>>>
>>>>> Later on, similar attempts at the operation result in:
>>>>>
>>>>> -----------------------
>>>>> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>>>>>
>>>>> TSS Error:
>>>>> error layer: 0x00 (TPM)
>>>>> error code (without layer): 0x15
>>>>> error code (full): 0x15
>>>>> error message: The TPM has insufficient internal resources to perform
>>>>> the requested action.
>>>>>
>>>>> at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>>>>> at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdAuthorization.TpmOIAP(TcTpmCmdAuthorization.java:52)
>>>>> at iaik.tc.tss.impl.java.tcs.authmgr.TcTcsAuthManager.startOIAP(TcTcsAuthManager.java:27)
>>>>> at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipOIAP(TcTcsi.java:2720)
>>>>> at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipOIAP(TcTcsBindingLocal.java:739)
>>>>> at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspOIAP_Internal(TcTspInternal.java:4064)
>>>>> at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:629)
>>>>> -----------------------
>>>>>
>>>>> The details of our configuration:
>>>>>
>>>>> TPM: STM v1.2
>>>>> OS: CentOS 5.3 (64-bit)
>>>>> JDK: 6 Update 16 (64-bit)
>>>>> JTSS: 0.5
>>>>>
>>>>>
>>>>> Any suggestions on what might be causing these problems suddenly on
>>>>> something that has been behaving well for nearly two years? Thanks.
>>>>>
>>>>> Arshad Noor
>>>>> StrongAuth, Inc.
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>>
>>>>> Live Security Virtual Conference
>>>>> Exclusive live event will cover all the ways today's security and
>>>>> threat landscape has changed and how IT managers can respond.
>>>>> Discussions
>>>>> will include endpoint security, mobile security and the latest in
>>>>> malware
>>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>>> _______________________________________________
>>>>> Trustedjava-support mailing list
>>>>> Tru...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
>>>>
>>>> --
>>>> Dipl.-Ing. Ronald Tögl phone +43 316/873-5502
>>>> Secure and Correct Systems fax +43 316/873-5520
>>>> IAIK ron...@ia...
>>>> Graz University of Technology http://www.iaik.tugraz.at
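
Added illustration, not part of the thread and not jTSS or TPM code: a toy Python model of the behaviour Ariel's quoted reply describes, where a load fails once the key slots are full unless the TSS-side cache evicts a key first, and of how "Unable to determine LRU key handle" can arise in such a model when the slots are held by handles the cache has no record of. `ToyTpm`, `KeyCache`, `NoSpace` and the three-slot limit are assumptions made for the example.

```python
from collections import OrderedDict

class NoSpace(Exception): "Stands in for the 'no space' error the reply attributes to LoadKey."

class ToyTpm:
    """Constructed model of a TPM with a fixed number of key slots."""
    def __init__(self, slots=3):
        self.slots, self.loaded, self._next = slots, {}, 1
    def load_key(self, name):
        if len(self.loaded) >= self.slots:
            raise NoSpace(name)                  # the TPM does not evict on its own
        handle, self._next = self._next, self._next + 1
        self.loaded[handle] = name
        return handle
    def flush_specific(self, handle):
        self.loaded.pop(handle, None)            # explicit eviction frees the slot

class KeyCache:
    """Hypothetical TSS-side cache: swaps out the least recently used non-parent key."""
    def __init__(self, tpm):
        self.tpm, self.lru = tpm, OrderedDict()  # lru: handle -> name, oldest first

    def load(self, name, parent=None):
        while len(self.tpm.loaded) >= self.tpm.slots:
            victim = next((h for h in self.lru if h != parent), None)
            if victim is None:                   # slots full, none recorded as ours
                raise RuntimeError("Unable to determine LRU key handle")
            self.tpm.flush_specific(victim)
            del self.lru[victim]
        handle = self.tpm.load_key(name)
        self.lru[handle] = name
        return handle

def demo():
    cache = KeyCache(ToyTpm(slots=3))
    parent = cache.load("storage-key")
    for i in range(5):                           # more keys than slots: cache swaps
        cache.load(f"leaf-{i}", parent=parent)
    healthy = (len(cache.tpm.loaded), parent in cache.tpm.loaded)
    stale = KeyCache(ToyTpm(slots=3))
    for i in range(3):                           # handles the cache never recorded
        stale.tpm.load_key(f"orphan-{i}")
    try:
        outcome = stale.load("leaf")
    except RuntimeError as exc:
        outcome = str(exc)
    for handle in list(stale.tpm.loaded):        # recovery: flush the orphans explicitly
        stale.tpm.flush_specific(handle)
    return healthy, outcome, stale.load("leaf") in stale.tpm.loaded
```

In the first half of `demo()` the cache keeps the parent loaded and never exceeds three slots; in the second half the load only succeeds after the unrecorded handles are flushed.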