From: Arshad N. <ars...@st...> - 2012-09-04 04:14:21
Hello,

We've been using JTSS 0.5 for two years and it has been fairly
stable. However, suddenly without explanation, it has started
failing on almost all decryptions. Some of the error messages
are:

-----------------------
iaik.tc.tss.api.exceptions.tcs.TcTcsException:
TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x04
error code (full): 0x3004
error message: unknown
additional info: Unable to determine LRU key handle

at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCacheTpm12.swapOutKeyNotParent(TcTcsKeyCacheTpm12.java:43)
at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCache.ensureCanLoadKey(TcTcsKeyCache.java:205)
at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyManager.LoadKey2ByBlob(TcTcsKeyManager.java:100)
at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipLoadKey2ByBlob(TcTcsi.java:626)
at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipLoadKey2ByBlob(TcTcsBindingLocal.java:121)
at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKey2ByBlob_Internal(TcTspInternal.java:140)
at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:633)
-----------------------

Later on, similar attempts at the operation result in:

-----------------------
iaik.tc.tss.api.exceptions.tcs.TcTpmException:

TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x15
error code (full): 0x15
error message: The TPM has insufficient internal resources to perform
the requested action.

at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdAuthorization.TpmOIAP(TcTpmCmdAuthorization.java:52)
at iaik.tc.tss.impl.java.tcs.authmgr.TcTcsAuthManager.startOIAP(TcTcsAuthManager.java:27)
at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipOIAP(TcTcsi.java:2720)
at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipOIAP(TcTcsBindingLocal.java:739)
at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspOIAP_Internal(TcTspInternal.java:4064)
at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:629)
-----------------------

The details of our configuration:

TPM: STM v1.2
OS: CentOS 5.3 (64-bit)
JDK: 6 Update 16 (64-bit)
JTSS: 0.5

Any suggestions on what might be causing these problems suddenly on
something that has been behaving well for nearly two years? Thanks.

Arshad Noor
StrongAuth, Inc.
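An added example (not part of the thread and not jTSS code): a small log triage script that splits jTSS exception dumps like the two in the message above, decodes the full result code into reporting layer and code name, and records which TPM command the failure surfaced in. The sample log is constructed by shortening the two traces from the post; the code tables are a subset of the TSS 1.x / TPM 1.2 specification names, and treating `Tpm*` methods in the `tcs.pbg` package as TPM command wrappers is an assumption based on the frame names in the traces.

```python
import re
from collections import Counter

# TSS 1.x packs the reporting layer into bits 12-15 of the full result code.
LAYERS = {0x0000: "TPM", 0x1000: "TDDL", 0x2000: "TCS", 0x3000: "TSP"}
# Subset of TPM 1.2 return codes useful for telling capacity problems
# (NOSPACE, RESOURCES) apart from a failed device (FAIL, FAILEDSELFTEST).
TPM_CODES = {0x09: "TPM_FAIL", 0x11: "TPM_NOSPACE",
             0x15: "TPM_RESOURCES", 0x1C: "TPM_FAILEDSELFTEST"}
# Subset of TSS-level codes (low 12 bits, layer stripped).
TSS_CODES = {0x04: "TSS_E_INTERNAL_ERROR"}

# The regexes do not rely on line breaks, so they also work on dumps that a
# mail archive or log shipper has flattened onto one line.
HEADER = re.compile(r"(?=iaik\.tc\.tss\.api\.exceptions\.[\w.]+Exception:)")
EXC = re.compile(r"\.(\w+Exception):")
FULL = re.compile(r"error code \(full\):\s*0x([0-9a-fA-F]+)")
INFO = re.compile(r"additional info:\s*(.+?)\s+at\s")
FRAME = re.compile(r"\bat\s+([\w.$]+)\.(\w+)\(")

# Constructed sample: the two traces from the post, shortened. The first is
# flattened onto one line, the second keeps its line breaks.
SAMPLE_LOG = (
    "iaik.tc.tss.api.exceptions.tcs.TcTcsException: TSS Error: "
    "error layer: 0x3000 (TSP) error code (without layer): 0x04 "
    "error code (full): 0x3004 error message: unknown "
    "additional info: Unable to determine LRU key handle "
    "at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr."
    "getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196) "
    "at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:633)\n"
    """iaik.tc.tss.api.exceptions.tcs.TcTpmException:

TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x15
error code (full): 0x15
error message: The TPM has insufficient internal resources to perform
the requested action.

at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdAuthorization.TpmOIAP(TcTpmCmdAuthorization.java:52)
at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:629)
"""
)


def decode(full):
    """Split a full TSS result code into (layer, code, symbolic name)."""
    layer = LAYERS.get(full & 0xF000, "unknown")
    code = full & 0x0FFF
    table = TPM_CODES if layer == "TPM" else TSS_CODES
    return layer, code, table.get(code, "0x%02x" % code)


def parse_tss_errors(text):
    """Return one record per exception dump found in text."""
    records = []
    for chunk in HEADER.split(text):
        full = FULL.search(chunk)
        if not full:
            continue  # text before the first dump, or a dump without a code
        layer, code, name = decode(int(full.group(1), 16))
        frames = FRAME.findall(chunk)
        info = INFO.search(chunk)
        # Assumption: Tpm* methods in the tcs.pbg package wrap TPM commands.
        tpm_command = next((method for cls, method in frames
                            if ".tcs.pbg." in cls and method.startswith("Tpm")),
                           None)
        top = frames[0] if frames else None
        records.append({
            "exception": EXC.search(chunk).group(1),
            "layer": layer,
            "code": code,
            "name": name,
            "info": info.group(1) if info else None,
            "top_frame": "%s.%s" % (top[0].rsplit(".", 1)[-1], top[1]) if top else None,
            "tpm_command": tpm_command,
        })
    return records


def triage(records):
    """Summarise which side reported errors and where TPM capacity ran out."""
    counts = Counter((r["layer"], r["name"]) for r in records)
    exhausted = [r for r in records if r["layer"] == "TPM"
                 and r["name"] in ("TPM_NOSPACE", "TPM_RESOURCES")]
    return {
        "counts": counts,
        "tpm_exhaustion_commands": sorted({r["tpm_command"] or "?" for r in exhausted}),
        "software_layer_errors": sum(n for (layer, _), n in counts.items()
                                     if layer in ("TCS", "TSP")),
    }


if __name__ == "__main__":
    for rec in parse_tss_errors(SAMPLE_LOG):
        print(rec)
    print(triage(parse_tss_errors(SAMPLE_LOG)))
```

Run over a full application log, the per-layer counts and the list of commands that hit TPM capacity codes show whether failures start in the TSS software layers or come back from the device itself.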
From: Ronald T. <ron...@ia...> - 2012-09-04 09:08:19
Hello Arshad,

We have not encountered this before, but I'd guess that something in
your ecosystem must have changed.

Is it an issue with a specific piece of (old) hardware? Perhaps the
TPM you use has aged and now encounters problems with its NV-storage
memory.

Or is it an issue that occurs in several devices?
A not so obvious thing to check is the JCE library you use. Could
there be a license issue?
Some OS hotfix might also influence the setup, for instance a new TPM
driver.

Of course, you should also test if the newest jTSS version happens to
fix your issues.

Ronald

--
Dipl.-Ing. Ronald Tögl               phone +43 316/873-5502
Secure and Correct Systems           fax   +43 316/873-5520
IAIK                                 ron...@ia...
Graz University of Technology        http://www.iaik.tugraz.at
From: Arshad N. <ars...@st...> - 2012-09-04 12:53:36
Thank you for your response, Ronald.

I was afraid that your answer might be along these lines. The hardware
is about 2 years old and has been using the TPM every day. So, it is
quite possible that the NVRAM has degraded.

I will try your suggestions, but is there any test in the JTSS suite
that can confirm that the TPM has permanently failed? Or, must one
assume that if all/most of the tests fail?

Thanks.

Arshad
From: Ronald T. <ron...@ia...> - 2012-09-04 14:30:46
The jTSS test suite does not expect a general/systematic error.
Actually, a TPM is expected to do a self-test at power-on, but I believe
it is vendor specific what happens there.

You could try to replace the TPM with the TPM Emulator to learn if the
hardware or the software is failing.

Ronald
From: Arshad N. <ars...@st...> - 2012-09-05 12:40:29
Ronald,

Any thoughts/comments on Ariel's response to my query on the Trousers
mailing list?

http://sourceforge.net/mailarchive/forum.php?thread_name=7265F7B88E689F4B97101260F8F70B71013A99E2%40IMCMBX03.MITRE.ORG&forum_name=trousers-users

Thanks.

Arshad
From: Arshad N. <ars...@st...> - 2012-09-05 12:45:06
I'm not sure why my browser does not display Ariel's full message, but
I've copied it here in case others have similar problems:

"At first glance, it sure looks like your TPM is out of key slots. The
TSS is supposed to handle swapping keys in and out for you, so getting
that from a TSS seems very odd. I'll also be honest and admit that I
*thought* the TPM handled that for you (by simply dumping some loaded
key for the new one) but it looks like LoadKey does, in fact, give back
no space errors if there isn't room in memory for the key. At a glance,
it looks like FlushSpecific is the command to use to explicitly force a
key out. Presumably, your TSS isn't doing something right in its key
management behind the scenes, although debugging that is going to be a
pain in the neck, I'm afraid."

Arshad
From: Ronald T. <ron...@ia...> - 2012-09-05 12:57:40
|
Arshad, You only gave us a selection of your error messages to look at and so there's plenty of room for interpretation and speculations... jTSS has of course been doing resource management, key swapping and all that stuff since before there was a TPM 1.2 and ever since. There are some special cases when running on Windows, but this should not affect your setup at all. So, all we really know is that something in your platform is broken that was not broken before... I suggest you get a fresh box either with an up-to-date HW-TPM or Emulator to set up your OS, old and recent jTSS and your application step-by-step and report on the point where it fails, if ever. Ronald On 09/05/2012 02:44 PM, Arshad Noor wrote: > I'm not sure why my browser does not display Ariel's full message, but > I've copied it here in case others have similar problems: > > "At first glance, it sure looks like your TPM is out of key slots. The > TSS is supposed to handle swapping keys in and out for you, so getting > that from a TSS seems very odd. I'll also be honest and admit that I > *thought* the TPM handled that for you (by simply dumping some loaded > key for the new one) but it looks like LoadKey does, in fact, give back > no space errors if there isn't room in memory for the key. At a glance, > it looks like FlushSpecific is the command to use to explicitly force a > key out. Presumably, your TSS isn't doing something right in its key > management behind the scenes, although debugging that is going to be a > pain in the neck, I'm afraid." > > Arshad > > On 09/05/2012 05:40 AM, Arshad Noor wrote: >> Ronald, >> >> Any thoughts/comments on Ariel's response to my query on the Trousers >> mailing list? >> >> http://sourceforge.net/mailarchive/forum.php?thread_name=7265F7B88E689F4B97101260F8F70B71013A99E2%40IMCMBX03.MITRE.ORG&forum_name=trousers-users >> >> Thanks. >> >> Arshad >> >> On 09/04/2012 07:30 AM, Ronald Tögl wrote: >>> The jTSS test suite does not expect a general/systematic error. 
>>> Actually, a TPM is expected to do a self-test at power-on, but I believe >>> it is vendor specific what happens there. >>> >>> You could try to replace the TPM with the TPM Emulator to learn if the >>> hardware or the software is failing. >>> >>> Ronald >>> >>> On 09/04/2012 02:53 PM, Arshad Noor wrote: >>>> Thank you for your response, Ronald. >>>> >>>> I was afraid that your answer might be along these lines. The hardware >>>> is about 2 years old and has been using the TPM everyday. So, it is >>>> quite possible that the NVRAM has degraded. >>>> >>>> I will try your suggestions, but is there any test in the JTSS suite >>>> that can confirm that the TPM has permanently failed? Or, must one >>>> assume that if all/most of the tests fail? >>>> >>>> Thanks. >>>> >>>> Arshad >>>> >>>> On Sep 4, 2012, at 1:37 AM, Ronald Tögl<ron...@ia...> >>>> wrote: >>>> >>>>> Hello Arshad, >>>>> >>>>> We have not encountered this before, but I'd guess that something in >>>>> your ecosystem must have changed. >>>>> >>>>> Is it an issue with a specific piece of (old) hardware? Perhaps the >>>>> TPM you use has aged and now encounters problems with its NV-storage >>>>> memory. >>>>> >>>>> Or is it an issue that occurs in several devices? >>>>> A not so obvious thing to check is the JCE library you use. Could >>>>> there be a license issue? >>>>> Some OS hotfix might also influence the setup, for instance a new TPM >>>>> driver. >>>>> >>>>> Of course, you should also test if the newest jTSS version happens to >>>>> fix for your issues. >>>>> >>>>> Ronald >>>>> >>>>> >>>>> On 09/04/2012 06:14 AM, Arshad Noor wrote: >>>>>> Hello, >>>>>> >>>>>> We've been using JTSS 0.5 for two years and it has been fairly >>>>>> stable. However, suddenly without explanation, it has started >>>>>> failing on almost all decryptions. 
>>>>>> Some of the error messages are:
>>>>>>
>>>>>> -----------------------
>>>>>> iaik.tc.tss.api.exceptions.tcs.TcTcsException:
>>>>>> TSS Error:
>>>>>> error layer: 0x3000 (TSP)
>>>>>> error code (without layer): 0x04
>>>>>> error code (full): 0x3004
>>>>>> error message: unknown
>>>>>> additional info: Unable to determine LRU key handle
>>>>>>
>>>>>> at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
>>>>>> at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCacheTpm12.swapOutKeyNotParent(TcTcsKeyCacheTpm12.java:43)
>>>>>> at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCache.ensureCanLoadKey(TcTcsKeyCache.java:205)
>>>>>> at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyManager.LoadKey2ByBlob(TcTcsKeyManager.java:100)
>>>>>> at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipLoadKey2ByBlob(TcTcsi.java:626)
>>>>>> at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipLoadKey2ByBlob(TcTcsBindingLocal.java:121)
>>>>>> at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKey2ByBlob_Internal(TcTspInternal.java:140)
>>>>>> at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:633)
>>>>>> -----------------------
>>>>>>
>>>>>> Later on, similar attempts at the operation result in:
>>>>>>
>>>>>> -----------------------
>>>>>> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>>>>>>
>>>>>> TSS Error:
>>>>>> error layer: 0x00 (TPM)
>>>>>> error code (without layer): 0x15
>>>>>> error code (full): 0x15
>>>>>> error message: The TPM has insufficient internal resources to perform
>>>>>> the requested action.
>>>>>>
>>>>>> at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>>>>>> at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdAuthorization.TpmOIAP(TcTpmCmdAuthorization.java:52)
>>>>>> at iaik.tc.tss.impl.java.tcs.authmgr.TcTcsAuthManager.startOIAP(TcTcsAuthManager.java:27)
>>>>>> at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipOIAP(TcTcsi.java:2720)
>>>>>> at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipOIAP(TcTcsBindingLocal.java:739)
>>>>>> at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspOIAP_Internal(TcTspInternal.java:4064)
>>>>>> at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:629)
>>>>>> -----------------------
>>>>>>
>>>>>> The details of our configuration:
>>>>>>
>>>>>> TPM: STM v1.2
>>>>>> OS: CentOS 5.3 (64-bit)
>>>>>> JDK: 6 Update 16 (64-bit)
>>>>>> JTSS: 0.5
>>>>>>
>>>>>>
>>>>>> Any suggestions on what might be causing these problems suddenly on
>>>>>> something that has been behaving well for nearly two years? Thanks.
>>>>>>
>>>>>> Arshad Noor
>>>>>> StrongAuth, Inc.
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Live Security Virtual Conference
>>>>>> Exclusive live event will cover all the ways today's security and
>>>>>> threat landscape has changed and how IT managers can respond.
>>>>>> Discussions will include endpoint security, mobile security and the
>>>>>> latest in malware threats.
>>>>>> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>>>> _______________________________________________
>>>>>> Trustedjava-support mailing list
>>>>>> Tru...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
>>>>> --
>>>>> Dipl.-Ing. Ronald Tögl phone +43 316/873-5502
>>>>> Secure and Correct Systems fax +43 316/873-5520
>>>>> IAIK ron...@ia...
>>>>> Graz University of Technology http://www.iaik.tugraz.at

--
Dipl.-Ing. Ronald Tögl phone +43 316/873-5502
Secure and Correct Systems fax +43 316/873-5520
IAIK ron...@ia...
Graz University of Technology http://www.iaik.tugraz.at
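An added triage example, not part of any message in this thread and not jTSS code: it parses the two error reports quoted above, checks that each full code equals the layer bits OR-ed with the bare code, and names the call that actually failed. The sample text is constructed from the thread's reports (trimmed), and `parse_reports` and `failing_call` are hypothetical helper names.

```python
import re

# Constructed sample: the two reports from this thread, cut to their header
# fields and the two stack frames nearest each failure.
SAMPLE = """\
iaik.tc.tss.api.exceptions.tcs.TcTcsException: TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x04
error code (full): 0x3004
additional info: Unable to determine LRU key handle
 at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
 at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCacheTpm12.swapOutKeyNotParent(TcTcsKeyCacheTpm12.java:43)
iaik.tc.tss.api.exceptions.tcs.TcTpmException: TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x15
error code (full): 0x15
 at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
 at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdAuthorization.TpmOIAP(TcTpmCmdAuthorization.java:52)
"""

HEADER = re.compile(r"^\S+Exception:\s*TSS Error:", re.M)
LAYER = re.compile(r"error layer:\s*(0x[0-9a-fA-F]+)\s*\((\w+)\)")
CODE = re.compile(r"error code \(without layer\):\s*(0x[0-9a-fA-F]+)")
FULL = re.compile(r"error code \(full\):\s*(0x[0-9a-fA-F]+)")
FRAME = re.compile(r"^\s*at\s+([\w.$]+)\.(\w+)\(", re.M)

def parse_reports(text):
    """Split a log into TSS error reports; decode layer, code and frames."""
    starts = [m.start() for m in HEADER.finditer(text)] + [len(text)]
    reports = []
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]
        layer, code, full = (p.search(block) for p in (LAYER, CODE, FULL))
        if not (layer and code and full):
            continue  # truncated report: skip rather than guess
        layer_bits, code_bits = int(layer.group(1), 16), int(code.group(1), 16)
        reports.append({
            "layer": layer.group(2),
            "code": code_bits,
            "consistent": (layer_bits | code_bits) == int(full.group(1), 16),
            "frames": [f"{c.rsplit('.', 1)[-1]}.{m}" for c, m in FRAME.findall(block)],
        })
    return reports

def failing_call(report):
    """Innermost frame that is not the generic return-code handler."""
    return next((f for f in report["frames"] if not f.endswith(".handleRetCode")), None)

if __name__ == "__main__":
    print([(r["layer"], hex(r["code"]), failing_call(r)) for r in parse_reports(SAMPLE)])
```

On the thread's reports this places the first failure inside the TSS key cache (`getTpmKhLruNotParent`) and the second on `TpmOIAP`, that is, while opening an authorization session rather than while loading a key.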