From: Raja <raj...@ho...> - 2015-03-12 21:25:10

Hi,

I tried using jTPM to define NVRam space using both Local binding and SOAP binding (by changing the binding Type in jtss_tsp.ini file). SOAP works but Local binding does not. Any ideas?

C:\Jtt\jTpmTools\jTpmTools_0.7>jtt nv_definespace --index 0x00000013 --size 20 -o test1234
---------------------
IAIK Java TPM Tools
---------------------
11:51:16:456 [INFO] TcTddlVista::<clinit> (34): Windows Vista or higher detected. Using TBS based TPM access.
11:51:16:472 [INFO] TcTddlVista::loadLibFromPath (60): Native 32-bit Windows DLL loading from path failed. Attempting 64-bit version.
11:51:16:972 [INFO] TcTddlVista::loadLibFromJar (84): Native 32-bit Windows DLL loading from jar file failed. Attempting 64-bit version.
11:51:17:035 [INFO] TcTddlVista::<clinit> (39): Native Windows DLL loaded from jar file.
iaik.tc.tss.api.exceptions.tcs.TcTpmException:
TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x0400
error code (full): 0x80280400
error message: unknown
        at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
        at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdNvStorage.TpmNvDefineSpace(TcTpmCmdNvStorage.java:81)
        at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipNvDefineOrReleaseSpace(TcTcsi.java:3039)
        at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipNvDefineOrReleaseSpace(TcTcsBindingLocal.java:815)
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspNvDefineSpace_Internal(TcTspInternal.java:4612)
        at iaik.tc.tss.impl.java.tsp.TcNvRam.defineSpace(TcNvRam.java:200)
        at iaik.tc.apps.jtt.tboot.NvDefineSpace.execute(NvDefineSpace.java:240)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:224)
11:51:22:988 [ERROR] JTpmTools::main (235): application exits with error:
TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x0400
error code (full): 0x80280400
error message: unknown (return: -1)

Here is output for the same command using SOAP binding.

C:\Jtt\jTpmTools\jTpmTools_0.7>jtt nv_definespace --index 0x00000013 --size 20 -o test1234
---------------------
IAIK Java TPM Tools
---------------------
successfully defined index 0x13

What is going wrong? I can't use SOAP binding for my implementation.

Thanks
Raja

From: Johannes W. <joh...@ia...> - 2015-03-13 10:18:25

Hi,

On 12.03.2015 at 22:25, Raja wrote:
[...]
> Hi,
>
> I tried using jTPM to define NVRam space using both Local binding and
> SOAP binding (by changing the binding Type in jtss_tsp.ini file).
> SOAP works but Local binding does not. Any ideas?
[...]

This likely is related to the Windows user account / permissions used to run your application, respectively the SOAP service daemon. TPM base services by default block access to a number of TPM ordinals (for good reason!) by non-administrator users. Check [1] for more details.

As far as I recall, the SOAP service daemon is run under the "Local System" account - therefore access to the blocked ordinals should be possible.

When you run your application with local bindings, the TBS syscalls will be done from within your application, which (likely) runs under your (unprivileged?) user account - therefore access to the blocked ordinals will fail (with the errors you mentioned).

To work around this issue, you can try to run your application with administrator privileges (e.g. using [2]) - this should resolve your problems.

Best,
Johannes

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa965898(v=vs.85).aspx
[2] https://technet.microsoft.com/en-us/library/bb490994.aspx

--
Johannes Winter, IAIK - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Phone: +43 316 873 5578
Fax: +43 316 873 5520
http://www.iaik.tugraz.at/

From: Raja <raj...@ho...> - 2015-03-18 11:38:24

Hi Johannes,

Thanks, that was it. It did work when jtt.cmd was called from an Admin cmd window.

Thanks
Raja

> Date: Fri, 13 Mar 2015 10:45:51 +0100
> From: joh...@ia...
> To: tru...@li...
> Subject: Re: [Trustedjava-support] nv_definespace fails
>
> Hi,
>
> On 12.03.2015 at 22:25, Raja wrote:
> [...]
> > Hi,
> >
> > I tried using jTPM to define NVRam space using both Local binding and
> > SOAP binding (by changing the binding Type in jtss_tsp.ini file).
> > SOAP works but Local binding does not. Any ideas?
> [...]
>
> This likely is related to the Windows user account / permissions used to
> run your application, respectively the SOAP service daemon. TPM base
> services by default block access to a number of TPM ordinals
> (for good reason!) by non-administrator users. Check [1] for more details.
>
> As far as I recall, the SOAP service daemon is run under the "Local
> System" account - therefore access to the blocked ordinals should be
> possible.
>
> When you run your application with local bindings, the TBS syscalls will
> be done from within your application, which (likely) runs under
> your (unprivileged?) user account - therefore access to the blocked
> ordinals will fail (with the errors you mentioned).
>
> To work around this issue, you can try to run your application with
> administrator privileges (e.g. using [2]) - this should resolve your
> problems.
>
> Best,
> Johannes
>
> [1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa965898(v=vs.85).aspx
> [2] https://technet.microsoft.com/en-us/library/bb490994.aspx
> --
> Johannes Winter, IAIK - Graz University of Technology
> Inffeldgasse 16a, 8010 Graz, Austria
> Phone: +43 316 873 5578
> Fax: +43 316 873 5520
> http://www.iaik.tugraz.at/
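
Added example (not part of the thread and not jTSS code): a Python sketch that extracts the full error code from the jTSS output quoted in the first message and decodes it as a Windows HRESULT, which is what turns the "unknown" message into the blocked-command diagnosis given in the reply. The name TPM_E_COMMAND_BLOCKED and the facility value are taken from Windows' winerror.h, not from the thread; the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample: error lines as quoted in the first message of the thread.
SAMPLE_LOG = """\
iaik.tc.tss.api.exceptions.tcs.TcTpmException:
TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x0400
error code (full): 0x80280400
error message: unknown
        at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipNvDefineOrReleaseSpace(TcTcsBindingLocal.java:815)
"""

# Assumption: values from winerror.h, which the thread itself does not quote.
FACILITY_TPM_SERVICES = 0x28
# Only the code seen in this thread is mapped.
KNOWN_CODES = {0x80280400: "TPM_E_COMMAND_BLOCKED"}


def decode_hresult(value):
    """Split a 32-bit HRESULT into its failure bit, facility and code."""
    return {
        "failure": bool(value & 0x80000000),
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
    }


def triage(log_text):
    """Return a diagnosis dict for a jTSS error dump, or None if no code found."""
    match = re.search(r"error code \(full\):\s*0x([0-9a-fA-F]{8})", log_text)
    if match is None:
        return None
    value = int(match.group(1), 16)
    result = decode_hresult(value)
    result["name"] = KNOWN_CODES.get(value, "unrecognised")
    result["from_tpm_services"] = result["facility"] == FACILITY_TPM_SERVICES
    # TcTcsBindingLocal in the trace means the TBS call ran inside the
    # caller's own process, so the caller's account is what TBS checks.
    result["local_binding"] = "TcTcsBindingLocal" in log_text
    result["needs_elevation"] = (
        result["name"] == "TPM_E_COMMAND_BLOCKED" and result["local_binding"]
    )
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```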