From: Nektarios I. <ine...@gm...> - 2007-08-17 16:42:36
Hello,

I ran into this problem while I was trying to perform an "aik_create" cycle using jTPMTools, but I decided to open a new mail thread for it since this seems to be a different issue.

So this happens when my TPM emulator and TCSD are up and running. Btw... all jTSSWrapper 0.3 tests have run successfully with this configuration.

Although at first glance this might seem to be an error with TrouSerS, I have a suspicion that this is caused by jTpmTools since

1) The first line of output (look below) reports that TrouSerS TSS is found, therefore although the error message is the same as that in the case of Carl ( https://sourceforge.net/mailarchive/message.php?msg_id=300eed510707111800h71eadba1xf0113bd4b433ce65%40mail.gmail.com but), it does NOT seem to be caused by the same reason.

2) All other commands using the exact same configuration work fine (e.g. "pcr_read", "read_pubek", "version", "take_owner", "clear_owner").

I have looked at the jTpmTools source code but unfortunately am not savvy enough to figure out where the problem lies (or if it lies with jTpmTools at all).

Here is my input:

    ./jtt.sh aik_create -o theBIGsecret -a theAIKsecret -l myAIK_0

And what I get is:

    15:50:28:601 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
    15:50:28:684 [WARN] TcTddlLinux::open (-1): Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
    15:50:28:685 [ERROR] TcTcsi::<clinit> (-1): TCS startup failed.
    15:50:28:685 [ERROR] TcTcsi::<clinit> (-1):
    TSS Error:
      error layer: 0x1000 (TDDL)
      error code (without layer): 0x87
      error code (full): 0x1087
      error message: The request could not be performed because of an IO device error.
      additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
    iaik.tc.tss.api.exceptions.tcs.TcTddlException:
    TSS Error:
      error layer: 0x1000 (TDDL)
      error code (without layer): 0x87
      error code (full): 0x1087
      error message: The request could not be performed because of an IO device error.
      additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
        at iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(Unknown Source)
        at iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(Unknown Source)
        at iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported(Unknown Source)
        at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal(TcTspInternal.java:378)
        at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
        at iaik.tc.apps.jtt.ek.ReadEkCert.getEkCert(ReadEkCert.java:41)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:255)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)

Any ideas?

Regards,
Nektarios
From: Nektarios I. <ine...@gm...> - 2007-08-18 09:04:25
>Only one process can use /dev/tpm at a time.
>a) standalone/native JTSS directly accesses /dev/tpm
>or
>b) tcsd is sitting on /dev/tpm, JTssWrapper talks to tcsd on port 30003.

Yes I am aware of that.

>To see who is currently using /dev/tpm use the lsof command, e.g.:
>$ sudo lsof /dev/tpm
>COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>tcsd 26753 root 3u CHR 10,224 29876 /dev/tpm

Yes I have tried that and I get a similar output showing that tcsd is in control (when I have TrouSerS running), otherwise I don't get any output.

>If you want to test your access/permission/setup try a simple command, e.g.:

OK here's a small experiment. I am writing it here as I perform the steps in my terminal:

1) I load my TPM emulator

2) I load TCSD

3) I run a jTPMTools command:

    ./jtt.sh pcr_read
    09:46:55:455 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
    number of PCRs: 24
    00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    ...

4) I unload TCSD (so that jTSS gets picked up by jTPMTools)

5) I run the SAME command:

    ./jtt.sh pcr_read
    09:49:55:260 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
    09:49:55:382 [INFO] TcTcsi::<clinit> (-1): Unable to instantiate system persistent storage (iaik.tc.tss.impl.ps.TcTssPsFileSystem). Disabling system persistent storage.
    09:49:55:394 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found. Using local bindings...
    number of PCRs: 24
    00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    ...

This shows that both configurations (jTSS and TrouSerS-jTSSWrapper) work fine.

Now, let's try "aik_create"...

6) I reload TCSD

I run

    ./jtt.sh aik_create -a theAIKsecret -o theBIGsecret -l myAIK_0

and I get:

    09:52:31:305 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
    09:52:31:425 [WARN] TcTddlLinux::open (-1): Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
    09:52:31:427 [ERROR] TcTcsi::<clinit> (-1): TCS startup failed.
    09:52:31:427 [ERROR] TcTcsi::<clinit> (-1):
    TSS Error:
      error layer: 0x1000 (TDDL)
      error code (without layer): 0x87
      error code (full): 0x1087
      error message: The request could not be performed because of an IO device error.
      additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
    iaik.tc.tss.api.exceptions.tcs.TcTddlException:
    TSS Error:
      error layer: 0x1000 (TDDL)
      error code (without layer): 0x87
      error code (full): 0x1087
      error message: The request could not be performed because of an IO device error.
      additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
        at iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(Unknown Source)
        at iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(Unknown Source)
        at iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported(Unknown Source)
        at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal(TcTspInternal.java:378)
        at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
        at iaik.tc.apps.jtt.ek.ReadEkCert.getEkCert(ReadEkCert.java:41)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:255)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)

7) I unload the TCSD and try the SAME EXACT command:

    ./jtt.sh aik_create -a theAIKsecret -o theBIGsecret -l myAIK_0

and I get a DIFFERENT output !!! :

    09:54:07:897 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
    09:54:08:020 [INFO] TcTcsi::<clinit> (-1): Unable to instantiate system persistent storage (iaik.tc.tss.impl.ps.TcTssPsFileSystem). Disabling system persistent storage.
    09:54:08:032 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found. Using local bindings...
    ***
    09:54:09:121 [INFO] AikUtil::createEKCertificate (123): created EK certificate on-the-fly
    09:54:09:197 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
    09:54:10:792 [INFO] PrivacyCa::processRequest (180): included EK certificate size: 1065 bytes
    09:54:10:800 [INFO] PrivacyCa::processRequest (181): SubjAltName: id:49465800,SLD9630TT1.1,id:0104
    09:54:10:800 [INFO] PrivacyCa::processRequest (188): PE: not included
    09:54:10:800 [INFO] PrivacyCa::processRequest (196): CC: not included
    09:54:10:852 [INFO] AikUtil::createPECertificate (176): created PE certificate on-the-fly
    09:54:10:860 [INFO] AikUtil::createAIKCertificate (213): created AIK certificate on-the-fly
    09:54:10:862 [INFO] PrivacyCa::processRequest (212): AIK blob size: 1386
    iaik.tc.tss.api.exceptions.tsp.TcTspException:
    TSS Error:
      error layer: 0x3000 (TSP)
      error code (without layer): 0x0113
      error code (full): 0x3113
      error message: Authorization failed.
        at iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKeyByBlob_Internal(TcTspInternal.java:105)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(Unknown Source)
        at iaik.tc.apps.jtt.aik.Client.activateIdentity(Client.java:153)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
    09:54:11:123 [ERROR] AikCreate::execute (326): client: ActivateIdentity failed

It seems that when the pure jTSS is running "aik_create" does not get the IO device error and goes on...

OK I haven't the reason I am getting the 0x3113 error yet BUT THE ISSUE REMAINS:

The only explanation I can give is that jTPMTools is trying to use jTSS with "aik_create" when it SHOULD have been using TrouSerS and jTSSWrapper...

>Sorry, I cannot reproduce your problem.

As I said, the problem appears ONLY when I try to use "aik_create"! --> could this be a bug then with jTpmTools ???
Please, try it with "aik_create" as well ... this is giving me a big headache :-) !

>a full set of libraries:

Yes I have multi-checked. I have all the necessary libraries.

Many thanks,
Nektarios
From: Martin P. <Mar...@ia...> - 2007-08-20 07:59:48
Nektarios Ioannides wrote:
> The only explanation I can give is that jTPMTools is trying to use jTSS with
> "aik_create" when it SHOULD have been using TrouSerS and jTSSWrapper...

While in the shower I thought about it again.... ;-)

JTpmTools simulates a full AIK cycle, not only keys but also with certificates.

case a) JTSS contains EK cert handling
case b) JTssWrapper does not (because TrouSerS does not)

a) works because JTpmTools looks for an EK cert on-chip and if you don't have one builds a fake one on-the-fly.

b) does not work because JTpmTools does not know which stack version is running (remember, the top level API is the same). JTT tries to fetch the certificate from the chip, but this method only exists in a native version (=JTSS code), but running both obviously conflicts with usage of /dev/tpm.

So the solution for the JTssWrapper case is to tell JTT to have faith that the stack already has an EK cert loaded, or as the command-line docu says:

    --noek ... EK certificate is already known by TSS (e.g. via tcsd.conf of TrouSerS)

I still cannot reproduce your validation problem...

HTH
--
Martin Pirker
IAIK, TU Graz
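A small triage of the jTpmTools output quoted in this thread, added here as an example (it is not part of the thread or of jTpmTools): it splits the TSS result codes into layer and code, and flags the case where the TrouSerS/jTSSWrapper stack was autodetected but the native jTSS device layer (TcTddlLinux) still tried to open /dev/tpm, which is the situation the --noek option addresses. The function names are hypothetical, and the TPM and TCS layer values are taken from the TSS specification's layer constants rather than from the messages.

```python
import re

# Layers printed in the thread's output: 0x1000 (TDDL), 0x3000 (TSP).
# TPM (0x0000) and TCS (0x2000) are assumed from the TCG TSS layer constants.
LAYERS = {0x0000: "TPM", 0x1000: "TDDL", 0x2000: "TCS", 0x3000: "TSP"}


def decode_tss_error(full):
    """Split a full TSS result code into (layer name, code without layer)."""
    return LAYERS.get(full & 0xF000, "unknown"), full & 0x0FFF


def diagnose(log):
    """Report which stack jTpmTools autodetected, the decoded TSS errors, and
    whether native jTSS code tried to open the TPM device behind tcsd's back."""
    if "TrouSerS TSS found" in log:
        stack = "trousers+jtsswrapper"
    elif "IAIK jTSS found" in log:
        stack = "native-jtss"
    else:
        stack = "unknown"
    errors = [decode_tss_error(int(code, 16))
              for code in re.findall(r"error code \(full\): (0x[0-9a-fA-F]+)", log)]
    # TcTddlLinux belongs to the native jTSS stack; a failed open after the
    # wrapper was selected means two stacks are competing for /dev/tpm.
    native_open_failed = ("TcTddlLinux::open" in log
                          and "Device or resource busy" in log)
    mixed = stack == "trousers+jtsswrapper" and native_open_failed
    return {"stack": stack, "errors": errors, "mixed_stack_conflict": mixed}


# Log excerpts copied from the messages in this thread.
WITH_TCSD = """\
09:52:31:305 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
09:52:31:425 [WARN] TcTddlLinux::open (-1): Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
09:52:31:427 [ERROR] TcTcsi::<clinit> (-1): TSS Error: error layer: 0x1000 (TDDL) error code (without layer): 0x87 error code (full): 0x1087
"""
WITHOUT_TCSD = """\
09:54:07:897 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
09:54:08:032 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found. Using local bindings...
iaik.tc.tss.api.exceptions.tsp.TcTspException: TSS Error: error layer: 0x3000 (TSP) error code (without layer): 0x0113 error code (full): 0x3113
"""

if __name__ == "__main__":
    for name, log in (("with tcsd", WITH_TCSD), ("without tcsd", WITHOUT_TCSD)):
        print(name, diagnose(log))
```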
From: Martin P. <Mar...@ia...> - 2007-08-18 07:34:47
Nektarios Ioannides wrote:
> 15:50:28:601 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found.
> Using JNI bindings...
> 15:50:28:684 [WARN] TcTddlLinux::open (-1): Unable to open TPM device file /dev/tpm.
> Reason: /dev/tpm (Device or resource busy)

Only one process can use /dev/tpm at a time.
a) standalone/native JTSS directly accesses /dev/tpm
or
b) tcsd is sitting on /dev/tpm, JTssWrapper talks to tcsd on port 30003.

To see who is currently using /dev/tpm use the lsof command, e.g.:

    $ sudo lsof /dev/tpm
    COMMAND   PID USER   FD   TYPE DEVICE SIZE  NODE NAME
    tcsd    26753 root    3u   CHR 10,224      29876 /dev/tpm

JTpmTools autodetects in which mode to run.
If you want to test your access/permission/setup try a simple command, e.g.:

with tcsd running:

    /jTpmTools_0.3$ ./jttcut.sh pcr_read
    09:26:44:499 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
    number of PCRs: 24
    00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    [...]

without tcsd running:

    /jTpmTools_0.3$ ./jttcut.sh pcr_read
    09:27:35:197 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
    09:27:35:318 [INFO] TcTcsi::<clinit> (-1): Unable to open TCS configuration file for system persistent storage information. Disabling system persistent storage.
    09:27:35:345 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found. Using local bindings...
    number of PCRs: 24
    00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    [...]

a full set of libraries:

    /jTpmTools_0.3$ find ext_libs/ |sort
    ext_libs/iaik_jce.jar
    ext_libs/iaik_jtss_tcs.jar
    ext_libs/iaik_jtss_tsp.jar
    ext_libs/iaik_jtss_wrapper.jar
    ext_libs/iaik_jtss_wrapper_swig.jar
    ext_libs/iaik_tccert.jar
    ext_libs/iaik_xkms.jar
    ext_libs/iaik_xsect.jar
    ext_libs/jaxb/activation.jar
    ext_libs/jaxb/jaxb-api.jar
    ext_libs/jaxb/jaxb-impl.jar
    ext_libs/jaxb/jsr173_1.0_api.jar
    ext_libs/libtspiwrapper.so

Sorry, I cannot reproduce your problem.

HTH
--
Martin Pirker
IAIK, TU Graz