qemu-discuss

Re: [Qemu-discuss] Trustedgrub2 reports No TPM found


From: anshul makkar
Subject: Re: [Qemu-discuss] Trustedgrub2 reports No TPM found
Date: Wed, 10 May 2017 14:29:39 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1

Thanks Stefan, that's useful information.

I am using seabios from https://github.com/ts468/seabios-tpm master branch, which is quite old. I chose it as I found it to be recommended for TPM 1.2 and then didn't switch to newer seabios for TPM 2.0.

Just checked that the latest upstream Seabios has TPM2.0 support. Will switch to that.

Anshul

On 10/05/17 14:18, Stefan Berger wrote:
For TPM 1.2 you are seeing the right menu. In case of a TPM 2 you should only see a single menu entry:

1. Clear TPM

If you are not seeing this entry in case of TPM 2, something is wrong. For sure you should not see the same entries for TPM 1.2 in case of a TPM 2.

With the IBM TPM tools you should do the following:

export TPM_INTERFACE_TYPE=dev
pcrread -ha 1

That shows something like this:

count 1
 digest length 32
 00 00 00 00 ...

Regards,
   Stefan

    ----- Original message -----
    From: anshul makkar <address@hidden>
    To: Stefan Berger <address@hidden>
    Cc: <address@hidden>
    Subject: Re: [Qemu-discuss] Trustedgrub2 reports No TPM found
    Date: Wed, May 10, 2017 8:19 AM

    Hi Stefan,

    It's the same number of entries for TPM 1.2 and TPM 2.0

    TPM menu during boot:

    /The current state of TPM is:/
    /Enabled and active/
    /Ownership has not be taken/
    /A user can take ownership of the TPM/

    /Available options are:/
    /d) disable the TPM/
    /v Deactivate the TPM/
    /p) Prevent installation of an owner./

    Just did a quick runthrough with the IBM tools (the link that you shared)

    ##>createprimary

    Error: TSS_SOcket_Open: Error on connect to localhost:2321
    TSS_Socket_Open: client connect: error 111 Connection refused.
    createprimary: failed, rc 000b0008
    TSS_RC_NO_CONNECTION - Failure connecting to lower layer.

    I believe this error is due to the fact that the tool is trying to
    connect using a socket while I need to change it to direct device
    access. I saw this option in the Makefile.

    Anshul
    On 10/05/17 12:56, Stefan Berger wrote:
       Hi Anshul,

       so does the SeaBIOS menu show several entries in case of TPM 1.2 and
       the single entry in case of TPM 2?

       I don't know these TPM 2 tools and how they work. You may want to try
       these tools here as an alternative:
       [1]https://sourceforge.net/projects/ibmtpm20tss/files/?source=navbar

       Regards,
          Stefan

         ----- Original message -----
         From: anshul makkar <address@hidden>
         To: Stefan Berger <address@hidden>
         Cc: <address@hidden>
         Subject: Re: Trustedgrub2 reports No TPM found
         Date: Wed, May 10, 2017 4:41 AM

         Hi Stefan,
         Thanks..

         " swtpm: ./configure --prefix=/usr --with-openssl ; make ; sudo make
         check -j16 ; sudo make install". Don't we need to specify
         "--with-cuse", or is it a typo from you?

         While building libtpm, even though we specify "--with-tpm2" flag
         during configuration phase, it builds libtpm for both 1.2 and 2.0,
         and when I did make install I found that only 1.2 libraries were
         getting installed. It's kind of weird, but I worked around this by
         deleting the 1.2 libraries after doing make and then did make
         install.

         swtpm_cuse --name vtpm0 --tpmstate dir=/tmp/vtpm0 --log file=/root/out.log

         sudo qemu-system-x86_64 -enable-kvm -display sdl -m 2048 -boot b -bios /local/home/anshulma/tpm/seabios-tpm/out/bios.bin -boot menu=on -tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0 -drive format=raw,file=../../stefanberger_qemu_tpm/qemu-tpm/ubuntu.img

         After following the above steps, my ubuntu guest and trusted grub
         can see TPM. I installed TPM2-tss and tpm-tools in the guest. But I
         am not able to execute tpm2 commands.

         ##>tpm2_takeownership

         Error: Failed to initialize tcti context: 0x1 //trying to communicate over socket. initsocketTCTI failed.

         ##> resourcemgr
          Resource Mgr, device TCTI, failed initialization: 0xa000a. Exiting....

         ./tpm2_rc_decode 0xa000a : TSS2_BASE_RC_IO_ERROR.

         Then I read that I can remove resourcemgr from the configuration and
         can use direct TCTI mechanism introduced in TPM 2.0.

         ##>tpm2_takeownership -T device
         Error: Failed to initialize device TCTI context. //directly communicate with TCTI device. initdeviceTCTI failed.

         ./tpm2_rc_decode: 0xa00a: TSS2_BASE_RC_IO_ERROR, IO failure.

         I think I am missing some library or configuration which prevents
         initialization of TCTI interface.
         Please can you suggest.
         Thanks
         Anshul Makkar

       On 05/05/17 18:36, Stefan Berger wrote:

       I would use the following configure lines. You may want to watch out so
       you don't have two versions of the library on your system, though:

       libtpms: ./configure --prefix=/usr --with-tpm2 --with-openssl ; make ; make check ; sudo make install
       swtpm: ./configure --prefix=/usr --with-openssl ; make ; sudo make check -j16 ; sudo make install

       Please run a 'make check -j16' on the swtpm project before running a
       'make install'.

       Can you follow the setup steps that the person raising this issue
       followed: [2]https://github.com/stefanberger/swtpm/issues/21


         ----- Original message -----
         From: anshul makkar [3]<address@hidden>
         To: [4]<address@hidden>, [5]<address@hidden>
         Cc:
         Subject: Trustedgrub2 reports No TPM found
         Date: Fri, May 5, 2017 12:32 PM

       Hi,
       I had a working vTPM solution with TPM 1.2 using swtpm, libtpm,
       qemu2.8, cuse.

       I wanted to try TPM 2.0 so I switched to:

       swtpm: tpm2-preview branch. Compiled using ./configure --with-tpm2 --enable-debug --enable-cuse
       libtpm: tpm2-preview.rev142 branch. Compiled using ./configure --with-tpm2 --enable-debug

       Installed TPM2.0-TSS software stack.
       Using seabios with TPM patches and TrustedGrub2.
       [6]https://github.com/ts468/seabios-tpm

       Now when I start guest with TrustedGrub2, I get an error message from
       grub that TPM device not found. Even Windows guest fails to detect TPM.

       Command that I used to start the guest:

       swtpm_cuse --tpm2 -M 260 -m 1 -n vtpm0

       I can see /dev/vtpm0 after this command.

       Launch the guest:

       sudo qemu-system-x86_64 -enable-kvm -m 2048 -boot b -bios seabios.bin -boot menu=on -tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0 -drive format=raw,file=ubuntu.img

       I debugged TrustedGrub2.0 code and found that it issues BIOS call INT
       1Ah, (AH)=BBh,(AL)=00h ( TCG_StatusCheck ) which fails.
       TPM 1.2 used to work fine, so just wondering if I have missed any
       components.
       Please can you share your thoughts.
       Thanks
       Anshul Makkar

    References

       1. https://sourceforge.net/projects/ibmtpm20tss/files/?source=navbar
       2. https://github.com/stefanberger/swtpm/issues/21
       3. mailto:address@hidden
       4. mailto:address@hidden
       5. mailto:address@hidden
       6. https://github.com/ts468/seabios-tpm




