Re: [Qemu-discuss] Trustedgrub2 reports No TPM found
From: Stefan Berger
Subject: Re: [Qemu-discuss] Trustedgrub2 reports No TPM found
Date: Wed, 10 May 2017 13:18:12 +0000
For TPM 1.2 you are seeing the right menu. In case of a TPM 2 you
should only see a single menu entry:
1. Clear TPM
If you are not seeing this entry in case of TPM 2, something is wrong.
For sure you should not see the same entries for TPM 1.2 in case of a
TPM 2.
With the IBM TPM tools you should do the following:

    export TPM_INTERFACE_TYPE=dev
    pcrread -ha 1

That shows something like this:

    count 1
    digest length 32
    00 00 00 00 ...
Regards,
Stefan
----- Original message -----
From: anshul makkar <address@hidden>
To: Stefan Berger <address@hidden>
Cc: <address@hidden>
Subject: Re: [Qemu-discuss] Trustedgrub2 reports No TPM found
Date: Wed, May 10, 2017 8:19 AM
Hi Stefan,
It's the same number of entries for TPM 1.2 and TPM 2.0.
TPM menu during boot:
The current state of TPM is:
Enabled and active
Ownership has not be taken
A user can take ownership of the TPM
Available options are:
d) disable the TPM
v Deactivate the TPM
p) Prevent installation of an owner.
Just did a quick runthrough with the IBM tools (the link that you shared)
##>createprimary
Error: TSS_SOcket_Open: Error on connect to localhost:2321
TSS_Socket_Open: client connect: error 111 Connection refused.
createprimary: failed, rc 000b0008
TSS_RC_NO_CONNECTION - Failure connecting to lower layer.
I believe this error is due to the fact that the tool is trying to connect using a socket while I need to change it to direct device access. I saw this option in the Makefile.
Anshul
On 10/05/17 12:56, Stefan Berger wrote:
Hi Anshul,
so does the SeaBIOS menu show several entries in case of TPM 1.2 and the single entry in case of TPM 2?
I don't know these TPM 2 tools and how they work. You may want to try these tools here as an alternative:
https://sourceforge.net/projects/ibmtpm20tss/files/?source=navbar
Regards,
Stefan
----- Original message -----
From: anshul makkar <address@hidden>
To: Stefan Berger <address@hidden>
Cc: <address@hidden>
Subject: Re: Trustedgrub2 reports No TPM found
Date: Wed, May 10, 2017 4:41 AM
Hi Stefan,
Thanks..
"swtpm: ./configure --prefix=/usr --with-openssl ; make ; sudo make check -j16 ; sudo make install". Don't we need to specify "--with-cuse", or is it a typo from you?
While building libtpm, even though we specify the "--with-tpm2" flag during the configuration phase, it builds libtpm for both 1.2 and 2.0, and when I did make install I found that only the 1.2 libraries were getting installed. It's kind of weird, but I worked around this by deleting the 1.2 libraries after doing make and then did make install.
swtpm_cuse --name vtpm0 --tpmstate dir=/tmp/vtpm0 --log file=/root/out.log
sudo qemu-system-x86_64 -enable-kvm -display sdl -m 2048 -boot b -bios /local/home/anshulma/tpm/seabios-tpm/out/bios.bin -boot menu=on -tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0 -drive format=raw,file=../../stefanberger_qemu_tpm/qemu-tpm/ubuntu.img
After following the above steps, my ubuntu guest and trusted grub can see TPM. I installed TPM2-tss and tpm-tools in the guest. But I am not able to execute tpm2 commands.
##>tpm2_takeownership
Error: Failed to initialize tcti context: 0x1 //trying to
communicate over socket. initsocketTCTI failed.
##> resourcemgr
Resource Mgr, device TCTI, failed initialization: 0xa000a.
Exiting....
./tpm2_rc_decode 0xa000a : TSS2_BASE_RC_IO_ERROR.
Then I read that I can remove resourcemgr from the configuration and can use direct TCTI mechanism introduced in TPM 2.0.
##>tpm2_takeownership -T device
Error: Failed to initialize device TCTI context. //directly
communicate with TCTI device. initdeviceTCTI failed.
./tpm2_rc_decode: 0xa00a: TSS2_BASE_RC_IO_ERROR, IO failure.
I think I am missing some library or configuration which prevents
initialization of TCTI interface.
Please can you suggest.
Thanks
Anshul Makkar
On 05/05/17 18:36, Stefan Berger wrote:
I would use the following configure lines. You may want to watch out so you don't have two versions of the library on your system, though:
libtpms: ./configure --prefix=/usr --with-tpm2 --with-openssl ; make ; make check ; sudo make install
swtpm: ./configure --prefix=/usr --with-openssl ; make ; sudo make check -j16 ; sudo make install
Please run a 'make check -j16' on the swtpm project before running a 'make install'.
Can you follow the setup steps that the person raising this issue followed: https://github.com/stefanberger/swtpm/issues/21
----- Original message -----
From: anshul makkar <address@hidden>
To: <address@hidden>, <address@hidden>
Cc:
Subject: Trustedgrub2 reports No TPM found
Date: Fri, May 5, 2017 12:32 PM
Hi,
I had a working vTPM solution with TPM 1.2 using swtpm, libtpm qemu2.8, cuse.
I wanted to try TPM 2.0 so I switched to:
swtpm: tpm2-preview branch. Compiled using ./configure --with-tpm2 --enable-debug --enable-cuse
libtpm: tpm2-preview.rev142 branch. Compiled using ./configure --with-tpm2 --enable-debug
Installed TPM2.0-TSS software stack.
Using seabios with TPM patches and TrustedGrub2.
https://github.com/ts468/seabios-tpm
Now when I start guest with TrustedGrub2, I get an error message from grub that TPM device not found. Even Windows guest fails to detect TPM.
Command that I used to start the guest:
swtpm_cuse --tpm2 -M 260 -m 1 -n vtpm0
I can see /dev/vtpm0 after this command.
Launch the guest: sudo qemu-system-x86_64 -enable-kvm -m 2048 -boot b -bios seabios.bin -boot menu=on -tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0 -drive format=raw,file=ubuntu.img
I debugged TrustedGrub2.0 code and found that it issues BIOS call INT 1Ah, (AH)=BBh,(AL)=00h ( TCG_StatusCheck ) which fails.
TPM 1.2 used to work fine, so just wondering if I have missed any components.
Please can you share your thoughts.
Thanks
Anshul Makkar
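
Added example (not part of the thread, and not code from swtpm, SeaBIOS or the IBM tools): a probe for the question the thread keeps returning to, whether the device the guest sees as /dev/tpm0 answers as a TPM 2 or as a TPM 1.2. It builds a TPM2_GetCapability command for the family indicator and classifies the response header; a TPM 1.2 answers a TPM 2 command with the 0x00C4 response tag. The function names, the default device path and the two sample responses are assumptions constructed for illustration.

```python
import struct

TPM2_ST_NO_SESSIONS = 0x8001       # tag of a TPM 2.0 command/response
TPM12_TAG_RSP_COMMAND = 0x00C4     # tag of a TPM 1.2 response
TPM2_CC_GET_CAPABILITY = 0x0000017A
TPM2_CAP_TPM_PROPERTIES = 0x00000006
TPM2_PT_FAMILY_INDICATOR = 0x00000100

# Constructed sample responses (not captured from a real device).
SAMPLE_TPM2 = bytes.fromhex("8001" "0000001b" "00000000" "00"
                            "00000006" "00000001" "00000100" "322e3000")
SAMPLE_TPM12 = bytes.fromhex("00c4" "0000000a" "0000001e")

def build_probe() -> bytes:
    """TPM2_GetCapability(TPM_PROPERTIES, PT_FAMILY_INDICATOR, count=1)."""
    params = struct.pack(">III", TPM2_CAP_TPM_PROPERTIES,
                         TPM2_PT_FAMILY_INDICATOR, 1)
    return struct.pack(">HII", TPM2_ST_NO_SESSIONS, 10 + len(params),
                       TPM2_CC_GET_CAPABILITY) + params

def classify(resp: bytes) -> str:
    """Name the TPM family from the response to build_probe()."""
    if len(resp) < 10:
        return "invalid: short response"
    tag, size, rc = struct.unpack(">HII", resp[:10])
    if size != len(resp):
        return "invalid: size field does not match length"
    if tag == TPM12_TAG_RSP_COMMAND:
        return f"TPM 1.2 (rejected the TPM 2 command, rc=0x{rc:x})"
    if tag != TPM2_ST_NO_SESSIONS:
        return f"unknown response tag 0x{tag:04x}"
    if rc != 0:
        return f"TPM 2.0 (command failed, rc=0x{rc:x})"
    if len(resp) < 27:
        return "invalid: truncated capability data"
    # Body: moreData(1) capability(4) count(4) property(4) value(4)
    _more, _cap, count, prop, value = struct.unpack(">BIIII", resp[10:27])
    if count != 1 or prop != TPM2_PT_FAMILY_INDICATOR:
        return "invalid: unexpected property in reply"
    family = struct.pack(">I", value).rstrip(b"\0").decode("ascii", "replace")
    return f"TPM {family}"

def probe_device(path: str = "/dev/tpm0") -> str:
    """Send the probe to a TPM character device (path is an assumption)."""
    with open(path, "r+b", buffering=0) as dev:
        dev.write(build_probe())
        return classify(dev.read(4096))
```

probe_device() needs read/write access to the device node and fails to open it while another process, such as a resource manager, holds the device.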