Message-ID: <20170408123651.76f18ba4@second-laptop.localdomain>
Date:   Sat, 8 Apr 2017 12:40:25 +0200
From:   Denis 'GNUtoo' Carikli <GNUtoo@...log.org>
To:     Paul Menzel <pmenzel@...gen.mpg.de>
Cc:     Jason Gunthorpe <jgunthorpe@...idianresearch.com>,
        "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>,
        tpmdd-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org
Subject: Re: [tpmdd-devel] Regression between Linux 3.16 and 4.8/4.9 on
 Lenovo X60 with coreboot

Hi Paul,

On Thu, 6 Apr 2017 10:55:57 -0600
Jason Gunthorpe <jgunthorpe@...idianresearch.com> wrote:

> We added direct ACPI binding to the driver in addition to PNP, so if
> you have an ACPI table it goes down that path and does some additional
> validation of what is in the TPM. The BIOS must provide an
> acpi_dev_resource_memory and an ACPI_SIG_TPM2 for the ACPI entry at a
> minimum.

I am working on it[1]. This commit has not been merged and is a work in
progress. It is however available in coreboot's gerrit.

So far with it and a recent kernel and the patch mentioned above:
- The Linux driver finds the TPM automatically and doesn't require
  force=1
- The driver however still requires itpm=1 to fully work: without it the
  TPM is found, but I wasn't able to read the PCRs.

Since I use a rolling release distribution, the kernel version I use
tends to change quite fast; I can re-test if needed.

I need to improve the following in my patch:
- The ID readings obviously need to be fixed.
- I want to make it work without itpm=1 if possible. I'll test with
  INTC0102 as it is in the driver in the is_itpm function, and it was
  also suggested to me by someone on IRC.

I also still need to investigate more why the itpm workaround is needed.
Does the TPM shipped in such laptops respect the specifications?
Is the wiring bad?

References:
-----------
[1] https://review.coreboot.org/cgit/coreboot.git/commit/?id=060cf4e0f50f765f85e3ecedd836eed85d1571fe

Denis.
