Message-ID: <20170408202509.GA26119@obsidianresearch.com>
Date:   Sat, 8 Apr 2017 14:25:09 -0600
From:   Jason Gunthorpe <jgunthorpe@...idianresearch.com>
To:     Denis 'GNUtoo' Carikli <GNUtoo@...log.org>
Cc:     Paul Menzel <pmenzel@...gen.mpg.de>,
        "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>,
        tpmdd-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org
Subject: Re: [tpmdd-devel] Regression between Linux 3.16 and 4.8/4.9 on
 Lenovo X60 with coreboot

On Sat, Apr 08, 2017 at 12:40:25PM +0200, Denis 'GNUtoo' Carikli wrote:

> I am working on it[1]. This commit has not been merged and is a work in
> progress. It is however available in coreboot's gerrit.

How did this work on any kernels if there was no PNP or ACPI entry?

FWIW, I wonder if coreboot is missing the code for wait_startup
in drivers/char/tpm/tpm_tis_core.c. If you don't do that step then
the DID/VID might not read properly.

> So far with it and a recent kernel and the patch mentioned above:
> - The linux driver finds the TPM automatically and doesn't require
>   force=1
> - The driver however still requires itpm=1 to fully work: without it the
>   tpm is found, but I wasn't able to read the PCRs.

Unless it is an actual broken Intel TPM you should never use
itpm=1. Judging by the log messages, it certainly is not.

Intel mode breaks the driver and removes certain error detection, e.g.
it may erroneously succeed.

It is more likely that the failure to read PCRs reflects reality and
itpm=1 just suppresses that error detection.

The TPM may need to be set up (e.g. cleared, EK generated, p/vflags setup
etc, etc) before it will support PCRs.

Usually the BIOS would do these steps when the TPM is first enabled;
you probably need to do them in userspace instead.

WARNING: Failure to provision the TPM properly before first use
could leave it in 'factory test' mode, which basically means it
doesn't work properly at all.

> - I want to make it work without itpm=1 if possible. I'll test with
>   INTC0102 as it is in the driver in the is_itpm function, and it was
>   also suggested to me by someone on IRC.

Don't do this unless it is actually that TPM.

Jason
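To illustrate the wait_startup point above, here is an added example that is not from this thread or from the kernel's tpm_tis_core.c: a constructed model of a TPM that is still initialising, a bounded poll of TPM_ACCESS for tpmRegValidSts (offset 0x0000, bit 0x80, and TPM_DID_VID at 0x0F00, per the TCG PC Client TIS specification), and a DID/VID read done with and without that wait. The register model (sim_tpm, the poll count, the all-ones value returned while not ready) is an assumption built for the example.

```c
#include <stdint.h>

/* Offsets and bits from the TCG PC Client TIS specification, locality 0. */
#define TPM_ACCESS       0x0000
#define TPM_ACCESS_VALID 0x80    /* tpmRegValidSts: the other registers are readable */
#define TPM_DID_VID      0x0F00
#define STARTUP_POLLS    1000    /* stands in for the driver's startup timeout */

/* Constructed model of a TPM still initialising: tpmRegValidSts appears
 * only after `ready_after` reads of TPM_ACCESS; DID/VID reads before that
 * return all-ones, the usual "nothing sensible here" value. */
struct sim_tpm { int polls; int ready_after; uint32_t did_vid; };

static uint8_t sim_read8(struct sim_tpm *t, uint32_t off)
{
    if (off != TPM_ACCESS)
        return 0xFF;
    t->polls++;
    return t->polls >= t->ready_after ? TPM_ACCESS_VALID : 0x00;
}

static uint32_t sim_read32(struct sim_tpm *t, uint32_t off)
{
    if (off == TPM_DID_VID && t->polls >= t->ready_after)
        return t->did_vid;
    return 0xFFFFFFFFu;
}

/* The step the message refers to: poll TPM_ACCESS until tpmRegValidSts is
 * set, giving up after a bounded number of polls. Returns 0 on success. */
int tis_wait_startup(struct sim_tpm *t)
{
    for (int i = 0; i < STARTUP_POLLS; i++)
        if (sim_read8(t, TPM_ACCESS) & TPM_ACCESS_VALID)
            return 0;
    return -1;
}

/* Read DID/VID; do_wait == 0 skips the startup wait to show what goes wrong. */
uint32_t tis_read_did_vid(struct sim_tpm *t, int do_wait)
{
    if (do_wait && tis_wait_startup(t) != 0)
        return 0xFFFFFFFFu;   /* timed out: report an invalid ID, not garbage */
    return sim_read32(t, TPM_DID_VID);
}
```

With do_wait set the read returns the modelled ID; without it the same device yields 0xFFFFFFFF, which is the "DID/VID might not read properly" outcome, and a device that never becomes valid makes tis_wait_startup time out instead of hanging.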
