Discussion:
[TrouSerS-users] Debugging TPM Problems
David Hobach
2015-07-01 08:41:25 UTC
Permalink
Dear all,

can you please provide some hints about TPM debugging and/or trousers
debugging?

My problem is pretty straightforward:

I use Qubes OS which uses trousers and hence a TPM to measure boot
integrity by displaying a secret passphrase using tpm_sealdata/unsealdata.

Regardless of what BIOS changes I did though tpm_unsealdata still
displays my secret passphrase. Switching between kernels also doesn't
make my secret passphrase disappear.

So all in all I'd like to find out why it's that way.

Further details were also discussed at
https://groups.google.com/forum/#!topic/qubes-users/xNIiSyJQD0E (last
message should contain all info).

Kind Regards
David
Ken Goldman
2015-07-01 13:17:50 UTC
Permalink
My generic recommendation is to debug first with a SW TPM. This permits
you to look inside the device as it is processing.

This one (which I wrote) has extensive tracing. It interfaces easily
with trousers through a socket. I can often find someone's error just
by looking at the trace.

https://sourceforge.net/projects/ibmswtpm/

~~

For this specific issue, it feels like the PCRs you're sealing to are
not the same as the ones that change when BIOS changes.
Post by David Hobach
Dear all,
can you please provide some hints about TPM debugging and/or trousers
debugging?
I use Qubes OS which uses trousers and hence a TPM to measure boot
integrity by displaying a secret passphrase using tpm_sealdata/unsealdata.
Regardless of what BIOS changes I did though tpm_unsealdata still
displays my secret passphrase. Switching between kernels also doesn't
make my secret passphrase disappear.
So all in all I'd like to find out why it's that way.
Further details were also discussed at
https://groups.google.com/forum/#!topic/qubes-users/xNIiSyJQD0E (last
message should contain all info).
Loading...