[TrouSerS-users] Takeownership Problem On SwTPM
David Li
2015-03-25 23:58:47 UTC
Hi,

I see this problem was discussed before for a real HW TPM.
I am running SW TPM and TSS stack on top of it. Now I am trying to
take ownership, after clearing it,

tpm_clear -f
Tspi_TPM_ClearOwner failed: 0x00000007 - layer=tpm, code=0007 (7), TPM
is disabled

$ tpm_takeownership -zy
Tspi_TPM_TakeOwnership failed: 0x00000007 - layer=tpm, code=0007 (7),
TPM is disabled

I use getcapability tool to dump the following:

$ ./getcapability -cap 4 -scap 0108
Result for capability 0x4, subcapability 0x108 is :
Permanent flags:
Disabled: TRUE
Ownership: TRUE
Deactivated: TRUE
Read Pubek: TRUE
Disable Owner Clear: FALSE
Allow Maintenance: TRUE
Physical Presence Lifetime Lock: FALSE
Physical Presence HW Enable: FALSE
Physical Presence CMD Enable: TRUE
CEKPUsed: TRUE
TPMpost: FALSE
TPMpost Lock: FALSE
FIPS: FALSE
Operator: FALSE
Enable Revoke EK: FALSE
NV Locked: TRUE
Read SRK pub: FALSE
TPM established: FALSE
Maintenance done: FALSE
Disable full DA logic info: FALSE

Any suggestions what command I need to run next to solve this problem?

Thanks.
Hon Ching Lo
2015-03-26 01:19:11 UTC
Hi,

You need to make sure that you enable virtualization in the BIOS.
Depending on your hardware, you
may have to tweak a couple times to make it work.


Vicky
Post by David Li
Hi,
I see this problem was discussed before for a real HW TPM.
I am running SW TPM and TSS stack on top of it. Now I am trying to
take ownership, after clearing it,
tpm_clear -f
Tspi_TPM_ClearOwner failed: 0x00000007 - layer=tpm, code=0007 (7), TPM
is disabled
$ tpm_takeownership -zy
Tspi_TPM_TakeOwnership failed: 0x00000007 - layer=tpm, code=0007 (7),
TPM is disabled
$ ./getcapability -cap 4 -scap 0108
Disabled: TRUE
Ownership: TRUE
Deactivated: TRUE
Read Pubek: TRUE
Disable Owner Clear: FALSE
Allow Maintenance: TRUE
Physical Presence Lifetime Lock: FALSE
Physical Presence HW Enable: FALSE
Physical Presence CMD Enable: TRUE
CEKPUsed: TRUE
TPMpost: FALSE
TPMpost Lock: FALSE
FIPS: FALSE
Operator: FALSE
Enable Revoke EK: FALSE
NV Locked: TRUE
Read SRK pub: FALSE
TPM established: FALSE
Maintenance done: FALSE
Disable full DA logic info: FALSE
Any suggestions what command I need to run next to solve this problem?
Thanks.
_______________________________________________
TrouSerS-users mailing list
https://lists.sourceforge.net/lists/listinfo/trousers-users
David Li
2015-03-26 15:31:50 UTC
Hi Vicky,

Do you mean that the machine I am running this test needs to have
virtualization enabled?

And I am not sure I understand why virtualization is needed for SW TPM to work.

David
Hi,
You need to make sure that you enable virtualization in the BIOS. Depending
on your hardware, you
may have to tweak a couple times to make it work.
Vicky
Post by David Li
Hi,
I see this problem was discussed before for a real HW TPM.
I am running SW TPM and TSS stack on top of it. Now I am trying to
take ownership, after clearing it,
tpm_clear -f
Tspi_TPM_ClearOwner failed: 0x00000007 - layer=tpm, code=0007 (7), TPM
is disabled
$ tpm_takeownership -zy
Tspi_TPM_TakeOwnership failed: 0x00000007 - layer=tpm, code=0007 (7),
TPM is disabled
$ ./getcapability -cap 4 -scap 0108
Disabled: TRUE
Ownership: TRUE
Deactivated: TRUE
Read Pubek: TRUE
Disable Owner Clear: FALSE
Allow Maintenance: TRUE
Physical Presence Lifetime Lock: FALSE
Physical Presence HW Enable: FALSE
Physical Presence CMD Enable: TRUE
CEKPUsed: TRUE
TPMpost: FALSE
TPMpost Lock: FALSE
FIPS: FALSE
Operator: FALSE
Enable Revoke EK: FALSE
NV Locked: TRUE
Read SRK pub: FALSE
TPM established: FALSE
Maintenance done: FALSE
Disable full DA logic info: FALSE
Any suggestions what command I need to run next to solve this problem?
Thanks.
Hon Ching Lo
2015-03-26 17:32:20 UTC
David, Sorry, I misread your email thinking that it was for a real HW
TPM..
Post by David Li
Hi Vicky,
Do you mean that the machine I am running this test needs to have
virtualization enabled?
And I am not sure I understand why virtualization is needed for SW TPM to work.
David
Post by Hon Ching Lo
Hi,
You need to make sure that you enable virtualization in the BIOS.
Depending
Post by Hon Ching Lo
on your hardware, you
may have to tweak a couple times to make it work.
Vicky
Post by David Li
Hi,
I see this problem was discussed before for a real HW TPM.
I am running SW TPM and TSS stack on top of it. Now I am trying to
take ownership, after clearing it,
tpm_clear -f
Tspi_TPM_ClearOwner failed: 0x00000007 - layer=tpm, code=0007 (7), TPM
is disabled
$ tpm_takeownership -zy
Tspi_TPM_TakeOwnership failed: 0x00000007 - layer=tpm, code=0007 (7),
TPM is disabled
$ ./getcapability -cap 4 -scap 0108
Disabled: TRUE
Ownership: TRUE
Deactivated: TRUE
Read Pubek: TRUE
Disable Owner Clear: FALSE
Allow Maintenance: TRUE
Physical Presence Lifetime Lock: FALSE
Physical Presence HW Enable: FALSE
Physical Presence CMD Enable: TRUE
CEKPUsed: TRUE
TPMpost: FALSE
TPMpost Lock: FALSE
FIPS: FALSE
Operator: FALSE
Enable Revoke EK: FALSE
NV Locked: TRUE
Read SRK pub: FALSE
TPM established: FALSE
Maintenance done: FALSE
Disable full DA logic info: FALSE
Any suggestions what command I need to run next to solve this problem?
Thanks.
David Li
2015-03-26 17:54:45 UTC
Hi Vicky,

No problem! Just rebooted my sw TPM and it seems OK this time. However
there is one thing I don't quite understand. Even though my createek
and take_ownership commands went through, there is this error message
always popped up. As you can see in the following example:

$ tpm_createek
Tspi_TPM_CreateEndorsementKey failed: 0x00000008 - layer=tpm,
code=0008 (8), The TPM target command has been disabled <-- NOT Sure
why this message!!!???

$ ./getcapability -cap 4 -scap 108
Result for capability 0x4, subcapability 0x108 is :
Permanent flags:
Disabled: FALSE
Ownership: TRUE
Deactivated: FALSE
Read Pubek: TRUE
Disable Owner Clear: FALSE
Allow Maintenance: TRUE
Physical Presence Lifetime Lock: FALSE
Physical Presence HW Enable: FALSE
Physical Presence CMD Enable: TRUE
CEKPUsed: TRUE
TPMpost: FALSE
TPMpost Lock: FALSE
FIPS: FALSE
Operator: FALSE
Enable Revoke EK: FALSE
NV Locked: TRUE
Read SRK pub: FALSE
TPM established: FALSE
Maintenance done: FALSE
Disable full DA logic info: FALSE

[$ tpm_takeownership -zy

$ tpm_getpubek -z
Tspi_TPM_GetPubEndorsementKey failed: 0x00000008 - layer=tpm,
code=0008 (8), The TPM target command has been disabled
Public Endorsement Key:
Version: 01010000
Usage: 0x0002 (Unknown)
Flags: 0x00000000 (!VOLATILE, !MIGRATABLE, !REDIRECTION)
AuthUsage: 0x00 (Never)
Algorithm: 0x00000020 (Unknown)
Encryption Scheme: 0x00000012 (Unknown)
Signature Scheme: 0x00000010 (Unknown)
Public Key:

Post by Hon Ching Lo
David, Sorry, I misread your email thinking that it was for a real HW
TPM..
Post by David Li
Hi Vicky,
Do you mean that the machine I am running this test needs to have
virtualization enabled?
And I am not sure I understand why virtualization is needed for SW TPM to work.
David
Post by Hon Ching Lo
Hi,
You need to make sure that you enable virtualization in the BIOS.
Depending
on your hardware, you
may have to tweak a couple times to make it work.
Vicky
Post by David Li
Hi,
I see this problem was discussed before for a real HW TPM.
I am running SW TPM and TSS stack on top of it. Now I am trying to
take ownership, after clearing it,
tpm_clear -f
Tspi_TPM_ClearOwner failed: 0x00000007 - layer=tpm, code=0007 (7), TPM
is disabled
$ tpm_takeownership -zy
Tspi_TPM_TakeOwnership failed: 0x00000007 - layer=tpm, code=0007 (7),
TPM is disabled
$ ./getcapability -cap 4 -scap 0108
Disabled: TRUE
Ownership: TRUE
Deactivated: TRUE
Read Pubek: TRUE
Disable Owner Clear: FALSE
Allow Maintenance: TRUE
Physical Presence Lifetime Lock: FALSE
Physical Presence HW Enable: FALSE
Physical Presence CMD Enable: TRUE
CEKPUsed: TRUE
TPMpost: FALSE
TPMpost Lock: FALSE
FIPS: FALSE
Operator: FALSE
Enable Revoke EK: FALSE
NV Locked: TRUE
Read SRK pub: FALSE
TPM established: FALSE
Maintenance done: FALSE
Disable full DA logic info: FALSE
Any suggestions what command I need to run next to solve this problem?
Thanks.
Ken Goldman
2015-03-26 18:22:26 UTC
Time to "teach you to fish".
Post by David Li
$ tpm_createek
Tspi_TPM_CreateEndorsementKey failed: 0x00000008 - layer=tpm,
code=0008 (8), The TPM target command has been disabled <-- NOT Sure
why this message!!!???
There are two ways to debug this.

1 - Look at the TPM spec for CreateEndorsementKeyPair, and see if
perhaps the first line gives you the answer. :-)

2 - Another way is to look at the SW TPM trace for this command and
see if there is a line with the word "Error" in it.
Post by David Li
[$ tpm_takeownership -zy
$ tpm_getpubek -z
Tspi_TPM_GetPubEndorsementKey failed: 0x00000008 - layer=tpm,
code=0008 (8), The TPM target command has been disabled
I don't know what tpm_getpubek is doing. However, if you run it and
then look at the SW TPM trace for the string "Error", it may tell you
what's wrong.

~~

In general, a good percentage of my SW TPM code is tracing. It's there
to help you debug, but you have to look at it.

Ken Goldman
2015-03-26 16:33:09 UTC
The SwTPM should not be affected by BIOS settings.
Post by Hon Ching Lo
You need to make sure that you enable virtualization in the BIOS.
Depending on your hardware, you
may have to tweak a couple times to make it work.
I am running SW TPM and TSS stack on top of it. Now I am trying to
take ownership, after clearing it,
Ken Goldman
2015-03-26 16:19:51 UTC
See Part 2 Section 17. Take ownership is not permitted when the TPM is
disabled. You have to enable the TPM.

The file "INSTALL" explains how to do this. Let me know if the
documentation is unclear.
Post by David Li
Hi,
I see this problem was discussed before for a real HW TPM.
I am running SW TPM and TSS stack on top of it. Now I am trying to
take ownership, after clearing it,
tpm_clear -f
Tspi_TPM_ClearOwner failed: 0x00000007 - layer=tpm, code=0007 (7), TPM
is disabled
$ tpm_takeownership -zy
Tspi_TPM_TakeOwnership failed: 0x00000007 - layer=tpm, code=0007 (7),
TPM is disabled
$ ./getcapability -cap 4 -scap 0108
Disabled: TRUE
Deactivated: TRUE
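
The triage discussed in this thread, as an added example (not code from any poster, TrouSerS or the SW TPM): it decodes the TSS result in a tpm-tools failure line and checks it against the `getcapability` permanent-flags dump. The function names are hypothetical, the layer and code tables follow the TSS/TPM 1.2 definitions, and the sample inputs are abridged from the output posted above.

```python
import re

# TSS 1.2 result layout: bits 12-15 select the layer, the low 12 bits are the code.
TSS_LAYERS = {0x0: "tpm", 0x1: "tddl", 0x2: "tcs", 0x3: "tsp"}
# TPM 1.2 return codes that appear in this thread.
TPM_CODES = {7: "TPM_DISABLED", 8: "TPM_DISABLED_CMD"}

def decode_result(line):
    """Return (api_call, layer, code, name) from a tpm-tools failure line, or None."""
    m = re.search(r"(Tspi_\w+) failed: 0x([0-9a-fA-F]{8})", line)
    if not m:
        return None
    value = int(m.group(2), 16)
    layer = TSS_LAYERS.get((value >> 12) & 0xF, "unknown")
    code = value & 0xFFF
    name = TPM_CODES.get(code, "unlisted") if layer == "tpm" else "unlisted"
    return m.group(1), layer, code, name

def parse_flags(dump):
    """Parse the 'Name: TRUE|FALSE' lines of a permanent-flags dump into a dict."""
    pairs = re.findall(r"^[ \t]*(.+?):[ \t]*(TRUE|FALSE)[ \t]*$", dump, re.MULTILINE)
    return {name: value == "TRUE" for name, value in pairs}

def triage(error_line, flag_dump):
    """Say whether the Disabled permanent flag already explains the failure."""
    decoded = decode_result(error_line)
    if decoded is None:
        return "no TSS failure line found"
    call, layer, code, name = decoded
    flags = parse_flags(flag_dump)
    if name == "TPM_DISABLED" and flags.get("Disabled"):
        return f"{call}: {name} and Disabled is TRUE: enable the TPM first"
    return (f"{call}: {name} (layer={layer}, code={code}) is not explained by the "
            "Disabled flag: read the command's spec entry and the SW TPM trace")

# Constructed samples, abridged from the output posted in the thread.
FIRST = (
    "Tspi_TPM_TakeOwnership failed: 0x00000007 - layer=tpm, code=0007 (7), TPM is disabled",
    "Permanent flags:\nDisabled: TRUE\nOwnership: TRUE\nDeactivated: TRUE\n",
)
SECOND = (
    "Tspi_TPM_CreateEndorsementKey failed: 0x00000008 - layer=tpm, code=0008 (8)",
    "Permanent flags:\nDisabled: FALSE\nOwnership: TRUE\nDeactivated: FALSE\n",
)

if __name__ == "__main__":
    for err, dump in (FIRST, SECOND):
        print(triage(err, dump))
```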