Hi all,
Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
Kernel version is 4.19.1
Kernel config:
$ cat .config | egrep 'TCG|TPM|CRB|_TIS'
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_SPI=y
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
CONFIG_TCG_TIS_I2C_NUVOTON=y
# CONFIG_TCG_NSC is not set
# CONFIG_TCG_ATMEL is not set
# CONFIG_TCG_INFINEON is not set
CONFIG_TCG_CRB=y
# CONFIG_TCG_VTPM_PROXY is not set
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
TPM 1.2 mode dmesg:
$ dmesg | egrep -i tis\|tpm\|crb
[ 3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)
TPM 2.0 mode dmesg:
$ dmesg | egrep -i tis\|tpm\|crb
[ 0.000000] efi: ACPI
2.0=0x9e457000 ACPI=0x9e457000 SMBIOS=0x9ec44000 SMBIOS
3.0=0x9ec43000 TPMEventLog=0x9711f018
[ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
S06 00001300 AMI 00000000)
[ 4.071550] ima: No TPM chip found, activating TPM-bypass!
Any ideas?
Best regards
Michael
On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> Hi all,
>
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis /
> tpm_i2c_nuvoton while it works in TPM 1.2 mode (I can reflash it via
> UEFI setup). Kernel version is 4.19.1
Not that this helps you, but mine definitely works. I've got an older
Dell XPS-13 with a Nuvoton 650 which is software switchable between 1.2
and 2.0. This is what mine says
jejb@jarvis:~> dmesg|egrep -i tis\|tpm\|crb
[ 0.000000] efi: ACPI=0x79419000 ACPI 2.0=0x79419000 SMBIOS=0xf0000 TPMEventLog=0x69db3018
[ 0.012797] ACPI: TPM2 0x0000000079446CC0 000034 (v03 Tpm2Tabl 00000001 AMI 00000000)
[ 2.035242] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
However, this makes me wonder about yours:
> [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> S06 00001300 AMI 00000000)
I thought the Lenovo "upgrade to 2.0" in fact disabled the external TPM
in favour of the Intel PTT (software TPM in the management engine).
Since you apparently have the tpm_crb driver that should find the PTT
TPM, this might be one of the attachment bugs in the CRB driver ...
from your ACPI output it looks to be not specifying the Tpm2Tabl.
James
On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> Hi all,
>
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> Kernel version is 4.19.1
>
> Kernel config:
>
> $ cat .config | egrep 'TCG|TPM|CRB|_TIS'
> CONFIG_TCG_TPM=y
> CONFIG_HW_RANDOM_TPM=y
> CONFIG_TCG_TIS_CORE=y
> CONFIG_TCG_TIS=y
> CONFIG_TCG_TIS_SPI=y
> # CONFIG_TCG_TIS_I2C_ATMEL is not set
> # CONFIG_TCG_TIS_I2C_INFINEON is not set
> CONFIG_TCG_TIS_I2C_NUVOTON=y
> # CONFIG_TCG_NSC is not set
> # CONFIG_TCG_ATMEL is not set
> # CONFIG_TCG_INFINEON is not set
> CONFIG_TCG_CRB=y
> # CONFIG_TCG_VTPM_PROXY is not set
> # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
> # CONFIG_TCG_TIS_ST33ZP24_SPI is not set
>
>
> TPM 1.2 mode dmesg:
>
> $ dmesg | egrep -i tis\|tpm\|crb
> [ 3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)
>
>
> TPM 2.0 mode dmesg:
>
> $ dmesg | egrep -i tis\|tpm\|crb
> [ 0.000000] efi: ACPI
> 2.0=0x9e457000 ACPI=0x9e457000 SMBIOS=0x9ec44000 SMBIOS
> 3.0=0x9ec43000 TPMEventLog=0x9711f018
> [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> S06 00001300 AMI 00000000)
> [ 4.071550] ima: No TPM chip found, activating TPM-bypass!
It's possible that eventually the TPM is initialized, but not in time
for IMA. Could you you check to see if the TPM is responding to
userspace commands after boot?
Mimi
Hi James,
On Sun, 2018-11-11 at 10:24 -0800, James Bottomley wrote:
> On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> > Hi all,
> >
> > Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis /
> > tpm_i2c_nuvoton while it works in TPM 1.2 mode (I can reflash it via
> > UEFI setup). Kernel version is 4.19.1
>
> Not that this helps you, but mine definitely works. I've got an older
> Dell XPS-13 with a Nuvoton 650 which is software switchable between 1.2
> and 2.0. This is what mine says
>
> jejb@jarvis:~> dmesg|egrep -i tis\|tpm\|crb
> [ 0.000000] efi: ACPI=0x79419000 ACPI
> 2.0=0x79419000 SMBIOS=0xf0000 TPMEventLog=0x69db3018
> [ 0.012797] ACPI: TPM2 0x0000000079446CC0 000034 (v03 Tpm2Tabl
> 00000001 AMI 00000000)
> [ 2.035242] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
>
> However, this makes me wonder about yours:
>
> > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> > S06 00001300 AMI 00000000)
>
> I thought the Lenovo "upgrade to 2.0" in fact disabled the external TPM
> in favour of the Intel PTT (software TPM in the management engine).
> Since you apparently have the tpm_crb driver that should find the PTT
> TPM, this might be one of the attachment bugs in the CRB driver ...
> from your ACPI output it looks to be not specifying the Tpm2Tabl.
Well, there are at least two implementations I know of:
For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
Nuvoton 1.2 and 2.0. When switchting between 1.2 and 2.0 the Nuvoton gets
reflashed with the appropriate firmware.
>
> James
>
Hi Mimi,
On Sun, 2018-11-11 at 13:33 -0500, Mimi Zohar wrote:
> On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> > Hi all,
> >
> > Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> > while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> > Kernel version is 4.19.1
> >
> > Kernel config:
> >
> > $ cat .config | egrep 'TCG|TPM|CRB|_TIS'
> > CONFIG_TCG_TPM=y
> > CONFIG_HW_RANDOM_TPM=y
> > CONFIG_TCG_TIS_CORE=y
> > CONFIG_TCG_TIS=y
> > CONFIG_TCG_TIS_SPI=y
> > # CONFIG_TCG_TIS_I2C_ATMEL is not set
> > # CONFIG_TCG_TIS_I2C_INFINEON is not set
> > CONFIG_TCG_TIS_I2C_NUVOTON=y
> > # CONFIG_TCG_NSC is not set
> > # CONFIG_TCG_ATMEL is not set
> > # CONFIG_TCG_INFINEON is not set
> > CONFIG_TCG_CRB=y
> > # CONFIG_TCG_VTPM_PROXY is not set
> > # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
> > # CONFIG_TCG_TIS_ST33ZP24_SPI is not set
> >
> >
> > TPM 1.2 mode dmesg:
> >
> > $ dmesg | egrep -i tis\|tpm\|crb
> > [ 3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)
> >
> >
> > TPM 2.0 mode dmesg:
> >
> > $ dmesg | egrep -i tis\|tpm\|crb
> > [ 0.000000] efi: ACPI
> > 2.0=0x9e457000 ACPI=0x9e457000 SMBIOS=0x9ec44000 SMBIOS
> > 3.0=0x9ec43000 TPMEventLog=0x9711f018
> > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> > S06 00001300 AMI 00000000)
> > [ 4.071550] ima: No TPM chip found, activating TPM-bypass!
>
> It's possible that eventually the TPM is initialized, but not in time
> for IMA. Could you you check to see if the TPM is responding to
> userspace commands after boot?
No it isn't even detected. There is no /dev/tpm0 and /sys/class/tpm is empty.
>
> Mimi
>
On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
[...]
> > However, this makes me wonder about yours:
> >
> > > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO
> > > TC-
> > > S06 00001300 AMI 00000000)
> >
> > I thought the Lenovo "upgrade to 2.0" in fact disabled the external
> > TPM in favour of the Intel PTT (software TPM in the management
> > engine). Since you apparently have the tpm_crb driver that should
> > find the PTT TPM, this might be one of the attachment bugs in the
> > CRB driver ... from your ACPI output it looks to be not specifying
> > the Tpm2Tabl.
>
> Well, there are at least two implementations I know of:
> For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT
> TPM 2.0 This here is my ThinkStation P320 which can choose between
> PTT 1.2, PTT 2.0,
> Nuvoton 1.2 and 2.0. When switchting between 1.2 and 2.0 the Nuvoton
> gets
> reflashed with the appropriate firmware.
Well, I still think the ACPI setup is incorrect. What's in
/sys/class/platform (should be directories of ACPI devices)? The TPM
is supposed to show up as MSFT0101. If it doesn't is there any other
device string in there that might be a TPM?
James
On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
> On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
> [...]
> > > However, this makes me wonder about yours:
> > >
> > > > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO
> > > > TC-
> > > > S06 00001300 AMI 00000000)
> > >
> > > I thought the Lenovo "upgrade to 2.0" in fact disabled the external
> > > TPM in favour of the Intel PTT (software TPM in the management
> > > engine). Since you apparently have the tpm_crb driver that should
> > > find the PTT TPM, this might be one of the attachment bugs in the
> > > CRB driver ... from your ACPI output it looks to be not specifying
> > > the Tpm2Tabl.
> >
> > Well, there are at least two implementations I know of:
> > For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT
> > TPM 2.0 This here is my ThinkStation P320 which can choose between
> > PTT 1.2, PTT 2.0,
> > Nuvoton 1.2 and 2.0. When switchting between 1.2 and 2.0 the Nuvoton
> > gets
> > reflashed with the appropriate firmware.
>
> Well, I still think the ACPI setup is incorrect. What's in
> /sys/class/platform (should be directories of ACPI devices)? The TPM
> is supposed to show up as MSFT0101. If it doesn't is there any other
> device string in there that might be a TPM?
Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?
$ find /sys | grep -i tpm
/sys/class/tpmrm
/sys/class/tpm
/sys/bus/platform/drivers/tpm_tis
/sys/bus/platform/drivers/tpm_tis/uevent
/sys/bus/platform/drivers/tpm_tis/bind
/sys/bus/platform/drivers/tpm_tis/unbind
/sys/bus/pnp/drivers/tpm_tis
/sys/bus/pnp/drivers/tpm_tis/uevent
/sys/bus/pnp/drivers/tpm_tis/bind
/sys/bus/pnp/drivers/tpm_tis/unbind
/sys/bus/acpi/drivers/tpm_crb
/sys/bus/acpi/drivers/tpm_crb/uevent
/sys/bus/acpi/drivers/tpm_crb/bind
/sys/bus/acpi/drivers/tpm_crb/unbind
/sys/bus/i2c/drivers/tpm_i2c_nuvoton
/sys/bus/i2c/drivers/tpm_i2c_nuvoton/uevent
/sys/bus/i2c/drivers/tpm_i2c_nuvoton/bind
/sys/bus/i2c/drivers/tpm_i2c_nuvoton/unbind
>
> James
>
On Sun, 2018-11-11 at 21:09 +0100, Michael Niewöhner wrote:
> On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
[...]
> > Well, I still think the ACPI setup is incorrect. What's in
> > /sys/class/platform (should be directories of ACPI devices)? The
> > TPM is supposed to show up as MSFT0101. If it doesn't is there any
> > other device string in there that might be a TPM?
>
> Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?
Your ACPI parser identifies it here:
> [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06 00001300 AMI 00000000)
So it has to be a device in the platform directory. What is in this
directory? To find the TPM it probably has something TPM like in the
firmware_node description:
/sys/devices/platform/<dev>/firmware_node/description
Mine says
jejb@jarvis:~/git/linux/drivers> cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
TPM 2.0 Device
James
On Sun, 2018-11-11 at 12:29 -0800, James Bottomley wrote:
> On Sun, 2018-11-11 at 21:09 +0100, Michael Niewöhner wrote:
> > On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
>
> [...]
> > > Well, I still think the ACPI setup is incorrect. What's in
> > > /sys/class/platform (should be directories of ACPI devices)? The
> > > TPM is supposed to show up as MSFT0101. If it doesn't is there any
> > > other device string in there that might be a TPM?
> >
> > Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?
>
> Your ACPI parser identifies it here:
>
> > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> > S06 00001300 AMI 00000000)
>
> So it has to be a device in the platform directory. What is in this
> directory? To find the TPM it probably has something TPM like in the
> firmware_node description:
>
> /sys/devices/platform/<dev>/firmware_node/description
>
> Mine says
>
> jejb@jarvis:~/git/linux/drivers> cat
> /sys/devices/platform/MSFT0101\:00/firmware_node/description
> TPM 2.0 Device
>
Ah, yep. There is indeed a MSFT0101:
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
TPM 2.0 Device
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/hid
MSFT0101
(in
itramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/path
\_SB_.TPM_
(in
itramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/status
15
(initramf
s) cat /sys/devices/platform/MSFT0101\:00/firmware_node/uid
1
> James
On Sun, 2018-11-11 at 21:34 +0100, Michael Niewöhner wrote:
> On Sun, 2018-11-11 at 12:29 -0800, James Bottomley wrote:
> > On Sun, 2018-11-11 at 21:09 +0100, Michael Niewöhner wrote:
> > > On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
> >
> > [...]
> > > > Well, I still think the ACPI setup is incorrect. What's in
> > > > /sys/class/platform (should be directories of ACPI devices)? The
> > > > TPM is supposed to show up as MSFT0101. If it doesn't is there any
> > > > other device string in there that might be a TPM?
> > >
> > > Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?
> >
> > Your ACPI parser identifies it here:
> >
> > > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> > > S06 00001300 AMI 00000000)
> >
> > So it has to be a device in the platform directory. What is in this
> > directory? To find the TPM it probably has something TPM like in the
> > firmware_node description:
> >
> > /sys/devices/platform/<dev>/firmware_node/description
> >
> > Mine says
> >
> > jejb@jarvis:~/git/linux/drivers> cat
> > /sys/devices/platform/MSFT0101\:00/firmware_node/description
> > TPM 2.0 Device
> >
>
> Ah, yep. There is indeed a MSFT0101:
> (initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
> TPM 2.0 Device
> (initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/hid
> MSFT0101
> (in
> itramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/path
> \_SB_.TPM_
> (in
> itramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/status
> 15
> (initramf
> s) cat /sys/devices/platform/MSFT0101\:00/firmware_node/uid
> 1
>
> > James
Very strange... When I pull the power cord, then replug and boot, I get these
dmesg messages:
[ 0.000000] efi: ACPI
2.0=0x9ea78000 ACPI=0x9ea78000 SMBIOS=0x9f5e5000 SMBIOS
3.0=0x9f5e4000 MPS=0xfca00 ESRT=0x9c06e918 MEMATTR=0x99cb9018 TPMEventLog=0x
98d0c018
[ 0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-
S06 00001260 AMI 00000000)
[ 3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
[ 3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test
After a reboot I get those "ima: ..." message again. Pulling the plug seems to
reset anything (the TPM).
The PTT TPM 2.0 shows exactly the same behaviour.
> Very strange... When I pull the power cord, then replug and boot, I get these
> dmesg messages:
> [ 0.000000] efi: ACPI
> 2.0=0x9ea78000 ACPI=0x9ea78000 SMBIOS=0x9f5e5000 SMBIOS
> 3.0=0x9f5e4000 MPS=0xfca00 ESRT=0x9c06e918 MEMATTR=0x99cb9018 TPMEventLog=0x
> 98d0c018
> [ 0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-
> S06 00001260 AMI 00000000)
> [ 3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> [ 3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test
>
> After a reboot I get those "ima: ..." message again. Pulling the plug seems to
> reset anything (the TPM).
>
> The PTT TPM 2.0 shows exactly the same behaviour.
On a cold boot, it takes longer to initialize the TPM. The TPM is
returning TPM2_RC_TESTING (0x090A == 2314), meaning that it has not
yet finished the initialization.
Nayna's post a patch, which should address the TPM2_RC_TESTING error
message.
https://lore.kernel.org/linux-integrity/20180515071712.9331-1-nayna@li
nux.vnet.ibm.com/
thanks,
Mimi
On Sun, Nov 11, 2018 at 06:55:36PM +0100, Michael Niew?hner wrote:
> Hi all,
>
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> Kernel version is 4.19.1
Can you check what ACPI dump would show up [1]?
[1] acpidump > acpidump.out
/Jarkko
On Sun, Nov 11, 2018 at 10:11:33PM +0100, Michael Niew?hner wrote:
> Very strange... When I pull the power cord, then replug and boot, I get these
> dmesg messages:
> [ 0.000000] efi: ACPI
> 2.0=0x9ea78000 ACPI=0x9ea78000 SMBIOS=0x9f5e5000 SMBIOS
> 3.0=0x9f5e4000 MPS=0xfca00 ESRT=0x9c06e918 MEMATTR=0x99cb9018 TPMEventLog=0x
> 98d0c018
> [ 0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-
> S06 00001260 AMI 00000000)
> [ 3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> [ 3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test
>
> After a reboot I get those "ima: ..." message again. Pulling the plug seems to
> reset anything (the TPM).
>
> The PTT TPM 2.0 shows exactly the same behaviour.
The error in question is TPM_RC_TESTING i.e. TPM is still processing
selftests in the background.
It is clearly a regression but unfortanely it is harmless and unrelated
i.e. tpm2_do_selftest() should not print an error message because it
is legit behavior.
The function actually masks the whole error:
if (rc == TPM2_RC_TESTING)
rc = TPM2_RC_SUCCESS;
/Jarkko
Hi all,
I tried that patch mentioned by Mimi but it does not change anything for me.
Then I did some more tests with different kernel configs and finally got TPM
working by
a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
(initramfs) dmesg | grep -i tpm
[ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
[ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
S06 00001260 AMI 00000000)
(initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
(initramfs) modprobe tpm_tis
[ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
b) compiling TPM-support in-kernel and manually bind the ACPI device
(initramfs) dmesg | grep -i tpm
[ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS
3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
[ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06 00001260
AMI 00000000)
(initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
[ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
It seems to me, the kernel tries to enable the TPM to early...
Michael
On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> Hi all,
>
> I tried that patch mentioned by Mimi but it does not change anything for me.
>
> Then I did some more tests with different kernel configs and finally got TPM
> working by
> a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
>
> (initramfs) dmesg | grep -i tpm
> [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> TPMEventLog=0x97cbb018
> [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> S06 00001260 AMI 00000000)
> (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> (initramfs) modprobe tpm_tis
> [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
>
> b) compiling TPM-support in-kernel and manually bind the ACPI device
>
> (initramfs) dmesg | grep -i tpm
> [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> SMBIOS
> 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> 00001260
> AMI 00000000)
> (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
>
>
> It seems to me, the kernel tries to enable the TPM to early...
>
>
> Michael
Looks like the manual driver bind works more or less but e.g reading hwrng does
not work...
# echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
[ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
# cat /sys/devices/virtual/misc/hw_random/rng_current
tpm-rng-0
# cat /dev/hwrng >/dev/null
cat: /dev/hwrng: Operation not permitted
On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niew?hner wrote:
> On Wed, 2018-11-14 at 21:46 +0100, Michael Niew?hner wrote:
> > Hi all,
> >
> > I tried that patch mentioned by Mimi but it does not change anything for me.
> >
> > Then I did some more tests with different kernel configs and finally got TPM
> > working by
> > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> >
> > (initramfs) dmesg | grep -i tpm
> > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > TPMEventLog=0x97cbb018
> > [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> > S06 00001260 AMI 00000000)
> > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > (initramfs) modprobe tpm_tis
> > [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> >
> > b) compiling TPM-support in-kernel and manually bind the ACPI device
> >
> > (initramfs) dmesg | grep -i tpm
> > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > SMBIOS
> > 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> > 00001260
> > AMI 00000000)
> > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> >
> >
> > It seems to me, the kernel tries to enable the TPM to early...
> >
> >
> > Michael
>
> Looks like the manual driver bind works more or less but e.g reading hwrng does
> not work...
>
> # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> [ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> # cat /sys/devices/virtual/misc/hw_random/rng_current
> tpm-rng-0
> # cat /dev/hwrng >/dev/null
> cat: /dev/hwrng: Operation not permitted
Can you check with trace-cmd start -p function -l 'tpm*'?
/Jarkko
On Sun, 2018-11-18 at 10:18 +0200, Jarkko Sakkinen wrote:
> On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> > On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > > Hi all,
> > >
> > > I tried that patch mentioned by Mimi but it does not change anything for
> > > me.
> > >
> > > Then I did some more tests with different kernel configs and finally got
> > > TPM
> > > working by
> > > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > >
> > > (initramfs) dmesg | grep -i tpm
> > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > > SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > > TPMEventLog=0x97cbb018
> > > [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> > > S06 00001260 AMI 00000000)
> > > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > > (initramfs) modprobe tpm_tis
> > > [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > >
> > > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > >
> > > (initramfs) dmesg | grep -i tpm
> > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > > SMBIOS
> > > 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> > > 00001260
> > > AMI 00000000)
> > > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > >
> > >
> > > It seems to me, the kernel tries to enable the TPM to early...
> > >
> > >
> > > Michael
> >
> > Looks like the manual driver bind works more or less but e.g reading hwrng
> > does
> > not work...
> >
> > # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > [ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > # cat /sys/devices/virtual/misc/hw_random/rng_current
> > tpm-rng-0
> > # cat /dev/hwrng >/dev/null
> > cat: /dev/hwrng: Operation not permitted
>
> Can you check with trace-cmd start -p function -l 'tpm*'?
>
> /Jarkko
Hi Jarko,
what output do you need exactly?
root@debian:~# trace-cmd record -p function -l 'tpm*'
plugin 'function'
Hit Ctrl^C to stop recording
^CCPU0 data recorded at offset=0x464000
0 bytes in size
CPU1 data recorded at offset=0x464000
0 bytes in size
CPU2 data recorded at offset=0x464000
0 bytes in size
CPU3 data recorded at offset=0x464000
4096 bytes in size
CPU4 data recorded at offset=0x465000
4096 bytes in size
CPU5 data recorded at offset=0x466000
0 bytes in size
CPU6 data recorded at offset=0x466000
0 bytes in size
CPU7 data recorded at offset=0x466000
0 bytes in size
root@debian:~# trace-cmd report
CPU 0 is empty
CPU 1 is empty
CPU 2 is empty
CPU 5 is empty
CPU 6 is empty
CPU 7 is empty
cpus=8
cat-3324 [003] 265.547715: function: tpm_hwrng_read
cat-3324 [003] 265.547721: function: tpm_get_random
cat-3324 [003] 265.547721:
function: tpm_find_get_ops
cat-3324 [003] 265.547721:
function: tpm_try_get_ops
cat-3324 [003] 265.547721:
function: tpm2_get_random
cat-3324 [003] 265.547722:
function: tpm_transmit_cmd
cat-3324 [003] 265.547722:
function: tpm_transmit
cat-3324 [003] 265.547722:
function: tpm_tis_clkrun_enable
cat-3324 [003] 265.547723:
function: tpm_tcg_read_bytes
< snip ... many times the same lines: cat-3324 ... function: tpm_tcg_read_bytes
>
cat-3324 [004] 266.291087:
function: tpm_tcg_read_bytes
cat-3324 [004] 266.296347:
function: tpm_tis_clkrun_enable
cat-3324 [004] 266.296349: function: tpm_put_ops
Michael
On Sun, Nov 18, 2018 at 03:10:06PM +0100, Michael Niew?hner wrote:
> On Sun, 2018-11-18 at 10:18 +0200, Jarkko Sakkinen wrote:
> > On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niew?hner wrote:
> > > On Wed, 2018-11-14 at 21:46 +0100, Michael Niew?hner wrote:
> > > > Hi all,
> > > >
> > > > I tried that patch mentioned by Mimi but it does not change anything for
> > > > me.
> > > >
> > > > Then I did some more tests with different kernel configs and finally got
> > > > TPM
> > > > working by
> > > > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > > >
> > > > (initramfs) dmesg | grep -i tpm
> > > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > > > SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > > > TPMEventLog=0x97cbb018
> > > > [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> > > > S06 00001260 AMI 00000000)
> > > > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > > > (initramfs) modprobe tpm_tis
> > > > [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > >
> > > > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > > >
> > > > (initramfs) dmesg | grep -i tpm
> > > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > > > SMBIOS
> > > > 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > > [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> > > > 00001260
> > > > AMI 00000000)
> > > > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > > [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > >
> > > >
> > > > It seems to me, the kernel tries to enable the TPM to early...
> > > >
> > > >
> > > > Michael
> > >
> > > Looks like the manual driver bind works more or less but e.g reading hwrng
> > > does
> > > not work...
> > >
> > > # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > [ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > # cat /sys/devices/virtual/misc/hw_random/rng_current
> > > tpm-rng-0
> > > # cat /dev/hwrng >/dev/null
> > > cat: /dev/hwrng: Operation not permitted
> >
> > Can you check with trace-cmd start -p function -l 'tpm*'?
> >
> > /Jarkko
>
>
> Hi Jarko,
>
> what output do you need exactly?
TPM gets added with tpm_add_hwrng() and the callback that is called by
hwrng subsystem is tpm_hwrng_read().
Obviously the former gets called (can be seen from the sysfs file). Just
wondering if it ever reaches tpm_hwrng_read().
/Jarkko
Hi,
On Mon, 2018-11-19 at 15:49 +0200, Jarkko Sakkinen wrote:
> On Sun, Nov 18, 2018 at 03:10:06PM +0100, Michael Niewöhner wrote:
> > On Sun, 2018-11-18 at 10:18 +0200, Jarkko Sakkinen wrote:
> > > On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> > > > On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > > > > Hi all,
> > > > >
> > > > > I tried that patch mentioned by Mimi but it does not change anything
> > > > > for
> > > > > me.
> > > > >
> > > > > Then I did some more tests with different kernel configs and finally
> > > > > got
> > > > > TPM
> > > > > working by
> > > > > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > > > >
> > > > > (initramfs) dmesg | grep -i tpm
> > > > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000
> > > > > SMBIOS=0x9f5eb000
> > > > > SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > > > > TPMEventLog=0x97cbb018
> > > > > [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> > > > > S06 00001260 AMI 00000000)
> > > > > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > > > > (initramfs) modprobe tpm_tis
> > > > > [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > >
> > > > > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > > > >
> > > > > (initramfs) dmesg | grep -i tpm
> > > > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000
> > > > > SMBIOS=0x9f5eb000
> > > > > SMBIOS
> > > > > 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > > > > TPMEventLog=0x97cbb018
> > > > > [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> > > > > 00001260
> > > > > AMI 00000000)
> > > > > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > > > [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > >
> > > > >
> > > > > It seems to me, the kernel tries to enable the TPM to early...
> > > > >
> > > > >
> > > > > Michael
> > > >
> > > > Looks like the manual driver bind works more or less but e.g reading
> > > > hwrng
> > > > does
> > > > not work...
> > > >
> > > > # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > > [ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > # cat /sys/devices/virtual/misc/hw_random/rng_current
> > > > tpm-rng-0
> > > > # cat /dev/hwrng >/dev/null
> > > > cat: /dev/hwrng: Operation not permitted
> > >
> > > Can you check with trace-cmd start -p function -l 'tpm*'?
> > >
> > > /Jarkko
> >
> >
> > Hi Jarko,
> >
> > what output do you need exactly?
>
> TPM gets added with tpm_add_hwrng() and the callback that is called by
> hwrng subsystem is tpm_hwrng_read().
>
> Obviously the former gets called (can be seen from the sysfs file). Just
> wondering if it ever reaches tpm_hwrng_read().
>
> /Jarkko
I wanted to be sure that there is no hardware failure so I tested the TPM in
UEFI Shell using the tpm tools from github.com/fpmurphy/UEFI-Utilities-2016
I can confirm that it is working there in both modes 1.2 and 2.0.
FS0:\> ShowTPM2.efi
Signature : TPM2
Length : 52
Revision : 3
Checksum : 167
Oem ID : LENOVO
Oem Table ID : TC-S06
Oem Revision : 4704
Creator ID : AMI
Creator Revision : 0
Platform Class : 0
Control Area Address : 0
Start Method : 6 (Memory mapped I/O)
Platform S.P. Size : 0
FS0:\> ShowTCM20.efi
Structure Version: 1.1
Protocol Version: 1.1
Supported Hash Algorithms: SHA1 SHA256
Supported Event Log Formats: TCG_1.2 TCG_2
TPM Present Flag: True
Maximum Command Size: 2048
Maximum Response Size: 2048
Manufactuer ID: NTC
Number of PCR Banks: 2
FS0:\> ShowPCR20.efi
Bank (Algorithm): TPM_ALG_SHA1 (0x0004)
[00] 1E BB 2B E3 B7 10 3A 09 B5 CA EE B5 82 7C 12 42 CD 66 32 EC
[01] 80 4E 8E 47 19 9D C7 31 4E B4 3C 4D C9 58 EF 6F 0B 6B 49 62
[02] B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
[03] B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
....
......
Michael
Hi again,
after some experiments I finally found a solution...
There seems to be a bug in TPM2.0 firmware version (1.3.1.0) included in Lenovos
UEFI image but they do not provide an update.
I have extracted the firmware version 1.3.2.8 from Dell's XPS15 TPM2.0 firmware
update and used this to replace the firmware in my Lenovo UEFI image.
After flashing this version via UEFI Setup the TPM2.0 gets detected and now is
fully working. WTF.
For anyone having the same problem: binwalk, uefi-firmware-parser, uefipatch and
flashrom are your friends ;-)
Best regards
Michael
On Mon, Nov 26, 2018 at 08:15:38PM +0100, Michael Niew?hner wrote:
> Hi again,
>
> after some experiments I finally found a solution...
> There seems to be a bug in TPM2.0 firmware version (1.3.1.0) included in Lenovos
> UEFI image but they do not provide an update.
>
> I have extracted the firmware version 1.3.2.8 from Dell's XPS15 TPM2.0 firmware
> update and used this to replace the firmware in my Lenovo UEFI image.
> After flashing this version via UEFI Setup the TPM2.0 gets detected and now is
> fully working. WTF.
That can be called as true craftmanship :-) Awesome work! Maybe you
should even consider blogging this. Sounds interesting.
> For anyone having the same problem: binwalk, uefi-firmware-parser, uefipatch and
> flashrom are your friends ;-)
>
> Best regards
> Michael
/Jarkko
Hi Michael,
On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
> Well, there are at least two implementations I know of:
> For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
> This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
> Nuvoton 1.2 and 2.0. When switchting between 1.2 and 2.0 the Nuvoton gets
> reflashed with the appropriate firmware.
With IBM's LTC help, we finally found a Lenovo with the Nuvoton
NCPT650. It's a System x3550 M5[1], not a ThinkStation P320, running
Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
with the latest stable 4.19.y kernel. Both the TPM and IMA seem to be
working properly. Not sure if this helps...
From dmesg:
# dmesg | grep -i tpm
[ 0.000000] Linux version 4.19.14 ([email protected]
bm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP
Thu Jan 10 22:32:54 EST 2019
[ 0.000000] efi: ACPI=0x7b786000 ACPI 2.0=0x7b786014
SMBIOS=0x793fe000 TPMEventLog=0x426fa018
[ 0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL
Tpm2Tabl 00001000 INTL 20130328)
[ 0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL EDK2
00000002 INTL 01000013)
[ 2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2
# cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig
sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate
I installed the ibmtpm2tss[2], built (eg. autoreconf -i; configure --
enable-hwtpm) and installed it.
# export LD_LIBRARY_PATH=/usr/local/lib/
# cd /usr/local/bin
# ./tsspcrread -ha 10 -halg sha256 -ns
f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b
Mimi
[1] https://lenovopress.com/lp0599.pdf
[2] https://git.code.sf.net/p/ibmtpm20tss/tss
Hi Mimi,
On Fri, 2019-01-11 at 10:40 -0500, Mimi Zohar wrote:
> Hi Michael,
>
> On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
>
> > Well, there are at least two implementations I know of:
> > For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM
> > 2.0
> > This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
> > Nuvoton 1.2 and 2.0. When switchting between 1.2 and 2.0 the Nuvoton gets
> > reflashed with the appropriate firmware.
>
> With IBM's LTC help, we finally found a Lenovo with the Nuvoton
> NCPT650. It's a System x3550 M5[1], not a ThinkStation P320, running
> Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
> with the latest stable 4.19.y kernel. Both the TPM and IMA seem to be
> working properly. Not sure if this helps...
>
> From dmesg:
> # dmesg | grep -i tpm
> [ 0.000000] Linux version 4.19.14 ([email protected]
> bm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP
> Thu Jan 10 22:32:54 EST 2019
> [ 0.000000] efi: ACPI=0x7b786000 ACPI 2.0=0x7b786014
> SMBIOS=0x793fe000 TPMEventLog=0x426fa018
> [ 0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL
> Tpm2Tabl 00001000 INTL 20130328)
> [ 0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL EDK2
> 00000002 INTL 01000013)
> [ 2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2
>
> # cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
> 10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig
> sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate
>
> I installed the ibmtpm2tss[2], built (eg. autoreconf -i; configure --
> enable-hwtpm) and installed it.
>
> # export LD_LIBRARY_PATH=/usr/local/lib/
> # cd /usr/local/bin
> # ./tsspcrread -ha 10 -halg sha256 -ns
> f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b
>
> Mimi
>
> [1] https://lenovopress.com/lp0599.pdf
> [2] https://git.code.sf.net/p/ibmtpm20tss/tss
>
what UEFI version is installed on that machine?
Is the TPM connected via LPC or I2C?
Best regards
Michael
Hi again,
On Sat, 2019-01-12 at 10:52 +0100, Michael Niewöhner wrote:
> Hi Mimi,
>
> On Fri, 2019-01-11 at 10:40 -0500, Mimi Zohar wrote:
> > Hi Michael,
> >
> > On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
> >
> > > Well, there are at least two implementations I know of:
> > > For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM
> > > 2.0
> > > This here is my ThinkStation P320 which can choose between PTT 1.2, PTT
> > > 2.0,
> > > Nuvoton 1.2 and 2.0. When switchting between 1.2 and 2.0 the Nuvoton gets
> > > reflashed with the appropriate firmware.
> >
> > With IBM's LTC help, we finally found a Lenovo with the Nuvoton
> > NCPT650. It's a System x3550 M5[1], not a ThinkStation P320, running
> > Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
> > with the latest stable 4.19.y kernel. Both the TPM and IMA seem to be
> > working properly. Not sure if this helps...
> >
> > From dmesg:
> > # dmesg | grep -i tpm
> > [ 0.000000] Linux version 4.19.14 ([email protected]
> > bm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP
> > Thu Jan 10 22:32:54 EST 2019
> > [ 0.000000] efi: ACPI=0x7b786000 ACPI 2.0=0x7b786014
> > SMBIOS=0x793fe000 TPMEventLog=0x426fa018
> > [ 0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL
> > Tpm2Tabl 00001000 INTL 20130328)
> > [ 0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL EDK2
> > 00000002 INTL 01000013)
> > [ 2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2
> >
> > # cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
> > 10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig
> > sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate
> >
> > I installed the ibmtpm2tss[2], built (eg. autoreconf -i; configure --
> > enable-hwtpm) and installed it.
> >
> > # export LD_LIBRARY_PATH=/usr/local/lib/
> > # cd /usr/local/bin
> > # ./tsspcrread -ha 10 -halg sha256 -ns
> > f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b
> >
> > Mimi
> >
> > [1] https://lenovopress.com/lp0599.pdf
> > [2] https://git.code.sf.net/p/ibmtpm20tss/tss
> >
>
> what UEFI version is installed on that machine?
> Is the TPM connected via LPC or I2C?
>
> Best regards
> Michael
>
>
I had a short look to an extracted x3550 UEFI firmware (tbe132l-2.52).
This seems to be a very different implementation, probably due to the fact that
this is a server firmware but not a desktop/workstation firmware.
I do not know how much UEFI has influence on the communication with the TPM but
I assume we can not really compare x3550 with P320 :-(
Best regards
Michael