* caps file showing wrong TCG version?
From: Martin Galvan @ 2018-09-04 20:03 UTC
  To: linux-integrity, jarkko.sakkinen

Hi all,

I have an Infineon SLB 9665 TPM chip, which according to
https://www.infineon.com/dgdl/Infineon-OPTIGA_TPM-PB-v10_15-EN.pdf?fileId=5546d46145da30e80145efa2f0b96a8e
uses TPM 2.0. However, /sys/class/tpm/tpm0/device/tpm/tpm0/caps is
showing "TCG version: 1.2". I'm aware that the versioning scheme used
by the TCG is a bit confusing (e.g. 1.2 is the "Main" spec, while 2.0
is a "library" spec), but I'm wondering whether this is correct.

Thanks

* Re: caps file showing wrong TCG version?
From: Martin Galvan @ 2018-09-04 20:05 UTC
  To: linux-integrity, jarkko.sakkinen

Errata: The file I'm checking is /sys/class/tpm/tpm0/device/caps. For
some reason the sys/class/tpm/tpm0 dir seems to have a sort of
recursive structure.

On Tue, Sep 4, 2018 at 17:03, Martin Galvan
(<omgalvan.86@gmail.com>) wrote:
>
> Hi all,
>
> I have an Infineon SLB 9665 TPM chip, which according to
> https://www.infineon.com/dgdl/Infineon-OPTIGA_TPM-PB-v10_15-EN.pdf?fileId=5546d46145da30e80145efa2f0b96a8e
> uses TPM 2.0. However, /sys/class/tpm/tpm0/device/tpm/tpm0/caps is
> showing "TCG version: 1.2". I'm aware that the versioning scheme used
> by the TCG is a bit confusing (e.g. 1.2 is the "Main" spec, while 2.0
> is a "library" spec), but I'm wondering whether this is correct.
>
> Thanks

* Re: caps file showing wrong TCG version?
From: Martin Galvan @ 2018-09-04 20:27 UTC
  To: linux-integrity, jarkko.sakkinen

Never mind: it seems that I was wrong, and am actually using a 1.2 device.

On Tue, Sep 4, 2018 at 17:05, Martin Galvan
(<omgalvan.86@gmail.com>) wrote:
>
> Errata: The file I'm checking is /sys/class/tpm/tpm0/device/caps. For
> some reason the sys/class/tpm/tpm0 dir seems to have a sort of
> recursive structure.
> On Tue, Sep 4, 2018 at 17:03, Martin Galvan
> (<omgalvan.86@gmail.com>) wrote:
> >
> > Hi all,
> >
> > I have an Infineon SLB 9665 TPM chip, which according to
> > https://www.infineon.com/dgdl/Infineon-OPTIGA_TPM-PB-v10_15-EN.pdf?fileId=5546d46145da30e80145efa2f0b96a8e
> > uses TPM 2.0. However, /sys/class/tpm/tpm0/device/tpm/tpm0/caps is
> > showing "TCG version: 1.2". I'm aware that the versioning scheme used
> > by the TCG is a bit confusing (e.g. 1.2 is the "Main" spec, while 2.0
> > is a "library" spec), but I'm wondering whether this is correct.
> >
> > Thanks

* Re: caps file showing wrong TCG version?
From: Jason Gunthorpe @ 2018-09-04 21:33 UTC
  To: Martin Galvan; +Cc: linux-integrity, jarkko.sakkinen

On Tue, Sep 04, 2018 at 05:05:34PM -0300, Martin Galvan wrote:
> Errata: The file I'm checking is /sys/class/tpm/tpm0/device/caps. For
> some reason the sys/class/tpm/tpm0 dir seems to have a sort of
> recursive structure.

Recursive sounds bad.. what are you seeing?

Jason

* Re: caps file showing wrong TCG version?
From: Martin Galvan @ 2018-09-04 21:55 UTC
  To: jgg; +Cc: linux-integrity, jarkko.sakkinen

On Tue, Sep 4, 2018 at 18:33, Jason Gunthorpe (<jgg@ziepe.ca>) wrote:
> Recursive sounds bad.. what are you seeing?

At least on my system, /sys/class/tpm/tpm0/device has a 'tpm' dir
which seems to replicate the tpm0/device struct endlessly. Digging a
bit deeper I see:

$ ls -l /sys/class/tpm/tpm0/device
lrwxrwxrwx 1 root root 0 Sep  4 12:15 /sys/class/tpm/tpm0/device -> ../../../00:09

The 00:09 dir in turn refers to ls /sys/devices/pnp0/00:09.

On an unrelated note: I was recently told that
/sys/class/tpm/tpm0/caps doesn't exist for TPM 2.0. This is
inconvenient, since the manufacturer and version info exposed through
that file can be used to detect CVE-2017-15361. Is there an equivalent
file for TPM 2.0?

* Re: caps file showing wrong TCG version?
From: Jarkko Sakkinen @ 2018-09-05 17:30 UTC
  To: Martin Galvan; +Cc: linux-integrity

On Tue, Sep 04, 2018 at 05:03:40PM -0300, Martin Galvan wrote:
> Hi all,
> 
> I have an Infineon SLB 9665 TPM chip, which according to
> https://www.infineon.com/dgdl/Infineon-OPTIGA_TPM-PB-v10_15-EN.pdf?fileId=5546d46145da30e80145efa2f0b96a8e
> uses TPM 2.0. However, /sys/class/tpm/tpm0/device/tpm/tpm0/caps is
> showing "TCG version: 1.2". I'm aware that the versioning scheme used
> by the TCG is a bit confusing (e.g. 1.2 is the "Main" spec, while 2.0
> is a "library" spec), but I'm wondering whether this is correct.
> 
> Thanks

It is clearly a TPM 1.2 chip as it talks the TPM 1.x protocol. The caps file
is only shown for TPM 1.x devices and it uses the TPM_ORD_GET_CAP command,
which is part of the TPM 1.x protocol.

/Jarkko

* Re: caps file showing wrong TCG version?
From: Martin Galvan @ 2018-09-05 17:32 UTC
  To: jarkko.sakkinen; +Cc: linux-integrity

On Wed, Sep 5, 2018 at 14:30, Jarkko Sakkinen
(<jarkko.sakkinen@linux.intel.com>) wrote:
> It is clearly a TPM 1.2 chip as it talks the TPM 1.x protocol. The caps file
> is only shown for TPM 1.x devices and it uses the TPM_ORD_GET_CAP command,
> which is part of the TPM 1.x protocol.

Yes, I had realized that. My mistake.

* Re: caps file showing wrong TCG version?
From: Jarkko Sakkinen @ 2018-09-05 17:32 UTC
  To: Martin Galvan; +Cc: jgg, linux-integrity

On Tue, Sep 04, 2018 at 06:55:45PM -0300, Martin Galvan wrote:
> On Tue, Sep 4, 2018 at 18:33, Jason Gunthorpe (<jgg@ziepe.ca>) wrote:
> > Recursive sounds bad.. what are you seeing?
> 
> At least on my system, /sys/class/tpm/tpm0/device has a 'tpm' dir
> which seems to replicate the tpm0/device struct endlessly. Digging a
> bit deeper I see:
> 
> $ ls -l /sys/class/tpm/tpm0/device
> lrwxrwxrwx 1 root root 0 Sep  4 12:15 /sys/class/tpm/tpm0/device -> ../../../00:09
> 
> The 00:09 dir in turn refers to ls /sys/devices/pnp0/00:09.
> 
> On an unrelated note: I was recently told that
> /sys/class/tpm/tpm0/caps doesn't exist for TPM 2.0. This is
> inconvenient, since the manufacturer and version info exposed through
> that file can be used to detect CVE-2017-15361. Is there an equivalent
> file for TPM 2.0?

Those files do not make sense because you can get the same information
by talking to /dev/tpm0.

/Jarkko

* Re: caps file showing wrong TCG version?
From: Martin Galvan @ 2018-09-05 17:35 UTC
  To: jarkko.sakkinen; +Cc: jgg, linux-integrity

On Wed, Sep 5, 2018 at 14:32, Jarkko Sakkinen
(<jarkko.sakkinen@linux.intel.com>) wrote:
> Those files do not make sense because you can get the same information
> by talking to /dev/tpm0.

Wouldn't that require using a lower-level interface, though? IIRC one
of the reasons of tpm2-tools' existence is to provide a user-friendly
way to do this. I was hoping there would be some way to do this
without having to install tpm2-tools.

* Re: caps file showing wrong TCG version?
From: Peter Huewe @ 2018-09-05 17:40 UTC
  To: Martin Galvan, jarkko.sakkinen; +Cc: jgg, linux-integrity



On 5 September 2018 19:35:12 CEST, Martin Galvan <omgalvan.86@gmail.com> wrote:
> On Wed, Sep 5, 2018 at 14:32, Jarkko Sakkinen
> (<jarkko.sakkinen@linux.intel.com>) wrote:
> > Those files do not make sense because you can get the same information
> > by talking to /dev/tpm0.
>
> Wouldn't that require using a lower-level interface, though? IIRC one
> of the reasons of tpm2-tools' existence is to provide a user-friendly
> way to do this. I was hoping there would be some way to do this
> without having to install tpm2-tools.

If you use the TPM (and care about the CVE), you probably have the tools installed anyways.
If not, you can use eltt2, it has far fewer dependencies:
 github.com/infineon/eltt2
Peter
-- 
Sent from my mobile

* Re: caps file showing wrong TCG version?
From: Jarkko Sakkinen @ 2018-09-06 10:02 UTC
  To: Martin Galvan; +Cc: jgg, linux-integrity

On Wed, Sep 05, 2018 at 02:35:12PM -0300, Martin Galvan wrote:
> On Wed, Sep 5, 2018 at 14:32, Jarkko Sakkinen
> (<jarkko.sakkinen@linux.intel.com>) wrote:
> > Those files do not make sense because you can get the same information
> > by talking to /dev/tpm0.
> 
> Wouldn't that require using a lower-level interface, though? IIRC one
> of the reasons of tpm2-tools' existence is to provide a user-friendly
> way to do this. I was hoping there would be some way to do this
> without having to install tpm2-tools.

Would be trivial to write utilities that talk raw TPM 2.0 protocol and
give you equivalent information.

Some sample code from my smoke tests:

  https://github.com/jsakkine-intel/tpm2-scripts

I would write such utilities in raw C though but as you can see it is
not rocket science.

/Jarkko
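
The raw TPM 2.0 exchange discussed above, as an added example (not code from this thread or from the tpm2-scripts repository): it serializes TPM2_GetCapability for the fixed properties holding the manufacturer ID and firmware version, and parses the reply. The function names and the SAMPLE response are constructed for illustration; the constants are taken from the TCG TPM 2.0 library specification.

```python
import struct

# Constants from the TCG TPM 2.0 library specification (Part 2: Structures).
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_GET_CAPABILITY = 0x0000017A
TPM_CAP_TPM_PROPERTIES = 0x00000006
TPM_PT_MANUFACTURER = 0x105        # vendor ID as four ASCII characters
TPM_PT_FIRMWARE_VERSION_1 = 0x10B  # most-significant 32 bits of firmware version
TPM_PT_FIRMWARE_VERSION_2 = 0x10C  # least-significant 32 bits

def build_get_capability(first_prop, count):
    """Serialize TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, first_prop, count)."""
    body = struct.pack(">III", TPM_CAP_TPM_PROPERTIES, first_prop, count)
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(body),
                       TPM_CC_GET_CAPABILITY) + body

def parse_properties(resp):
    """Return {property: value}; reject truncated, failed or malformed replies."""
    if len(resp) < 10 or struct.unpack_from(">I", resp, 2)[0] != len(resp):
        raise ValueError("truncated response or wrong size field")
    rc = struct.unpack_from(">I", resp, 6)[0]
    if rc != 0:  # e.g. a TPM 1.2 chip rejects the 2.0 command tag
        raise ValueError(f"TPM returned response code 0x{rc:08x}")
    if len(resp) < 19:
        raise ValueError("capability data missing")
    _more, cap, count = struct.unpack_from(">BII", resp, 10)
    if cap != TPM_CAP_TPM_PROPERTIES or 19 + 8 * count != len(resp):
        raise ValueError("malformed property list")
    return dict(struct.unpack_from(">II", resp, 19 + 8 * i) for i in range(count))

def describe(props):
    """Return (vendor string, 64-bit firmware version) from parsed properties."""
    vendor = struct.pack(">I", props[TPM_PT_MANUFACTURER]).decode("ascii", "replace")
    fw = (props[TPM_PT_FIRMWARE_VERSION_1] << 32) | props[TPM_PT_FIRMWARE_VERSION_2]
    return vendor.rstrip("\0 "), fw

def query(dev="/dev/tpm0"):
    """Send the command to a real TPM 2.0 character device (needs permission)."""
    with open(dev, "r+b", buffering=0) as tpm:
        tpm.write(build_get_capability(TPM_PT_MANUFACTURER, 8))  # 0x105..0x10C
        return describe(parse_properties(tpm.read(4096)))

# Constructed sample response (not captured from a real chip), for offline use.
SAMPLE = struct.pack(">HIIBII6I", TPM_ST_NO_SESSIONS, 43, 0, 0, TPM_CAP_TPM_PROPERTIES,
                     3, TPM_PT_MANUFACTURER, 0x49465800, TPM_PT_FIRMWARE_VERSION_1,
                     0x00010002, TPM_PT_FIRMWARE_VERSION_2, 0x00030004)

if __name__ == "__main__":
    print(describe(parse_properties(SAMPLE)))
```

On a TPM 1.2 chip the command is rejected and `parse_properties` raises on the non-zero response code. If a resource manager daemon holds `/dev/tpm0`, `/dev/tpmrm0` can be passed to `query` instead.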
