From: Anderson, Daniel <daniel.anderson at intel.com>
To: tpm2@lists.01.org
Subject: Re: [tpm2] TCTI initialization fails with error 0xc000b
Date: Thu, 22 Feb 2018 17:17:57 +0000
Message-ID: <207C810BE4BA2440832668E0F208BFD3AF6398@ORSMSX108.amr.corp.intel.com>
In-Reply-To: 09b4a528-26cb-8b26-786f-58b43276bf81@redhat.com

Javier,
Thanks for your reply--it is really useful as there are multiple undocumented options I need to use.  I am using MS Outlook which is lame for inline replies,  so I'll manually mark it with "dan> "

Dan

-----Original Message-----
From: Javier Martinez Canillas [mailto:javierm(a)redhat.com] 
Sent: Thursday, February 22, 2018 8:52 AM
To: Anderson, Daniel <daniel.anderson(a)intel.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] TCTI initialization fails with error 0xc000b

Hello Dan,

On 02/22/2018 05:01 PM, Anderson, Daniel wrote:
> Javier,
> Thanks!
> 
> The version is the latest source as of the message--I pulled the latest source and rebuilt several times.

Ok, I'm also building today's master branch for all projects.

> I will try again today and see if there has been a fix in the past week.
> There is no /dev/tpm--I am using the simulator and specify that in the options.

I didn't see the option specified in the command you shared in this thread.
You have to run with tpm2-abrmd --tcti socket.

dan> OK. That may be the missing option.  The "tpm2-abrmd --tcti socket" option is not mentioned anywhere in
dan> the INSTALL.md or README.md files.
dan> I found a tpm2-abrmd man page with several examples, but it doesn't mention which one to use for the
dan> simulator.

dan> Also, since tpm2-abrmd is started automatically by systemd, apparently, how does one add this option
dan> (whatever the correct syntax) to the system configuration?


> There may be another option or setting that I am missing though.
> Here is what I build with:
> 
> For tpm2-tss:
> configure --enable-unit
>         --with-simulatorbin=$TPM_SERVER

Only these are valid options for tpm2-tss, from here are tpm2-abrmd options:

>         --with-dbuspolicydir=/etc/dbus-1/system.d
>         --with-systemdsystemunitdir=/lib/systemd/system
>         --with-systemdpresetdir=/lib/systemd/system-preset
>         --with-udevrulesdir=/etc/udev/rules.d
>         --with-sysdefaultdir=/etc/default
>         --with-dbusdatadir=/usr/share/dbus-1/system-services
>
> For tpm2-abrmd:
> configure --enable-unit 
> --with-simulatorbin=$HOME/tpm/simulator/src/tpm_server
>

As mentioned, you either got the configure options mixed up or are using it wrong.

These are my configure options for tpm2-tss, tpm2-abrmd and tpm2-tools:

tpm2-tss:

$ ./configure --prefix=/usr

tpm2-abrmd:

$ ./configure --with-dbuspolicydir=/etc/dbus-1/system.d --with-udevrulesdir=/usr/lib/udev/rules.d --with-systemdsystemunitdir=/usr/lib/systemd/system --libdir=/usr/lib64

dan> This is useful. The systemdsystemunitdir (not mentioned in the README or INSTALL) should help.

tpm2-tools

$ ./configure --prefix=/usr

> I cannot believe that anyone has tpm2-abrmd working without special hand-copied fixes. The com.intel.tss2.tabrmd.service for example is not installed in /usr/share/dbus-1/system-services/ but in /usr/local/share/dbus-1/system-services/.
>

I think this is because you didn't specify a correct --with-dbuspolicydir as mentioned before. Another thing that you have to keep in mind, is that the default D-Bus config only allows the tss and root user to acquire the com.intel.tss2.Tabrmd D-Bus well-known name.

So after installing latest master with these configure options, I just do:

$ ./tpm_server

$ sudo -u tss /usr/local/sbin/tpm2-abrmd --tcti socket

dan> so you do not use system to start tpm2-abrmd.

$ tpm2_pcrlist -L sha1:0 -T abrmd                           
sha1:                      
  0 : 0x0000000000000000000000000000000000000003

And using the device TCTI also works for me:

$ sudo -u tss /usr/local/sbin/tpm2-abrmd --tcti device

dan> neither tpm2-abrmd --tcti socket nor tpm2-abrmd --tcti device is mentioned in the README.md, INSTALL.md, or tpm2-abrmd(8) man page, so I'll add those.

$ tpm2_pcrlist -L sha1:0 -T abrmd                           
sha1:                      
  0 : 0xC72EC9E6CBC2B6A95F334DDDD6513981DA00F0C2

Best regards,
--
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement Red Hat
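
On the question raised in the message above about passing the TCTI option when systemd starts the daemon: one way is a drop-in override, sketched here as an added example that is not part of the original thread or the project's own files. The unit name `tpm2-abrmd.service`, the drop-in file name `tcti.conf` and the helper `write_tcti_dropin` are assumptions; the binary path and the `--tcti socket` / `--tcti device` syntax are the ones used in the thread.

```sh
#!/bin/sh
# Added example: write a systemd drop-in that starts tpm2-abrmd with an
# explicit TCTI. Unit name and file name are assumptions, not from the thread.

UNIT="${UNIT:-tpm2-abrmd.service}"                    # assumed unit name
ABRMD_BIN="${ABRMD_BIN:-/usr/local/sbin/tpm2-abrmd}"  # path used in the thread

# write_tcti_dropin TCTI [BASEDIR]
# Writes BASEDIR/UNIT.d/tcti.conf and prints its path. Only the two TCTI
# names shown in the thread are accepted, so nothing else reaches ExecStart.
write_tcti_dropin() {
    tcti="$1"
    base="${2:-/etc/systemd/system}"
    case "$tcti" in
        socket|device) ;;
        *) echo "unsupported TCTI: $tcti" >&2; return 2 ;;
    esac
    dir="$base/$UNIT.d"
    mkdir -p "$dir" || return 1
    # The empty ExecStart= clears the command inherited from the installed
    # unit; systemd refuses a non-oneshot service with two ExecStart lines.
    cat > "$dir/tcti.conf" <<EOF
[Service]
ExecStart=
ExecStart=$ABRMD_BIN --tcti $tcti
EOF
    chmod 0644 "$dir/tcti.conf"
    printf '%s\n' "$dir/tcti.conf"
}

# Dry run into a scratch directory so nothing on the host changes.
# For real use (as root): write_tcti_dropin socket, then
# systemctl daemon-reload and systemctl restart "$UNIT".
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    cat "$(write_tcti_dropin socket "$scratch")"
    rm -rf "$scratch"
fi
```

The drop-in changes only the command line; the D-Bus policy mentioned in the thread still decides which user may own the com.intel.tss2.Tabrmd name.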
