* Re: [tpm2] Policy check fails writing to NVRAM > 512B
@ 2018-06-13 18:06 
  0 siblings, 0 replies; 6+ messages in thread
From:  @ 2018-06-13 18:06 UTC (permalink / raw)
  To: tpm2


Hi Tadeusz,

I enabled TCTI debug info and there were no extra messages when executing
the write command:

$ export TSS2_LOG="all+ERROR,tcti+TRACE"

$ tpm2_nvwrite -x 0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta_config.cfg
ERROR: Failed to write NV area at index 0x1800005 (25165829) offset 0x200. Error:0x99d
ERROR: Unable to run tpm2_nvwrite

Am I doing something wrong? or are the TSS logs available somewhere else
after I execute the command and that is why I see nothing?

I also tried enabling logging as TSS2_LOG="all+TRACE", but I only see debug
and trace logs from marshal and none of them say error or anything similar.

Thanks,
Gabriela


2018-06-13 20:47 GMT+03:00 Tadeusz Struk <tadeusz.struk(a)intel.com>:

> On 06/11/2018 11:20 PM, Gabriela Limonta Márquez wrote:
> > Hi,
> >
> > I have updated the tpm2 software stack to use
> >
> > tpm2-tss @ 2.0.0_rc3
> > tpm2-abrmd @ 2.0.0_rc0
> > tpm2-tools @ 3.1.0-rc0
> >
> > I am trying to write a file to NVRAM and seal it using a simple policy (sha256:0).
> >
> > I can create the policy and define the NVRAM. However, when I try writing to it it fails with a policy check error:
> >
> > $ tpm2_nvrelease -x 0x1800005 -a 0x40000001
> >
> > $ tpm2_pcrlist -L sha256:0 -o pcr.value
> > sha256 :
> >   0  : d8a76f44656e5b7ed75ddc6c19071d8594e99edb67c54c0f5f562a8bdaa26bbf
> >
> > $ tpm2_createpolicy -P -L sha256:0 -F pcr.value -f policy
> >
> > $ tpm2_nvdefine -x 0x1800005 -a 0x40000001 -s 700 -L policy -t "policyread|policywrite"
> >
> > $ tpm2_nvwrite -x  0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta_config.cfg -V
> > INFO on line: "125" in file: "tools/tpm2_nvwrite.c": The data(size=512) to be written:
> > INFO on line: "141" in file: "tools/tpm2_nvwrite.c": Success to write NV area at index 0x1800005 (25165829) offset 0x0.
> > INFO on line: "125" in file: "tools/tpm2_nvwrite.c": The data(size=131) to be written:
> > ERROR on line: "136" in file: "tools/tpm2_nvwrite.c": Failed to write NV area at index 0x1800005 (25165829) offset 0x200. Error:0x99d
> > ERROR on line: "168" in file: "tools/tpm2_tool.c": Unable to run tpm2_nvwrite
> >
> > $ tpm2_rc_decode 0x99d
> > error layer
> >   hex: 0x0
> >   identifier: TSS2_TPM_RC_LAYER
> >   description: Error produced by the TPM
> > format 1 error code
> >   hex: 0x1d
> >   identifier: TPM2_RC_POLICY_FAIL
> >   description: a policy check failed
> > session
> >   hex: 0x100
> >   identifier: TPM2_RC_1
> >   description:  (null)
> >
> > From the verbose output I can see that the first 512 bytes are successfully written, and it only fails the policy check for the remaining 131 bytes.
> > I don't think this is a policy failure, since the policy check succeeds for the first 512 bytes and the policy is defined with PCR0 of the sha256 bank which is not changing.
> >
> >
> > My guess is that it was related to the size of the file I was trying to write to NVRAM, so I tried writing a smaller file (< 512) and that succeeds.
> >
> > $ tpm2_nvwrite -x  0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta2_config.cfg -V
> > INFO on line: "125" in file: "tools/tpm2_nvwrite.c": The data(size=273) to be written:
> > INFO on line: "141" in file: "tools/tpm2_nvwrite.c": Success to write NV area at index 0x1800005 (25165829) offset 0x0.
> >
> > I only have this problem when using policies. If I define NVRAM without any policies I can write the file successfully even if the size is larger than 512.
> >
> > Does anyone have any idea what might be going on?
> >
> > Thanks in advance!
> >
> > Best regards,
> > Gabriela Limonta
>
> Hi Gabriela,
> My first guess is that the TCTI performs two partial writes internally and
> after the first partial write the policy digest
> gets updated. Could you please enable TCTI debug info and try to write the
> big buffer again.
> The debug info can be turned on by:
> export TSS2_LOG="all+ERROR,tcti+TRACE"
>
> Thanks,
> --
> Tadeusz
>


* Re: [tpm2] Policy check fails writing to NVRAM > 512B
@ 2018-06-13 18:31 
  0 siblings, 0 replies; 6+ messages in thread
From:  @ 2018-06-13 18:31 UTC (permalink / raw)
  To: tpm2


Yes, I noticed the same.
I tried recompiling it anyway with the command line options
"--with-maxloglevel=trace --enable-debug" but it made no difference.
The commands are being run without sudo, just a regular user.

Best,
Gabriela

2018-06-13 21:28 GMT+03:00 Tadeusz Struk <tadeusz.struk(a)intel.com>:

> On 06/13/2018 11:13 AM, Tadeusz Struk wrote:
> > On 06/13/2018 11:06 AM, Gabriela Limonta Márquez wrote:
> >> $ export TSS2_LOG="all+ERROR,tcti+TRACE"
> >>
> >> $ tpm2_nvwrite -x 0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta_config.cfg
> >> ERROR: Failed to write NV area at index 0x1800005 (25165829) offset 0x200. Error:0x99d
> >> ERROR: Unable to run tpm2_nvwrite
> >>
> >> Am I doing something wrong? or are the TSS logs available somewhere else after I execute the command and that is why I see nothing?
> >>
> >> I also tried enabling logging as TSS2_LOG="all+TRACE", but I only see debug and trace logs from marshal and none of them say error or anything similar.
> >
> > That all looks good. The only thing that's probably missing is that the debug is not compiled into TSS.
> > It needs to be enabled at compile time by --with-maxloglevel=trace
> > Please see ./configure --help
> > Could you recompile TSS with that enabled and try again.
>
> Just looked at the config and see that the 'trace' is the default if you
> build it from the repo.
> Are you running your commands with sudo by any chance?
> Thanks,
> --
> Tadeusz
>


* Re: [tpm2] Policy check fails writing to NVRAM > 512B
@ 2018-06-13 18:28 Tadeusz Struk
  0 siblings, 0 replies; 6+ messages in thread
From: Tadeusz Struk @ 2018-06-13 18:28 UTC (permalink / raw)
  To: tpm2


On 06/13/2018 11:13 AM, Tadeusz Struk wrote:
> On 06/13/2018 11:06 AM, Gabriela Limonta Márquez wrote:
>> $ export TSS2_LOG="all+ERROR,tcti+TRACE"
>>
>> $ tpm2_nvwrite -x 0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta_config.cfg
>> ERROR: Failed to write NV area at index 0x1800005 (25165829) offset 0x200. Error:0x99d
>> ERROR: Unable to run tpm2_nvwrite
>>
>> Am I doing something wrong? or are the TSS logs available somewhere else after I execute the command and that is why I see nothing?
>>
>> I also tried enabling logging as TSS2_LOG="all+TRACE", but I only see debug and trace logs from marshal and none of them say error or anything similar.
> 
> That all looks good. The only thing that's probably missing is that the debug is not compiled into TSS.
> It needs to be enabled at compile time by --with-maxloglevel=trace
> Please see ./configure --help
> Could you recompile TSS with that enabled and try again.

Just looked at the config and see that the 'trace' is the default if you build it from the repo.
Are you running your commands with sudo by any chance?
Thanks,
-- 
Tadeusz


* Re: [tpm2] Policy check fails writing to NVRAM > 512B
@ 2018-06-13 18:13 Tadeusz Struk
  0 siblings, 0 replies; 6+ messages in thread
From: Tadeusz Struk @ 2018-06-13 18:13 UTC (permalink / raw)
  To: tpm2


On 06/13/2018 11:06 AM, Gabriela Limonta Márquez wrote:
> $ export TSS2_LOG="all+ERROR,tcti+TRACE"
> 
> $ tpm2_nvwrite -x 0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta_config.cfg
> ERROR: Failed to write NV area at index 0x1800005 (25165829) offset 0x200. Error:0x99d
> ERROR: Unable to run tpm2_nvwrite
> 
> Am I doing something wrong? or are the TSS logs available somewhere else after I execute the command and that is why I see nothing?
> 
> I also tried enabling logging as TSS2_LOG="all+TRACE", but I only see debug and trace logs from marshal and none of them say error or anything similar.

That all looks good. The only thing that's probably missing is that the debug is not compiled into TSS.
It needs to be enabled at compile time by --with-maxloglevel=trace
Please see ./configure --help
Could you recompile TSS with that enabled and try again.
Thanks,
-- 
Tadeusz


* Re: [tpm2] Policy check fails writing to NVRAM > 512B
@ 2018-06-13 17:47 Tadeusz Struk
  0 siblings, 0 replies; 6+ messages in thread
From: Tadeusz Struk @ 2018-06-13 17:47 UTC (permalink / raw)
  To: tpm2


On 06/11/2018 11:20 PM, Gabriela Limonta Márquez wrote:
> Hi,
> 
> I have updated the tpm2 software stack to use
> 
> tpm2-tss @ 2.0.0_rc3
> tpm2-abrmd @ 2.0.0_rc0
> tpm2-tools @ 3.1.0-rc0
> 
> I am trying to write a file to NVRAM and seal it using a simple policy (sha256:0).
> 
> I can create the policy and define the NVRAM. However, when I try writing to it it fails with a policy check error:
> 
> $ tpm2_nvrelease -x 0x1800005 -a 0x40000001
> 
> $ tpm2_pcrlist -L sha256:0 -o pcr.value
> sha256 :
>   0  : d8a76f44656e5b7ed75ddc6c19071d8594e99edb67c54c0f5f562a8bdaa26bbf
> 
> $ tpm2_createpolicy -P -L sha256:0 -F pcr.value -f policy
> 
> $ tpm2_nvdefine -x 0x1800005 -a 0x40000001 -s 700 -L policy -t "policyread|policywrite"
> 
> $ tpm2_nvwrite -x  0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta_config.cfg -V
> INFO on line: "125" in file: "tools/tpm2_nvwrite.c": The data(size=512) to be written:
> INFO on line: "141" in file: "tools/tpm2_nvwrite.c": Success to write NV area at index 0x1800005 (25165829) offset 0x0.
> INFO on line: "125" in file: "tools/tpm2_nvwrite.c": The data(size=131) to be written:
> ERROR on line: "136" in file: "tools/tpm2_nvwrite.c": Failed to write NV area at index 0x1800005 (25165829) offset 0x200. Error:0x99d
> ERROR on line: "168" in file: "tools/tpm2_tool.c": Unable to run tpm2_nvwrite
> 
> $ tpm2_rc_decode 0x99d
> error layer
>   hex: 0x0
>   identifier: TSS2_TPM_RC_LAYER
>   description: Error produced by the TPM
> format 1 error code
>   hex: 0x1d
>   identifier: TPM2_RC_POLICY_FAIL
>   description: a policy check failed
> session
>   hex: 0x100
>   identifier: TPM2_RC_1
>   description:  (null)
> 
> From the verbose output I can see that the first 512 bytes are successfully written, and it only fails the policy check for the remaining 131 bytes.
> I don't think this is a policy failure, since the policy check succeeds for the first 512 bytes and the policy is defined with PCR0 of the sha256 bank which is not changing.
> 
> 
> My guess is that it was related to the size of the file I was trying to write to NVRAM, so I tried writing a smaller file (< 512) and that succeeds.
> 
> $ tpm2_nvwrite -x  0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta2_config.cfg -V
> INFO on line: "125" in file: "tools/tpm2_nvwrite.c": The data(size=273) to be written:
> INFO on line: "141" in file: "tools/tpm2_nvwrite.c": Success to write NV area at index 0x1800005 (25165829) offset 0x0.
> 
> I only have this problem when using policies. If I define NVRAM without any policies I can write the file successfully even if the size is larger than 512.
> 
> Does anyone have any idea what might be going on?
> 
> Thanks in advance!
> 
> Best regards,
> Gabriela Limonta

Hi Gabriela,
My first guess is that the TCTI performs two partial writes internally and after the first partial write the policy digest
gets updated. Could you please enable TCTI debug info and try to write the big buffer again.
The debug info can be turned on by:
export TSS2_LOG="all+ERROR,tcti+TRACE"

Thanks,
-- 
Tadeusz
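
A model of the behaviour the reply above guesses at, added here as an example (it is not code from the thread or from tpm2-tools). It assumes, per the TPM 2.0 library specification, that a policy session's policyDigest is cleared once the session has authorized a command; `ModelTpm` and `chunked_write` are hypothetical names, and the PCR0 value and sizes are the ones shown in the thread.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # TPM2_PolicyPCR command code (TPM 2.0 spec)
TPM_ALG_SHA256 = 0x000B
RC_POLICY_FAIL_S1 = 0x99D        # TPM2_RC_POLICY_FAIL on session 1, as in the thread
CHUNK = 512                      # chunk size visible in the -V output
ZERO = bytes(32)
PCR0 = bytes.fromhex("d8a76f44656e5b7ed75ddc6c19071d8594e99edb67c54c0f5f562a8bdaa26bbf")

def policy_pcr(digest, pcr0):
    """policyDigest update performed by TPM2_PolicyPCR for the selection sha256:0."""
    selection = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + b"\x01\x00\x00"
    cc = struct.pack(">I", TPM_CC_POLICY_PCR)
    return hashlib.sha256(digest + cc + selection + hashlib.sha256(pcr0).digest()).digest()

class ModelTpm:
    """Hypothetical model: one policywrite NV index and one policy session."""
    def __init__(self, pcr0, nv_size):
        self.pcr0 = pcr0
        self.auth_policy = policy_pcr(ZERO, pcr0)  # authPolicy bound to the index
        self.nv = bytearray(nv_size)
        self.session_digest = ZERO

    def policy_pcr_cmd(self):
        self.session_digest = policy_pcr(self.session_digest, self.pcr0)

    def nv_write(self, offset, data):
        if self.session_digest != self.auth_policy:
            return RC_POLICY_FAIL_S1
        self.nv[offset:offset + len(data)] = data
        self.session_digest = ZERO   # policy state is cleared once the session is used
        return 0

def chunked_write(tpm, data, renew_per_chunk):
    """Write in CHUNK-sized pieces; return [(offset, rc)], stopping on failure."""
    results = []
    for off in range(0, len(data), CHUNK):
        if off == 0 or renew_per_chunk:
            tpm.policy_pcr_cmd()     # satisfy the PCR policy in the session
        rc = tpm.nv_write(off, data[off:off + CHUNK])
        results.append((off, rc))
        if rc:
            break
    return results

if __name__ == "__main__":
    data = bytes(643)                # constructed: 512 + 131 bytes, as in the thread
    print(chunked_write(ModelTpm(PCR0, 700), data, renew_per_chunk=False))
    print(chunked_write(ModelTpm(PCR0, 700), data, renew_per_chunk=True))
```

With one PolicyPCR for the whole transfer the model fails at offset 0x200 with 0x99d, as in the verbose output; repeating PolicyPCR before each chunk lets both writes through.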


* [tpm2] Policy check fails writing to NVRAM > 512B
@ 2018-06-12  6:20 
  0 siblings, 0 replies; 6+ messages in thread
From:  @ 2018-06-12  6:20 UTC (permalink / raw)
  To: tpm2


Hi,

I have updated the tpm2 software stack to use

tpm2-tss @ 2.0.0_rc3
tpm2-abrmd @ 2.0.0_rc0
tpm2-tools @ 3.1.0-rc0

I am trying to write a file to NVRAM and seal it using a simple policy
(sha256:0).

I can create the policy and define the NVRAM. However, when I try writing
to it it fails with a policy check error:

$ tpm2_nvrelease -x 0x1800005 -a 0x40000001

$ tpm2_pcrlist -L sha256:0 -o pcr.value
sha256 :
  0  : d8a76f44656e5b7ed75ddc6c19071d8594e99edb67c54c0f5f562a8bdaa26bbf

$ tpm2_createpolicy -P -L sha256:0 -F pcr.value -f policy

$ tpm2_nvdefine -x 0x1800005 -a 0x40000001 -s 700 -L policy -t "policyread|policywrite"

$ tpm2_nvwrite -x  0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta_config.cfg -V
INFO on line: "125" in file: "tools/tpm2_nvwrite.c": The data(size=512) to be written:
INFO on line: "141" in file: "tools/tpm2_nvwrite.c": Success to write NV area at index 0x1800005 (25165829) offset 0x0.
INFO on line: "125" in file: "tools/tpm2_nvwrite.c": The data(size=131) to be written:
ERROR on line: "136" in file: "tools/tpm2_nvwrite.c": Failed to write NV area at index 0x1800005 (25165829) offset 0x200. Error:0x99d
ERROR on line: "168" in file: "tools/tpm2_tool.c": Unable to run tpm2_nvwrite

$ tpm2_rc_decode 0x99d
error layer
  hex: 0x0
  identifier: TSS2_TPM_RC_LAYER
  description: Error produced by the TPM
format 1 error code
  hex: 0x1d
  identifier: TPM2_RC_POLICY_FAIL
  description: a policy check failed
session
  hex: 0x100
  identifier: TPM2_RC_1
  description:  (null)

From the verbose output I can see that the first 512 bytes are successfully
written, and it only fails the policy check for the remaining 131 bytes.
I don't think this is a policy failure, since the policy check succeeds
for the first 512 bytes and the policy is defined with PCR0 of the sha256
bank which is not changing.


My guess is that it was related to the size of the file I was trying to
write to NVRAM, so I tried writing a smaller file (< 512) and that succeeds.

$ tpm2_nvwrite -x  0x1800005 -a 0x1800005 -L sha256:0 -F pcr.value ta2_config.cfg -V
INFO on line: "125" in file: "tools/tpm2_nvwrite.c": The data(size=273) to be written:
INFO on line: "141" in file: "tools/tpm2_nvwrite.c": Success to write NV area at index 0x1800005 (25165829) offset 0x0.


I only have this problem when using policies. If I define NVRAM without any
policies I can write the file successfully even if the size is larger than
512.

Does anyone have any idea what might be going on?

Thanks in advance!

Best regards,
Gabriela Limonta
