* Re: [tpm2] tpm support on Intel NUCs
@ 2018-05-09 15:08 Peter Magnusson
  0 siblings, 0 replies; 8+ messages in thread
From: Peter Magnusson @ 2018-05-09 15:08 UTC (permalink / raw)
  To: tpm2


For the record, with all SINIT files installed into /boot and update-grub2
performed, Ubuntu tboot works with EFI boot and I can no longer reproduce
the hang.

tboot built from source also works nicely without any problems.

A tad annoying that EFI hangs leave no log so you have no indication of
what the problem was.
Will work on the system next week and see if the tboot hang returns ;)

On Wed, May 9, 2018 at 3:26 PM Peter Magnusson <blaufish.public.email(a)gmail.com> wrote:

> thanks, tboot started working on legacy boot without any tpm2_tools action
> necessary.

> is tboot hanging in EFI boot a known issue? (the ubuntu tboot scripts seem
> to be written with EFI in mind, so I presumed it was supported)
^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [tpm2] tpm support on Intel NUCs
@ 2018-05-09 13:26 Peter Magnusson
  0 siblings, 0 replies; 8+ messages in thread
From: Peter Magnusson @ 2018-05-09 13:26 UTC (permalink / raw)
  To: tpm2


thanks, tboot started working on legacy boot without any tpm2_tools action
necessary.

is tboot hanging in EFI boot a known issue? (the ubuntu tboot scripts seem
to be written with EFI in mind, so I presumed it was supported)

On Tue, May 8, 2018 at 6:24 PM Ian Oliver <ian.justin.oliver(a)gmail.com>
wrote:

> Fedora 27, Ubuntu 18.04  both with 4.15 kernels work on the NUCs with the
> current release version of TPM tools.  Legacy boot is enabled, otherwise
> tboot hangs during the DRTM measurement.   We have SELinux+IMA/EMA working
> on Fedora and correctly writing to the TPM only with Fedora - Ubuntu has
> AppArmor unfortunately.

> The patch for the TPM BUFFER size is required otherwise nv_write/read do
> not work (this has now been pushed into the tools code base as I
> understand).

> Ian




> --
> Dr. Ian Oliver
> ===============================
> Privacy Engineering:  via Amazon
> Twitter: @i_j_oliver

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [tpm2] tpm support on Intel NUCs
@ 2018-05-08 22:45 Duncan.Palmer
  0 siblings, 0 replies; 8+ messages in thread
From: Duncan.Palmer @ 2018-05-08 22:45 UTC (permalink / raw)
  To: tpm2


We've a relatively simple configuration for our appliance-like embedded system. The kernel, initrd, grub config and rootfs are stored on a single encrypted partition. We've added functionality to the CoreOS fork of grub to allow the key for the encrypted partition to be read from TPM NVRAM, so we end up with a trusted and secure boot process. We side-step the problems of dealing with changing kernel and initrd hashes on upgrades, as we don't allow any direct end-user access, and can therefore assume that the contents of the encrypted partition are trusted. I intend to submit the CoreOS changes shortly.


Dunk


Duncan Palmer
Senior Software Engineer | Autonomous Systems
Data61 | CSIRO

E duncan.palmer(a)csiro.au

Queensland Centre for Advanced Technologies (QCAT),

1 Technology Court, Pullenvale QLD, 4069

www.data61.csiro.au<http://my.csiro.au/Business-Units/Operations/Communication/CSIRO-Branding/Data61-Branding/www.data61.csiro.au>


CSIRO’s Digital Productivity business unit and NICTA have joined forces to create digital powerhouse Data61

________________________________
From: Ian Oliver <ian.justin.oliver(a)gmail.com>
Sent: 09 May 2018 02:24
To: Peter Magnusson
Cc: Palmer, Duncan (Data61, Pullenvale); tpm2(a)lists.01.org
Subject: Re: [tpm2] tpm support on Intel NUCs

Fedora 27, Ubuntu 18.04  both with 4.15 kernels work on the NUCs with the current release version of TPM tools.  Legacy boot is enabled, otherwise tboot hangs during the DRTM measurement.   We have SELinux+IMA/EMA working on Fedora and correctly writing to the TPM only with Fedora - Ubuntu has AppArmor unfortunately.

The patch for the TPM BUFFER size is required otherwise nv_write/read do not work (this has now been pushed into the tools code base as I understand).

Ian




^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [tpm2] tpm support on Intel NUCs
@ 2018-05-08 16:24 Ian Oliver
  0 siblings, 0 replies; 8+ messages in thread
From: Ian Oliver @ 2018-05-08 16:24 UTC (permalink / raw)
  To: tpm2


Fedora 27, Ubuntu 18.04  both with 4.15 kernels work on the NUCs with the
current release version of TPM tools.  Legacy boot is enabled, otherwise
tboot hangs during the DRTM measurement.   We have SELinux+IMA/EMA working
on Fedora and correctly writing to the TPM only with Fedora - Ubuntu has
AppArmor unfortunately.

The patch for the TPM BUFFER size is required otherwise nv_write/read do
not work (this has now been pushed into the tools code base as I
understand).

Ian



On 8 May 2018 at 18:56, Peter Magnusson <blaufish.public.email(a)gmail.com>
wrote:

> 1/
> For the record, the combo of tpm2-tools 3.0.4, tpm2-tss 1.4.0, tpm2-abrmd
> 1.3.1 works excellently on NUC.
>
> 2/
> Regarding Boot hang on Ubuntu, I see this on Ubuntu 18 as well. I'm
> planning to install in BIOS legacy mode to get tboot logs on screen unless
> this is resolved otherwise (ubuntu grub scripts disable VGA log for efi
> tboot).
>
> The following blog post suggests that tboot should not be working on Intel
> NUC out of the box, but the commands are tpm_tools based.
> https://blog.twobit.us/2015/01/02/txt-and-tboot-on-the-ivb-nuc/
> I tried to follow the advice on the blog but get error 0x9a2
> TPM_RC_BAD_AUTH... do I need to take ownership before executing command?
>
> tpm2_nvdefine -T device:/dev/tpmrm0 --index=0xffffffff --size=0
> WARN: Defining an index with size 0
> ERROR: Failed to define NV area at index 0xffffffff (-1).Error:0x9a2
> tpm2_rc_decode 0x9a2
> error layer
>    hex: 0x0
>    identifier: TSS2_TPM_ERROR_LEVEL
>    description: Error produced by the TPM
> format 1 error code
>    hex: 0x22
>    identifier: TPM_RC_BAD_AUTH
>    description: authorization failure without DA implications
> session
>    hex: 0x100
>    identifier: TPM_RC_1
>    description:  (null)


-- 
*Dr. Ian Oliver*
===============================
Privacy Engineering:  via Amazon <http://www.amazon.co.uk/dp/1497569710>
*Twitter: @i_j_oliver*


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [tpm2] tpm support on Intel NUCs
@ 2018-05-08 15:56 Peter Magnusson
  0 siblings, 0 replies; 8+ messages in thread
From: Peter Magnusson @ 2018-05-08 15:56 UTC (permalink / raw)
  To: tpm2


1/
For the record, the combo of tpm2-tools 3.0.4, tpm2-tss 1.4.0, tpm2-abrmd
1.3.1 works excellently on NUC.

2/
Regarding Boot hang on Ubuntu, I see this on Ubuntu 18 as well. I'm
planning to install in BIOS legacy mode to get tboot logs on screen unless
this is resolved otherwise (ubuntu grub scripts disable VGA log for efi
tboot).

The following blog post suggests that tboot should not be working on Intel
NUC out of the box, but the commands are tpm_tools based.
https://blog.twobit.us/2015/01/02/txt-and-tboot-on-the-ivb-nuc/
I tried to follow the advice on the blog but get error 0x9a2
TPM_RC_BAD_AUTH... do I need to take ownership before executing command?

tpm2_nvdefine -T device:/dev/tpmrm0 --index=0xffffffff --size=0
WARN: Defining an index with size 0
ERROR: Failed to define NV area at index 0xffffffff (-1).Error:0x9a2
tpm2_rc_decode 0x9a2
error layer
   hex: 0x0
   identifier: TSS2_TPM_ERROR_LEVEL
   description: Error produced by the TPM
format 1 error code
   hex: 0x22
   identifier: TPM_RC_BAD_AUTH
   description: authorization failure without DA implications
session
   hex: 0x100
   identifier: TPM_RC_1
   description:  (null)

On Fri, Apr 27, 2018 at 6:59 AM Ian Oliver <ian.justin.oliver(a)gmail.com>
wrote:

> Hello Duncan,

> we've three NUC7i5DNKE - two running Fedora (latest) and one with Ubuntu
> 17.04.  Worked for us out of the box: had to enable TXT in the BIOS but
> that set everything else necessary automatically.  SRTM measures work, DRTM
> with tboot does not - tboot just hangs - still debugging this one - the ACM
> module seems to be correct.

> Fedora requires a kernel recompile to get SELinux and IMA/EMA running;
> Ubuntu does not support IMA policies and AppArmor kernel panics.

> tss/abrmd/tpm2-tools all compile with the latest releases, "master" does
> not without some hacking - old libraries etc (CentOS was nigh on impossible
> in this respect)

> I'll check the kernel versions and tpm drivers when I get into the
> office, but 4.13 (at least) for the kernel has worked for us on more or
> less everything (NUC, Nokia AirFrame, Lenovo laptops).

> t.

> Ian

^ permalink raw reply	[flat|nested] 8+ messages in thread
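
The 0x9a2 response code from the tpm2_rc_decode output in the message above, taken apart bit by bit. This is an added example, not part of the thread or of tpm2-tools; the field layout and the name tables follow the TPM 2.0 Library specification (Part 2), the tables are a small subset, and decode_rc/describe are hypothetical helper names.

```python
"""Decode a TPM 2.0 response code (TPM_RC) into its bit fields."""
from dataclasses import dataclass

# Name subsets from the TPM 2.0 Library spec, Part 2 (not exhaustive).
FMT1_NAMES = {  # keyed by the 6-bit error number (code & 0x3f)
    0x04: "TPM_RC_VALUE",
    0x05: "TPM_RC_HIERARCHY",
    0x0B: "TPM_RC_HANDLE",
    0x0E: "TPM_RC_AUTH_FAIL",    # auth failure that increments the DA counter
    0x15: "TPM_RC_SIZE",
    0x1D: "TPM_RC_POLICY_FAIL",
    0x22: "TPM_RC_BAD_AUTH",     # auth failure without DA implications
}
FMT0_NAMES = {  # keyed by the full 12-bit code
    0x000: "TPM_RC_SUCCESS",
    0x100: "TPM_RC_INITIALIZE",
    0x125: "TPM_RC_AUTH_MISSING",
    0x149: "TPM_RC_NV_AUTHORIZATION",
    0x14B: "TPM_RC_NV_SPACE",
    0x14C: "TPM_RC_NV_DEFINED",
    0x921: "TPM_RC_LOCKOUT",
    0x922: "TPM_RC_RETRY",
}


@dataclass(frozen=True)
class DecodedRC:
    layer: int        # bits 23:16; 0 means the TPM itself produced the code
    format_one: bool  # bit 7 (F)
    error: int        # bare error number within its format
    name: str
    subject: str      # "parameter", "session", "handle" or ""
    index: int        # which parameter/session/handle; 0 if unspecified
    warning: bool     # format-zero S bit (bit 11)


def decode_rc(rc: int) -> DecodedRC:
    if not 0 <= rc <= 0xFFFFFFFF:
        raise ValueError("TPM_RC is a 32-bit value")
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFF
    if layer != 0:
        # Codes raised by TSS software layers are numbered differently.
        return DecodedRC(layer, False, rc & 0xFFFF, "TSS2 layer code", "", 0, False)
    if code & 0x080:
        # Format-one: the error is tied to a parameter, session or handle.
        error = code & 0x03F
        n = (code >> 8) & 0xF
        if code & 0x040:      # P bit set: N is a parameter number
            subject, index = "parameter", n
        elif n & 0x8:         # bit 11 set: N[2:0] is a session number
            subject, index = "session", n & 0x7
        else:                 # otherwise N[2:0] is a handle number
            subject, index = "handle", n & 0x7
        name = FMT1_NAMES.get(error, f"RC_FMT1+0x{error:03x}")
        return DecodedRC(layer, True, error, name, subject, index, False)
    # Format-zero: bit 8 = TPM 2.0 code, bit 10 = vendor defined, bit 11 = warning.
    error = code & 0x07F
    warning = bool(code & 0x800)
    if code & 0x400:
        name = "vendor-defined code"
    elif code and not (code & 0x100):
        name = "TPM 1.2 style code"
    else:
        base = "RC_WARN" if warning else "RC_VER1"
        name = FMT0_NAMES.get(code, f"{base}+0x{error:03x}")
    return DecodedRC(layer, False, error, name, "", 0, warning)


def describe(rc: int) -> str:
    d = decode_rc(rc)
    where = f" ({d.subject} {d.index})" if d.subject else ""
    kind = "success" if rc == 0 else ("warning" if d.warning else "error")
    return f"0x{rc:x}: {d.name}{where}, layer {d.layer}, {kind}"


if __name__ == "__main__":
    # 0x9a2 is the code from the thread; the other values are constructed samples.
    for sample in (0x9A2, 0x1C4, 0x18B, 0x14C, 0x921):
        print(describe(sample))
```

For 0x9a2 this reports TPM_RC_BAD_AUTH on session 1: 0x0a2 (format-one BAD_AUTH) plus 0x800 (session) plus 0x100 (number 1), meaning the TPM rejected the authorization presented in the command's first authorization session.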

* Re: [tpm2] tpm support on Intel NUCs
@ 2018-04-29 23:23 Duncan.Palmer
  0 siblings, 0 replies; 8+ messages in thread
From: Duncan.Palmer @ 2018-04-29 23:23 UTC (permalink / raw)
  To: tpm2


Thanks Ian,


Sounds like we need to test some newer kernels..


Dunk


Duncan Palmer
Senior Software Engineer | Autonomous Systems
Data61 | CSIRO

E duncan.palmer(a)csiro.au

Queensland Centre for Advanced Technologies (QCAT),

1 Technology Court, Pullenvale QLD, 4069

www.data61.csiro.au<http://my.csiro.au/Business-Units/Operations/Communication/CSIRO-Branding/Data61-Branding/www.data61.csiro.au>


CSIRO's Digital Productivity business unit and NICTA have joined forces to create digital powerhouse Data61

________________________________
From: Ian Oliver <ian.justin.oliver(a)gmail.com>
Sent: 27 April 2018 14:59
To: Palmer, Duncan (Data61, Pullenvale)
Cc: tpm2(a)lists.01.org
Subject: Re: tpm support on Intel NUCs

Hello Duncan,

we've three NUC7i5DNKE<https://ark.intel.com/products/122486/Intel-NUC-Kit-NUC7i5DNKE> - two running Fedora (latest) and one with Ubuntu 17.04.  Worked for us out of the box: had to enable TXT in the BIOS but that set everything else necessary automatically.  SRTM measures work, DRTM with tboot does not - tboot just hangs - still debugging this one - the ACM module seems to be correct.

Fedora requires a kernel recompile to get SELinux and IMA/EMA running;  Ubuntu does not support IMA policies and AppArmor kernel panics.

tss/abrmd/tpm2-tools all compile with the latest releases, "master" does not without some hacking - old libraries etc (CentOS was nigh on impossible in this respect)

I'll check the kernel versions and tpm drivers when I get into the office, but 4.13 (at least) for the kernel has worked for us on more or less everything (NUC, Nokia AirFrame, Lenovo laptops).

t.

Ian


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [tpm2] tpm support on Intel NUCs
@ 2018-04-27  4:59 Ian Oliver
  0 siblings, 0 replies; 8+ messages in thread
From: Ian Oliver @ 2018-04-27  4:59 UTC (permalink / raw)
  To: tpm2


Hello Duncan,

we've three NUC7i5DNKE
<https://ark.intel.com/products/122486/Intel-NUC-Kit-NUC7i5DNKE> - two
running Fedora (latest) and one with Ubuntu 17.04.  Worked for us out of
the box: had to enable TXT in the BIOS but that set everything else
necessary automatically.  SRTM measures work, DRTM with tboot does not -
tboot just hangs - still debugging this one - the ACM module seems to be
correct.

Fedora requires a kernel recompile to get SELinux and IMA/EMA running;
Ubuntu does not support IMA policies and AppArmor kernel panics.

tss/abrmd/tpm2-tools all compile with the latest releases, "master" does
not without some hacking - old libraries etc (CentOS was nigh on impossible
in this respect)

I'll check the kernel versions and tpm drivers when I get into the office,
but 4.13 (at least) for the kernel has worked for us on more or less
everything (NUC, Nokia AirFrame, Lenovo laptops).

t.

Ian

On 27 April 2018 at 01:20, <Duncan.Palmer(a)data61.csiro.au> wrote:

> Apologies if this is slightly OT for this list...
>
>
> We're running the tpm2 tools in Intel NUCs (a NUC5i7RYH to be exact),
> using Linux kernel 4.4.59 (shipped by Ubuntu as 4.4.0-77). The tpm drivers
> on this kernel don't work out of the box, and I had to put in a fairly
> nasty hack to make them work. The same driver now does not work on a newer
> NUC7i7 model. Are other people using NUCs, and if so, are you having
> similar issues?
>
>
> Cheers,
>
> Dunk
>
>
> *Duncan Palmer*
> Senior Software Engineer | Autonomous Systems
> *Data61 | CSIRO*
>
> *E* duncan.palmer(a)csiro.au
>
> Queensland Centre for Advanced Technologies (QCAT),
>
> 1 Technology Court, Pullenvale QLD, 4069
> <https://maps.google.com/?q=1+Technology+Court,+Pullenvale+QLD,+4069&entry=gmail&source=g>
> www.data61.csiro.au
> <http://my.csiro.au/Business-Units/Operations/Communication/CSIRO-Branding/Data61-Branding/www.data61.csiro.au>
>
>
> *CSIRO’s Digital Productivity business unit and NICTA have joined forces
> to create digital powerhouse Data61*
>



-- 
*Dr. Ian Oliver*
===============================
Privacy Engineering:  via Amazon <http://www.amazon.co.uk/dp/1497569710>
*Twitter: @i_j_oliver*


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [tpm2] tpm support on Intel NUCs
@ 2018-04-26 22:20 Duncan.Palmer
  0 siblings, 0 replies; 8+ messages in thread
From: Duncan.Palmer @ 2018-04-26 22:20 UTC (permalink / raw)
  To: tpm2


Apologies if this is slightly OT for this list...


We're running the tpm2 tools in Intel NUCs (a NUC5i7RYH to be exact), using Linux kernel 4.4.59 (shipped by Ubuntu as 4.4.0-77). The tpm drivers on this kernel don't work out of the box, and I had to put in a fairly nasty hack to make them work. The same driver now does not work on a newer NUC7i7 model. Are other people using NUCs, and if so, are you having similar issues?


Cheers,

Dunk


Duncan Palmer
Senior Software Engineer | Autonomous Systems
Data61 | CSIRO

E duncan.palmer(a)csiro.au

Queensland Centre for Advanced Technologies (QCAT),

1 Technology Court, Pullenvale QLD, 4069

www.data61.csiro.au<http://my.csiro.au/Business-Units/Operations/Communication/CSIRO-Branding/Data61-Branding/www.data61.csiro.au>


CSIRO's Digital Productivity business unit and NICTA have joined forces to create digital powerhouse Data61


^ permalink raw reply	[flat|nested] 8+ messages in thread
