* [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
@ 2018-11-11 17:55 Michael Niewöhner
  2018-11-11 18:24 ` James Bottomley
                   ` (2 more replies)
  0 siblings, 3 replies; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-11 17:55 UTC (permalink / raw)
  To: peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

Hi all,

Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
Kernel version is 4.19.1

Kernel config:

$ cat .config | egrep 'TCG|TPM|CRB|_TIS'
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_SPI=y
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
CONFIG_TCG_TIS_I2C_NUVOTON=y
# CONFIG_TCG_NSC is not set
# CONFIG_TCG_ATMEL is not set
# CONFIG_TCG_INFINEON is not set
CONFIG_TCG_CRB=y
# CONFIG_TCG_VTPM_PROXY is not set
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set


TPM 1.2 mode dmesg:

$ dmesg | egrep -i tis\|tpm\|crb
[    3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)


TPM 2.0 mode dmesg:

$ dmesg | egrep -i tis\|tpm\|crb
[    0.000000] efi:  ACPI 2.0=0x9e457000  ACPI=0x9e457000  SMBIOS=0x9ec44000  SMBIOS 3.0=0x9ec43000  TPMEventLog=0x9711f018
[    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)
[    4.071550] ima: No TPM chip found, activating TPM-bypass!


Any ideas?


Best regards
Michael




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 17:55 [BUG] Nuvoton NCPT650 TPM 2.0 mode not working Michael Niewöhner
@ 2018-11-11 18:24 ` James Bottomley
  2018-11-11 18:50   ` Michael Niewöhner
  2018-11-11 18:33 ` Mimi Zohar
  2018-11-13 10:28 ` Jarkko Sakkinen
  2 siblings, 1 reply; 24+ messages in thread
From: James Bottomley @ 2018-11-11 18:24 UTC (permalink / raw)
  To: Michael Niewöhner, peterhuewe, jarkko.sakkinen, jgg, arnd,
	linux-integrity, linux-kernel

On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> Hi all,
> 
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis /
> tpm_i2c_nuvoton while it works in TPM 1.2 mode (I can reflash it via
> UEFI setup). Kernel version is 4.19.1

Not that this helps you, but mine definitely works.  I've got an older
Dell XPS-13 with a Nuvoton 650 which is software switchable between 1.2
and 2.0.  This is what mine says

jejb@jarvis:~> dmesg|egrep -i tis\|tpm\|crb
[    0.000000] efi:  ACPI=0x79419000  ACPI 2.0=0x79419000  SMBIOS=0xf0000  TPMEventLog=0x69db3018 
[    0.012797] ACPI: TPM2 0x0000000079446CC0 000034 (v03        Tpm2Tabl 00000001 AMI  00000000)
[    2.035242] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)

However, this makes me wonder about yours:

> [    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)

I thought the Lenovo "upgrade to 2.0" in fact disabled the external TPM
in favour of the Intel PTT (software TPM in the management engine). 
Since you apparently have the tpm_crb driver that should find the PTT
TPM, this might be one of the attachment bugs in the CRB driver ...
from your ACPI output it looks to be not specifying the Tpm2Tabl.

James



* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 17:55 [BUG] Nuvoton NCPT650 TPM 2.0 mode not working Michael Niewöhner
  2018-11-11 18:24 ` James Bottomley
@ 2018-11-11 18:33 ` Mimi Zohar
  2018-11-11 18:51   ` Michael Niewöhner
  2018-11-13 10:28 ` Jarkko Sakkinen
  2 siblings, 1 reply; 24+ messages in thread
From: Mimi Zohar @ 2018-11-11 18:33 UTC (permalink / raw)
  To: Michael Niewöhner, peterhuewe, jarkko.sakkinen, jgg, arnd,
	linux-integrity, linux-kernel

On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> Hi all,
> 
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> Kernel version is 4.19.1
> 
> Kernel config:
> 
> $ cat .config | egrep 'TCG|TPM|CRB|_TIS'
> CONFIG_TCG_TPM=y
> CONFIG_HW_RANDOM_TPM=y
> CONFIG_TCG_TIS_CORE=y
> CONFIG_TCG_TIS=y
> CONFIG_TCG_TIS_SPI=y
> # CONFIG_TCG_TIS_I2C_ATMEL is not set
> # CONFIG_TCG_TIS_I2C_INFINEON is not set
> CONFIG_TCG_TIS_I2C_NUVOTON=y
> # CONFIG_TCG_NSC is not set
> # CONFIG_TCG_ATMEL is not set
> # CONFIG_TCG_INFINEON is not set
> CONFIG_TCG_CRB=y
> # CONFIG_TCG_VTPM_PROXY is not set
> # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
> # CONFIG_TCG_TIS_ST33ZP24_SPI is not set
> 
> 
> TPM 1.2 mode dmesg:
> 
> $ dmesg | egrep -i tis\|tpm\|crb
> [    3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)
> 
> 
> TPM 2.0 mode dmesg:
> 
> $ dmesg | egrep -i tis\|tpm\|crb
> [    0.000000] efi:  ACPI 2.0=0x9e457000  ACPI=0x9e457000  SMBIOS=0x9ec44000  SMBIOS 3.0=0x9ec43000  TPMEventLog=0x9711f018
> [    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)
> [    4.071550] ima: No TPM chip found, activating TPM-bypass!

It's possible that eventually the TPM is initialized, but not in time
for IMA.  Could you check to see if the TPM is responding to
userspace commands after boot?

Mimi



* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 18:24 ` James Bottomley
@ 2018-11-11 18:50   ` Michael Niewöhner
  2018-11-11 18:57     ` James Bottomley
  2019-01-11 15:40     ` Mimi Zohar
  0 siblings, 2 replies; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-11 18:50 UTC (permalink / raw)
  To: James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd,
	linux-integrity, linux-kernel

Hi James,

On Sun, 2018-11-11 at 10:24 -0800, James Bottomley wrote:
> On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> > Hi all,
> > 
> > Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis /
> > tpm_i2c_nuvoton while it works in TPM 1.2 mode (I can reflash it via
> > UEFI setup). Kernel version is 4.19.1
> 
> Not that this helps you, but mine definitely works.  I've got an older
> Dell XPS-13 with a Nuvoton 650 which is software switchable between 1.2
> and 2.0.  This is what mine says
> 
> jejb@jarvis:~> dmesg|egrep -i tis\|tpm\|crb
> [    0.000000] efi:  ACPI=0x79419000  ACPI 2.0=0x79419000  SMBIOS=0xf0000  TPMEventLog=0x69db3018
> [    0.012797] ACPI: TPM2 0x0000000079446CC0 000034 (v03        Tpm2Tabl 00000001 AMI  00000000)
> [    2.035242] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> 
> However, this makes me wonder about yours:
> 
> > [    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)
> 
> I thought the Lenovo "upgrade to 2.0" in fact disabled the external TPM
> in favour of the Intel PTT (software TPM in the management engine). 
> Since you apparently have the tpm_crb driver that should find the PTT
> TPM, this might be one of the attachment bugs in the CRB driver ...
> from your ACPI output it looks to be not specifying the Tpm2Tabl.

Well, there are at least two implementations I know of:
For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton gets
reflashed with the appropriate firmware.

> 
> James
> 




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 18:33 ` Mimi Zohar
@ 2018-11-11 18:51   ` Michael Niewöhner
  0 siblings, 0 replies; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-11 18:51 UTC (permalink / raw)
  To: Mimi Zohar, peterhuewe, jarkko.sakkinen, jgg, arnd,
	linux-integrity, linux-kernel

Hi Mimi,

On Sun, 2018-11-11 at 13:33 -0500, Mimi Zohar wrote:
> On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> > Hi all,
> > 
> > Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> > while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> > Kernel version is 4.19.1
> > 
> > Kernel config:
> > 
> > $ cat .config | egrep 'TCG|TPM|CRB|_TIS'
> > CONFIG_TCG_TPM=y
> > CONFIG_HW_RANDOM_TPM=y
> > CONFIG_TCG_TIS_CORE=y
> > CONFIG_TCG_TIS=y
> > CONFIG_TCG_TIS_SPI=y
> > # CONFIG_TCG_TIS_I2C_ATMEL is not set
> > # CONFIG_TCG_TIS_I2C_INFINEON is not set
> > CONFIG_TCG_TIS_I2C_NUVOTON=y
> > # CONFIG_TCG_NSC is not set
> > # CONFIG_TCG_ATMEL is not set
> > # CONFIG_TCG_INFINEON is not set
> > CONFIG_TCG_CRB=y
> > # CONFIG_TCG_VTPM_PROXY is not set
> > # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
> > # CONFIG_TCG_TIS_ST33ZP24_SPI is not set
> > 
> > 
> > TPM 1.2 mode dmesg:
> > 
> > $ dmesg | egrep -i tis\|tpm\|crb
> > [    3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)
> > 
> > 
> > TPM 2.0 mode dmesg:
> > 
> > $ dmesg | egrep -i tis\|tpm\|crb
> > [    0.000000] efi:  ACPI 2.0=0x9e457000  ACPI=0x9e457000  SMBIOS=0x9ec44000  SMBIOS 3.0=0x9ec43000  TPMEventLog=0x9711f018
> > [    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)
> > [    4.071550] ima: No TPM chip found, activating TPM-bypass!
> 
> It's possible that eventually the TPM is initialized, but not in time
> for IMA.  Could you check to see if the TPM is responding to
> userspace commands after boot?

No it isn't even detected. There is no /dev/tpm0 and /sys/class/tpm is empty.

> 
> Mimi
> 




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 18:50   ` Michael Niewöhner
@ 2018-11-11 18:57     ` James Bottomley
  2018-11-11 20:09       ` Michael Niewöhner
  2019-01-11 15:40     ` Mimi Zohar
  1 sibling, 1 reply; 24+ messages in thread
From: James Bottomley @ 2018-11-11 18:57 UTC (permalink / raw)
  To: Michael Niewöhner, peterhuewe, jarkko.sakkinen, jgg, arnd,
	linux-integrity, linux-kernel

On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
[...]
> > However, this makes me wonder about yours:
> > 
> > > [    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)
> > 
> > I thought the Lenovo "upgrade to 2.0" in fact disabled the external
> > TPM in favour of the Intel PTT (software TPM in the management
> > engine).  Since you apparently have the tpm_crb driver that should
> > find the PTT TPM, this might be one of the attachment bugs in the
> > CRB driver ... from your ACPI output it looks to be not specifying
> > the Tpm2Tabl.
> 
> Well, there are at least two implementations I know of:
> For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT
> TPM 2.0 This here is my ThinkStation P320 which can choose between
> PTT 1.2, PTT 2.0,
> Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton
> gets
> reflashed with the appropriate firmware.

Well, I still think the ACPI setup is incorrect.  What's in
/sys/class/platform (should be directories of ACPI devices)?  The TPM
is supposed to show up as MSFT0101.  If it doesn't is there any other
device string in there that might be a TPM?

James



* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 18:57     ` James Bottomley
@ 2018-11-11 20:09       ` Michael Niewöhner
  2018-11-11 20:29         ` James Bottomley
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-11 20:09 UTC (permalink / raw)
  To: James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd,
	linux-integrity, linux-kernel


On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
> On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
> [...]
> > > However, this makes me wonder about yours:
> > > 
> > > > [    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)
> > > 
> > > I thought the Lenovo "upgrade to 2.0" in fact disabled the external
> > > TPM in favour of the Intel PTT (software TPM in the management
> > > engine).  Since you apparently have the tpm_crb driver that should
> > > find the PTT TPM, this might be one of the attachment bugs in the
> > > CRB driver ... from your ACPI output it looks to be not specifying
> > > the Tpm2Tabl.
> > 
> > Well, there are at least two implementations I know of:
> > For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT
> > TPM 2.0 This here is my ThinkStation P320 which can choose between
> > PTT 1.2, PTT 2.0,
> > Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton
> > gets
> > reflashed with the appropriate firmware.
> 
> Well, I still think the ACPI setup is incorrect.  What's in
> /sys/class/platform (should be directories of ACPI devices)?  The TPM
> is supposed to show up as MSFT0101.  If it doesn't is there any other
> device string in there that might be a TPM?

Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?

$ find /sys | grep -i tpm
/sys/class/tpmrm
/sys/class/tpm
/sys/bus/platform/drivers/tpm_tis
/sys/bus/platform/drivers/tpm_tis/uevent
/sys/bus/platform/drivers/tpm_tis/bind
/sys/bus/platform/drivers/tpm_tis/unbind
/sys/bus/pnp/drivers/tpm_tis
/sys/bus/pnp/drivers/tpm_tis/uevent
/sys/bus/pnp/drivers/tpm_tis/bind
/sys/bus/pnp/drivers/tpm_tis/unbind
/sys/bus/acpi/drivers/tpm_crb
/sys/bus/acpi/drivers/tpm_crb/uevent
/sys/bus/acpi/drivers/tpm_crb/bind
/sys/bus/acpi/drivers/tpm_crb/unbind
/sys/bus/i2c/drivers/tpm_i2c_nuvoton
/sys/bus/i2c/drivers/tpm_i2c_nuvoton/uevent
/sys/bus/i2c/drivers/tpm_i2c_nuvoton/bind
/sys/bus/i2c/drivers/tpm_i2c_nuvoton/unbind


> 
> James
> 




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 20:09       ` Michael Niewöhner
@ 2018-11-11 20:29         ` James Bottomley
  2018-11-11 20:34           ` Michael Niewöhner
  0 siblings, 1 reply; 24+ messages in thread
From: James Bottomley @ 2018-11-11 20:29 UTC (permalink / raw)
  To: Michael Niewöhner, peterhuewe, jarkko.sakkinen, jgg, arnd,
	linux-integrity, linux-kernel

On Sun, 2018-11-11 at 21:09 +0100, Michael Niewöhner wrote:
> On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
[...]
> > Well, I still think the ACPI setup is incorrect.  What's in
> > /sys/class/platform (should be directories of ACPI devices)?  The
> > TPM is supposed to show up as MSFT0101.  If it doesn't is there any
> > other device string in there that might be a TPM?
> 
> Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?

Your ACPI parser identifies it here:

> [    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)

So it has to be a device in the platform directory.  What is in this
directory?  To find the TPM it probably has something TPM like in the
firmware_node description:

/sys/devices/platform/<dev>/firmware_node/description

Mine says

jejb@jarvis:~/git/linux/drivers> cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
TPM 2.0 Device

James


* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 20:29         ` James Bottomley
@ 2018-11-11 20:34           ` Michael Niewöhner
  2018-11-11 21:11             ` Michael Niewöhner
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-11 20:34 UTC (permalink / raw)
  To: James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd,
	linux-integrity, linux-kernel

On Sun, 2018-11-11 at 12:29 -0800, James Bottomley wrote:
> On Sun, 2018-11-11 at 21:09 +0100, Michael Niewöhner wrote:
> > On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
> 
> [...]
> > > Well, I still think the ACPI setup is incorrect.  What's in
> > > /sys/class/platform (should be directories of ACPI devices)?  The
> > > TPM is supposed to show up as MSFT0101.  If it doesn't is there any
> > > other device string in there that might be a TPM?
> > 
> > Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?
> 
> Your ACPI parser identifies it here:
> 
> > [    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)
> 
> So it has to be a device in the platform directory.  What is in this
> directory?  To find the TPM it probably has something TPM like in the
> firmware_node description:
> 
> /sys/devices/platform/<dev>/firmware_node/description
> 
> Mine says
> 
> jejb@jarvis:~/git/linux/drivers> cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
> TPM 2.0 Device
> 

Ah, yep. There is indeed a MSFT0101:
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
TPM 2.0 Device
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/hid
MSFT0101
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/path
\_SB_.TPM_
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/status
15
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/uid
1

> James




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 20:34           ` Michael Niewöhner
@ 2018-11-11 21:11             ` Michael Niewöhner
  2018-11-11 21:42               ` Mimi Zohar
  2018-11-13 10:50               ` Jarkko Sakkinen
  0 siblings, 2 replies; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-11 21:11 UTC (permalink / raw)
  To: James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd,
	linux-integrity, linux-kernel

On Sun, 2018-11-11 at 21:34 +0100, Michael Niewöhner wrote:
> On Sun, 2018-11-11 at 12:29 -0800, James Bottomley wrote:
> > On Sun, 2018-11-11 at 21:09 +0100, Michael Niewöhner wrote:
> > > On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
> > 
> > [...]
> > > > Well, I still think the ACPI setup is incorrect.  What's in
> > > > /sys/class/platform (should be directories of ACPI devices)?  The
> > > > TPM is supposed to show up as MSFT0101.  If it doesn't is there any
> > > > other device string in there that might be a TPM?
> > > 
> > > Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?
> > 
> > Your ACPI parser identifies it here:
> > 
> > > [    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)
> > 
> > So it has to be a device in the platform directory.  What is in this
> > directory?  To find the TPM it probably has something TPM like in the
> > firmware_node description:
> > 
> > /sys/devices/platform/<dev>/firmware_node/description
> > 
> > Mine says
> > 
> > jejb@jarvis:~/git/linux/drivers> cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
> > TPM 2.0 Device
> > 
> 
> Ah, yep. There is indeed a MSFT0101:
> (initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
> TPM 2.0 Device
> (initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/hid
> MSFT0101
> (initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/path
> \_SB_.TPM_
> (initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/status
> 15
> (initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/uid
> 1
> 
> > James

Very strange... When I pull the power cord, then replug and boot, I get these
dmesg messages:
[    0.000000] efi:  ACPI 2.0=0x9ea78000  ACPI=0x9ea78000  SMBIOS=0x9f5e5000  SMBIOS 3.0=0x9f5e4000  MPS=0xfca00  ESRT=0x9c06e918  MEMATTR=0x99cb9018  TPMEventLog=0x98d0c018
[    0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-S06   00001260 AMI  00000000)
[    3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
[    3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test

After a reboot I get those "ima: ..." message again. Pulling the plug seems to
reset anything (the TPM).

The PTT TPM 2.0 shows exactly the same behaviour.




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 21:11             ` Michael Niewöhner
@ 2018-11-11 21:42               ` Mimi Zohar
  2018-11-14 20:46                 ` Michael Niewöhner
  2018-11-13 10:50               ` Jarkko Sakkinen
  1 sibling, 1 reply; 24+ messages in thread
From: Mimi Zohar @ 2018-11-11 21:42 UTC (permalink / raw)
  To: Michael Niewöhner, James Bottomley, peterhuewe,
	jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel
  Cc: Nayna Jain

> Very strange... When I pull the power cord, then replug and boot, I get these
> dmesg messages:
> [    0.000000] efi:  ACPI 2.0=0x9ea78000  ACPI=0x9ea78000  SMBIOS=0x9f5e5000  SMBIOS 3.0=0x9f5e4000  MPS=0xfca00  ESRT=0x9c06e918  MEMATTR=0x99cb9018  TPMEventLog=0x98d0c018
> [    0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-S06   00001260 AMI  00000000)
> [    3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> [    3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test
> 
> After a reboot I get those "ima: ..." message again. Pulling the plug seems to
> reset anything (the TPM).
> 
> The PTT TPM 2.0 shows exactly the same behaviour.

On a cold boot, it takes longer to initialize the TPM.  The TPM is
returning TPM2_RC_TESTING (0x090A == 2314), meaning that it has not
yet finished the initialization.

Nayna's posted a patch, which should address the TPM2_RC_TESTING error
message.

https://lore.kernel.org/linux-integrity/20180515071712.9331-1-nayna@linux.vnet.ibm.com/

thanks,

Mimi





* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 17:55 [BUG] Nuvoton NCPT650 TPM 2.0 mode not working Michael Niewöhner
  2018-11-11 18:24 ` James Bottomley
  2018-11-11 18:33 ` Mimi Zohar
@ 2018-11-13 10:28 ` Jarkko Sakkinen
  2 siblings, 0 replies; 24+ messages in thread
From: Jarkko Sakkinen @ 2018-11-13 10:28 UTC (permalink / raw)
  To: Michael Niewöhner
  Cc: peterhuewe, jgg, arnd, linux-integrity, linux-kernel

On Sun, Nov 11, 2018 at 06:55:36PM +0100, Michael Niewöhner wrote:
> Hi all,
> 
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> Kernel version is 4.19.1

Can you check what ACPI dump would show up [1]?

[1] acpidump > acpidump.out

/Jarkko


* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 21:11             ` Michael Niewöhner
  2018-11-11 21:42               ` Mimi Zohar
@ 2018-11-13 10:50               ` Jarkko Sakkinen
  1 sibling, 0 replies; 24+ messages in thread
From: Jarkko Sakkinen @ 2018-11-13 10:50 UTC (permalink / raw)
  To: Michael Niewöhner
  Cc: James Bottomley, peterhuewe, jgg, arnd, linux-integrity, linux-kernel

On Sun, Nov 11, 2018 at 10:11:33PM +0100, Michael Niewöhner wrote:
> Very strange... When I pull the power cord, then replug and boot, I get these
> dmesg messages:
> [    0.000000] efi:  ACPI 2.0=0x9ea78000  ACPI=0x9ea78000  SMBIOS=0x9f5e5000  SMBIOS 3.0=0x9f5e4000  MPS=0xfca00  ESRT=0x9c06e918  MEMATTR=0x99cb9018  TPMEventLog=0x98d0c018
> [    0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-S06   00001260 AMI  00000000)
> [    3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> [    3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test
> 
> After a reboot I get those "ima: ..." message again. Pulling the plug seems to
> reset anything (the TPM).
> 
> The PTT TPM 2.0 shows exactly the same behaviour.

The error in question is TPM_RC_TESTING i.e. TPM is still processing
selftests in the background.

It is clearly a regression but unfortunately it is harmless and unrelated
i.e. tpm2_do_selftest() should not print an error message because it
is legit behavior.

The function actually masks the whole error:

	if (rc == TPM2_RC_TESTING)
		rc = TPM2_RC_SUCCESS;

/Jarkko
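
Added example (not part of the thread or of any poster's code): a POSIX shell triage of the boot logs posted above. It decodes the decimal self-test error 2314 to TPM2_RC_TESTING and flags the state in which firmware publishes a TPM2 ACPI table but no driver binds, so IMA falls back to TPM-bypass and its measurements are not extended into a PCR. The function names and the key=value output are assumptions of this example; the sample lines are copied from the thread with the mail line wraps joined.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the output
# format are this example's own.

# Map the decimal code printed in "A TPM error (N) occurred" to the name of a
# TPM 2.0 response code. Only codes that matter at start-up are listed.
tpm2_rc_name() {
    case "$(printf '0x%04X' "$1")" in
        0x0000) echo TPM2_RC_SUCCESS ;;
        0x0100) echo TPM2_RC_INITIALIZE ;;
        0x0101) echo TPM2_RC_FAILURE ;;
        0x090A) echo TPM2_RC_TESTING ;;   # self test still running
        0x0922) echo TPM2_RC_RETRY ;;
        *)      printf 'unknown(0x%04X)\n' "$1" ;;
    esac
}

# Read dmesg text on stdin and print one key=value summary line.
tpm_boot_state() {
    tbs_log=$(cat)
    tbs_acpi=no tbs_ima=ok tbs_selftest=-
    if printf '%s\n' "$tbs_log" | grep -q 'ACPI: TPM2 '; then tbs_acpi=yes; fi
    if printf '%s\n' "$tbs_log" | grep -q 'ima: No TPM chip found'; then tbs_ima=bypass; fi
    # Probe line as printed by tpm_tis: "tpm_tis MSFT0101:00: 2.0 TPM (device-id ..."
    tbs_chip=$(printf '%s\n' "$tbs_log" |
        sed -n 's/.*tpm_[a-z0-9_]* [^ ]*: \([0-9.]*\) TPM (device-id.*/\1/p' | tail -n 1)
    tbs_rc=$(printf '%s\n' "$tbs_log" |
        sed -n 's/.*A TPM error (\([0-9][0-9]*\)) occurred.*/\1/p' | tail -n 1)
    if [ -n "$tbs_rc" ]; then
        if [ "$tbs_chip" = 2.0 ]; then
            tbs_selftest=$(tpm2_rc_name "$tbs_rc")
        else
            tbs_selftest="code$tbs_rc"   # TPM 1.2 codes are not decoded here
        fi
    fi
    printf 'acpi_tpm2=%s chip=%s selftest=%s ima=%s\n' \
        "$tbs_acpi" "${tbs_chip:-none}" "$tbs_selftest" "$tbs_ima"
}

# Turn the summary into a finding for a boot health check.
tpm_boot_finding() {
    case "$(tpm_boot_state)" in
        'acpi_tpm2=yes chip=none'*)
            echo 'FAIL: TPM2 ACPI table present but no TPM driver bound' ;;
        *'chip=none'*)
            echo 'INFO: no TPM reported by firmware or driver' ;;
        *'ima=bypass')
            echo 'WARN: TPM driver bound but IMA found no chip (TPM-bypass)' ;;
        *'selftest=-'*|*'selftest=TPM2_RC_TESTING'*)
            echo 'OK: TPM driver bound' ;;
        *)
            echo 'WARN: TPM self test returned an error' ;;
    esac
}

# Sample input: relevant lines from the logs in this thread, wraps joined.
sample_warm_reboot() {
    cat <<'EOF'
[    0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06   00001300 AMI  00000000)
[    4.071550] ima: No TPM chip found, activating TPM-bypass!
EOF
}

sample_cold_boot() {
    cat <<'EOF'
[    0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-S06   00001260 AMI  00000000)
[    3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
[    3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test
EOF
}

sample_tpm12() {
    cat <<'EOF'
[    3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)
EOF
}

sample_warm_reboot | tpm_boot_finding
sample_cold_boot | tpm_boot_state
```

On a live system the same functions can be fed with `dmesg | tpm_boot_state`.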


* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 21:42               ` Mimi Zohar
@ 2018-11-14 20:46                 ` Michael Niewöhner
  2018-11-16 21:06                   ` Michael Niewöhner
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-14 20:46 UTC (permalink / raw)
  To: Mimi Zohar, James Bottomley, peterhuewe, jarkko.sakkinen, jgg,
	arnd, linux-integrity, linux-kernel
  Cc: Nayna Jain

Hi all,

I tried that patch mentioned by Mimi but it does not change anything for me.

Then I did some more tests with different kernel configs and finally got TPM
working by
a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.

(initramfs) dmesg | grep -i tpm
[    0.000000] efi:  ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
[    0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06   00001260 AMI 00000000)
(initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
(initramfs) modprobe tpm_tis
[   44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)

b) compiling TPM-support in-kernel and manually bind the ACPI device

(initramfs) dmesg | grep -i tpm
[    0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
[    0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06 00001260 AMI 00000000)
(initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
[  233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)


It seems to me, the kernel tries to enable the TPM too early...


Michael




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-14 20:46                 ` Michael Niewöhner
@ 2018-11-16 21:06                   ` Michael Niewöhner
  2018-11-18  8:18                     ` Jarkko Sakkinen
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-16 21:06 UTC (permalink / raw)
  To: Mimi Zohar, James Bottomley, peterhuewe, jarkko.sakkinen, jgg,
	arnd, linux-integrity, linux-kernel, Nayna Jain

On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> Hi all,
> 
> I tried that patch mentioned by Mimi but it does not change anything for me.
> 
> Then I did some more tests with different kernel configs and finally got TPM
> working by
> a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> 
> (initramfs) dmesg | grep -i tpm
> [    0.000000] efi:  ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> [    0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06   00001260 AMI 00000000)
> (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> (initramfs) modprobe tpm_tis
> [   44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> 
> b) compiling TPM-support in-kernel and manually bind the ACPI device
> 
> (initramfs) dmesg | grep -i tpm
> [    0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> [    0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06 00001260 AMI 00000000)
> (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> [  233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> 
> 
> It seems to me, the kernel tries to enable the TPM too early...
> 
> 
> Michael

Looks like the manual driver bind works more or less but e.g. reading hwrng does
not work...

# echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
[  148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
# cat /sys/devices/virtual/misc/hw_random/rng_current
tpm-rng-0
# cat /dev/hwrng >/dev/null 
cat: /dev/hwrng: Operation not permitted




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-16 21:06                   ` Michael Niewöhner
@ 2018-11-18  8:18                     ` Jarkko Sakkinen
  2018-11-18 14:10                       ` Michael Niewöhner
  0 siblings, 1 reply; 24+ messages in thread
From: Jarkko Sakkinen @ 2018-11-18  8:18 UTC (permalink / raw)
  To: Michael Niewöhner
  Cc: Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd,
	linux-integrity, linux-kernel, Nayna Jain

On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > Hi all,
> > 
> > I tried that patch mentioned by Mimi but it does not change anything for me.
> > 
> > Then I did some more tests with different kernel configs and finally got TPM
> > working by
> > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > 
> > (initramfs) dmesg | grep -i tpm
> > [    0.000000] efi:  ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > [    0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06   00001260 AMI 00000000)
> > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > (initramfs) modprobe tpm_tis
> > [   44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > 
> > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > 
> > (initramfs) dmesg | grep -i tpm
> > [    0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > [    0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06 00001260 AMI 00000000)
> > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > [  233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > 
> > 
> > It seems to me, the kernel tries to enable the TPM too early...
> > 
> > 
> > Michael
> 
> Looks like the manual driver bind works more or less but e.g reading hwrng does
> not work...
> 
> # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> [  148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> # cat /sys/devices/virtual/misc/hw_random/rng_current
> tpm-rng-0
> # cat /dev/hwrng >/dev/null 
> cat: /dev/hwrng: Operation not permitted

Can you check with trace-cmd start -p function -l 'tpm*'?

/Jarkko


* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-18  8:18                     ` Jarkko Sakkinen
@ 2018-11-18 14:10                       ` Michael Niewöhner
  2018-11-19 13:49                         ` Jarkko Sakkinen
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-18 14:10 UTC (permalink / raw)
  To: Jarkko Sakkinen
  Cc: Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd,
	linux-integrity, linux-kernel, Nayna Jain

On Sun, 2018-11-18 at 10:18 +0200, Jarkko Sakkinen wrote:
> On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> > On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > > Hi all,
> > > 
> > > I tried that patch mentioned by Mimi but it does not change anything for
> > > me.
> > > 
> > > Then I did some more tests with different kernel configs and finally got
> > > TPM
> > > working by
> > > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > > 
> > > (initramfs) dmesg | grep -i tpm
> > > [    0.000000] efi:  ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > [    0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06   00001260 AMI 00000000)
> > > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > > (initramfs) modprobe tpm_tis
> > > [   44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > 
> > > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > > 
> > > (initramfs) dmesg | grep -i tpm
> > > [    0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > > SMBIOS
> > > 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > [    0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> > > 00001260
> > > AMI 00000000)
> > > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > [  233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > 
> > > 
> > > It seems to me, the kernel tries to enable the TPM to early...
> > > 
> > > 
> > > Michael
> > 
> > Looks like the manual driver bind works more or less but e.g reading hwrng
> > does
> > not work...
> > 
> > # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > [  148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > # cat /sys/devices/virtual/misc/hw_random/rng_current
> > tpm-rng-0
> > # cat /dev/hwrng >/dev/null 
> > cat: /dev/hwrng: Operation not permitted
> 
> Can you check with trace-cmd start -p function -l 'tpm*'?
> 
> /Jarkko


Hi Jarkko,

what output do you need exactly?

root@debian:~# trace-cmd record -p function -l 'tpm*'
  plugin 'function'
Hit Ctrl^C to stop recording
^CCPU0 data recorded at offset=0x464000
    0 bytes in size
CPU1 data recorded at offset=0x464000
    0 bytes in size
CPU2 data recorded at offset=0x464000
    0 bytes in size
CPU3 data recorded at offset=0x464000
    4096 bytes in size
CPU4 data recorded at offset=0x465000
    4096 bytes in size
CPU5 data recorded at offset=0x466000
    0 bytes in size
CPU6 data recorded at offset=0x466000
    0 bytes in size
CPU7 data recorded at offset=0x466000
    0 bytes in size
root@debian:~# trace-cmd report
CPU 0 is empty
CPU 1 is empty
CPU 2 is empty
CPU 5 is empty
CPU 6 is empty
CPU 7 is empty
cpus=8
             cat-3324  [003]   265.547715: function:             tpm_hwrng_read
             cat-3324  [003]   265.547721: function:             tpm_get_random
             cat-3324  [003]   265.547721: function:                tpm_find_get_ops
             cat-3324  [003]   265.547721: function:                   tpm_try_get_ops
             cat-3324  [003]   265.547721: function:                tpm2_get_random
             cat-3324  [003]   265.547722: function:                   tpm_transmit_cmd
             cat-3324  [003]   265.547722: function:                      tpm_transmit
             cat-3324  [003]   265.547722: function:                         tpm_tis_clkrun_enable
             cat-3324  [003]   265.547723: function:             tpm_tcg_read_bytes

< snip ... many times the same lines: cat-3324 ... function: tpm_tcg_read_bytes >

             cat-3324  [004]   266.291087: function:             tpm_tcg_read_bytes
             cat-3324  [004]   266.296347: function:             tpm_tis_clkrun_enable
             cat-3324  [004]   266.296349: function:             tpm_put_ops

Michael
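
An added example, not part of Michael's message or of the kernel sources: a Python summary of `trace-cmd report` output like the one above, showing whether tpm_hwrng_read was entered, how long the read ran and which tpm* function dominated it. The helper names, the 0.5 s stall threshold and the stand-in lines for the snipped repeats are assumptions.

```python
import re
from collections import Counter

# Constructed sample in `trace-cmd report` layout. The cat-3324 lines are the
# ones posted above (unwrapped); the three lines after the "#" note are
# constructed stand-ins for the snipped repeats. The parser skips every line
# that is not a function-trace event.
SAMPLE_REPORT = """\
CPU 0 is empty
cpus=8
             cat-3324  [003]   265.547715: function:             tpm_hwrng_read
             cat-3324  [003]   265.547721: function:             tpm_get_random
             cat-3324  [003]   265.547721: function:                tpm_find_get_ops
             cat-3324  [003]   265.547721: function:                   tpm_try_get_ops
             cat-3324  [003]   265.547721: function:                tpm2_get_random
             cat-3324  [003]   265.547722: function:                   tpm_transmit_cmd
             cat-3324  [003]   265.547722: function:                      tpm_transmit
             cat-3324  [003]   265.547722: function:                         tpm_tis_clkrun_enable
             cat-3324  [003]   265.547723: function:             tpm_tcg_read_bytes
# constructed stand-ins for the snipped tpm_tcg_read_bytes repeats:
             cat-3324  [003]   265.800000: function:             tpm_tcg_read_bytes
             cat-3324  [004]   266.000000: function:             tpm_tcg_read_bytes
             cat-3324  [004]   266.200000: function:             tpm_tcg_read_bytes
             cat-3324  [004]   266.291087: function:             tpm_tcg_read_bytes
             cat-3324  [004]   266.296347: function:             tpm_tis_clkrun_enable
             cat-3324  [004]   266.296349: function:             tpm_put_ops
"""

EVENT_RE = re.compile(
    r"^\s*(?P<task>.+)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+"
    r"(?P<ts>\d+\.\d+):\s+function:\s+(?P<func>\w+)\s*$"
)


def parse_report(text):
    """Return (pid, cpu, timestamp, function) for every function-trace line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((int(m["pid"]), int(m["cpu"]), float(m["ts"]), m["func"]))
    return events


def hwrng_read_windows(events, entry="tpm_hwrng_read", last="tpm_put_ops", stall_s=0.5):
    """Summarise each hwrng read from its entry until the TPM ops are released.

    The function tracer logs entries only, so `last` marks the end of a read.
    Events are grouped by PID, not CPU, because the task may migrate mid-call.
    """
    open_reads, done = {}, []
    for pid, cpu, ts, func in events:
        if func == entry:
            open_reads[pid] = {"pid": pid, "start": ts, "cpus": set(), "calls": Counter()}
        read = open_reads.get(pid)
        if read is None:
            continue  # tpm* activity outside an hwrng read
        read["cpus"].add(cpu)
        read["calls"][func] += 1
        if func == last:
            read["seconds"] = round(ts - read["start"], 6)
            read["stalled"] = read["seconds"] >= stall_s
            done.append(open_reads.pop(pid))
    return done


if __name__ == "__main__":
    for read in hwrng_read_windows(parse_report(SAMPLE_REPORT)):
        busiest, hits = read["calls"].most_common(1)[0]
        print(f"pid {read['pid']}: {read['seconds']}s on CPUs {sorted(read['cpus'])}, "
              f"{hits}x {busiest}, stalled={read['stalled']}")
```

On a real capture, pipe the full `trace-cmd report` text into `parse_report()` instead of the sample.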




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-18 14:10                       ` Michael Niewöhner
@ 2018-11-19 13:49                         ` Jarkko Sakkinen
  2018-11-25 20:06                           ` Michael Niewöhner
  0 siblings, 1 reply; 24+ messages in thread
From: Jarkko Sakkinen @ 2018-11-19 13:49 UTC (permalink / raw)
  To: Michael Niewöhner
  Cc: Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd,
	linux-integrity, linux-kernel, Nayna Jain

On Sun, Nov 18, 2018 at 03:10:06PM +0100, Michael Niewöhner wrote:
> On Sun, 2018-11-18 at 10:18 +0200, Jarkko Sakkinen wrote:
> > On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> > > On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > > > Hi all,
> > > > 
> > > > I tried that patch mentioned by Mimi but it does not change anything for
> > > > me.
> > > > 
> > > > Then I did some more tests with different kernel configs and finally got
> > > > TPM working by
> > > > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > > > 
> > > > (initramfs) dmesg | grep -i tpm
> > > > [    0.000000] efi:  ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > > [    0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06   00001260 AMI 00000000)
> > > > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > > > (initramfs) modprobe tpm_tis
> > > > [   44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > 
> > > > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > > > 
> > > > (initramfs) dmesg | grep -i tpm
> > > > [    0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > > [    0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06 00001260 AMI 00000000)
> > > > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > > [  233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > 
> > > > 
> > > > It seems to me, the kernel tries to enable the TPM too early...
> > > > 
> > > > 
> > > > Michael
> > > 
> > > Looks like the manual driver bind works more or less but e.g. reading hwrng
> > > does not work...
> > > 
> > > # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > [  148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > # cat /sys/devices/virtual/misc/hw_random/rng_current
> > > tpm-rng-0
> > > # cat /dev/hwrng >/dev/null 
> > > cat: /dev/hwrng: Operation not permitted
> > 
> > Can you check with trace-cmd start -p function -l 'tpm*'?
> > 
> > /Jarkko
> 
> 
> Hi Jarkko,
> 
> what output do you need exactly?

TPM gets added with tpm_add_hwrng() and the callback that is called by
hwrng subsystem is tpm_hwrng_read().

Obviously the former gets called (can be seen from the sysfs file). Just
wondering if it ever reaches tpm_hwrng_read().

/Jarkko


* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-19 13:49                         ` Jarkko Sakkinen
@ 2018-11-25 20:06                           ` Michael Niewöhner
  2018-11-26 19:15                             ` Michael Niewöhner
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-25 20:06 UTC (permalink / raw)
  To: Jarkko Sakkinen, Mimi Zohar, James Bottomley, peterhuewe, jgg,
	arnd, linux-integrity, linux-kernel, Nayna Jain

Hi,

On Mon, 2018-11-19 at 15:49 +0200, Jarkko Sakkinen wrote:
> On Sun, Nov 18, 2018 at 03:10:06PM +0100, Michael Niewöhner wrote:
> > On Sun, 2018-11-18 at 10:18 +0200, Jarkko Sakkinen wrote:
> > > On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> > > > On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > > > > Hi all,
> > > > > 
> > > > > I tried that patch mentioned by Mimi but it does not change anything
> > > > > for me.
> > > > > 
> > > > > Then I did some more tests with different kernel configs and finally
> > > > > got TPM working by
> > > > > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > > > > 
> > > > > (initramfs) dmesg | grep -i tpm
> > > > > [    0.000000] efi:  ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > > > [    0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06   00001260 AMI 00000000)
> > > > > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > > > > (initramfs) modprobe tpm_tis
> > > > > [   44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > > 
> > > > > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > > > > 
> > > > > (initramfs) dmesg | grep -i tpm
> > > > > [    0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > > > [    0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06 00001260 AMI 00000000)
> > > > > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > > > [  233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > > 
> > > > > 
> > > > > It seems to me, the kernel tries to enable the TPM too early...
> > > > > 
> > > > > 
> > > > > Michael
> > > > 
> > > > Looks like the manual driver bind works more or less but e.g. reading
> > > > hwrng does not work...
> > > > 
> > > > # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > > [  148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > # cat /sys/devices/virtual/misc/hw_random/rng_current
> > > > tpm-rng-0
> > > > # cat /dev/hwrng >/dev/null 
> > > > cat: /dev/hwrng: Operation not permitted
> > > 
> > > Can you check with trace-cmd start -p function -l 'tpm*'?
> > > 
> > > /Jarkko
> > 
> > 
> > Hi Jarkko,
> > 
> > what output do you need exactly?
> 
> TPM gets added with tpm_add_hwrng() and the callback that is called by
> hwrng subsystem is tpm_hwrng_read().
> 
> Obviously the former gets called (can be seen from the sysfs file). Just
> wondering if it ever reaches tpm_hwrng_read().
> 
> /Jarkko

I wanted to be sure that there is no hardware failure so I tested the TPM in
UEFI Shell using the tpm tools from github.com/fpmurphy/UEFI-Utilities-2016

I can confirm that it is working there in both modes 1.2 and 2.0.


FS0:\> ShowTPM2.efi

           Signature : TPM2
              Length : 52
            Revision : 3
            Checksum : 167
              Oem ID : LENOVO
        Oem Table ID : TC-S06  
        Oem Revision : 4704
          Creator ID : AMI 
    Creator Revision : 0
      Platform Class : 0
Control Area Address : 0
        Start Method : 6 (Memory mapped I/O)
  Platform S.P. Size : 0

FS0:\> ShowTCM20.efi
          Structure Version: 1.1
           Protocol Version: 1.1
  Supported Hash Algorithms: SHA1 SHA256 
Supported Event Log Formats: TCG_1.2 TCG_2 
           TPM Present Flag: True
       Maximum Command Size: 2048
      Maximum Response Size: 2048
             Manufactuer ID: NTC
       Number of PCR Banks: 2

FS0:\> ShowPCR20.efi

Bank (Algorithm): TPM_ALG_SHA1 (0x0004)

[00]  1E BB 2B E3 B7 10 3A 09 B5 CA EE B5 82 7C 12 42 CD 66 32 EC
[01]  80 4E 8E 47 19 9D C7 31 4E B4 3C 4D C9 58 EF 6F 0B 6B 49 62
[02]  B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
[03]  B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
....
......



Michael




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-25 20:06                           ` Michael Niewöhner
@ 2018-11-26 19:15                             ` Michael Niewöhner
  2018-11-26 21:13                               ` Jarkko Sakkinen
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Niewöhner @ 2018-11-26 19:15 UTC (permalink / raw)
  To: Jarkko Sakkinen, Mimi Zohar, James Bottomley, peterhuewe, jgg,
	arnd, linux-integrity, linux-kernel, Nayna Jain

Hi again,

after some experiments I finally found a solution...
There seems to be a bug in TPM2.0 firmware version (1.3.1.0) included in Lenovo's
UEFI image but they do not provide an update.

I have extracted the firmware version 1.3.2.8 from Dell's XPS15 TPM2.0 firmware
update and used this to replace the firmware in my Lenovo UEFI image.
After flashing this version via UEFI Setup the TPM2.0 gets detected and now is
fully working. WTF.

For anyone having the same problem: binwalk, uefi-firmware-parser, uefipatch and
flashrom are your friends ;-)

Best regards
Michael




* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-26 19:15                             ` Michael Niewöhner
@ 2018-11-26 21:13                               ` Jarkko Sakkinen
  0 siblings, 0 replies; 24+ messages in thread
From: Jarkko Sakkinen @ 2018-11-26 21:13 UTC (permalink / raw)
  To: Michael Niewöhner
  Cc: Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd,
	linux-integrity, linux-kernel, Nayna Jain

On Mon, Nov 26, 2018 at 08:15:38PM +0100, Michael Niewöhner wrote:
> Hi again,
> 
> after some experiments I finally found a solution...
> There seems to be a bug in TPM2.0 firmware version (1.3.1.0) included in Lenovo's
> UEFI image but they do not provide an update.
> 
> I have extracted the firmware version 1.3.2.8 from Dell's XPS15 TPM2.0 firmware
> update and used this to replace the firmware in my Lenovo UEFI image.
> After flashing this version via UEFI Setup the TPM2.0 gets detected and now is
> fully working. WTF.

That can be called true craftsmanship :-) Awesome work! Maybe you
should even consider blogging this. Sounds interesting.

> For anyone having the same problem: binwalk, uefi-firmware-parser, uefipatch and
> flashrom are your friends ;-)
> 
> Best regards
> Michael

/Jarkko


* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2018-11-11 18:50   ` Michael Niewöhner
  2018-11-11 18:57     ` James Bottomley
@ 2019-01-11 15:40     ` Mimi Zohar
  2019-01-12  9:52       ` Michael Niewöhner
  1 sibling, 1 reply; 24+ messages in thread
From: Mimi Zohar @ 2019-01-11 15:40 UTC (permalink / raw)
  To: Michael Niewöhner; +Cc: jarkko.sakkinen, linux-integrity, linux-kernel

Hi Michael,

On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:

> Well, there are at least two implementations I know of:
> For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
> This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
> Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton gets
> reflashed with the appropriate firmware.

With IBM's LTC help, we finally found a Lenovo with the Nuvoton
NCPT650.  It's a System x3550 M5[1], not a ThinkStation P320, running
Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
with the latest stable 4.19.y kernel.  Both the TPM and IMA seem to be
working properly.  Not sure if this helps...

From dmesg:
# dmesg | grep -i tpm 
[    0.000000] Linux version 4.19.14 (mimi@x86tpm2Server.rtp.stglabs.ibm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP Thu Jan 10 22:32:54 EST 2019
[    0.000000] efi:  ACPI=0x7b786000  ACPI 2.0=0x7b786014 SMBIOS=0x793fe000  TPMEventLog=0x426fa018 
[    0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL Tpm2Tabl 00001000 INTL 20130328)
[    0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL  EDK2    00000002 INTL 01000013)
[    2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2

# cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate

I installed the ibmtpm2tss[2], built (e.g. autoreconf -i; configure
--enable-hwtpm) and installed it.

# export LD_LIBRARY_PATH=/usr/local/lib/
# cd /usr/local/bin
# ./tsspcrread -ha 10 -halg sha256 -ns
f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b

Mimi

[1] https://lenovopress.com/lp0599.pdf
[2] https://git.code.sf.net/p/ibmtpm20tss/tss
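
An added example (not from the thread, the kernel or the IBM TSS): replaying an `ascii_runtime_measurements` list to recompute PCR 10 and comparing the result with the value `tsspcrread` prints. It assumes the 4.19-era behaviour in which the SHA-1 template digest is zero-padded before being extended into the SHA-256 bank; the function names and the second and third sample entries are constructed.

```python
import hashlib
import hmac

SHA1_LEN = 20
BANK_LEN = {"sha1": 20, "sha256": 32}

# Constructed sample in ascii_runtime_measurements layout. The first entry is
# the boot_aggregate line quoted above; the second and third are constructed
# (an ordinary file and a violation entry, whose template hash is all zeros).
SAMPLE_LIST = """\
10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate
10 00112233445566778899aabbccddeeff00112233 ima-sig sha1:ffeeddccbbaa99887766554433221100ffeeddcc /usr/bin/example
10 0000000000000000000000000000000000000000 ima-sig sha1:0000000000000000000000000000000000000000 /var/log/example.log
"""


def parse_measurements(text, pcr=10):
    """Return the SHA-1 template digests of all entries recorded for `pcr`."""
    digests = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected PCR, template hash, "
                             "template name, file hash and path")
        if int(fields[0]) != pcr:
            continue
        digest = bytes.fromhex(fields[1])
        if len(digest) != SHA1_LEN:
            raise ValueError(f"line {lineno}: template hash is not SHA-1 sized")
        digests.append(digest)
    return digests


def replay_pcr(template_digests, bank="sha1"):
    """Recompute the PCR value the TPM should hold after these extends."""
    size = BANK_LEN[bank]
    pcr = bytes(size)  # PCR 10 starts as all zeros at boot
    for digest in template_digests:
        if digest == bytes(SHA1_LEN):
            # Violation: the list shows zeros but the PCR was extended with 0xff.
            digest = b"\xff" * SHA1_LEN
        # Assumption (4.19-era kernels): the SHA-1 digest is zero-padded to
        # the bank's digest size before the extend.
        pcr = hashlib.new(bank, pcr + digest.ljust(size, b"\0")).digest()
    return pcr


def list_matches_pcr(list_text, reported_hex, bank="sha256", pcr=10):
    """True if replaying the list reproduces the PCR value read from the TPM."""
    expected = replay_pcr(parse_measurements(list_text, pcr), bank)
    return hmac.compare_digest(expected, bytes.fromhex(reported_hex.strip()))


if __name__ == "__main__":
    # Value printed by `tsspcrread -ha 10 -halg sha256 -ns` in the message above.
    reported = "f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b"
    print("replayed:", replay_pcr(parse_measurements(SAMPLE_LIST), "sha256").hex())
    # False here: the sample is not the machine's full measurement list.
    print("matches :", list_matches_pcr(SAMPLE_LIST, reported))
```

The comparison only holds when the complete list and the PCR are read at the same point, since every new measurement extends PCR 10 again.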



* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2019-01-11 15:40     ` Mimi Zohar
@ 2019-01-12  9:52       ` Michael Niewöhner
  2019-01-12 10:49         ` Michael Niewöhner
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Niewöhner @ 2019-01-12  9:52 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: jarkko.sakkinen, linux-integrity, linux-kernel

Hi Mimi,

On Fri, 2019-01-11 at 10:40 -0500, Mimi Zohar wrote:
> Hi Michael,
> 
> On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
> 
> > Well, there are at least two implementations I know of:
> > For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
> > This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
> > Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton gets
> > reflashed with the appropriate firmware.
> 
> With IBM's LTC help, we finally found a Lenovo with the Nuvoton
> NCPT650.  It's a System x3550 M5[1], not a ThinkStation P320, running
> Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
> with the latest stable 4.19.y kernel.  Both the TPM and IMA seem to be
> working properly.  Not sure if this helps...
> 
> From dmesg:
> # dmesg | grep -i tpm 
> [    0.000000] Linux version 4.19.14 (mimi@x86tpm2Server.rtp.stglabs.ibm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP Thu Jan 10 22:32:54 EST 2019
> [    0.000000] efi:  ACPI=0x7b786000  ACPI 2.0=0x7b786014 SMBIOS=0x793fe000  TPMEventLog=0x426fa018 
> [    0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL Tpm2Tabl 00001000 INTL 20130328)
> [    0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL  EDK2    00000002 INTL 01000013)
> [    2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2
> 
> # cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
> 10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate
> 
> I installed the ibmtpm2tss[2], built (e.g. autoreconf -i; configure
> --enable-hwtpm) and installed it.
> 
> # export LD_LIBRARY_PATH=/usr/local/lib/
> # cd /usr/local/bin
> # ./tsspcrread -ha 10 -halg sha256 -ns
> f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b
> 
> Mimi
> 
> [1] https://lenovopress.com/lp0599.pdf
> [2] https://git.code.sf.net/p/ibmtpm20tss/tss
> 

what UEFI version is installed on that machine?
Is the TPM connected via LPC or I2C?

Best regards
Michael






* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
  2019-01-12  9:52       ` Michael Niewöhner
@ 2019-01-12 10:49         ` Michael Niewöhner
  0 siblings, 0 replies; 24+ messages in thread
From: Michael Niewöhner @ 2019-01-12 10:49 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: jarkko.sakkinen, linux-integrity, linux-kernel

Hi again,

On Sat, 2019-01-12 at 10:52 +0100, Michael Niewöhner wrote:
> Hi Mimi,
> 
> On Fri, 2019-01-11 at 10:40 -0500, Mimi Zohar wrote:
> > Hi Michael,
> > 
> > On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
> > 
> > > Well, there are at least two implementations I know of:
> > > For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM
> > > 2.0
> > > This here is my ThinkStation P320 which can choose between PTT 1.2, PTT
> > > 2.0, Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton
> > > gets reflashed with the appropriate firmware.
> > 
> > With IBM's LTC help, we finally found a Lenovo with the Nuvoton
> > NCPT650.  It's a System x3550 M5[1], not a ThinkStation P320, running
> > Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
> > with the latest stable 4.19.y kernel.  Both the TPM and IMA seem to be
> > working properly.  Not sure if this helps...
> > 
> > From dmesg:
> > # dmesg | grep -i tpm 
> > [    0.000000] Linux version 4.19.14 (mimi@x86tpm2Server.rtp.stglabs.ibm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP Thu Jan 10 22:32:54 EST 2019
> > [    0.000000] efi:  ACPI=0x7b786000  ACPI 2.0=0x7b786014 SMBIOS=0x793fe000  TPMEventLog=0x426fa018 
> > [    0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL Tpm2Tabl 00001000 INTL 20130328)
> > [    0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL  EDK2    00000002 INTL 01000013)
> > [    2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2
> > 
> > # cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
> > 10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate
> > 
> > I installed the ibmtpm2tss[2], built (e.g. autoreconf -i; configure
> > --enable-hwtpm) and installed it.
> > 
> > # export LD_LIBRARY_PATH=/usr/local/lib/
> > # cd /usr/local/bin
> > # ./tsspcrread -ha 10 -halg sha256 -ns
> > f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b
> > 
> > Mimi
> > 
> > [1] https://lenovopress.com/lp0599.pdf
> > [2] https://git.code.sf.net/p/ibmtpm20tss/tss
> > 
> 
> what UEFI version is installed on that machine?
> Is the TPM connected via LPC or I2C?
> 
> Best regards
> Michael
> 
> 

I had a short look at an extracted x3550 UEFI firmware (tbe132l-2.52).
This seems to be a very different implementation, probably due to the fact that
this is a server firmware but not a desktop/workstation firmware.

I do not know how much influence UEFI has on the communication with the TPM but
I assume we can not really compare x3550 with P320 :-(

Best regards
Michael




