* [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-11 17:55 UTC
To: peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

Hi all,

Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
Kernel version is 4.19.1

Kernel config:
$ cat .config | egrep 'TCG|TPM|CRB|_TIS'
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_SPI=y
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
CONFIG_TCG_TIS_I2C_NUVOTON=y
# CONFIG_TCG_NSC is not set
# CONFIG_TCG_ATMEL is not set
# CONFIG_TCG_INFINEON is not set
CONFIG_TCG_CRB=y
# CONFIG_TCG_VTPM_PROXY is not set
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set

TPM 1.2 mode dmesg:
$ dmesg | egrep -i tis\|tpm\|crb
[ 3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)

TPM 2.0 mode dmesg:
$ dmesg | egrep -i tis\|tpm\|crb
[ 0.000000] efi: ACPI 2.0=0x9e457000 ACPI=0x9e457000 SMBIOS=0x9ec44000 SMBIOS 3.0=0x9ec43000 TPMEventLog=0x9711f018
[ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06 00001300 AMI 00000000)
[ 4.071550] ima: No TPM chip found, activating TPM-bypass!

Any ideas?

Best regards
Michael

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: James Bottomley @ 2018-11-11 18:24 UTC
To: Michael Niewöhner, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> Hi all,
>
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis /
> tpm_i2c_nuvoton while it works in TPM 1.2 mode (I can reflash it via
> UEFI setup). Kernel version is 4.19.1

Not that this helps you, but mine definitely works. I've got an older
Dell XPS-13 with a Nuvoton 650 which is software switchable between 1.2
and 2.0. This is what mine says

jejb@jarvis:~> dmesg|egrep -i tis\|tpm\|crb
[ 0.000000] efi: ACPI=0x79419000 ACPI 2.0=0x79419000 SMBIOS=0xf0000 TPMEventLog=0x69db3018
[ 0.012797] ACPI: TPM2 0x0000000079446CC0 000034 (v03 Tpm2Tabl 00000001 AMI 00000000)
[ 2.035242] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)

However, this makes me wonder about yours:

> [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> S06 00001300 AMI 00000000)

I thought the Lenovo "upgrade to 2.0" in fact disabled the external TPM
in favour of the Intel PTT (software TPM in the management engine).
Since you apparently have the tpm_crb driver that should find the PTT
TPM, this might be one of the attachment bugs in the CRB driver ...
from your ACPI output it looks to be not specifying the Tpm2Tabl.

James

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-11 18:50 UTC
To: James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

Hi James,

On Sun, 2018-11-11 at 10:24 -0800, James Bottomley wrote:
> On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> > Hi all,
> >
> > Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis /
> > tpm_i2c_nuvoton while it works in TPM 1.2 mode (I can reflash it via
> > UEFI setup). Kernel version is 4.19.1
>
> Not that this helps you, but mine definitely works. I've got an older
> Dell XPS-13 with a Nuvoton 650 which is software switchable between 1.2
> and 2.0. This is what mine says
>
> jejb@jarvis:~> dmesg|egrep -i tis\|tpm\|crb
> [ 0.000000] efi: ACPI=0x79419000 ACPI
> 2.0=0x79419000 SMBIOS=0xf0000 TPMEventLog=0x69db3018
> [ 0.012797] ACPI: TPM2 0x0000000079446CC0 000034 (v03 Tpm2Tabl
> 00000001 AMI 00000000)
> [ 2.035242] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
>
> However, this makes me wonder about yours:
>
> > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> > S06 00001300 AMI 00000000)
>
> I thought the Lenovo "upgrade to 2.0" in fact disabled the external TPM
> in favour of the Intel PTT (software TPM in the management engine).
> Since you apparently have the tpm_crb driver that should find the PTT
> TPM, this might be one of the attachment bugs in the CRB driver ...
> from your ACPI output it looks to be not specifying the Tpm2Tabl.

Well, there are at least two implementations I know of:
For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton gets
reflashed with the appropriate firmware.

>
> James
>

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: James Bottomley @ 2018-11-11 18:57 UTC
To: Michael Niewöhner, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
[...]
> > However, this makes me wonder about yours:
> >
> > > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO
> > > TC-
> > > S06 00001300 AMI 00000000)
> >
> > I thought the Lenovo "upgrade to 2.0" in fact disabled the external
> > TPM in favour of the Intel PTT (software TPM in the management
> > engine). Since you apparently have the tpm_crb driver that should
> > find the PTT TPM, this might be one of the attachment bugs in the
> > CRB driver ... from your ACPI output it looks to be not specifying
> > the Tpm2Tabl.
>
> Well, there are at least two implementations I know of:
> For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT
> TPM 2.0 This here is my ThinkStation P320 which can choose between
> PTT 1.2, PTT 2.0,
> Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton
> gets
> reflashed with the appropriate firmware.

Well, I still think the ACPI setup is incorrect. What's in
/sys/class/platform (should be directories of ACPI devices)? The TPM
is supposed to show up as MSFT0101. If it doesn't is there any other
device string in there that might be a TPM?

James

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-11 20:09 UTC
To: James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
> On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
> [...]
> > > However, this makes me wonder about yours:
> > >
> > > > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO
> > > > TC-
> > > > S06 00001300 AMI 00000000)
> > >
> > > I thought the Lenovo "upgrade to 2.0" in fact disabled the external
> > > TPM in favour of the Intel PTT (software TPM in the management
> > > engine). Since you apparently have the tpm_crb driver that should
> > > find the PTT TPM, this might be one of the attachment bugs in the
> > > CRB driver ... from your ACPI output it looks to be not specifying
> > > the Tpm2Tabl.
> >
> > Well, there are at least two implementations I know of:
> > For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT
> > TPM 2.0 This here is my ThinkStation P320 which can choose between
> > PTT 1.2, PTT 2.0,
> > Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton
> > gets
> > reflashed with the appropriate firmware.
>
> Well, I still think the ACPI setup is incorrect. What's in
> /sys/class/platform (should be directories of ACPI devices)? The TPM
> is supposed to show up as MSFT0101. If it doesn't is there any other
> device string in there that might be a TPM?

Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?

$ find /sys | grep -i tpm
/sys/class/tpmrm
/sys/class/tpm
/sys/bus/platform/drivers/tpm_tis
/sys/bus/platform/drivers/tpm_tis/uevent
/sys/bus/platform/drivers/tpm_tis/bind
/sys/bus/platform/drivers/tpm_tis/unbind
/sys/bus/pnp/drivers/tpm_tis
/sys/bus/pnp/drivers/tpm_tis/uevent
/sys/bus/pnp/drivers/tpm_tis/bind
/sys/bus/pnp/drivers/tpm_tis/unbind
/sys/bus/acpi/drivers/tpm_crb
/sys/bus/acpi/drivers/tpm_crb/uevent
/sys/bus/acpi/drivers/tpm_crb/bind
/sys/bus/acpi/drivers/tpm_crb/unbind
/sys/bus/i2c/drivers/tpm_i2c_nuvoton
/sys/bus/i2c/drivers/tpm_i2c_nuvoton/uevent
/sys/bus/i2c/drivers/tpm_i2c_nuvoton/bind
/sys/bus/i2c/drivers/tpm_i2c_nuvoton/unbind

>
> James
>

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: James Bottomley @ 2018-11-11 20:29 UTC
To: Michael Niewöhner, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

On Sun, 2018-11-11 at 21:09 +0100, Michael Niewöhner wrote:
> On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:

[...]
> > Well, I still think the ACPI setup is incorrect. What's in
> > /sys/class/platform (should be directories of ACPI devices)? The
> > TPM is supposed to show up as MSFT0101. If it doesn't is there any
> > other device string in there that might be a TPM?
>
> Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?

Your ACPI parser identifies it here:

> [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06 00001300 AMI 00000000)

So it has to be a device in the platform directory. What is in this
directory? To find the TPM it probably has something TPM like in the
firmware_node description:

/sys/devices/platform/<dev>/firmware_node/description

Mine says

jejb@jarvis:~/git/linux/drivers> cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
TPM 2.0 Device

James

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-11 20:34 UTC
To: James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

On Sun, 2018-11-11 at 12:29 -0800, James Bottomley wrote:
> On Sun, 2018-11-11 at 21:09 +0100, Michael Niewöhner wrote:
> > On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
>
> [...]
> > > Well, I still think the ACPI setup is incorrect. What's in
> > > /sys/class/platform (should be directories of ACPI devices)? The
> > > TPM is supposed to show up as MSFT0101. If it doesn't is there any
> > > other device string in there that might be a TPM?
> >
> > Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?
>
> Your ACPI parser identifies it here:
>
> > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> > S06 00001300 AMI 00000000)
>
> So it has to be a device in the platform directory. What is in this
> directory? To find the TPM it probably has something TPM like in the
> firmware_node description:
>
> /sys/devices/platform/<dev>/firmware_node/description
>
> Mine says
>
> jejb@jarvis:~/git/linux/drivers> cat
> /sys/devices/platform/MSFT0101\:00/firmware_node/description
> TPM 2.0 Device
>

Ah, yep. There is indeed a MSFT0101:
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
TPM 2.0 Device
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/hid
MSFT0101
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/path
\_SB_.TPM_
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/status
15
(initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/uid
1

> James

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-11 21:11 UTC
To: James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

On Sun, 2018-11-11 at 21:34 +0100, Michael Niewöhner wrote:
> On Sun, 2018-11-11 at 12:29 -0800, James Bottomley wrote:
> > On Sun, 2018-11-11 at 21:09 +0100, Michael Niewöhner wrote:
> > > On Sun, 2018-11-11 at 10:57 -0800, James Bottomley wrote:
> >
> > [...]
> > > > Well, I still think the ACPI setup is incorrect. What's in
> > > > /sys/class/platform (should be directories of ACPI devices)? The
> > > > TPM is supposed to show up as MSFT0101. If it doesn't is there any
> > > > other device string in there that might be a TPM?
> > >
> > > Nope. I'm not sure if it should show up in ACPI... isn't TPM 2.0 I2C?
> >
> > Your ACPI parser identifies it here:
> >
> > > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-
> > > S06 00001300 AMI 00000000)
> >
> > So it has to be a device in the platform directory. What is in this
> > directory? To find the TPM it probably has something TPM like in the
> > firmware_node description:
> >
> > /sys/devices/platform/<dev>/firmware_node/description
> >
> > Mine says
> >
> > jejb@jarvis:~/git/linux/drivers> cat
> > /sys/devices/platform/MSFT0101\:00/firmware_node/description
> > TPM 2.0 Device
> >
>
> Ah, yep. There is indeed a MSFT0101:
> (initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/description
> TPM 2.0 Device
> (initramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/hid
> MSFT0101
> (in
> itramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/path
> \_SB_.TPM_
> (in
> itramfs) cat /sys/devices/platform/MSFT0101\:00/firmware_node/status
> 15
> (initramf
> s) cat /sys/devices/platform/MSFT0101\:00/firmware_node/uid
> 1
>
> > James

Very strange... When I pull the power cord, then replug and boot, I get these
dmesg messages:
[ 0.000000] efi: ACPI 2.0=0x9ea78000 ACPI=0x9ea78000 SMBIOS=0x9f5e5000 SMBIOS 3.0=0x9f5e4000 MPS=0xfca00 ESRT=0x9c06e918 MEMATTR=0x99cb9018 TPMEventLog=0x98d0c018
[ 0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-S06 00001260 AMI 00000000)
[ 3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
[ 3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test

After a reboot I get those "ima: ..." message again. Pulling the plug seems to
reset anything (the TPM).

The PTT TPM 2.0 shows exactly the same behaviour.

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Mimi Zohar @ 2018-11-11 21:42 UTC
To: Michael Niewöhner, James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel
Cc: Nayna Jain

> Very strange... When I pull the power cord, then replug and boot, I get these
> dmesg messages:
> [ 0.000000] efi: ACPI
> 2.0=0x9ea78000 ACPI=0x9ea78000 SMBIOS=0x9f5e5000 SMBIOS
> 3.0=0x9f5e4000 MPS=0xfca00 ESRT=0x9c06e918 MEMATTR=0x99cb9018 TPMEventLog=0x
> 98d0c018
> [ 0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-
> S06 00001260 AMI 00000000)
> [ 3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> [ 3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test
>
> After a reboot I get those "ima: ..." message again. Pulling the plug seems to
> reset anything (the TPM).
>
> The PTT TPM 2.0 shows exactly the same behaviour.

On a cold boot, it takes longer to initialize the TPM. The TPM is
returning TPM2_RC_TESTING (0x090A == 2314), meaning that it has not
yet finished the initialization. Nayna's posted a patch, which should
address the TPM2_RC_TESTING error message.

https://lore.kernel.org/linux-integrity/20180515071712.9331-1-nayna@linux.vnet.ibm.com/

thanks,

Mimi

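Added example, not part of Mimi's message or of the kernel sources: a POSIX shell decoder for the code in the "A TPM error (N) occurred" line, showing how 2314 breaks down into the warning TPM_RC_TESTING (the kernel header spells it TPM2_RC_TESTING). The function names and the choice of which codes count as transient are assumptions of this example; the code values follow the TPM_RC table of the TPM 2.0 library specification.

```shell
#!/bin/sh
# Added example, not code from the thread or the kernel.

# Extract N from a kernel line "... A TPM error (N) occurred ...".
# Prints nothing when the line carries no such code.
tpm_rc_from_dmesg() {
    printf '%s\n' "$1" |
        sed -n 's/.*A TPM error (\([0-9][0-9]*\)) occurred.*/\1/p'
}

# Classify a code by the TPM_RC bit layout:
#   bit 7  (0x080) set   -> format-one (error tied to a parameter/handle/session)
#   bit 8  (0x100) clear -> TPM 1.2 style code
#   bit 11 (0x800) set   -> warning (RC_WARN is 0x900), otherwise error
tpm2_rc_class() (
    rc=$(( $1 ))
    if [ "$rc" -eq 0 ]; then echo success
    elif [ $(( rc & 0x080 )) -ne 0 ]; then echo format-one-error
    elif [ $(( rc & 0x100 )) -eq 0 ]; then echo tpm1.2-code
    elif [ $(( rc & 0x800 )) -ne 0 ]; then echo warning
    else echo error
    fi
)

# Name a few format-zero codes that matter around start-up and self test.
# Anything else is reported as UNKNOWN rather than guessed.
tpm2_rc_name() (
    case $(printf '0x%03X' "$1") in
        0x000) echo TPM_RC_SUCCESS ;;
        0x100) echo TPM_RC_INITIALIZE ;;
        0x101) echo TPM_RC_FAILURE ;;
        0x908) echo TPM_RC_YIELDED ;;
        0x909) echo TPM_RC_CANCELED ;;
        0x90A) echo TPM_RC_TESTING ;;
        0x922) echo TPM_RC_RETRY ;;
        *)     echo UNKNOWN ;;
    esac
)

# "0x090A warning TPM_RC_TESTING" style summary for one code.
tpm2_rc_decode() {
    printf '0x%04X %s %s\n' "$1" "$(tpm2_rc_class "$1")" "$(tpm2_rc_name "$1")"
}

# True for codes where waiting and retrying is the expected reaction
# (this grouping is the example's own, not a kernel API).
tpm2_rc_is_transient() {
    case $(tpm2_rc_name "$1") in
        TPM_RC_TESTING|TPM_RC_RETRY|TPM_RC_YIELDED) return 0 ;;
        *) return 1 ;;
    esac
}

# The self-test line reported earlier in this thread.
line='[ 3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test'
code=$(tpm_rc_from_dmesg "$line")
if [ -n "$code" ]; then
    tpm2_rc_decode "$code"
    if tpm2_rc_is_transient "$code"; then
        echo "transient: the TPM is still busy, a later retry is expected to succeed"
    fi
fi
```
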
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-14 20:46 UTC
To: Mimi Zohar, James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel
Cc: Nayna Jain

Hi all,

I tried that patch mentioned by Mimi but it does not change anything for me.

Then I did some more tests with different kernel configs and finally got TPM
working by
a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.

(initramfs) dmesg | grep -i tpm
[ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
[ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06 00001260 AMI 00000000)
(initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
(initramfs) modprobe tpm_tis
[ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)

b) compiling TPM-support in-kernel and manually bind the ACPI device

(initramfs) dmesg | grep -i tpm
[ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000 SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
[ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06 00001260 AMI 00000000)
(initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
[ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)

It seems to me, the kernel tries to enable the TPM too early...

Michael

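Added example, not from any poster in this thread: the sysfs checks from the exchange above (firmware_node description, hid and status, plus whether a driver is bound to the platform device) collected into one read-only script. The function names and the sysfs-root argument are this example's own; it covers only ACPI-enumerated platform devices such as MSFT0101:00 and never writes to a bind file.

```shell
#!/bin/sh
# Added example, not code from the thread. It only reads sysfs.

# Print a sysfs attribute if it is readable; print nothing otherwise.
read_attr() { if [ -r "$1" ]; then cat "$1" 2>/dev/null || true; fi; }

# One line per ACPI platform device that looks like a TPM:
#   <device> hid=<_HID> status=<_STA> driver=<bound driver or "unbound">
# $1 is the sysfs root (default /sys), so a copied tree can be inspected too.
tpm_platform_report() (
    root=${1:-/sys}
    for node in "$root"/devices/platform/*/firmware_node; do
        [ -d "$node" ] || continue
        dev=${node%/firmware_node}
        hid=$(read_attr "$node/hid")
        desc=$(read_attr "$node/description")
        case "$hid $desc" in
            *MSFT0101*|*TPM*) ;;      # the ID and description seen in the thread
            *) continue ;;
        esac
        status=$(read_attr "$node/status")
        if [ -L "$dev/driver" ]; then
            drv=$(basename "$(readlink "$dev/driver")")
        else
            drv=unbound
        fi
        printf '%s hid=%s status=%s driver=%s\n' \
            "${dev##*/}" "${hid:-?}" "${status:-?}" "$drv"
    done
)

# Names of TPM devices that ACPI reports as present, enabled and functioning
# (_STA bits 0, 1 and 3, mask 0xB; the thread's value 15 has all of them)
# but that have no driver bound: the state seen before the manual bind.
tpm_unbound() {
    tpm_platform_report "$1" | while read -r name hid status drv; do
        s=${status#status=}
        case $s in ''|*[!0-9]*) continue ;; esac
        if [ "$drv" = "driver=unbound" ] && [ $(( s & 0xB )) -eq 11 ]; then
            printf '%s\n' "$name"
        fi
    done
}

tpm_platform_report "${1:-/sys}"
for d in $(tpm_unbound "${1:-/sys}"); do
    echo "$d: present and functioning per _STA, but no driver is bound"
done
```
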
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-16 21:06 UTC
To: Mimi Zohar, James Bottomley, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel, Nayna Jain

On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> Hi all,
>
> I tried that patch mentioned by Mimi but it does not change anything for me.
>
> Then I did some more tests with different kernel configs and finally got TPM
> working by
> a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
>
> (initramfs) dmesg | grep -i tpm
> [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> TPMEventLog=0x97cbb018
> [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> S06 00001260 AMI 00000000)
> (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> (initramfs) modprobe tpm_tis
> [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
>
> b) compiling TPM-support in-kernel and manually bind the ACPI device
>
> (initramfs) dmesg | grep -i tpm
> [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> SMBIOS
> 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> 00001260
> AMI 00000000)
> (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
>
>
> It seems to me, the kernel tries to enable the TPM too early...
>
>
> Michael

Looks like the manual driver bind works more or less but e.g. reading hwrng does
not work...

# echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
[ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
# cat /sys/devices/virtual/misc/hw_random/rng_current
tpm-rng-0
# cat /dev/hwrng >/dev/null
cat: /dev/hwrng: Operation not permitted

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Jarkko Sakkinen @ 2018-11-18 8:18 UTC
To: Michael Niewöhner
Cc: Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd, linux-integrity, linux-kernel, Nayna Jain

On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > Hi all,
> >
> > I tried that patch mentioned by Mimi but it does not change anything for me.
> >
> > Then I did some more tests with different kernel configs and finally got TPM
> > working by
> > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> >
> > (initramfs) dmesg | grep -i tpm
> > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > TPMEventLog=0x97cbb018
> > [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> > S06 00001260 AMI 00000000)
> > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > (initramfs) modprobe tpm_tis
> > [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> >
> > b) compiling TPM-support in-kernel and manually bind the ACPI device
> >
> > (initramfs) dmesg | grep -i tpm
> > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > SMBIOS
> > 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> > 00001260
> > AMI 00000000)
> > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> >
> >
> > It seems to me, the kernel tries to enable the TPM too early...
> >
> >
> > Michael
>
> Looks like the manual driver bind works more or less but e.g. reading hwrng does
> not work...
>
> # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> [ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> # cat /sys/devices/virtual/misc/hw_random/rng_current
> tpm-rng-0
> # cat /dev/hwrng >/dev/null
> cat: /dev/hwrng: Operation not permitted

Can you check with trace-cmd start -p function -l 'tpm*'?

/Jarkko

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-18 14:10 UTC
To: Jarkko Sakkinen
Cc: Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd, linux-integrity, linux-kernel, Nayna Jain

On Sun, 2018-11-18 at 10:18 +0200, Jarkko Sakkinen wrote:
> On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> > On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > > Hi all,
> > >
> > > I tried that patch mentioned by Mimi but it does not change anything for
> > > me.
> > >
> > > Then I did some more tests with different kernel configs and finally got
> > > TPM
> > > working by
> > > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > >
> > > (initramfs) dmesg | grep -i tpm
> > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > > SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > > TPMEventLog=0x97cbb018
> > > [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> > > S06 00001260 AMI 00000000)
> > > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > > (initramfs) modprobe tpm_tis
> > > [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > >
> > > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > >
> > > (initramfs) dmesg | grep -i tpm
> > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > > SMBIOS
> > > 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> > > 00001260
> > > AMI 00000000)
> > > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > >
> > >
> > > It seems to me, the kernel tries to enable the TPM too early...
> > >
> > >
> > > Michael
> >
> > Looks like the manual driver bind works more or less but e.g. reading hwrng
> > does
> > not work...
> >
> > # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > [ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > # cat /sys/devices/virtual/misc/hw_random/rng_current
> > tpm-rng-0
> > # cat /dev/hwrng >/dev/null
> > cat: /dev/hwrng: Operation not permitted
>
> Can you check with trace-cmd start -p function -l 'tpm*'?
>
> /Jarkko


Hi Jarkko,

what output do you need exactly?

root@debian:~# trace-cmd record -p function -l 'tpm*'
plugin 'function'
Hit Ctrl^C to stop recording
^CCPU0 data recorded at offset=0x464000
0 bytes in size
CPU1 data recorded at offset=0x464000
0 bytes in size
CPU2 data recorded at offset=0x464000
0 bytes in size
CPU3 data recorded at offset=0x464000
4096 bytes in size
CPU4 data recorded at offset=0x465000
4096 bytes in size
CPU5 data recorded at offset=0x466000
0 bytes in size
CPU6 data recorded at offset=0x466000
0 bytes in size
CPU7 data recorded at offset=0x466000
0 bytes in size

root@debian:~# trace-cmd report
CPU 0 is empty
CPU 1 is empty
CPU 2 is empty
CPU 5 is empty
CPU 6 is empty
CPU 7 is empty
cpus=8
cat-3324 [003] 265.547715: function: tpm_hwrng_read
cat-3324 [003] 265.547721: function: tpm_get_random
cat-3324 [003] 265.547721: function: tpm_find_get_ops
cat-3324 [003] 265.547721: function: tpm_try_get_ops
cat-3324 [003] 265.547721: function: tpm2_get_random
cat-3324 [003] 265.547722: function: tpm_transmit_cmd
cat-3324 [003] 265.547722: function: tpm_transmit
cat-3324 [003] 265.547722: function: tpm_tis_clkrun_enable
cat-3324 [003] 265.547723: function: tpm_tcg_read_bytes
< snip ... many times the same lines: cat-3324 ... function: tpm_tcg_read_bytes >
cat-3324 [004] 266.291087: function: tpm_tcg_read_bytes
cat-3324 [004] 266.296347: function: tpm_tis_clkrun_enable
cat-3324 [004] 266.296349: function: tpm_put_ops

Michael

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Jarkko Sakkinen @ 2018-11-19 13:49 UTC
To: Michael Niewöhner
Cc: Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd, linux-integrity, linux-kernel, Nayna Jain

On Sun, Nov 18, 2018 at 03:10:06PM +0100, Michael Niewöhner wrote:
> On Sun, 2018-11-18 at 10:18 +0200, Jarkko Sakkinen wrote:
> > On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> > > On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > > > Hi all,
> > > >
> > > > I tried that patch mentioned by Mimi but it does not change anything for
> > > > me.
> > > >
> > > > Then I did some more tests with different kernel configs and finally got
> > > > TPM
> > > > working by
> > > > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > > >
> > > > (initramfs) dmesg | grep -i tpm
> > > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > > > SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > > > TPMEventLog=0x97cbb018
> > > > [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> > > > S06 00001260 AMI 00000000)
> > > > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > > > (initramfs) modprobe tpm_tis
> > > > [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > >
> > > > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > > >
> > > > (initramfs) dmesg | grep -i tpm
> > > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000 SMBIOS=0x9f5eb000
> > > > SMBIOS
> > > > 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018 TPMEventLog=0x97cbb018
> > > > [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> > > > 00001260
> > > > AMI 00000000)
> > > > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > > [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > >
> > > >
> > > > It seems to me, the kernel tries to enable the TPM too early...
> > > >
> > > >
> > > > Michael
> > >
> > > Looks like the manual driver bind works more or less but e.g. reading hwrng
> > > does
> > > not work...
> > >
> > > # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > [ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > # cat /sys/devices/virtual/misc/hw_random/rng_current
> > > tpm-rng-0
> > > # cat /dev/hwrng >/dev/null
> > > cat: /dev/hwrng: Operation not permitted
> >
> > Can you check with trace-cmd start -p function -l 'tpm*'?
> >
> > /Jarkko
>
>
> Hi Jarkko,
>
> what output do you need exactly?

TPM gets added with tpm_add_hwrng() and the callback that is called by
hwrng subsystem is tpm_hwrng_read().

Obviously the former gets called (can be seen from the sysfs file). Just
wondering if it ever reaches tpm_hwrng_read().

/Jarkko

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-25 20:06 UTC
To: Jarkko Sakkinen, Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd, linux-integrity, linux-kernel, Nayna Jain

Hi,

On Mon, 2018-11-19 at 15:49 +0200, Jarkko Sakkinen wrote:
> On Sun, Nov 18, 2018 at 03:10:06PM +0100, Michael Niewöhner wrote:
> > On Sun, 2018-11-18 at 10:18 +0200, Jarkko Sakkinen wrote:
> > > On Fri, Nov 16, 2018 at 10:06:28PM +0100, Michael Niewöhner wrote:
> > > > On Wed, 2018-11-14 at 21:46 +0100, Michael Niewöhner wrote:
> > > > > Hi all,
> > > > >
> > > > > I tried that patch mentioned by Mimi but it does not change anything
> > > > > for
> > > > > me.
> > > > >
> > > > > Then I did some more tests with different kernel configs and finally
> > > > > got
> > > > > TPM
> > > > > working by
> > > > > a) compiling TPM as modules and rmmod tpm* and re-modprobe tpm_tis.
> > > > >
> > > > > (initramfs) dmesg | grep -i tpm
> > > > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000
> > > > > SMBIOS=0x9f5eb000
> > > > > SMBIOS 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > > > > TPMEventLog=0x97cbb018
> > > > > [ 0.003793] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-
> > > > > S06 00001260 AMI 00000000)
> > > > > (initramfs) rmmod tpm_crb tpm_tis tpm_tis_core tpm
> > > > > (initramfs) modprobe tpm_tis
> > > > > [ 44.956905] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > >
> > > > > b) compiling TPM-support in-kernel and manually bind the ACPI device
> > > > >
> > > > > (initramfs) dmesg | grep -i tpm
> > > > > [ 0.000000] efi: ACPI 2.0=0x9ea7e000 ACPI=0x9ea7e000
> > > > > SMBIOS=0x9f5eb000
> > > > > SMBIOS
> > > > > 3.0=0x9f5ea000 ESRT=0x9c07d918 MEMATTR=0x9bea3018
> > > > > TPMEventLog=0x97cbb018
> > > > > [ 0.003546] ACPI: TPM2 0x000000009EAB7F70 000034 (v03 LENOVO TC-S06
> > > > > 00001260
> > > > > AMI 00000000)
> > > > > (initramfs) echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > > > [ 233.076079] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > >
> > > > >
> > > > > It seems to me, the kernel tries to enable the TPM too early...
> > > > >
> > > > >
> > > > > Michael
> > > >
> > > > Looks like the manual driver bind works more or less but e.g. reading
> > > > hwrng
> > > > does
> > > > not work...
> > > >
> > > > # echo MSFT0101:00 >/sys/bus/platform/drivers/tpm_tis/bind
> > > > [ 148.293302] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> > > > # cat /sys/devices/virtual/misc/hw_random/rng_current
> > > > tpm-rng-0
> > > > # cat /dev/hwrng >/dev/null
> > > > cat: /dev/hwrng: Operation not permitted
> > >
> > > Can you check with trace-cmd start -p function -l 'tpm*'?
> > >
> > > /Jarkko
> >
> >
> > Hi Jarkko,
> >
> > what output do you need exactly?
>
> TPM gets added with tpm_add_hwrng() and the callback that is called by
> hwrng subsystem is tpm_hwrng_read().
>
> Obviously the former gets called (can be seen from the sysfs file). Just
> wondering if it ever reaches tpm_hwrng_read().
>
> /Jarkko

I wanted to be sure that there is no hardware failure so I tested the TPM in
UEFI Shell using the tpm tools from github.com/fpmurphy/UEFI-Utilities-2016
I can confirm that it is working there in both modes 1.2 and 2.0.

FS0:\> ShowTPM2.efi
Signature : TPM2
Length : 52
Revision : 3
Checksum : 167
Oem ID : LENOVO
Oem Table ID : TC-S06
Oem Revision : 4704
Creator ID : AMI
Creator Revision : 0
Platform Class : 0
Control Area Address : 0
Start Method : 6 (Memory mapped I/O)
Platform S.P. Size : 0

FS0:\> ShowTCM20.efi
Structure Version: 1.1
Protocol Version: 1.1
Supported Hash Algorithms: SHA1 SHA256
Supported Event Log Formats: TCG_1.2 TCG_2
TPM Present Flag: True
Maximum Command Size: 2048
Maximum Response Size: 2048
Manufactuer ID: NTC
Number of PCR Banks: 2

FS0:\> ShowPCR20.efi
Bank (Algorithm): TPM_ALG_SHA1 (0x0004)
[00] 1E BB 2B E3 B7 10 3A 09 B5 CA EE B5 82 7C 12 42 CD 66 32 EC
[01] 80 4E 8E 47 19 9D C7 31 4E B4 3C 4D C9 58 EF 6F 0B 6B 49 62
[02] B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
[03] B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
....
......

Michael

* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-26 19:15 UTC
To: Jarkko Sakkinen, Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd, linux-integrity, linux-kernel, Nayna Jain

Hi again,

after some experiments I finally found a solution...
There seems to be a bug in TPM2.0 firmware version (1.3.1.0) included in Lenovo's
UEFI image but they do not provide an update.

I have extracted the firmware version 1.3.2.8 from Dell's XPS15 TPM2.0 firmware
update and used this to replace the firmware in my Lenovo UEFI image.
After flashing this version via UEFI Setup the TPM2.0 gets detected and now is
fully working. WTF.

For anyone having the same problem: binwalk, uefi-firmware-parser, uefipatch and
flashrom are your friends ;-)

Best regards
Michael
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Jarkko Sakkinen @ 2018-11-26 21:13 UTC
To: Michael Niewöhner
Cc: Mimi Zohar, James Bottomley, peterhuewe, jgg, arnd, linux-integrity, linux-kernel, Nayna Jain

On Mon, Nov 26, 2018 at 08:15:38PM +0100, Michael Niewöhner wrote:
> Hi again,
>
> after some experiments I finally found a solution...
> There seems to be a bug in TPM2.0 firmware version (1.3.1.0) included in Lenovo's
> UEFI image but they do not provide an update.
>
> I have extracted the firmware version 1.3.2.8 from Dell's XPS15 TPM2.0 firmware
> update and used this to replace the firmware in my Lenovo UEFI image.
> After flashing this version via UEFI Setup the TPM2.0 gets detected and now is
> fully working. WTF.

That can be called as true craftsmanship :-) Awesome work! Maybe you
should even consider blogging this. Sounds interesting.

> For anyone having the same problem: binwalk, uefi-firmware-parser, uefipatch and
> flashrom are your friends ;-)
>
> Best regards
> Michael

/Jarkko
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Jarkko Sakkinen @ 2018-11-13 10:50 UTC
To: Michael Niewöhner
Cc: James Bottomley, peterhuewe, jgg, arnd, linux-integrity, linux-kernel

On Sun, Nov 11, 2018 at 10:11:33PM +0100, Michael Niewöhner wrote:
> Very strange... When I pull the power cord, then replug and boot, I get these
> dmesg messages:
> [ 0.000000] efi: ACPI 2.0=0x9ea78000 ACPI=0x9ea78000 SMBIOS=0x9f5e5000 SMBIOS 3.0=0x9f5e4000 MPS=0xfca00 ESRT=0x9c06e918 MEMATTR=0x99cb9018 TPMEventLog=0x98d0c018
> [ 0.001794] ACPI: TPM2 0x000000009EAB1F70 000034 (v03 LENOVO TC-S06 00001260 AMI 00000000)
> [ 3.096587] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2)
> [ 3.105684] tpm tpm0: A TPM error (2314) occurred attempting the self test
>
> After a reboot I get those "ima: ..." message again. Pulling the plug seems to
> reset anything (the TPM).
>
> The PTT TPM 2.0 shows exactly the same behaviour.

The error in question is TPM_RC_TESTING i.e. TPM is still processing
selftests in the background. It is clearly a regression but
unfortunately it is harmless and unrelated i.e. tpm2_do_selftest() should
not print an error message because it is legit behavior. The function
actually masks the whole error:

	if (rc == TPM2_RC_TESTING)
		rc = TPM2_RC_SUCCESS;

/Jarkko
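Added example, not part of the thread and not kernel code: the 2314 in the self-test log line quoted above is decimal for 0x90A, and the decoder below splits such a code into its TPM 2.0 response-code fields so that a warning-class code like TPM_RC_TESTING can be told apart from a hard failure when triaging dmesg. The struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tpm2_rc {     /* fields per TPM 2.0 Library spec, Part 2 */
    int format_one;  /* bit 7: error tied to a parameter/session/handle */
    int tpm12;       /* format-zero with bit 8 clear: TPM 1.2 style code */
    int vendor;      /* format-zero bit 10: vendor-defined */
    int warning;     /* format-zero bit 11: warning, not a hard failure */
    unsigned err;    /* bits 6:0 (format-zero) or 5:0 (format-one) */
    char subject;    /* format-one: 'P'aram, 'S'ession, 'H'andle, else 0 */
    unsigned index;  /* format-one: which parameter/session/handle */
    const char *name;
};

/* A handful of well-known codes only; format-one entries omit P and N. */
static const struct { uint32_t rc; const char *name; } known[] = {
    { 0x000, "TPM_RC_SUCCESS" }, { 0x100, "TPM_RC_INITIALIZE" },
    { 0x101, "TPM_RC_FAILURE" }, { 0x90A, "TPM_RC_TESTING" },
    { 0x922, "TPM_RC_RETRY" },   { 0x084, "TPM_RC_VALUE" },
    { 0x08B, "TPM_RC_HANDLE" },  { 0x08E, "TPM_RC_AUTH_FAIL" },
};

struct tpm2_rc tpm2_decode(uint32_t rc)
{
    struct tpm2_rc d = { .name = "unknown" };
    uint32_t base;

    if (rc & 0x080) {                       /* F bit set: format-one */
        unsigned n = (rc >> 8) & 0xF;
        d.format_one = 1;
        d.err = rc & 0x3F;
        if (rc & 0x040)   { d.subject = 'P'; d.index = n; }
        else if (n & 0x8) { d.subject = 'S'; d.index = n & 0x7; }
        else if (n)       { d.subject = 'H'; d.index = n; }
        base = 0x080 | d.err;
    } else {                                /* format-zero */
        d.err = rc & 0x7F;
        d.tpm12 = rc != 0 && !(rc & 0x100);
        d.vendor = (rc & 0x400) != 0;
        d.warning = (rc & 0x800) != 0;
        base = rc & 0xFFF;
    }
    for (size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (known[i].rc == base)
            d.name = known[i].name;
    return d;
}

/* Pull the decimal code out of a kernel "A TPM error (N)" line; -1 if absent. */
int tpm2_rc_from_log(const char *line, uint32_t *rc)
{
    const char *p = strstr(line, "A TPM error (");
    unsigned v;

    if (!p || sscanf(p, "A TPM error (%u)", &v) != 1)
        return -1;
    *rc = v;
    return 0;
}

int main(void)
{
    uint32_t rc;   /* the log line below is the one quoted in the thread */
    if (tpm2_rc_from_log("tpm tpm0: A TPM error (2314) occurred attempting the self test", &rc) == 0)
        printf("0x%03X %s\n", (unsigned)rc, tpm2_decode(rc).name);
    return 0;
}
```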
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Mimi Zohar @ 2019-01-11 15:40 UTC
To: Michael Niewöhner
Cc: jarkko.sakkinen, linux-integrity, linux-kernel

Hi Michael,

On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:

> Well, there are at least two implementations I know of:
> For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
> This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
> Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton gets
> reflashed with the appropriate firmware.

With IBM's LTC help, we finally found a Lenovo with the Nuvoton
NCPT650. It's a System x3550 M5[1], not a ThinkStation P320, running
Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
with the latest stable 4.19.y kernel. Both the TPM and IMA seem to be
working properly. Not sure if this helps...

From dmesg:
# dmesg | grep -i tpm
[ 0.000000] Linux version 4.19.14 (mimi@x86tpm2Server.rtp.stglabs.ibm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP Thu Jan 10 22:32:54 EST 2019
[ 0.000000] efi: ACPI=0x7b786000 ACPI 2.0=0x7b786014 SMBIOS=0x793fe000 TPMEventLog=0x426fa018
[ 0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL Tpm2Tabl 00001000 INTL 20130328)
[ 0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL EDK2 00000002 INTL 01000013)
[ 2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2

# cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate

I installed the ibmtpm2tss[2], built (e.g. autoreconf -i; configure --enable-hwtpm) and installed it.

# export LD_LIBRARY_PATH=/usr/local/lib/
# cd /usr/local/bin
# ./tsspcrread -ha 10 -halg sha256 -ns
f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b

Mimi

[1] https://lenovopress.com/lp0599.pdf
[2] https://git.code.sf.net/p/ibmtpm20tss/tss
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2019-01-12 9:52 UTC
To: Mimi Zohar
Cc: jarkko.sakkinen, linux-integrity, linux-kernel

Hi Mimi,

On Fri, 2019-01-11 at 10:40 -0500, Mimi Zohar wrote:
> Hi Michael,
>
> On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
>
> > Well, there are at least two implementations I know of:
> > For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
> > This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
> > Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton gets
> > reflashed with the appropriate firmware.
>
> With IBM's LTC help, we finally found a Lenovo with the Nuvoton
> NCPT650. It's a System x3550 M5[1], not a ThinkStation P320, running
> Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
> with the latest stable 4.19.y kernel. Both the TPM and IMA seem to be
> working properly. Not sure if this helps...
>
> From dmesg:
> # dmesg | grep -i tpm
> [ 0.000000] Linux version 4.19.14 (mimi@x86tpm2Server.rtp.stglabs.ibm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP Thu Jan 10 22:32:54 EST 2019
> [ 0.000000] efi: ACPI=0x7b786000 ACPI 2.0=0x7b786014 SMBIOS=0x793fe000 TPMEventLog=0x426fa018
> [ 0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL Tpm2Tabl 00001000 INTL 20130328)
> [ 0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL EDK2 00000002 INTL 01000013)
> [ 2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2
>
> # cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
> 10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate
>
> I installed the ibmtpm2tss[2], built (e.g. autoreconf -i; configure --enable-hwtpm) and installed it.
>
> # export LD_LIBRARY_PATH=/usr/local/lib/
> # cd /usr/local/bin
> # ./tsspcrread -ha 10 -halg sha256 -ns
> f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b
>
> Mimi
>
> [1] https://lenovopress.com/lp0599.pdf
> [2] https://git.code.sf.net/p/ibmtpm20tss/tss
>

what UEFI version is installed on that machine?
Is the TPM connected via LPC or I2C?

Best regards
Michael
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2019-01-12 10:49 UTC
To: Mimi Zohar
Cc: jarkko.sakkinen, linux-integrity, linux-kernel

Hi again,

On Sat, 2019-01-12 at 10:52 +0100, Michael Niewöhner wrote:
> Hi Mimi,
>
> On Fri, 2019-01-11 at 10:40 -0500, Mimi Zohar wrote:
> > Hi Michael,
> >
> > On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
> >
> > > Well, there are at least two implementations I know of:
> > > For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
> > > This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
> > > Nuvoton 1.2 and 2.0. When switching between 1.2 and 2.0 the Nuvoton gets
> > > reflashed with the appropriate firmware.
> >
> > With IBM's LTC help, we finally found a Lenovo with the Nuvoton
> > NCPT650. It's a System x3550 M5[1], not a ThinkStation P320, running
> > Fedora (vmlinuz-4.16.14-300.fc28.x86_64). I replaced the 4.16 kernel
> > with the latest stable 4.19.y kernel. Both the TPM and IMA seem to be
> > working properly. Not sure if this helps...
> >
> > From dmesg:
> > # dmesg | grep -i tpm
> > [ 0.000000] Linux version 4.19.14 (mimi@x86tpm2Server.rtp.stglabs.ibm.com) (gcc version 8.1.1 20180502 (Red Hat 8.1.1-1) (GCC)) #6 SMP Thu Jan 10 22:32:54 EST 2019
> > [ 0.000000] efi: ACPI=0x7b786000 ACPI 2.0=0x7b786014 SMBIOS=0x793fe000 TPMEventLog=0x426fa018
> > [ 0.014413] ACPI: SSDT 0x000000007B784000 0003A7 (v02 INTEL Tpm2Tabl 00001000 INTL 20130328)
> > [ 0.014416] ACPI: TPM2 0x000000007B783000 000034 (v03 INTEL EDK2 00000002 INTL 01000013)
> > [ 2.667052] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFE, rev-id 2
> >
> > # cat /sys/kernel/security/ima/ascii_runtime_measurements | head -2
> > 10 5425744ce804c8cae89a08d53b41ab20ff1b3ea6 ima-sig sha1:7996f7339c3ce64e63f1232ef1aa6033247af784 boot_aggregate
> >
> > I installed the ibmtpm2tss[2], built (e.g. autoreconf -i; configure --enable-hwtpm) and installed it.
> >
> > # export LD_LIBRARY_PATH=/usr/local/lib/
> > # cd /usr/local/bin
> > # ./tsspcrread -ha 10 -halg sha256 -ns
> > f73ff9109b06d4f7a7cbe7eac32b20d2ca662e55cb4c81e152beea261989ad4b
> >
> > Mimi
> >
> > [1] https://lenovopress.com/lp0599.pdf
> > [2] https://git.code.sf.net/p/ibmtpm20tss/tss
> >
>
> what UEFI version is installed on that machine?
> Is the TPM connected via LPC or I2C?
>
> Best regards
> Michael
>
>

I had a short look at an extracted x3550 UEFI firmware (tbe132l-2.52). This
seems to be a very different implementation, probably due to the fact that this
is a server firmware but not a desktop/workstation firmware. I do not know how
much UEFI has influence on the communication with the TPM but I assume we can
not really compare x3550 with P320 :-(

Best regards
Michael
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Mimi Zohar @ 2018-11-11 18:33 UTC
To: Michael Niewöhner, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> Hi all,
>
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> Kernel version is 4.19.1
>
> Kernel config:
>
> $ cat .config | egrep 'TCG|TPM|CRB|_TIS'
> CONFIG_TCG_TPM=y
> CONFIG_HW_RANDOM_TPM=y
> CONFIG_TCG_TIS_CORE=y
> CONFIG_TCG_TIS=y
> CONFIG_TCG_TIS_SPI=y
> # CONFIG_TCG_TIS_I2C_ATMEL is not set
> # CONFIG_TCG_TIS_I2C_INFINEON is not set
> CONFIG_TCG_TIS_I2C_NUVOTON=y
> # CONFIG_TCG_NSC is not set
> # CONFIG_TCG_ATMEL is not set
> # CONFIG_TCG_INFINEON is not set
> CONFIG_TCG_CRB=y
> # CONFIG_TCG_VTPM_PROXY is not set
> # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
> # CONFIG_TCG_TIS_ST33ZP24_SPI is not set
>
>
> TPM 1.2 mode dmesg:
>
> $ dmesg | egrep -i tis\|tpm\|crb
> [ 3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)
>
>
> TPM 2.0 mode dmesg:
>
> $ dmesg | egrep -i tis\|tpm\|crb
> [ 0.000000] efi: ACPI 2.0=0x9e457000 ACPI=0x9e457000 SMBIOS=0x9ec44000 SMBIOS 3.0=0x9ec43000 TPMEventLog=0x9711f018
> [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06 00001300 AMI 00000000)
> [ 4.071550] ima: No TPM chip found, activating TPM-bypass!

It's possible that eventually the TPM is initialized, but not in time
for IMA. Could you check to see if the TPM is responding to
userspace commands after boot?

Mimi
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Michael Niewöhner @ 2018-11-11 18:51 UTC
To: Mimi Zohar, peterhuewe, jarkko.sakkinen, jgg, arnd, linux-integrity, linux-kernel

Hi Mimi,

On Sun, 2018-11-11 at 13:33 -0500, Mimi Zohar wrote:
> On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> > Hi all,
> >
> > Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> > while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> > Kernel version is 4.19.1
> >
> > Kernel config:
> >
> > $ cat .config | egrep 'TCG|TPM|CRB|_TIS'
> > CONFIG_TCG_TPM=y
> > CONFIG_HW_RANDOM_TPM=y
> > CONFIG_TCG_TIS_CORE=y
> > CONFIG_TCG_TIS=y
> > CONFIG_TCG_TIS_SPI=y
> > # CONFIG_TCG_TIS_I2C_ATMEL is not set
> > # CONFIG_TCG_TIS_I2C_INFINEON is not set
> > CONFIG_TCG_TIS_I2C_NUVOTON=y
> > # CONFIG_TCG_NSC is not set
> > # CONFIG_TCG_ATMEL is not set
> > # CONFIG_TCG_INFINEON is not set
> > CONFIG_TCG_CRB=y
> > # CONFIG_TCG_VTPM_PROXY is not set
> > # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
> > # CONFIG_TCG_TIS_ST33ZP24_SPI is not set
> >
> >
> > TPM 1.2 mode dmesg:
> >
> > $ dmesg | egrep -i tis\|tpm\|crb
> > [ 3.210040] tpm_tis 00:0a: 1.2 TPM (device-id 0xFE, rev-id 2)
> >
> >
> > TPM 2.0 mode dmesg:
> >
> > $ dmesg | egrep -i tis\|tpm\|crb
> > [ 0.000000] efi: ACPI 2.0=0x9e457000 ACPI=0x9e457000 SMBIOS=0x9ec44000 SMBIOS 3.0=0x9ec43000 TPMEventLog=0x9711f018
> > [ 0.003517] ACPI: TPM2 0x000000009E490ED8 000034 (v03 LENOVO TC-S06 00001300 AMI 00000000)
> > [ 4.071550] ima: No TPM chip found, activating TPM-bypass!
>
> It's possible that eventually the TPM is initialized, but not in time
> for IMA. Could you check to see if the TPM is responding to
> userspace commands after boot?

No, it isn't even detected. There is no /dev/tpm0 and /sys/class/tpm is empty.

>
> Mimi
>
* Re: [BUG] Nuvoton NCPT650 TPM 2.0 mode not working
From: Jarkko Sakkinen @ 2018-11-13 10:28 UTC
To: Michael Niewöhner
Cc: peterhuewe, jgg, arnd, linux-integrity, linux-kernel

On Sun, Nov 11, 2018 at 06:55:36PM +0100, Michael Niewöhner wrote:
> Hi all,
>
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> Kernel version is 4.19.1

Can you check what ACPI dump would show up [1]?

[1] acpidump > acpidump.out

/Jarkko