#230 Hardware with TPM 1.2 chip not supported by Trousers.
List of installed and available packages under Linux Fedora:
$ LANG=C dnf -q list *trousers*
Installed Packages
trousers.x86_64 0.3.13-12.fc30 @koji-override-0
trousers-lib.x86_64 0.3.13-12.fc30 @anaconda
Available Packages
trousers-devel.x86_64 0.3.13-12.fc30 fedora
trousers-static.x86_64 0.3.13-12.fc30 fedora
Description An hardware with TPM 1.2 chip not supported by Trousers.
Original state: In BIOS, TPM has been cleared, no password assigned to system's owner.
Hardware used:
# dmidecode | grep -iA3 'system information'; dmidecode | grep -wi date
System Information
Manufacturer: Dell Inc.
Product Name: Latitude E4300
Version: Not Specified
Release Date: 10/13/2009
Kernel installed:
$ uname -r
5.2.8-200.fc30.x86_64
Enabled CPU features:
$ cat /proc/cpuinfo | sed -n "2p;20,21p" | grep -Ewi 'vendor_id|lm|vmx|aes|smx'
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm pti tpr_shadow vnmi flexpriority dtherm ida
TPM modules present on system:
$ ls -p /lib/modules/`uname -r`/kernel/drivers/char/tpm | grep --color -E '^|tpm' | column
tpm_atmel.ko.xz tpm_nsc.ko.xz tpm_vtpm_proxy.ko.xz
tpm_infineon.ko.xz tpm_tis_spi.ko.xz
Unexpectedly from previous output here reported module tpm_tis is not listed:
$ dmesg | grep -wi tpm
[ 1.387791] tpm_tis 00:05: 1.2 TPM (device-id 0x2001, rev-id 48)
[ 1.400731] tpm tpm0: Adjusting TPM timeout parameters.
TPM version:
$ tpm_version | head -n 6
TPM 1.2 Version Info:
Chip Version: 1.2.7.11
Spec Level: 2
Errata Revision: 1
TPM Vendor ID: BRCM
TPM Version: 01010000
$ tpm_selftest -l info
TPM Test Results: 809f7e60
tpm_selftest succeeded
A TPM chip is then present and its implementation is hardware-based and furthermore a discrete one.
When TXT is not in BIOS activated ,issue related to KVM and reported at Red Hat Bugzilla – Bug 1714586 does not occur. In system module kvm_intel is listed.
$ lsmod | grep -E 'kvm|tpm'
kvm_intel 303104 0
kvm 741376 1 kvm_intel
irqbypass 16384 1 kvm
Once TXT had been activated even honoring the required order, which is to activate TXT before enabling KVM, that issue does occur. In system module kvm_intel is no more listed.
$ lsmod | grep -E 'kvm|tpm'
kvm 753664 0
irqbypass 16384 1 kvm
Error messages related to component that interferes one with another –KVM, TCSD,–:
$ LANG=C sudo cat /var/log/boot.log | grep FAILED | head -n 1
[FAILED] Failed to start TCG Core Services Daemon.
$ LANG=C journalctl -b | grep -Ei 'kvm|tcg|tcsd'
[...]
Jul 23 17:38:10 localhost.localdomain kernel: kvm: disable TXT in the BIOS or activate TXT before enabling KVM
Jul 23 17:38:10 localhost.localdomain kernel: kvm: disabled by bios
Aug 17 13:25:50 localhost.localdomain systemd[1]: Starting TCG Core Services Daemon...
Aug 17 13:25:50 localhost.localdomain tcsd[794]: TCSD TDDL[794]: TrouSerS ioctl: (25) Inappropriate ioctl for device
Aug 17 13:25:50 localhost.localdomain tcsd[794]: TCSD TDDL[794]: TrouSerS Falling back to Read/Write device support.
Aug 17 13:25:50 localhost.localdomain TCSD[809]: TrouSerS trousers 0.3.13: TCSD up and running.
Aug 17 13:25:50 localhost.localdomain systemd[1]: Started TCG Core Services Daemon.
Aug 17 13:25:50 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tcsd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 17 13:26:15 localhost.localdomain libvirtd[918]: invalid argument: could not find capabilities for arch=x86_64 domaintype=kvm
The proper way to introduce an SRK into the persistent store seems to me to rely on taking ownership of the TPM via Trousers. Taking ownership can be done only once. Also the tpm_sealdata command requires the SRK not to have a password associated with it, which is the case on my system. Error encountered on my system:
# echo "Linux TPM" | tpm_sealdata -z -p 1 -o message.sealed
Tspi_Context_LoadKeyByUUID failed: 0x00002020 - layer=tcs, code=0020 (32), Key not found in persistent storage
# tpm_takeownership -z
Enter owner password:
Confirm password:
Tspi_TPM_TakeOwnership failed: 0x00000023 - layer=tpm, code=0023 (35), No EK