#237 tpm_restrictsrk -z fails with "Authentication failed"

Bug
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2023-11-01
Created: 2023-11-01
Private: No

tpm_restrictsrk -z fails with "Authentication failed" and I'm never prompted for any password. Is it a bug or just something I failed to grasp?

Platform: OpenSuse 15.4
trousers: 0.3.15
tpm-tools 1.3.9.2

```
# tpm_restrictsrk -z -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_TPM_SetStatus failed: 0x00000001 - layer=tpm, code=0001 (1), Authentication failed
Tspi_Context_FreeMemory success
Tspi_Context_Close success
```

Discussion

  • Ken Goldman - 2023-11-01

    I don't know what this command does, but the error message implies a bad authorization value. -z says to use all zeros as the authorization value. Perhaps the authorization value is not all zeros.

    If you use a SW TPM, it will dump internal operations and help you / us debug.

  • Oskar Enoksson - 2023-11-01

    Oops. My mistake. I had the impression that the -z flag to this command would reset the SRK password to all zeros. Not so. tpm_changeownerauth -s -r resets the SRK password. Help text for tpm_restrictsrk as below:

    ```
    Usage: tpm_restrictsrk [options]
            -h, --help
                    Display command usage info.
            -v, --version
                    Display command version info.
            -l, --log [none|error|info|debug]
                    Set logging level.
            -u, --unicode
                    Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes
            -a, --allow
                    Allow SRK read access using SRK auth
            -s, --status
                    Display current status
            -r, --restrict
                    Restrict SRK read to owner only
            -z, --well-known
                    Use 20 bytes of zeros (TSS_WELL_KNOWN_SECRET) as the TPM secret authorization data
    ```

    See also release 1.3.1 text

    Close this bug ticket at will ...

  • Oskar Enoksson - 2023-11-01

    Although ... the command tpm_restrictsrk -a actually seems non-working:

    ```
    # tpm_restrictsrk -a
    Enter owner password:
    # tpm_restrictsrk -s
    Enter owner password:
    Storage Root Key readable with: owner auth
    #
    ```

    I expected the SRK readable without owner auth (with SRK auth) after successful tpm_restrictsrk -a
    My TPM chip is SLB9660:

    ```
    # tpm_version
      TPM 1.2 Version Info:
      Chip Version:        1.2.4.40
      Spec Level:          2
      Errata Revision:     3
      TPM Vendor ID:       IFX
      Vendor Specific data: 04280077 0074706d 3631ffff ff
      TPM Version:         01010000
      Manufacturer Info:   49465800
    ```
    • Ken Goldman - 2023-11-01

      I don't know the implementation of tpm_restrictsrk . It's not a TPM command.

      At a high level, there is a flag readSRKPub which permits an unauthorized read of the SRK. Once clear, it needs owner auth.

      TPM 1.2 is old and obsolete, so you may not get any other responses. If you can use a SW TPM and send me the traces (email), I can see what the command is doing and why it's failing.
