Dasharo / open-source-firmware-validation

OSFV infrastructure with automated tests and scripts for managing test results
Apache License 2.0

`TPMCMD007.002 CREATELOADED Function (Ubuntu 22.04)` doesn't work on VP4650 #217

Open Psotas opened 4 months ago

Psotas commented 4 months ago

Device

VP4650

RTE version

Dasharo v1.2.0

Affected component(s) or functionality

No response

Brief summary

TPMCMD007.002 CREATELOADED Function (Ubuntu 22.04) doesn't work on VP4650

How reproducible

No response

How to reproduce

Run TPMCMD007.002 CREATELOADED Function (Ubuntu 22.04)

Expected behavior

Test PASS

Actual behavior

rm -f primary.ctx obj.key Return:

WARNING:esys:src/tss2-esys/api/Esys_CreateLoaded.c:368:Esys_CreateLoaded_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)
ERROR: Esys_CreateLoaded(0xB0143) - rmt:error(2.0): command code not supported
ERROR: Unable to run tpm2_create

Link to screenshots or logs

dasharo-security_log.zip

Additional context

No response

Solutions you've tried

No response
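The code `0x000b0143` in the log above packs a TSS layer number and a TPM 2.0 response code into one value. The decoder below is an added example, not part of the issue or of the OSFV repository; the function names are hypothetical and the name tables are deliberately partial.

```python
import re

# Partial tables: layer names as tpm2-tss prints them, and a few TPM 2.0
# format-zero response codes from the TPM Library specification.
LAYERS = {0: "tpm", 10: "tcti", 11: "rmt", 12: "rm"}
FMT0_NAMES = {
    0x100: "TPM_RC_INITIALIZE",
    0x101: "TPM_RC_FAILURE",
    0x120: "TPM_RC_DISABLED",
    0x143: "TPM_RC_COMMAND_CODE",   # "command code not supported"
    0x921: "TPM_RC_LOCKOUT",
    0x922: "TPM_RC_RETRY",
}

def decode_tss2_rc(rc):
    """Split a 32-bit TSS2_RC into its layer and TPM response-code fields."""
    layer, code = (rc >> 16) & 0xFF, rc & 0xFFFF
    out = {"layer": LAYERS.get(layer, f"layer-{layer}"), "code": code}
    if layer not in (0, 11):          # only TPM-format codes are decoded here
        out["format"] = None
    elif code & 0x080:                # F bit set: format one
        out["format"] = 1
        out["error"] = code & 0x03F
        n = (code >> 8) & 0xF
        if code & 0x040:              # P bit: error is in parameter N
            out["subject"] = ("parameter", n)
        else:                         # bit 11 picks session vs. handle
            out["subject"] = ("session" if n & 0x8 else "handle", n & 0x7)
    else:                             # format zero: not tied to an argument
        out["format"] = 0
        out["tpm20"] = bool(code & 0x100)      # V bit
        out["vendor"] = bool(code & 0x400)     # T bit
        out["warning"] = bool(code & 0x800)    # S bit
        out["name"] = FMT0_NAMES.get(code & 0xFFF, "unknown")
    return out

def decode_log_line(line):
    """Decode the first parenthesised hex code in a tpm2-tools log line."""
    m = re.search(r"\(0x([0-9a-fA-F]+)\)", line)
    return decode_tss2_rc(int(m.group(1), 16)) if m else None

# Lines quoted from the issue above.
LOG = [
    "ERROR:esys:src/tss2-esys/api/Esys_CreateLoaded.c:129:Esys_CreateLoaded() Esys Finish ErrorCode (0x000b0143)",
    "ERROR: Esys_CreateLoaded(0xB0143) - rmt:error(2.0): command code not supported",
]

if __name__ == "__main__":
    for line in LOG:
        print(decode_log_line(line))
```

Both log lines decode to layer `rmt` and `TPM_RC_COMMAND_CODE` with the warning bit clear, so the TPM itself rejected the command rather than the TSS or the test environment.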

macpijan commented 4 months ago

@krystian-hebel Should this function work on any TPM, or may it simply not be supported?

In other words, can you suggest whether it may be:

krystian-hebel commented 4 months ago

TPM2_CreateLoaded is a mandatory function according to the current TCG PC Client Platform TPM Profile Specification for TPM 2.0, revision 1.05. In fact, it has been mandatory since 1.03. 0.43 is the latest publicly available revision that doesn't list this function.

If the TPM claims it is compliant with any 1.x revision of the specification, it is an issue with the TPM, but I don't see any compatibility claims for TPM 2.0 update on Infineon's page for this TPM.

macpijan commented 4 months ago

@krystian-hebel In OS it says it is this one: https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/slb-9665tt2.0/

            X509v3 Subject Alternative Name: critical
                DirName:/2.23.133.2.1=id:49465800/2.23.133.2.2=SLB 9665/2.23.133.2.3=id:053E

They are pin-compatible, so maybe the main difference is which firmware is preloaded? This one says: Compliant to TPM 2.0 Rev. 01.16.

krystian-hebel commented 4 months ago

There are many different TPM documents; TPM 2.0 Rev. 01.16 applies to the TPM Library specification. In this revision there is indeed no CreateLoaded, but this revision is from October 30, 2014; it's almost 10 years old. This is roughly the same point in time as PC Client 0.43 from my previous comment. This is older than I thought, then again the first revisions of the spreadsheet are even older (from https://www.infineon.com/dgdl/Infineon-data-sheet-SLB9665_2.0_Rev1.2-DS-v01_02-EN.pdf):

I still think that we should keep this test and report an error. Not every TPM is perfectly compliant with the latest revision of specification and that's fine, but we should somehow reward those that are.

pkubaj commented 3 months ago

Same issues on 4670 and 4630.

mkopec commented 3 months ago

Same issue on apu6.

filipleple commented 3 months ago

also occurs on VP2420, https://github.com/Dasharo/dasharo-issues/issues/782

EDIT: resolved, no longer occurs on VP2420

macpijan commented 2 months ago

So this test is not on the test env, it is a hardware module problem. It should be moved to dasharo-issues.

macpijan commented 13 hours ago

@BeataZdunczyk let's verify if it is in dasharo-issues, if not - let's move it