HyperEnclave / hyperenclave

An Open and Cross-platform Trusted Execution Environment.
Apache License 2.0

It shows 'TPM: no cert_nv found, Fail to verify PCR digest' when running the RA demo on the hardware TPM. #26

Closed bronzeMe closed 5 days ago

bronzeMe commented 4 weeks ago

We encountered the error 'no cert_nv found' while testing the RA DEMO program on the ZTE physical TPM. Since the source code of libtpm.a is not open, we are temporarily unable to identify the exact cause of the issue. We speculate that the nv index of the ak_cert might be hard-coded, and the different nv indexes of TPMs from different manufacturers could be causing this error.

TPM: ZTE hardware TPM

dmesg|grep -i tpm
[    0.000000] efi:  ACPI=0x700b3000  ACPI 2.0=0x700b3014  TPMFinalLog=0x70082000  SMBIOS=0x76ca6000  SMBIOS 3.0=0x76ca5000  ESRT=0x6404d998  TPMEventLog=0x5e622018
[    0.012088] ACPI: TPM2 0x000000006C5E0000 00004C (v04 ALASKA A M I    00000001 AMI  00000000)
[   15.422343] tpm_tis MSFT0101:00: IRQ index 0 not found
[   15.428448] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x501, rev-id 33)

HyperEnclave start up log:

[  317.680861] hyper_enclave: loading out-of-tree module taints kernel.
[  317.680936] hyper_enclave: module verification failed: signature and/or required key missing - tainting kernel
[  317.688080] HE: cpu_vendor_detect: 39. Vendor ID: GenuineIntel
[  317.696911] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x0000000000000000 -> 0x000000000003e000], type: System RAM
[  317.696913] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x000000000003e000 -> 0x000000000003f000], type: Reserved
[  317.696913] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x000000000003f000 -> 0x00000000000a0000], type: System RAM
[  317.696914] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x00000000000a0000 -> 0x0000000000100000], type: Reserved
[  317.696914] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x0000000000100000 -> 0x0000000069fdf000], type: System RAM
[  317.696915] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x0000000069fdf000 -> 0x000000006c0df000], type: Reserved
[  317.696915] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x000000006c0df000 -> 0x000000006c9df000], type: ACPI Tables
[  317.696916] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x000000006c9df000 -> 0x0000000070277000], type: ACPI Non-volatile Storage
[  317.696917] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x0000000070277000 -> 0x00000000777ff000], type: Reserved
[  317.696917] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x00000000777ff000 -> 0x0000000077800000], type: System RAM
[  317.696917] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x0000000077800000 -> 0x0000000090000000], type: Reserved
[  317.696918] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x00000000fe010000 -> 0x00000000fe011000], type: Reserved
[  317.696918] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x00000000ff000000 -> 0x0000000100000000], type: Reserved
[  317.696919] HE: get_convertible_memory: 136. BIOS E820 table from firmware: [0x0000000100000000 -> 0x0000008080000000], type: System RAM
[  317.696920] HE: get_convertible_memory: 213. Convertible Memory[ 0]: 0x0000000000000000 -> 0x000000000003e000
[  317.696921] HE: get_convertible_memory: 213. Convertible Memory[ 1]: 0x000000000003f000 -> 0x00000000000a0000
[  317.696921] HE: get_convertible_memory: 213. Convertible Memory[ 2]: 0x0000000000100000 -> 0x0000000069fdf000
[  317.696922] HE: get_convertible_memory: 213. Convertible Memory[ 3]: 0x00000000777ff000 -> 0x0000000077800000
[  317.696922] HE: get_convertible_memory: 213. Convertible Memory[ 4]: 0x0000000100000000 -> 0x0000008080000000
[  317.696923] HE: get_convertible_memory: 218. Convertible Memory size: 0x7fe9f7f000
[  317.696923] HE: get_valid_rsrv_mem: 285. Reserved Memory[ 0]: 0x100000000 -> 0x900000000
[  317.696924] HE: get_valid_rsrv_mem: 290. Reserved Memory size: 0x800000000
[  317.696936] HE: mem_test: 48. Memory[0x100000000 - 0x300000000] test begin
[  320.502063] HE: mem_test: 78. Memory[0x100000000 - 0x300000000] test pass
[  320.502069] HE: mem_test: 48. Memory[0x300000000 - 0x500000000] test begin
[  325.160164] HE: mem_test: 78. Memory[0x300000000 - 0x500000000] test pass
[  325.160176] HE: mem_test: 48. Memory[0x500000000 - 0x700000000] test begin
[  329.435651] HE: mem_test: 78. Memory[0x500000000 - 0x700000000] test pass
[  329.435664] HE: mem_test: 48. Memory[0x700000000 - 0x900000000] test begin
[  335.166738] HE: mem_test: 78. Memory[0x700000000 - 0x900000000] test pass
[  335.220299] HE: get_hv_heap_size: 375. Hypervisor heap size: 0xbf800000
[  335.220300] HE: get_hv_cmrm_size: 387. Hypervisor cmrm size: 0xc0c00000
[  335.220301] HE: get_hv_frame_size: 400. Hypervisor frame size: 0x3fc00000
[  335.220301] HE: get_hypervisor_size: 413. Hv_core_and_percpu_size: 0x76f1000, Hypervisor size: 0x200000000
[  335.220302] HE: he_cmd_enable: 302. hypervisor size: 0x200000000
[  335.857650] HE: he_cmd_enable: 352. config_size: 2500
[  336.018157] HE: add_epc_pages: 43. total_epc_pages: 0x600000, free_epc_pages: 0x600000
[  336.018159] HE: init_enclave_page: 317. epc ranges: [0x300000000-0x900000000], 0x600000000
[  336.018160] HE: init_enclave_page: 333. Initialized EPC ranges size: 0x600000000
[  336.018161] HE: he_cmd_enable: 383. config_header load_addr: 0xffffff00076f1000
[  336.018231] HE: he_cmd_enable: 404. mem_region load_addr: 0xffffff00076f1124
[  336.018236] HE: __inspect_tpm: 58. using hardware tpm
[  336.018237] HE: he_cmd_enable: 411. tpm mmio type=0,size=5000 pa=fed40000
[  336.062249] extended to PCR 12: 2b 90 ce 44 71 f8 95 ef 1a e4 66 bb e8 26 91 c8
[  336.062250] extended to PCR 12: 9a b2 31 73 f2 56 58 ac ce cb e2 a4 ea eb 4b f1
[  336.066872] HE: __extend_pcr: 197. tpm_pcr_extend result=0
[  339.319270] HE: init_cmrm: 448. Initialize [0x0 -> 0x1000000000]'s CMRM
[  339.910980] HE: init_cmrm: 448. Initialize [0x1000000000 -> 0x2000000000]'s CMRM
[  340.502383] HE: init_cmrm: 448. Initialize [0x2000000000 -> 0x3000000000]'s CMRM
[  341.093540] HE: init_cmrm: 448. Initialize [0x3000000000 -> 0x4000000000]'s CMRM
[  341.684120] HE: init_cmrm: 448. Initialize [0x4000000000 -> 0x5000000000]'s CMRM
[  342.276030] HE: init_cmrm: 448. Initialize [0x5000000000 -> 0x6000000000]'s CMRM
[  342.867889] HE: init_cmrm: 448. Initialize [0x6000000000 -> 0x7000000000]'s CMRM
[  343.459638] HE: init_cmrm: 448. Initialize [0x7000000000 -> 0x8000000000]'s CMRM
[  343.477653] HE: init_cmrm: 448. Initialize [0x8000000000 -> 0x8080000000]'s CMRM
[  343.477849] HE: he_cmd_enable: 483. The hyperenclave is opening.
[  353.509304] [0] Activating hypervisor on CPU 0...
[  353.509306] [1] Activating hypervisor on CPU 1...
[  353.509308] [2] Activating hypervisor on CPU 2...
[  353.509309] [3] Activating hypervisor on CPU 3...
[  353.509311] [4] Activating hypervisor on CPU 4...
[  353.509313] [5] Activating hypervisor on CPU 5...
[  353.509314] [6] Activating hypervisor on CPU 6...
[  353.509316] [7] Activating hypervisor on CPU 7...
[  353.509317] [8] Activating hypervisor on CPU 8...
[  353.509319] [9] Activating hypervisor on CPU 9...
[  353.509320] [10] Activating hypervisor on CPU 10...
[  353.509322] [11] Activating hypervisor on CPU 11...
[  353.509323] [12] Activating hypervisor on CPU 12...
[  353.509325] [13] Activating hypervisor on CPU 13...
[  353.509326] [14] Init HHBox log feature ok
[  353.509327] [14] Init HHBox crash feature ok
[  353.509327] [14] tpm_detect starting....
[  353.509328] [14] TPM: FIFO_INF Locality 0 is open
[  353.509329] [14] TPM: discrete TPM2.0 Family
[  353.509329] [14] ti->sig_scheme :0x1b
[  353.509330] [14] ti->cur_alg :0x12
[  353.509331] [14] hash banks:  :0x3
[  353.509331] [14] hash alg supported:  :0x4
[  353.509332] [14] hash alg supported:  :0xb
[  353.509333] [14] hash alg supported:  :0x12
[  353.509334] [14] nv_read_sealed size= :0x674
[  353.509334] [14] TPM: Unseal return value = :0x99d
[  353.509335] [14] TPM:tpm20_unseal failed
[  353.509336] [14] TPM: failed to unseal secret from tpm nv. Hypervisor will reinitialize....
[  353.509337] [14] creating primary sealing key....
[  353.509338] [14] primary key is persisted to  :0x81000002
[  353.509338] [14] creating primary signing key....
[  353.509339] [14] AK public_area
[  353.509341] [14] 00230012000500F200asfsadfsdffaE0C083824A5D551DA71512EB5C2EBDC00209F27C0087D92B824D504626C2B51E3FA955ABF0DC66A741EC7078750AE96BED4
[  353.509342] [14] size= :0x78
[  353.509343] [14] primary key is persisted to  :0x81000001
[  353.509343] [14] TPM: tpm signing key pub x
[  353.509344] [14] 7A1E62FDF27sadfsdafasdfasdf551DA71512EB5C2EBDC
[  353.509345] [14] size= :0x20
[  353.509346] [14] TPM: tpm signing key pub y
[  353.509346] [14] 9F27C0087D9dfasdfasBF0DC66A741EC7078750AE96BED4
[  353.509347] [14] size= :0x20
[  353.509348] [14] TPM: tpm signing key name
[  353.509349] [14] 0012BD1CD6FC7Bsfsadfasd63C5380F7D7A3892EC1840B0AE9AE315
[  353.509349] [14] size= :0x22
[  353.509350] [14] creating primary endorsement key....
[  353.509351] [14] primary key is persisted to  :0x81000003
[  353.509352] [14] TPM: tpm endorsement key pub x
[  353.509353] [14] 99455E829FE3E4sadfsdfaA90B6FB03B904FE4013F515DE37EB
[  353.509354] [14] size= :0x20
[  353.509354] [14] TPM: tpm endorsement key pub y
[  353.509355] [14] C361D96D126412E8ssssd9686209ADB191A899395C8DA
[  353.509356] [14] size= :0x20
[  353.509357] [14] TPM: secret is sealed size= :0x674
[  353.509358] [14] TPM: root secret is generated and sealed
[  353.509359] [14] TPM: hypervisor AK pub x=
[  353.509360] [14] 1846845B0044B6D6ssssss2BE6738B209E1384E4EC70DA
[  353.509360] [14] size= :0x20
[  353.509361] [14] TPM: hypervisor AK pub y=
[  353.509362] [14] 31CF54A51C87FD7CF9sssssAD945CF
[  353.509362] [14] size= :0x20
[  353.509363] [14] TPM: hash of he_ak_pub extended to PCR 13:
[  353.509364] [14] E559AA2F67A94691D1D43329315670F5D0E1BECEB2EFD2A86105147D11F56903
[  353.509365] [14] size= :0x20
[  353.509365] [14] HyperEnclave: root of trust initialized!

Run the RA demo:

}
[verify_attest_sig /root/linux-sgx/sdk/hyper/quote_verify_hyper/quote_verify.cpp:257] Error: Fail to verify signature
[sgx_verify_quote /root/linux-sgx/sdk/hyper/quote_verify_hyper/quote_verify.cpp:377] Error: Fail to verify signature in TPM quote

Error, call sp_ra_proc_msg3_req fail [ra_network_send_receive].Error, sgx_verify_quote fail in 0x[0021].
Error, sending msg3 failed [main].
Call enclave_ra_close success.root@test:~/hyperenclave_demos/RemoteAttestation#

Detailed errors log "TPM: no cert_nv found":

[  891.969891] HE: print_stats: 94.     EWB page cnt: 0(0M), ELDU page cnt: 0(0M)
[  892.899385] HE: he_cmd_encl_create: 226. encl: 0xffff945dd4802000
[  892.899388] HE: he_cmd_encl_create: 259. encl: 0xffff945dd4802000, encl.start_gva=0x7fe0ead54000, encl_size: 0x400000
[  892.911211] HE: print_stats: 87. encl 0xffff945dd4802000 stats:
[  892.911212] HE: print_stats: 88.     elapsed time: 0(s)
[  892.911212] HE: print_stats: 94.     EWB page cnt: 0(0M), ELDU page cnt: 0(0M)
[  896.000072] HE: shared_memory_destroy: 327. mmu_notifier_unregister
[  896.000276] HE: he_encl_cleanup: 966. nr_free_epc_page: 0x600000, encl: 0xffff945dd4802000
[  896.000277] HE: print_stats: 87. encl 0xffff945dd4802000 stats:
[  896.000277] HE: print_stats: 88.     elapsed time: 3(s)
[  896.000278] HE: print_stats: 94.     EWB page cnt: 0(0M), ELDU page cnt: 0(0M)
[  896.000379] HE: he_cmd_encl_create: 226. encl: 0xffff945dd4802000
[  896.000382] HE: he_cmd_encl_create: 259. encl: 0xffff945dd4802000, encl.start_gva=0x7fe0ead54000, encl_size: 0x400000
[  896.012317] HE: print_stats: 87. encl 0xffff945dd4802000 stats:
[  896.012318] HE: print_stats: 88.     elapsed time: 0(s)
[  896.012319] HE: print_stats: 94.     EWB page cnt: 0(0M), ELDU page cnt: 0(0M)
[  896.297285] [55] TPM: tpm quote user_data=
[  896.297287] [55] 481564B1B06E38BD1EB2D309C5DF040ABEC7EDD4880A18393697109B1FA2B94D
[  896.297288] [55] size= :0x20
[  896.297288] [55] TPM: tpm quote attest data:
[  896.297291] [55] FF544347801800220012A10592C8FC0C0EE9E40AEC04B6100110F8C933187157202791B9AF8B3CA6D0D500220012481564B1B06E38BD1EB2D309C5DF040ABEC7EDD4880A18393697109B1FA2B94D00000000000FDF0F3B35F430E0B58C8C01A6A7A77C6F5882B200000001001203FF33000020801DDAEF902EA6D970FC8B39916B3F1EF8C17628543B07720E5AC20EAD129E34
[  896.297292] [55] size= :0x93
[  896.297293] [55] TPM: no cert_nv found

[  896.297294] [55] HyperEnclave: no platform cert
[  896.297295] [55] quote len =775 sig_len = 339
[  896.297330] [112] TPM: tpm quote user_data=
[  896.297331] [112] F45D4AE62C1F4EC5DC802DEDBF48F4D8D4EF8A815B4C3CEF59BD8127B84BEF2A
[  896.297332] [112] size= :0x20
[  896.297333] [112] TPM: tpm quote attest data:
[  896.297335] [112] FF544347801800220012A10592C8FC0C0EE9E40AEC04B6100110F8C933187157202791B9AF8B3CA6D0D500220012F45D4AE62C1F4EC5DC802DEDBF48F4D8D4EF8A815B4C3CEF59BD8127B84BEF2A00000000000FC25D3B35F430E0B58C8C01A6A7A77C6F5882B200000001001203FF33000020801DDAEF902EA6D970FC8B39916B3F1EF8C17628543B07720E5AC20EAD129E34
[  896.297336] [112] size= :0x93
[  896.297337] [112] TPM: no cert_nv found

[  896.297338] [112] HyperEnclave: no platform cert
[  896.297339] [112] quote len =775 sig_len = 339
[  896.297339] [112] TPM: tpm quote user_data=
[  896.297340] [112] B91BFE06077D328A62E66033ED01865D906AE4F30EC61DC05A146543F8724B33
[  896.297341] [112] size= :0x20
[  896.297342] [112] TPM: tpm quote attest data:
[  896.297344] [112] FF544347801800220012A10592C8FC0C0EE9E40AEC04B6100110F8C933187157202791B9AF8B3CA6D0D500220012B91BFE06077D328A62E66033ED01865D906AE4F30EC61DC05A146543F8724B3300000000000FCED73B35F430E0B58C8C01A6A7A77C6F5882B200000001001203FF33000020801DDAEF902EA6D970FC8B39916B3F1EF8C17628543B07720E5AC20EAD129E34
[  896.297345] [112] size= :0x93
[  896.297345] [112] TPM: no cert_nv found

Error, call sp_ra_proc_msg3_req fail [ra_network_send_receive].Error, sgx_verify_quote fail in 0x[0019].

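For context on what the verifier is handed before `Fail to verify signature in TPM quote`, here is an added example (not part of the issue or of HyperEnclave) that parses the first `tpm quote attest data` blob above as a TPM 2.0 TPMS_ATTEST structure. The algorithm ids come from the TCG registry (0x0012 is SM3_256 and 0x001B is SM2, matching `cur_alg` and `sig_scheme` in the boot log); reading extraData as 0x0012 followed by user_data is an observation from this log, not a spec rule.

```python
import struct

TPM_GENERATED_VALUE = 0xFF544347   # TPMS_ATTEST.magic, proves a TPM produced the blob
TPM_ST_ATTEST_QUOTE = 0x8018       # TPMS_ATTEST.type for TPM2_Quote
ALG_NAMES = {0x0004: "SHA1", 0x000B: "SHA256", 0x0012: "SM3_256", 0x001B: "SM2"}  # TCG ids seen in the log

# Constructed input: user_data and attest data copied from the first quote in the log above.
USER_DATA = bytes.fromhex("481564B1B06E38BD1EB2D309C5DF040ABEC7EDD4880A18393697109B1FA2B94D")
ATTEST_HEX = ("FF544347801800220012A10592C8FC0C0EE9E40AEC04B6100110F8C933187157202791B9AF8B3CA6D0D5"
              "00220012481564B1B06E38BD1EB2D309C5DF040ABEC7EDD4880A18393697109B1FA2B94D"
              "00000000000FDF0F3B35F430E0B58C8C01A6A7A77C6F5882B2"
              "00000001001203FF33000020801DDAEF902EA6D970FC8B39916B3F1EF8C17628543B07720E5AC20EAD129E34")

def _tpm2b(buf, off):
    """Read a TPM2B field (big-endian uint16 size, then bytes); return (payload, next offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + size], off + 2 + size

def parse_attest(buf):
    """Parse a TPMS_ATTEST carrying a TPMS_QUOTE_INFO (TPM 2.0 Library Part 2, section 10.12)."""
    magic, typ = struct.unpack_from(">IH", buf, 0)
    if magic != TPM_GENERATED_VALUE or typ != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    signer, off = _tpm2b(buf, 6)        # qualifiedSigner: TPM2B_NAME = hash alg id || digest of the AK
    extra, off = _tpm2b(buf, off)       # extraData: caller-supplied qualifying data (the nonce)
    clock, reset, restart, safe = struct.unpack_from(">QIIB", buf, off)  # TPMS_CLOCK_INFO
    off += 17
    firmware = buf[off:off + 8]         # firmwareVersion (vendor-specific encoding)
    off += 8
    (count,) = struct.unpack_from(">I", buf, off)   # TPML_PCR_SELECTION.count
    off += 4
    selection = []
    for _ in range(count):
        alg, nsel = struct.unpack_from(">HB", buf, off)
        bits = buf[off + 3:off + 3 + nsel]
        off += 3 + nsel
        # bit n of byte i selects PCR 8*i + n
        selection.append((alg, [8 * i + n for i, byte in enumerate(bits) for n in range(8) if byte >> n & 1]))
    digest, off = _tpm2b(buf, off)      # pcrDigest: hash of the selected PCR values
    if off != len(buf):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"signer_alg": struct.unpack(">H", signer[:2])[0], "signer_name": signer[2:].hex(),
            "extra_data": extra, "clock_ms": clock, "reset_count": reset, "restart_count": restart,
            "safe": safe, "firmware": firmware.hex(), "pcr_selection": selection, "pcr_digest": digest.hex()}

def quote_binds(attest, user_data):
    """In this log extraData is a 2-byte alg id (0x0012) followed by user_data (observed, not a spec rule)."""
    extra = attest["extra_data"]
    return len(extra) == 2 + len(user_data) and extra[2:] == user_data
```

The blob parses cleanly, its extraData binds the logged user_data, and the selected PCRs (0-9, 12, 13) include the PCR 12 and 13 extensions from the boot log; what the verifier still lacks is the AK certificate that `no cert_nv found` reports missing from NV.
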
Bonjourz commented 5 days ago

Hi @bronzeMe ,

This repository has been moved to a new location: https://github.com/asterinas/hyperenclave, and will be archived later.

If this issue still has not been solved, please copy it there: https://github.com/asterinas/hyperenclave/issues, and have a discussion.