tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

PCRs can't be read out with HW TPM #119

Closed mchlnix closed 7 years ago

mchlnix commented 7 years ago

Hello,

I'm currently using your tools to test some functionality on my Lenovo Thinkpad x260.

It has a hardware TPM 1.2 with a firmware upgrade to a TPM 2.

Using the `./tpm2_listpcrs` command I get the error message:

```
too much pcrs to get! try to split into multiple calls...
```

Running `./tpm2_listpcrs -L` gives:

```
Supported Bank/Algorithm: TPM_ALG_SHA1(0x0004) TPM_ALG_SHA256(0x000b)
```

If I run `./tpm2_listpcrs -g 0x0004` it works and shows me PCRs 0-23.

If I run `./tpm2_listpcrs -g 0x000b` or `./tpm2_listpcrs -g 0x000b:0`, however, I get the same error message as I did above. That there are too much (many?) PCRs to get.

Is that a bug or a problem on my side?

If more information on my HW TPM or configuration is needed, I'll be happy to provide it.

edonyzpc commented 7 years ago

Did you upgrade your TPM2.0-TSS to 1.0? I got the same problem when my TPM2.0-TSS is 1.0_beta and tpm2.0-tools is 1.0.

mchlnix commented 7 years ago

I just pulled both repos yesterday. Will update with the version numbers in a minute.

EDIT: The tpm-tools say they're v1.10. But they're pretty much both on the level of the master.

Using the release versions might fix my problem.

edonyzpc commented 7 years ago

yeah, I am using the latest release version 1.0 both of TSS and tpm2.0-tools. Did this work for you?

mchlnix commented 7 years ago

I'm not that fast :smile:

Have to go to a meeting, will check back when I've had time to try it out. :)

mchlnix commented 7 years ago

It had the same result unfortunately. The command ./tpm2_listpcrs -L 0x000b:1 fails with error code 247.

I used TSS release version 1.0 and tools release version 1.1.0.

I've added some printk's to the tpm_crb kernel module.

Here is what it was sending to the TPM and what it received from it: http://pastebin.com/eRs6bWeC

williamcroberts commented 7 years ago

For some reason it's hardcoded to a max of 24:

```c
static bool read_pcr_values(listpcr_context *context) {

    TPML_PCR_SELECTION pcr_selection_tmp;
    TPML_PCR_SELECTION pcr_selection_out;
    UINT32 pcr_update_counter;

    //1. prepare pcrSelectionIn with g_pcrSelections
    memcpy(&pcr_selection_tmp, &context->pcr_selections, sizeof(pcr_selection_tmp));

    //2. call pcr_read
    context->pcrs.count = 0;
    do {
        UINT32 rval = Tss2_Sys_PCR_Read(context->sapi_context, 0, &pcr_selection_tmp,
                &pcr_update_counter, &pcr_selection_out,
                &context->pcrs.pcr_values[context->pcrs.count], 0);

        if (rval != TPM_RC_SUCCESS) {
            LOG_ERR("read pcr failed. tpm error 0x%0x", rval);
            return false;
        }

        //3. unmask pcrSelectionOut bits from pcrSelectionIn
        update_pcr_selections(&pcr_selection_tmp, &pcr_selection_out);

        //4. goto step 2 if pcrSelectionIn still has bits set
    } while (++context->pcrs.count < 24 && !unset_pcr_sections(&pcr_selection_tmp));

    if (context->pcrs.count >= 24 && !unset_pcr_sections(&pcr_selection_tmp)) {
        LOG_ERR("too much pcrs to get! try to split into multiple calls...");
        return false;
    }

    return true;
}
```

I am not sure why the magic number 24 was chosen, let me try arbitrarily upping that...

williamcroberts commented 7 years ago

24 seems to be some magic number as defined by `#define IMPLEMENTATION_PCR 24 /* the number of PCR in the TPM */`, so it appears that there should never be more than 24... but I am new and trying to figure this out as well.

As far as -g 0x000b:0 is concerned, that will properly error out now, the -g is the algorithm specifier, so that should be a number understood by strtoul("0x00b", 0);

Can you try off of the current tip of master to see if you can reproduce? I don't have hardware :-1:

williamcroberts commented 7 years ago

I wonder if it has to do with checking if there are still bits set in the array. Can you try building the PR https://github.com/01org/tpm2.0-tools/pull/240 and see if that error outputs?

mchlnix commented 7 years ago

Point 3.6 of the PC Client TPM Interface Specification Version 1.3; Revision 27 says:

3.6 Number of PCRs
------------------

A conformant TPM MUST provide a minimum of 24 PCRs.

If a TPM is implemented with more than 24 PCRs, the attributes of the additional PCRs 
are not defined by this specification.

That's probably the origin of the magic number.

I will try some time next week.

mchlnix commented 7 years ago

Sorry for the wait.

I got around to testing your branch "119" with the pull request and got the following output:

```
ERROR: bit 1 in pcrSelection array index 0 found!
ERROR: bit 2 in pcrSelection array index 0 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: bit 0 in pcrSelection array index 1 found!
ERROR: too much pcrs to get! try to split into multiple calls...
```

idesai commented 7 years ago

hmm... I do not see the issue where pcrs are not dumped with my setup with the simulator, the tpm2_listpcrs dumps all banks. Note they are expected to have the (uninitiated values) since nothing is being extended. Attached is my output. tpm2_listpcrs.txt

williamcroberts commented 7 years ago

@idesai the bug as reported is when there are more than 24 banks (0-23). As @mchlnix states, the spec allows for more than 24 banks.

The tool needs to be smarter to ensure that it can set and retrieve arbitrary numbers of banks. The code is pretty awful, so someone will have to invest the time to figure out how best to achieve that.

idesai commented 7 years ago

Ah! Sorry, I misread. Yes. We can read the number of supported PCR from fixed-properties capability structure. On the sim it is: TPM_PT_PCR_COUNT: 0x00000018.

williamcroberts commented 7 years ago

This actually might be a limitation in the SAPI.

When we call `Tss2_Sys_PCR_Read()` we provide the PCR Selection array via: `TPML_PCR_SELECTION *pcrSelectionIn;`

This is defined as:

```c
typedef struct {
    UINT32 count; /* number of selection structures. A value of zero is allowed. */
    TPMS_PCR_SELECTION pcrSelections[HASH_COUNT]; /* list of selections */
} TPML_PCR_SELECTION;
```

Where HASH_COUNT is 5.

From there, the TPMS_PCR_SELECTION structure is:

```c
typedef struct {
    TPMI_ALG_HASH hash; /* the hash algorithm associated with the selection */
    UINT8 sizeofSelect; /* the size in octets of the pcrSelect array */
    BYTE pcrSelect[PCR_SELECT_MAX]; /* the bit map of selected PCR */
} TPMS_PCR_SELECTION;
```

Where PCR_SELECT_MAX is 3. So we have 3 bytes in that array so we can only fit 24 pcr selection values.

I think this may need to be assigned as a bug to TSS tools project. @idesai @gwei3 @flihp do you guys agree or am I missing something here?

idesai commented 7 years ago

I concur. Additionally, the tools will need to read the capability structure for the supported number of PCRs.

williamcroberts commented 7 years ago

This seems to be fixed in the referenced PRs and the newest PR #295
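An added example, not code from this thread or from tpm2-tools: a read loop over the 3-byte selection bitmap quoted earlier that stops as soon as a call returns no PCRs, instead of retrying the same request up to a fixed count of 24 as the debug output above shows. `pcr_sel`, `mock_pcr_read`, `read_all_pcrs`, the allocation masks and the mock's limit of 8 digests per call are assumptions made for the illustration; no real TPM or TSS call is involved.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PCR_SELECT_MAX   3   /* value quoted in the thread: 3 bytes = 24 PCR bits */
#define DIGESTS_PER_READ 8   /* a TPML_DIGEST holds at most 8 digests per response */

typedef struct { uint8_t pcrSelect[PCR_SELECT_MAX]; } pcr_sel;  /* one bank's bitmap */
static pcr_sel last_unread;  /* request bits the mock TPM never returned */

/* Constructed mock of one PCR read: returns up to 8 requested PCRs that are allocated. */
static pcr_sel mock_pcr_read(const pcr_sel *allocated, const pcr_sel *in) {
    pcr_sel out = {{0}};
    for (int pcr = 0, n = 0; pcr < PCR_SELECT_MAX * 8 && n < DIGESTS_PER_READ; pcr++) {
        uint8_t bit = (uint8_t)(1u << (pcr % 8));
        if (in->pcrSelect[pcr / 8] & allocated->pcrSelect[pcr / 8] & bit) {
            out.pcrSelect[pcr / 8] |= bit;
            n++;
        }
    }
    return out;
}

static bool sel_empty(const pcr_sel *s) {
    return (s->pcrSelect[0] | s->pcrSelect[1] | s->pcrSelect[2]) == 0;
}

/* Returns the number of read calls made; leftover request bits go to last_unread. */
static int read_all_pcrs(pcr_sel allocated, pcr_sel want) {
    int calls = 0;
    while (!sel_empty(&want)) {
        pcr_sel got = mock_pcr_read(&allocated, &want);
        calls++;
        if (sel_empty(&got))   /* no progress: report it instead of retrying */
            break;
        for (int i = 0; i < PCR_SELECT_MAX; i++)   /* unmask what was returned */
            want.pcrSelect[i] &= (uint8_t)~got.pcrSelect[i];
    }
    last_unread = want;
    return calls;
}

int main(void) {
    pcr_sel all = {{0xff, 0xff, 0xff}}, low8 = {{0xff, 0x00, 0x00}};  /* constructed masks */
    int full = read_all_pcrs(all, all), part = read_all_pcrs(low8, all);
    printf("full bank: %d calls; PCR 0-7 only: %d calls, unread %02x %02x %02x\n", full,
           part, last_unread.pcrSelect[0], last_unread.pcrSelect[1], last_unread.pcrSelect[2]);
    return 0;
}
```

With the second constructed mask the loop ends after two calls and `last_unread` names PCRs 8-23, so the caller can say which PCRs were not returned rather than printing a generic "too much pcrs" error.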