tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

Chromebook cr50: not able to seal secret in nvram #3434

Open tlaurion opened 3 days ago

tlaurion commented 3 days ago

The white rabbit to be followed is why the CR50 TPM refuses to add the TPM DUK nv region into the TPM, which doesn't seem supported on CR50; not sure why:

TRACE: /bin/tpmr(32): main
TRACE: /bin/tpmr(413): tpm2_seal
DEBUG: tpm2_seal: file=/tmp/secret/secret.key handle=0x81000003 pcrl=0,1,2,3,4,5,6,7 pcrf=/tmp/secret/pcrf.bin pass=<hidden>
LOG: tpmr stderr: WARNING:esys:src/tss2-esys/api/Esys_PolicyPassword.c:292:Esys_PolicyPassword_Finish() Received TPM Error 
LOG: tpmr stderr: ERROR:esys:src/tss2-esys/api/Esys_PolicyPassword.c:106:Esys_PolicyPassword() Esys Finish ErrorCode (0x000b0143) 
LOG: tpmr stderr: ERROR: Esys_PolicyPassword(0xB0143) - rmt:error(2.0): command code not supported
LOG: tpmr stderr: ERROR: Could not build policyauthvalue TPM
LOG: tpmr stderr: ERROR: Unable to run policypassword

Originally posted by @tlaurion in https://github.com/linuxboot/heads/issues/1658#issuecomment-2136000413

tlaurion commented 3 days ago

Related ErrorCode (0x000b0143)? https://github.com/tpm2-software/tpm2-tss/issues/1063

tlaurion commented 3 days ago

Maybe cr50 doesn't support specific nvram region secret sealing? https://github.com/MrChromebox/firmware/issues/626

JuergenReppSIT commented 2 days ago

The error message says that the command TPM2_PolicyPassword is not implemented in the Cr50 firmware. With the command tpm2_getcap commands you can list all available commands.

tlaurion commented 1 hour ago

> The error message says that the command TPM2_PolicyPassword is not implemented in the Cr50 firmware.

I wish I had access to a machine with a CR50... Two logs at https://github.com/linuxboot/heads/pull/1658#issuecomment-2136075503: the first one applies the same policy and succeeds. The only difference I see with the second log (which works on a normal TPM2 but not here) is a distinct nvram re-applying the policy (which succeeds on a typical TPM2 for all non-CR50 TPMs under Heads...)

> With the command tpm2_getcap commands you can list all available commands.

@mdrobnak can you post output of the command here?

mdrobnak commented 1 hour ago

Of course - that's an easy one. Ran in Qubes on the Dom0 terminal... It's 693 lines so I'm attaching it.

-Matt

cr50_getcap_commands.txt
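Turning Juergen's suggestion into a repeatable check, as an added example that is not part of this thread or of tpm2-tools: it parses saved `tpm2_getcap commands` output (the YAML layout of tpm2-tools 5.x is assumed; the embedded sample is constructed, not the attached Cr50 dump), reports which commands a seal/unseal flow needs that the TPM does not advertise, and decodes a TSS2 return code such as the 0x000b0143 in the log above.

```python
import re
# TPM 2.0 command codes (TPM_CC constants from Part 2 of the spec).
TPM_CC = {
    "PolicyPassword": 0x18C,   # the command Cr50 rejected in the log above
    "PolicyAuthValue": 0x16B,  # alternative way to bind a policy to the auth value
    "PolicyPCR": 0x17F,
    "Unseal": 0x15E,
    "NV_Write": 0x137,
    "NV_Read": 0x14E,
}
# Assumed tpm2-tools 5.x layout: "TPM2_CC_<Name>:" key, then indented "value: 0x..".
_ENTRY = re.compile(r"^TPM2_CC_(\w+):\s*$")
_VALUE = re.compile(r"^\s+value:\s*(0x[0-9A-Fa-f]+)\s*$")

def parse_getcap_commands(text):
    """Map command name -> code for every entry in `tpm2_getcap commands` output."""
    commands, name = {}, None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            name = m.group(1)
            continue
        m = _VALUE.match(line)
        if m and name is not None:
            commands[name] = int(m.group(1), 16)
            name = None
    return commands

def missing_commands(supported, required=TPM_CC):
    """Names of required commands the TPM does not advertise (matched by code)."""
    codes = set(supported.values())
    return sorted(n for n, c in required.items() if c not in codes)

def decode_tss2_rc(rc):
    """(layer, tpm_rc, unsupported): layer 0xb = tpm2-tss resource-manager TPM layer,
    tpm_rc 0x143 = TPM_RC_COMMAND_CODE, i.e. "command code not supported"."""
    layer, tpm_rc = (rc >> 16) & 0xFF, rc & 0xFFFF
    return layer, tpm_rc, tpm_rc == 0x143

# Constructed sample: a TPM that advertises PolicyAuthValue but not PolicyPassword.
SAMPLE = """\
TPM2_CC_PolicyAuthValue:
  value: 0x16B
TPM2_CC_Unseal:
  value: 0x15E
"""
if __name__ == "__main__":
    print("missing:", missing_commands(parse_getcap_commands(SAMPLE)))
    print("rc 0x000b0143 ->", decode_tss2_rc(0x000B0143))
```

To run it against a real device, feed the file produced by `tpm2_getcap commands > cr50_getcap_commands.txt` to `parse_getcap_commands` instead of `SAMPLE`.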