tpm2-software / tpm2-tss

OSS implementation of the TCG TPM2 Software Stack (TSS2)
https://tpm2-software.github.io
BSD 2-Clause "Simplified" License

Running TPM2.0-TSS on Intel's NUC (NUC5i3MYHE) #354

Closed danglus closed 7 years ago

danglus commented 7 years ago

Hi, I'm trying to use the TPM2.0-TSS on an Intel NUC that has a TPM (http://www.intel.com/content/www/us/en/nuc/nuc-kit-nuc5i3myhe-board-nuc5i3mybe.html). The NUC is running Ubuntu.

Anyway, after installing a few missing packages, I managed to make the library.

Unfortunately, the test/tpmclient doesn't pass:

    passing case:   PASSED!
    failing case:   PASSED!

    RM ZERO SIZED RESPONSE TEST: failing case: FAILED! Ret code s/b: a000a, but was: 1d5


And I'm also getting fatal errors with tpm2_tools. For example:

    root@optn36:~/tpm/tpm2.0-tools/test# tpm2_createprimary -A e -g 0x000B -G 0x0001 -C context.p_B1
    nameAlg = 0x000b
    type = 0x0001
    contextFile = context.p_B1
    Resource Mgr, resMgr, failed initialization: 0x1. Exiting...
    root@optn36:~/tpm/tpm2.0-tools/test# tpm2_createprimary -A e -g 0x000B -G 0x0001 -C context.p_B1
    nameAlg = 0x000b
    type = 0x0001
    contextFile = context.p_B1

    CreatePrimary Succeed ! Handle: 0x80000000

    ......ContextSave:Save handle 0x80000000 context failed. TPM Error:0x101......

Any idea what I can try in order to make it work?

Is there an alternative platform that this library is known to work with?

Thanks, Dan

flihp commented 7 years ago

Hey there @danglus. A couple things: First is that the tpmclient should be run against the TPM2 simulator only. We haven't been particularly clear about this in the past but I updated the README file this week to clear this up. Second is some debugging tips: in the tpm2.0-tools repo there's a tool called tpm2_rc_decode which should help out decoding those hex response codes you're getting.

Ignoring the tpmclient failure for the time being... The error you're getting from the tpm2.0-tool is 0x101 which decodes to:

    flihp@lappy:~/tpm2.0-tools$ src/tpm2_rc_decode 0x101
    error layer
      hex: 0x0
      identifier: TSS2_TPM_ERROR_LEVEL
      description: Error produced by the TPM
    format 0 error code
      hex: 0x01
      name: TPM_RC_FAILURE
      description: commands not being accepted because of a TPM failure

So this looks like the TPM on that platform is reporting that the TPM has failed in some way and is now refusing to accept commands. Yipes! I've never seen this before personally.

Generally the first thing I'd recommend is checking for a firmware update on that platform. Do you know if that system has a discrete TPM or PTT? I'd also recommend you retry running the tpm2.0-tools commands after you power cycle the system. It could be that the execution of tpmclient before running the tools put the TPM into some weird state.
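The response codes in this thread (0x101, later 0x84, and the tpmclient's "s/b a000a, but was 1d5") all follow the TSS2_RC / TPM_RC layout that tpm2_rc_decode unpacks: bits 23:16 name the layer that produced the code (0 means the TPM itself, 0xA the TCTI), and for layer 0 bit 7 selects between the TPM's format-0 codes (such as TPM_RC_FAILURE) and format-1 codes that also carry a handle, session or parameter index. The decoder below is an added example, not code from tpm2-tss or tpm2-tools; the layer numbers are taken from the TSS2 headers of that era and the code tables from TPM 2.0 Part 2, trimmed to the entries I am sure of (anything else is reported numerically).

```python
"""Decode TSS2 / TPM 2.0 response codes the way tpm2_rc_decode does.

Added example, not code from tpm2-tss or tpm2-tools.  Layer numbers come from
the TSS2 headers of that era (tss2_common.h) and the TPM_RC tables from
TPM 2.0 Part 2; only values I am sure of are named, others print numerically.
"""
from dataclasses import dataclass
from typing import Optional

# Bits 23:16 of a TSS2_RC say which software layer produced the code; 0 = the TPM itself.
LAYERS = {0: "TSS2_TPM_ERROR_LEVEL", 8: "TSS2_SYS_ERROR_LEVEL", 10: "TSS2_TCTI_ERROR_LEVEL",
          11: "TSS2_RESMGRTPM_ERROR_LEVEL", 12: "TSS2_RESMGR_ERROR_LEVEL"}
# Base return codes shared by the non-TPM layers (low 16 bits).
TSS2_BASE = {0x1: "TSS2_BASE_RC_GENERAL_FAILURE", 0x2: "TSS2_BASE_RC_NOT_IMPLEMENTED",
             0x3: "TSS2_BASE_RC_BAD_CONTEXT", 0x5: "TSS2_BASE_RC_BAD_REFERENCE",
             0x6: "TSS2_BASE_RC_INSUFFICIENT_BUFFER", 0x8: "TSS2_BASE_RC_NO_CONNECTION",
             0x9: "TSS2_BASE_RC_TRY_AGAIN", 0xA: "TSS2_BASE_RC_IO_ERROR",
             0xB: "TSS2_BASE_RC_BAD_VALUE", 0x10: "TSS2_BASE_RC_BAD_SIZE"}
# Format-0 TPM codes (bit 7 clear): RC_VER1 (0x100) errors and RC_WARN (0x900) warnings.
FMT0 = {0x100: "TPM_RC_INITIALIZE", 0x101: "TPM_RC_FAILURE", 0x103: "TPM_RC_SEQUENCE",
        0x120: "TPM_RC_DISABLED", 0x124: "TPM_RC_AUTH_TYPE", 0x125: "TPM_RC_AUTH_MISSING",
        0x126: "TPM_RC_POLICY", 0x127: "TPM_RC_PCR", 0x12E: "TPM_RC_TOO_MANY_CONTEXTS",
        0x142: "TPM_RC_COMMAND_SIZE", 0x143: "TPM_RC_COMMAND_CODE", 0x144: "TPM_RC_AUTHSIZE",
        0x148: "TPM_RC_NV_LOCKED", 0x149: "TPM_RC_NV_AUTHORIZATION", 0x14B: "TPM_RC_NV_SPACE",
        0x150: "TPM_RC_BAD_CONTEXT", 0x153: "TPM_RC_NEEDS_TEST", 0x154: "TPM_RC_NO_RESULT",
        0x901: "TPM_RC_CONTEXT_GAP", 0x902: "TPM_RC_OBJECT_MEMORY", 0x904: "TPM_RC_MEMORY",
        0x906: "TPM_RC_OBJECT_HANDLES", 0x909: "TPM_RC_CANCELED", 0x90A: "TPM_RC_TESTING",
        0x921: "TPM_RC_LOCKOUT", 0x922: "TPM_RC_RETRY", 0x923: "TPM_RC_NV_UNAVAILABLE"}
# Format-1 TPM codes (bit 7 set): RC_FMT1 (0x080) + 6-bit number, plus an index field.
FMT1 = {0x081: "TPM_RC_ASYMMETRIC", 0x082: "TPM_RC_ATTRIBUTES", 0x083: "TPM_RC_HASH",
        0x084: "TPM_RC_VALUE", 0x085: "TPM_RC_HIERARCHY", 0x087: "TPM_RC_KEY_SIZE",
        0x08A: "TPM_RC_TYPE", 0x08B: "TPM_RC_HANDLE", 0x08D: "TPM_RC_RANGE",
        0x08E: "TPM_RC_AUTH_FAIL", 0x092: "TPM_RC_SCHEME", 0x095: "TPM_RC_SIZE",
        0x097: "TPM_RC_TAG", 0x09B: "TPM_RC_SIGNATURE", 0x09D: "TPM_RC_POLICY_FAIL",
        0x09F: "TPM_RC_INTEGRITY", 0x0A2: "TPM_RC_BAD_AUTH", 0x0A3: "TPM_RC_EXPIRED",
        0x0A6: "TPM_RC_CURVE", 0x0A7: "TPM_RC_ECC_POINT"}


@dataclass
class DecodedRC:
    rc: int
    layer: int
    layer_name: str
    name: Optional[str]              # symbolic name, None when not in the tables above
    fmt: Optional[int] = None        # 0 or 1 for TPM codes, None for TSS-layer codes
    warning: bool = False            # format 0 with the S bit set: a warning, not a hard error
    subject: Optional[str] = None    # format 1: "parameter", "handle" or "session"
    index: int = 0                   # which parameter/handle/session (parameters are 1-based)


def decode_rc(rc: int) -> DecodedRC:
    layer = (rc >> 16) & 0xFF
    layer_name = LAYERS.get(layer, f"error layer {layer}")
    if layer != 0:                               # produced by TSS software, not by the TPM
        return DecodedRC(rc, layer, layer_name, TSS2_BASE.get(rc & 0xFFFF))
    code = rc & 0xFFF
    if code & 0x080:                             # F bit set: format 1
        name = FMT1.get(0x080 | (code & 0x3F))
        if code & 0x040:                         # P bit: bits 11:8 hold the parameter number
            return DecodedRC(rc, 0, layer_name, name, 1, False, "parameter", (code >> 8) & 0xF)
        subject = "session" if code & 0x800 else "handle"
        return DecodedRC(rc, 0, layer_name, name, 1, False, subject, (code >> 8) & 0x7)
    if not code & 0x100:                         # V bit clear: a TPM 1.2-style code
        return DecodedRC(rc, 0, layer_name, None, 0)
    if code & 0x400:                             # T bit: vendor-defined, not in the spec tables
        return DecodedRC(rc, 0, layer_name, None, 0, bool(code & 0x800))
    return DecodedRC(rc, 0, layer_name, FMT0.get(code & 0x97F), 0, bool(code & 0x800))


def format_rc(rc: int) -> str:
    """One-line rendering in the spirit of tpm2_rc_decode's output."""
    d = decode_rc(rc)
    out = [f"0x{rc:x}: layer {d.layer} ({d.layer_name})"]
    if d.fmt is None:
        out.append(f"base rc 0x{rc & 0xFFFF:x} {d.name or '(unknown)'}")
    else:
        out.append(f"format {d.fmt} {'warning ' if d.warning else ''}{d.name or '(unknown)'}")
        if d.subject:
            out.append(f"{d.subject} {d.index}")
    return ", ".join(out)


if __name__ == "__main__":
    for rc in (0x101, 0x84, 0x1D5, 0xA000A):   # the codes that appear in this thread
        print(format_rc(rc))
```

Run against the thread's values this gives: 0x101 is layer 0, format 0, TPM_RC_FAILURE (the TPM itself refusing commands); 0x84 is format 1, TPM_RC_VALUE on handle 0; the tpmclient mismatch is the TPM answering TPM_RC_SIZE for parameter 1 (0x1d5) where the test expected a TCTI-layer IO error (0xa000a). The layer field is the first thing to look at when triaging: a non-zero layer means the TPM never produced that code.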

danglus commented 7 years ago

Yes, this NUC has a "Discrete trusted platform module (TPM v2.0)". I updated the BIOS and power cycled the NUC, but the problem persists (we even jumpered the TPM - just in case).

Was this library tested on HW TPMs? If so, do you know which brands?

flihp commented 7 years ago

I've only ever tested the TSS against Intel's PTT and the Infineon TPM. Have you been able to perform simple operations like query the TPM for capabilities? This is where I would start, simple metadata queries. Then move on to stuff like key creation & usage.

Can you grab the tpm2_dump_capability and see if you can at least get your TPM to dump info about its current state / supported capabilities?

danglus commented 7 years ago

Thanks Philip,

1) According to its datasheet, the TPM in this NUC is an Infineon SLB9665TT2.0 TPM version 2.0

http://www.infineon.com/cms/en/product/security-and-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/SLB+9665+TT20+FW551/productType.html?productType=5546d46250cc1fdf0150d371824765eb

http://www.infineon.com/cms/en/product/security-and-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/channel.html?channel=5546d462503812bb015066de24291768

2) The tpm2.0 tools that I pulled from github don't include a tpm2_dump_capability; basically, here are the commands that it has:

    ~/tpm/tpm2.0-tools/src# tpm2_
    tpm2_activatecredential  tpm2_getmanufec  tpm2_listpersistent  tpm2_nvreadlock  tpm2_rsaencrypt
    tpm2_akparse             tpm2_getpubak    tpm2_load            tpm2_nvrelease   tpm2_sign
    tpm2_certify             tpm2_getpubek    tpm2_loadexternal    tpm2_nvwrite     tpm2_takeownership
    tpm2_create              tpm2_getrandom   tpm2_makecredential  tpm2_quote       tpm2_unseal
    tpm2_createprimary       tpm2_hash        tpm2_nvdefine        tpm2_rc_decode   tpm2_verifysignature
    tpm2_encryptdecrypt      tpm2_hmac        tpm2_nvlist          tpm2_readpublic
    tpm2_evictcontrol        tpm2_listpcrs    tpm2_nvread          tpm2_rsadecrypt

3) The simplest thing that I could think of was to get a random value, which seems to work:

    root@optn36:~/tpm/tpm2.0-tools/test# tpm2_getrandom -s 256 -o out.random
    GetRandom succ...
    byte size: 32
    0xA4 0xB2 0xA6 0xF3 0x4F 0x01 0x84 0xA0 0x10 0xE7 0x53 0x61 0x1A 0xCF 0x65 0x8F 0x4A 0x42 0x55 0x23 0xC6 0xC6 0x4B 0x51 0x55 0xE9 0xAE 0xDB 0x1A 0xDA 0x98 0x2D

4) But still, whenever I try to create a primary key, I'm getting the same error message:

    CreatePrimary Succeed ! Handle: 0x80000000

    ......ContextSave:Save handle 0x80000000 context failed. TPM Error:0x101......

Thanks, Dan

flihp commented 7 years ago

Ah, sounds like you're using a packaged version of the TSS & tools? To get the tpm2_dump_capability tool you'll need to pull from the tools project git and build from source. Having the data produced by this tool will give us a better understanding of the TPM (manufacturer data, version numbers for the firmware etc). Also, building from the latest git for both tools will rule out a bug that may have been fixed since the release your package is built from. No guarantees this will fix the issue, but it's the lowest-effort test we can do.

danglus commented 7 years ago

Actually, I built the tools from source, but I pulled them a long time ago. Anyway, I pulled again, and here is the dump: TPMA_CC: 0x0440011f commandIndex: 0x11f reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04400120 commandIndex: 0x120 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02c00121 commandIndex: 0x121 reserved1: 0x0 nv: set extensive: set flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04400122 commandIndex: 0x122 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02c00126 commandIndex: 0x126 reserved1: 0x0 nv: set extensive: set flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02400127 commandIndex: 0x127 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02400128 commandIndex: 0x128 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02400129 commandIndex: 0x129 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0240012a commandIndex: 0x12a reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0240012b commandIndex: 0x12b reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0240012e commandIndex: 0x12e reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000130 commandIndex: 0x130 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x12000131 commandIndex: 0x131 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: set V: clear Res: 0x0 TPMA_CC: 0x04400134 commandIndex: 
0x134 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04400135 commandIndex: 0x135 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04400136 commandIndex: 0x136 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04400137 commandIndex: 0x137 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04400138 commandIndex: 0x138 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02400139 commandIndex: 0x139 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0240013a commandIndex: 0x13a reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0240013b commandIndex: 0x13b reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0240013c commandIndex: 0x13c reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0240013d commandIndex: 0x13d reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0300013e commandIndex: 0x13e reserved1: 0x0 nv: clear extensive: clear flushed: set cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x00400142 commandIndex: 0x142 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x00400143 commandIndex: 0x143 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x00400144 commandIndex: 0x144 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x00400145 commandIndex: 0x145 
reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x00400146 commandIndex: 0x146 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04000147 commandIndex: 0x147 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04000148 commandIndex: 0x148 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x06000149 commandIndex: 0x149 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x3 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0400014a commandIndex: 0x14a reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0400014b commandIndex: 0x14b reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0600014d commandIndex: 0x14d reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x3 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0400014e commandIndex: 0x14e reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0400014f commandIndex: 0x14f reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04000150 commandIndex: 0x150 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04000151 commandIndex: 0x151 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000153 commandIndex: 0x153 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000154 commandIndex: 0x154 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000155 
commandIndex: 0x155 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000156 commandIndex: 0x156 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x12000157 commandIndex: 0x157 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: set V: clear Res: 0x0 TPMA_CC: 0x02000158 commandIndex: 0x158 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000159 commandIndex: 0x159 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x1200015b commandIndex: 0x15b reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: set V: clear Res: 0x0 TPMA_CC: 0x0200015c commandIndex: 0x15c reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200015d commandIndex: 0x15d reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200015e commandIndex: 0x15e reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x04000160 commandIndex: 0x160 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x10000161 commandIndex: 0x161 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: set V: clear Res: 0x0 TPMA_CC: 0x02000162 commandIndex: 0x162 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000163 commandIndex: 0x163 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x00000165 commandIndex: 0x165 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 
0x10000167 commandIndex: 0x167 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: set V: clear Res: 0x0 TPMA_CC: 0x02000168 commandIndex: 0x168 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000169 commandIndex: 0x169 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200016a commandIndex: 0x16a reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200016b commandIndex: 0x16b reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200016c commandIndex: 0x16c reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200016d commandIndex: 0x16d reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200016e commandIndex: 0x16e reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200016f commandIndex: 0x16f reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000170 commandIndex: 0x170 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000171 commandIndex: 0x171 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000173 commandIndex: 0x173 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000174 commandIndex: 0x174 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x14000176 commandIndex: 0x176 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x2 rHandle: set V: clear Res: 
0x0 TPMA_CC: 0x02000177 commandIndex: 0x177 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x00000178 commandIndex: 0x178 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0000017a commandIndex: 0x17a reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0000017b commandIndex: 0x17b reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0000017c commandIndex: 0x17c reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0000017d commandIndex: 0x17d reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0000017e commandIndex: 0x17e reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200017f commandIndex: 0x17f reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02000180 commandIndex: 0x180 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x00000181 commandIndex: 0x181 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x02400182 commandIndex: 0x182 reserved1: 0x0 nv: set extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x05400185 commandIndex: 0x185 reserved1: 0x0 nv: set extensive: clear flushed: set cHandles: 0x2 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x10000186 commandIndex: 0x186 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: set V: clear Res: 0x0 TPMA_CC: 0x02000188 commandIndex: 0x188 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: 
clear Res: 0x0 TPMA_CC: 0x02000189 commandIndex: 0x189 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0000018a commandIndex: 0x18a reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x0 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200018b commandIndex: 0x18b reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200018c commandIndex: 0x18c reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x0200018f commandIndex: 0x18f reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: clear Res: 0x0 TPMA_CC: 0x2200012f commandIndex: 0x12f reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: set Res: 0x0 TPMA_CC: 0x22000400 commandIndex: 0x400 reserved1: 0x0 nv: clear extensive: clear flushed: clear cHandles: 0x1 rHandle: clear V: set Res: 0x0 TPMA_ALGORITHM for ALG_ID: 0x1 asymmetric: set symmetric: clear hash: clear object: set reserved: 0x0 signing: clear encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x4 asymmetric: clear symmetric: clear hash: set object: clear reserved: 0x0 signing: clear encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x5 asymmetric: clear symmetric: clear hash: set object: clear reserved: 0x0 signing: set encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x6 asymmetric: clear symmetric: set hash: clear object: clear reserved: 0x0 signing: clear encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x8 asymmetric: clear symmetric: clear hash: set object: set reserved: 0x0 signing: set encrypting: set method: clear TPMA_ALGORITHM for ALG_ID: 0xa asymmetric: clear symmetric: set hash: set object: clear reserved: 0x0 signing: clear encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0xb asymmetric: clear symmetric: clear hash: set object: 
clear reserved: 0x0 signing: clear encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x14 asymmetric: set symmetric: clear hash: clear object: clear reserved: 0x0 signing: set encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x15 asymmetric: set symmetric: clear hash: clear object: clear reserved: 0x0 signing: clear encrypting: set method: clear TPMA_ALGORITHM for ALG_ID: 0x16 asymmetric: set symmetric: clear hash: clear object: clear reserved: 0x0 signing: set encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x17 asymmetric: set symmetric: clear hash: clear object: clear reserved: 0x0 signing: clear encrypting: set method: clear TPMA_ALGORITHM for ALG_ID: 0x18 asymmetric: set symmetric: clear hash: clear object: clear reserved: 0x0 signing: set encrypting: clear method: set TPMA_ALGORITHM for ALG_ID: 0x19 asymmetric: set symmetric: clear hash: clear object: clear reserved: 0x0 signing: clear encrypting: clear method: set TPMA_ALGORITHM for ALG_ID: 0x1a asymmetric: set symmetric: clear hash: clear object: clear reserved: 0x0 signing: set encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x20 asymmetric: clear symmetric: clear hash: set object: clear reserved: 0x0 signing: clear encrypting: clear method: set TPMA_ALGORITHM for ALG_ID: 0x22 asymmetric: clear symmetric: clear hash: set object: clear reserved: 0x0 signing: clear encrypting: clear method: set TPMA_ALGORITHM for ALG_ID: 0x23 asymmetric: set symmetric: clear hash: clear object: set reserved: 0x0 signing: clear encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x25 asymmetric: clear symmetric: clear hash: clear object: set reserved: 0x0 signing: clear encrypting: clear method: clear TPMA_ALGORITHM for ALG_ID: 0x43 asymmetric: clear symmetric: set hash: clear object: clear reserved: 0x0 signing: clear encrypting: set method: clear TPM_PT_PERSISTENT: ownerAuthSet: clear endorsementAuthSet: clear lockoutAuthSet: clear reserved1: clear disableClear: clear 
inLockout: clear tpmGeneratedEPS: clear reserved2: clear TPM_PT_STARTUP_CLEAR: phEnable: set shEnable: set ehEnable: set phEnableNV: set reserved1: clear orderly: clear TPM_PT_HR_NV_INDEX: 0x00000002 TPM_PT_HR_LOADED: 0x00000000 TPM_PT_HR_LOADED_AVAIL: 0x00000003 TPM_PT_HR_ACTIVE: 0x00000000 TPM_PT_HR_ACTIVE_AVAIL: 0x00000040 TPM_PT_HR_TRANSIENT_AVAIL: 0x00000003 TPM_PT_HR_PERSISTENT: 0x00000000 TPM_PT_HR_PERSISTENT_AVAIL: 0x00000012 TPM_PT_NV_COUNTERS: 0x00000000 TPM_PT_NV_COUNTERS_AVAIL: 0x0000000c TPM_PT_ALGORITHM_SET: 0x00000000 TPM_PT_LOADED_CURVES: 0x00000002 TPM_PT_LOCKOUT_COUNTER: 0x00000000 TPM_PT_MAX_AUTH_FAIL: 0x00000020 TPM_PT_LOCKOUT_INTERVAL: 0x00001c20 TPM_PT_LOCKOUT_RECOVERY: 0x00015180 TPM_PT_AUDIT_COUNTER_0: 0x00000000 TPM_PT_AUDIT_COUNTER_1: 0x00000000 TPM_PT_FAMILY_INDICATOR: as UINT32: 0x08322e3000 as string: "2.0" TPM_PT_LEVEL: 0 TPM_PT_REVISION: 1.00 TPM_PT_DAY_OF_YEAR: 0x0000012f TPM_PT_YEAR: 0x000007de TPM_PT_MANUFACTURER: 0x49465800 TPM_PT_VENDOR_STRING_1: as UINT32: 0x534c4239 as string: "SLB9" TPM_PT_VENDOR_STRING_2: as UINT32: 0x36363500 as string: "665" TPM_PT_VENDOR_STRING_3: as UINT32: 0x00000000 as string: "" TPM_PT_VENDOR_STRING_4: as UINT32: 0x00000000 as string: "" TPM_PT_VENDOR_TPM_TYPE: 0x00000000 TPM_PT_FIRMWARE_VERSION_1: 0x00050028 TPM_PT_FIRMWARE_VERSION_2: 0x0007b302 TPM_PT_INPUT_BUFFER: 0x00000400 TPM_PT_HR_TRANSIENT_MIN: 0x00000003 TPM_PT_HR_PERSISTENT_MIN: 0x00000007 TPM_PT_HR_LOADED_MIN: 0x00000003 TPM_PT_ACTIVE_SESSIONS_MAX: 0x00000040 TPM_PT_PCR_COUNT: 0x00000018 TPM_PT_PCR_SELECT_MIN: 0x00000003 TPM_PT_CONTEXT_GAP_MAX: 0x0000ffff TPM_PT_NV_COUNTERS_MAX: 0x00000008 TPM_PT_NV_INDEX_MAX: 0x00000680 TPM_PT_MEMORY: 0x00000006 TPM_PT_CLOCK_UPDATE: 0x00080000 TPM_PT_CONTEXT_HASH: 0x0000000b TPM_PT_CONTEXT_SYM: 0x00000006 TPM_PT_CONTEXT_SYM_SIZE: 0x00000080 TPM_PT_ORDERLY_COUNT: 0x000000ff TPM_PT_MAX_COMMAND_SIZE: 0x00000500 TPM_PT_MAX_RESPONSE_SIZE: 0x00000500 TPM_PT_MAX_DIGEST: 0x00000020 TPM_PT_MAX_OBJECT_CONTEXT: 
0x00000396 TPM_PT_MAX_SESSION_CONTEXT: 0x000000eb TPM_PT_PS_FAMILY_INDICATOR: 0x00000001 TPM_PT_PS_LEVEL: 0x00000000 TPM_PT_PS_REVISION: 0x00000100 TPM_PT_PS_DAY_OF_YEAR: 0x00000000 TPM_PT_PS_YEAR: 0x00000000 TPM_PT_SPLIT_MAX: 0x00000080 TPM_PT_TOTAL_COMMANDS: 0x0000005a TPM_PT_LIBRARY_COMMANDS: 0x00000058 TPM_PT_VENDOR_COMMANDS: 0x00000002 TPM_PT_NV_BUFFER_MAX: 0x00000300

flihp commented 7 years ago

Thx for the capability dump. Everything in there looks pretty normal so at least the GetCapability command works. Even better, the vendor strings match the spec sheet!

    TPM_PT_MANUFACTURER: 0x49465800
    TPM_PT_VENDOR_STRING_1:
      as UINT32: 0x534c4239
      as string: "SLB9"
    TPM_PT_VENDOR_STRING_2:
      as UINT32: 0x36363500
      as string: "665"

The failure you're seeing with the createprimary tool doesn't look like it's related to the actual creation of the primary key. Looks like it's failing to save the context of the transient object. The tools do this so you can use the key in future commands.

Are you able to execute this command against the software simulator?

Probably a good idea to hack up a quick integration test that does a simple key creation, context save and context flush.
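The capability dump above is the raw material for the sanity check flihp describes: each TPMA_CC word encodes the command code plus attribute bits (nv, extensive, flushed, the handle counts, rHandle, V), and TPM_PT_MANUFACTURER and the vendor-string properties are four ASCII bytes packed big-endian into a UINT32, which is how 0x49465800 becomes "IFX" and 0x534c4239 becomes "SLB9". The following is an added example, not code from tpm2-tss or tpm2-tools: it decodes those fields from a dump even when it has been flattened onto one line, as it was when pasted into this issue. The bit positions follow TPM 2.0 Part 2; the sample words are copied from the dump posted earlier in the thread.

```python
"""Decode TPMA_CC words and vendor-string properties from a GetCapability dump.

Added example, not code from tpm2-tss or tpm2-tools.  The bit layout of
TPMA_CC and the ASCII packing of TPM_PT_MANUFACTURER / TPM_PT_VENDOR_STRING_n
follow TPM 2.0 Part 2; the sample words below are copied from the dump posted
earlier in this thread.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TpmaCc:
    command_index: int   # bits 15:0   command code being described
    nv: bool             # bit 22      command may write to NV
    extensive: bool      # bit 23      may flush many objects or sessions
    flushed: bool        # bit 24      flushes any transient handle it operates on
    c_handles: int       # bits 27:25  number of handles in the command's handle area
    r_handle: bool       # bit 28      response carries a handle (e.g. CreatePrimary)
    v: bool              # bit 29      vendor-specific command


def decode_tpma_cc(word: int) -> TpmaCc:
    """Split a 32-bit TPMA_CC attribute word into its fields."""
    return TpmaCc(
        command_index=word & 0xFFFF,
        nv=bool(word & (1 << 22)),
        extensive=bool(word & (1 << 23)),
        flushed=bool(word & (1 << 24)),
        c_handles=(word >> 25) & 0x7,
        r_handle=bool(word & (1 << 28)),
        v=bool(word & (1 << 29)),
    )


def property_string(value: int) -> str:
    """TPM_PT_MANUFACTURER and the vendor strings are 4 ASCII bytes, big-endian, NUL-padded."""
    return struct.pack(">I", value).rstrip(b"\x00").decode("ascii", errors="replace")


_TPMA_CC_RE = re.compile(r"TPMA_CC:\s*0x([0-9a-fA-F]{1,8})")


def parse_dump(text: str) -> List[TpmaCc]:
    """Pull every 'TPMA_CC: 0x...' word out of a dump, even one flattened onto a single line."""
    return [decode_tpma_cc(int(m.group(1), 16)) for m in _TPMA_CC_RE.finditer(text)]


def vendor_summary(props: Dict[str, int]) -> str:
    """Join manufacturer and vendor strings into one readable identifier."""
    keys = ("TPM_PT_MANUFACTURER", "TPM_PT_VENDOR_STRING_1", "TPM_PT_VENDOR_STRING_2")
    parts = [property_string(props[k]) for k in keys if k in props]
    return " ".join(p for p in parts if p)


# Constructed sample: three entries copied from the dump above, flattened like the thread.
SAMPLE_DUMP = (
    "TPMA_CC: 0x0440011f commandIndex: 0x11f reserved1: 0x0 nv: set extensive: clear "
    "flushed: clear cHandles: 0x2 rHandle: clear V: clear Res: 0x0 "
    "TPMA_CC: 0x12000131 commandIndex: 0x131 reserved1: 0x0 nv: clear extensive: clear "
    "flushed: clear cHandles: 0x1 rHandle: set V: clear Res: 0x0 "
    "TPMA_CC: 0x2200012f commandIndex: 0x12f reserved1: 0x0 nv: clear extensive: clear "
    "flushed: clear cHandles: 0x1 rHandle: clear V: set Res: 0x0"
)
# Property words copied from the dump above.
SAMPLE_PROPERTIES = {
    "TPM_PT_MANUFACTURER": 0x49465800,
    "TPM_PT_VENDOR_STRING_1": 0x534C4239,
    "TPM_PT_VENDOR_STRING_2": 0x36363500,
}

if __name__ == "__main__":
    for cc in parse_dump(SAMPLE_DUMP):
        print(cc)
    print(vendor_summary(SAMPLE_PROPERTIES))
```

Decoding the three sample words reproduces what the tool printed (0x0440011f: nv set, two handles; 0x12000131: one handle and a response handle; 0x2200012f: the V bit, a vendor command), and the property words come out as "IFX SLB9 665", which is the cross-check against the datasheet that flihp made by eye.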

danglus commented 7 years ago

Hi,

1) Yes, it works fine against the IBM simulator, even on the same machine.

2) I'm getting the same error on the two NUCs that I have.

3) It takes the command 17 seconds to fail:

    root@frc-nuc:~/tpm/tpm2.0-tools/test# time tpm2_createprimary -A n -g 0xB -G 0x1 -C primary.ctx
    nameAlg = 0x000b
    type = 0x0001
    contextFile = primary.ctx

    CreatePrimary Succeed ! Handle: 0x80000000

    ERROR: Tss2_Sys_ContextSave: Saving handle 0x80000000 context failed. TPM Error:0x101

    real 0m17.435s
    user 0m0.000s
    sys  0m0.000s
    root@frc-nuc:~/tpm/tpm2.0-tools/test#

4) When running a successful command, like tpm2_getrandom -s 16 -o rnd.txt, the resource manager dumps the following:

    Accept socket: 0x9
    Accept socket: 0x8
    Resource Manager TPM CMD Server accepted client
    Resource Manager Other CMD Server accepted client
    In rmRecvBytes, recv failed (socket: 0x8) with error: 0
    TpmCmdServer died (TPM CMD), rval: 0x000a000a, socket: 0x8.
    In rmRecvBytes, recv failed (socket: 0x9) with error: 0
    OtherCmdServer died (Other CMD), socket: 0x9.

This happens in about 100ms. I wonder why it says "In rmRecvBytes, recv failed", because the command returns a valid value:

    root@frc-nuc:~/tpm/tpm2.0-tools/test# time tpm2_getrandom -s 16 -o rnd.txt
    byte size: 16
    0x98 0x13 0xFB 0x26 0x72 0x09 0x3A 0x97 0x41 0x8A 0xFB 0xFF 0xD3 0xD7 0xF5 0xAB

    real 0m0.163s
    user 0m0.000s
    sys  0m0.000s

However, for the faulty createprimary command, it first dumps:

    Accept socket: 0x7
    Resource Manager Other CMD Server accepted client
    Accept socket: 0x6
    Resource Manager TPM CMD Server accepted client

and then after the 17 seconds:

    In rmRecvBytes, recv failed (socket: 0x7) with error: 0
    OtherCmdServer died (Other CMD), socket: 0x7.
    In rmRecvBytes, recv failed (socket: 0x6) with error: 0
    TpmCmdServer died (TPM CMD), rval: 0x000a000a, socket: 0x6.

BTW, why did you recommend 'hacking up a quick integration test'? Do you suspect that tpm2_tools is doing something wrong?

Anyway, I'll have time tomorrow to try new stuff.

Thanks, Dan

webmeister commented 7 years ago

Under normal circumstances a TPM should never respond with TPM_RC_FAILURE. What you're seeing here is probably a bug in the firmware of your TPM. When you see the error with tpm2_createprimary, could you also try to create an ECC key (-G 0x23) instead?

danglus commented 7 years ago

Hi Alex, From what I can see, this error is not coming from the TPM but from the resourceMgr itself. When I run: “tpm2_createprimary -A n -g 0xB -G 0x1 -C primary.ctx”

The EvictContext() function is called twice. Unfortunately, when the HW TPM is in use, on the 2nd call FindEntry returns TSS2_RC_SUCCESS but foundEntryPtr->status.loaded is false, which causes EvictContext() to fail (return 0xC1000), and this is what causes the overall return value to be 0x101.

Here is the relevant code snippet from resourcemgr.c:

    TSS2_RC EvictContext(TPM_HANDLE virtualHandle)
    {
        TSS2_RC rval = TSS2_RC_SUCCESS;
        RESOURCE_MANAGER_ENTRY_PTR foundEntryPtr;

        // Find entry corresponding to this virtual handle.
        rval = FindEntry( entryList, RMFIND_VIRTUAL_HANDLE, virtualHandle, &foundEntryPtr );
        printf( "dangl: resourcemgr.c:906/EvictContext/FindEntry(virtualHandle=%X): rval=%X\n", virtualHandle, rval );
        if( rval != TSS2_RC_SUCCESS )
            return rval;

        ENABLE_RM_TPM_CMD_DEBUG_MSGS;

        if( foundEntryPtr->status.loaded )
        {
            …
        }
        else
        {
            // Entry exists but is not marked loaded: report a resource-manager-level error.
            SetRmErrorLevel( &rval, TSS2_RESMGRTPM_ERROR_LEVEL );
        }

Any ideas?

Thanks, Dan

flihp commented 7 years ago

@danglus : Given all of the data I'm inclined to agree with @webmeister. The response code 0x101 should only be returned by your TPM, and it indicates an internal error (aka a bug in the TPM).

No guarantees that we're right though. The best way to test this theory is to remove the resourcemgr from your configuration. This can be done using the dynamic TCTI mechanism recently introduced to the tpm2.0-tools project. Each tool now accepts command line options that allow it to instantiate either the socket or the device TCTI. The socket interface is the default, but you can use the device TCTI to communicate directly with the TPM device driver (removing the resourcemgr from the equation).

danglus commented 7 years ago

Oh, this is interesting.

It worked once:

root@frc-nuc:~/tpm/tpm2.0-tools# tools/tpm2_createprimary -T device -A n -g 0xB -G 0x1 -C primary.ctx
nameAlg = 0x000b
type = 0x0001
contextFile = primary.ctx

CreatePrimary Succeed ! Handle: 0x80000000

But it now fails when I try it again:

root@frc-nuc:~/tpm/tpm2.0-tools# tools/tpm2_createprimary -T device -A n -g 0xB -G 0x1 -C primary.ctx
nameAlg = 0x000b
type = 0x0001
contextFile = primary.ctx

CreatePrimary Failed ! ErrorCode: 0x84

root@frc-nuc:~/tpm/tpm2.0-tools# tpm2_rc_decode 0x84
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 1 error code
  hex: 0x04
  identifier: TPM_RC_VALUE
  description: value is out of range or is not correct for the context
handle
  hex: 0x000
  identifier: TPM_RC_8
  description: (null)
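
A decoder for the response codes seen in this thread, added here as an example; it is not tpm2_rc_decode or any tpm2-tss code. It applies the TPM_RC field layout from TPM 2.0 Library Part 2 (format 0 versus format 1, the V/T/S bits, and the handle/parameter/session number N) and the error-layer byte of TSS2_RC. The layer names are the ones the current tss2_common.h uses (assumption: the 2017 tree used different names for the resource-manager layers), and the TPM_RC name tables are a subset of the specification's list. The values 0x101 and 0x84 from the thread decode to TPM_RC_FAILURE and TPM_RC_VALUE respectively.

```python
"""TPM 2.0 / TSS2 response-code decoder (added example, not project code)."""

RC_LAYER_SHIFT = 16

# Error-layer byte of a TSS2_RC, names per current tss2_common.h (assumption for old trees).
TSS2_LAYERS = {
    0: "TSS2_TPM_RC_LAYER (error produced by the TPM)",
    6: "TSS2_FEATURE_RC_LAYER",
    7: "TSS2_ESAPI_RC_LAYER",
    8: "TSS2_SYS_RC_LAYER",
    9: "TSS2_MU_RC_LAYER",
    10: "TSS2_TCTI_RC_LAYER",
    11: "TSS2_RESMGR_RC_LAYER",
    12: "TSS2_RESMGR_TPM_RC_LAYER",
}

# Format-0 codes are identified by the full 12-bit value (bits 0-6 plus V/T/S in bits 8/10/11).
FMT0_NAMES = {
    0x000: "TPM_RC_SUCCESS", 0x01E: "TPM_RC_BAD_TAG",
    0x100: "TPM_RC_INITIALIZE", 0x101: "TPM_RC_FAILURE", 0x103: "TPM_RC_SEQUENCE",
    0x10B: "TPM_RC_PRIVATE", 0x119: "TPM_RC_HMAC", 0x120: "TPM_RC_DISABLED",
    0x121: "TPM_RC_EXCLUSIVE", 0x124: "TPM_RC_AUTH_TYPE", 0x125: "TPM_RC_AUTH_MISSING",
    0x126: "TPM_RC_POLICY", 0x127: "TPM_RC_PCR", 0x128: "TPM_RC_PCR_CHANGED",
    0x12D: "TPM_RC_UPGRADE", 0x12E: "TPM_RC_TOO_MANY_CONTEXTS",
    0x12F: "TPM_RC_AUTH_UNAVAILABLE", 0x130: "TPM_RC_REBOOT", 0x131: "TPM_RC_UNBALANCED",
    0x142: "TPM_RC_COMMAND_SIZE", 0x143: "TPM_RC_COMMAND_CODE", 0x144: "TPM_RC_AUTHSIZE",
    0x145: "TPM_RC_AUTH_CONTEXT", 0x150: "TPM_RC_BAD_CONTEXT", 0x152: "TPM_RC_PARENT",
    0x153: "TPM_RC_NEEDS_TEST",
    # Warnings carry bit 11 (RC_WARN = 0x900).
    0x901: "TPM_RC_CONTEXT_GAP", 0x902: "TPM_RC_OBJECT_MEMORY", 0x903: "TPM_RC_SESSION_MEMORY",
    0x904: "TPM_RC_MEMORY", 0x905: "TPM_RC_SESSION_HANDLES", 0x906: "TPM_RC_OBJECT_HANDLES",
    0x907: "TPM_RC_LOCALITY", 0x908: "TPM_RC_YIELDED", 0x909: "TPM_RC_CANCELED",
    0x90A: "TPM_RC_TESTING", 0x921: "TPM_RC_LOCKOUT", 0x922: "TPM_RC_RETRY",
    0x923: "TPM_RC_NV_UNAVAILABLE",
}

# Format-1 codes are identified by bits 0-5 only; bit 6 (P) and bits 8-11 (N) say
# which parameter, handle or session the error refers to.
FMT1_NAMES = {
    0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY", 0x07: "TPM_RC_KEY_SIZE",
    0x08: "TPM_RC_MGF", 0x09: "TPM_RC_MODE", 0x0A: "TPM_RC_TYPE", 0x0B: "TPM_RC_HANDLE",
    0x0C: "TPM_RC_KDF", 0x0D: "TPM_RC_RANGE", 0x0E: "TPM_RC_AUTH_FAIL", 0x0F: "TPM_RC_NONCE",
    0x10: "TPM_RC_PP", 0x12: "TPM_RC_SCHEME", 0x15: "TPM_RC_SIZE", 0x16: "TPM_RC_SYMMETRIC",
    0x17: "TPM_RC_TAG", 0x18: "TPM_RC_SELECTOR", 0x1A: "TPM_RC_INSUFFICIENT",
    0x1B: "TPM_RC_SIGNATURE", 0x1C: "TPM_RC_KEY", 0x1D: "TPM_RC_POLICY_FAIL",
    0x1F: "TPM_RC_INTEGRITY", 0x20: "TPM_RC_TICKET", 0x21: "TPM_RC_RESERVED_BITS",
    0x22: "TPM_RC_BAD_AUTH", 0x23: "TPM_RC_EXPIRED", 0x24: "TPM_RC_POLICY_CC",
    0x25: "TPM_RC_BINDING", 0x26: "TPM_RC_CURVE", 0x27: "TPM_RC_ECC_POINT",
}


def decode_rc(rc: int) -> dict:
    """Split a TSS2_RC (or bare TPM_RC) into its fields."""
    layer = (rc >> RC_LAYER_SHIFT) & 0xFF
    code = rc & 0xFFFF
    out = {"rc": rc, "layer": layer, "layer_name": TSS2_LAYERS.get(layer, "unknown layer")}
    if layer != 0:
        # Produced by the software stack (TCTI, SAPI, resource manager ...), not by the TPM.
        out.update(format="tss", error=code)
        return out
    if code & 0x080:  # format 1
        number = (code >> 8) & 0xF
        if code & 0x040:
            subject = "parameter"
        elif number & 0x8:  # bit 11 set: N names a session, numbered in bits 8-10
            subject, number = "session", number & 0x7
        else:
            subject = "handle"
        out.update(format=1, error=code & 0x3F,
                   name=FMT1_NAMES.get(code & 0x3F, "unknown format-1 code"),
                   subject=subject, number=number)
    else:  # format 0
        value = code & 0xFFF
        out.update(format=0, error=value, name=FMT0_NAMES.get(value, "unknown format-0 code"),
                   tpm2=bool(value & 0x100), vendor=bool(value & 0x400),
                   warning=bool(value & 0x800))
    return out


def describe(rc: int) -> str:
    """One-line rendering of a response code, handy when grepping tool logs."""
    d = decode_rc(rc)
    if d["format"] == "tss":
        return f"0x{rc:X}: layer {d['layer']} ({d['layer_name']}) error 0x{d['error']:X}"
    if d["format"] == 1:
        # Handles and parameters are numbered from 1; N == 0 means the TPM did not say which.
        where = f"{d['subject']} {d['number']}" if d["number"] else "no handle/parameter identified"
        return f"0x{rc:X}: {d['name']} ({where})"
    kind = "warning" if d["warning"] else "error"
    return f"0x{rc:X}: {d['name']} (format 0 {kind})"


if __name__ == "__main__":
    for rc in (0x101, 0x84, 0x1C4, 0x98E, 0x921, 0x0A000A):
        print(describe(rc))
```

Run it and the two codes from this thread come out as `0x101: TPM_RC_FAILURE (format 0 error)` and `0x84: TPM_RC_VALUE (no handle/parameter identified)`; the layer byte is what distinguishes a TPM response from a stack error such as the resource manager's own codes.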

webmeister commented 7 years ago

But now you get a different error code: TPM_RC_VALUE, which usually indicates an invalid command parameter. And according to the message, it is already the CreatePrimary call that fails, whereas before it failed in the ContextSave step.

@flihp: Is there an easy way to dump the commands and responses on their way to/from the TPM? Such a log would make it easier to see which commands are executed and why they fail. --debugLevel does not seem to have any effect for me.

flihp commented 7 years ago

Debug flags need to be enabled at build time. All of the necessary flags are collected in a CONFIG_SITE file here: https://github.com/01org/TPM2.0-TSS/blob/master/lib/debug_config.site The INSTALL file has instructions / examples showing the use of the CONFIG_SITE file here: https://github.com/01org/TPM2.0-TSS/blob/master/INSTALL#L67

The debug output you'll get will include full dumps of the buffers as they pass though the resourcemgr.

flihp commented 7 years ago

@webmeister Just realized that your reference to debugLevel was an option that the resourcemgr / test code is expected to understand. Unfortunately, AFAIK, that option never did anything :frowning_face: I'm in the process of re-implementing a lot of functionality and the debug interfaces are part of that.

danglus commented 7 years ago

@flihp , I tried the tpm2 tools '-T device' options and it worked:

root@frc-nuc:~/tpm/tpm2.0-tools# tools/tpm2_createprimary -T device -A n -g 0xB -G 0x23
nameAlg = 0x000b
type = 0x0023

CreatePrimary Succeed ! Handle: 0x80000000

root@frc-nuc:~/tpm/tpm2.0-tools# tpm2_create -T device -g 0x000B -G 0x0001 -o 7e6a2f02-0fe3-11e7-8d9c-f44d3065a2e4_pub -O 7e6a2f02-0fe3-11e7-8d9c-f44d3065a2e4_priv -H 0x80000000
nameAlg = 0x000b
type = 0x0001
ObjectAttribute: 0x00060072

Create Object Succeed !

root@frc-nuc:~/tpm/test# tpm2_load -T device -u 7e6a2f02-0fe3-11e7-8d9c-f44d3065a2e4_pub -r 7e6a2f02-0fe3-11e7-8d9c-f44d3065a2e4_priv -H 0x80000000 -n 7e6a2f02-0fe3-11e7-8d9c-f44d3065a2e4_key

parentHandle: 0x80000000

Load succ. LoadedHandle: 0x80000001

root@frc-nuc:~/tpm/test# tpm2_sign -T device -k 0x80000001 -g 0x000B -m rnd.txt -s sign.out

So, when using the '-T' option I can use the TPM. I had less luck when I tried to use context files (but maybe I'm not doing it right). From what I can see, context saving is also a problem when I'm using the resourcemgr. From what I can see the problem is with the EvictContext() function (and not an error returned by the TPM).

BTW, is there a way to run the resourcemgr in a debugger? (It is a bash script and not an executable, so I've no idea how to do it.)

Again, any idea will be appreciated (if possible from your side, we could even try to schedule on online debug session).

Thanks, Dan

danglus commented 7 years ago

@flihp, @webmeister : we tried to use the TPM using Microsoft's TSS.MSR.NET on Windows10 and it worked (even with context).

flihp commented 7 years ago

@danglus : Glad you're making progress. Using the device TCTI means you don't have to rely on saving / loading contexts since the resourcemgr won't be flushing transient objects when the tpm2.0-tools programs exit. This is a reasonable short term work-around but there's still a bug: the tools should be able to save / restore context files.

Let me circle back with the folks over at the tpm2.0-tools project to see if we can "root cause" this one.

idesai commented 7 years ago

Sorry, joining this party late. Here is my output executing tpm2_createprimary repeatedly. In summary I am not seeing a create primary error. Is that the problem statement?

idesai-SKL::<~>./Documents/TSS/toolsBuild/tools/tpm2_createprimary -A n -g 0xb -G 0x1 -C prim.ctx
Accept socket: 0x6
Resource Manager Other CMD Server accepted client
Accept socket: 0x7
Resource Manager TPM CMD Server accepted client
nameAlg = 0x000b
type = 0x0001
contextFile = prim.ctx

CreatePrimary Succeed ! Handle: 0x80000000

TpmCmdServer died (TPM CMD), rval: 0x00000000, socket: 0x7.
OtherCmdServer died (Other CMD), socket: 0x6.

idesai-SKL::<~>./Documents/TSS/toolsBuild/tools/tpm2_createprimary -A n -g 0xb -G 0x1 -C prim2.ctx
Accept socket: 0x8
Resource Manager Other CMD Server accepted client
Accept socket: 0x9
Resource Manager TPM CMD Server accepted client
nameAlg = 0x000b
type = 0x0001
contextFile = prim2.ctx

CreatePrimary Succeed ! Handle: 0x80000000

TpmCmdServer died (TPM CMD), rval: 0x00000000, socket: 0x9.
OtherCmdServer died (Other CMD), socket: 0x8.

webmeister commented 7 years ago

@idesai: Could you run those commands in a loop, to ensure it does not fail after multiple tries? Also, what TPM (vendor/firmware version) do you use?

idesai commented 7 years ago

Are you creating a primary key using the same template under the same hierarchy in a tight loop? You would always arrive at the same key, what is the use case? My test was on a skylake with Intel Platform Trust Technology (PTT), Intel's integrated TPM2.0 solution.

idesai commented 7 years ago

Looped for about 10 minutes now, no errors yet.

idesai commented 7 years ago

Still going no errors yet.

danglus commented 7 years ago

Hi, I managed to write my own code that can do ContextSave and ContextLoad with the TPM in this NUC. Anyway, given that the resourcemgr is going through a major re-write, I think that we can close this ticket.

Thanks! Dan

flihp commented 7 years ago

Hey Dan. I've got one of these NUCs on order. Should land here in the next few days. Will try to repro when I have the hardware.

danglus commented 7 years ago

This is great!

Two comments:

1) Using the SAPI commands directly, I'm now able to create primary keys and RSA keys, as well as save/load and flush context.

2) I got the following response from Infineon support:

“According to the github link and the corresponding description, the device is a SLB 9665 FW5.40: TPM_PT_FIRMWARE_VERSION_1: 0x00050028 indicates FW V5.40

The issue is described as known issue in the errata sheet: 3.3.5.3 Context management issue for RSA primary keys Long sequences of TPM2_ContextSave / TPM2_ContextLoad for RSA primary keys may cause the TPM to return TPM_RC_FAILURE in TPM2_ContextLoad. So RSA primary key context is rejected.

With the next FW version, e.g. FW5.51, the issue has been fixed." So, maybe, the resourcemgr is failing because of a FW bug after all. Anyway, I'll try to update the TPM FW to see if it solves the resourcemgr problem.

Regards, Dan
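
A check that turns the firmware property Infineon quoted above into a go/no-go decision for the RSA primary-key ContextSave/ContextLoad erratum, added here as an example; it is not tpm2-tss or tpm2-tools code. Assumptions: the input is the `tpm2_getcap properties-fixed` listing of current tpm2-tools (property name, then an indented `raw:` line), the sample listing is constructed rather than captured from a device, TPM_PT_FIRMWARE_VERSION_1 splits 16/16 into major.minor as on the SLB 9665 (0x00050028 gives 5.40, as the support reply states), and every Infineon 5.x release below 5.51 is treated as affected, which generalises the reply (it names only 5.40 as affected and 5.51 as fixed).

```python
"""Gate the Infineon RSA-primary context erratum on TPM firmware version (added example)."""
import re

# Constructed sample of `tpm2_getcap properties-fixed` output; not captured from a real device.
SAMPLE_GETCAP = """\
TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_MANUFACTURER:
  raw: 0x49465800
  value: "IFX"
TPM2_PT_FIRMWARE_VERSION_1:
  raw: 0x50028
"""

# Property name on one line, its `raw:` hex value on the next (assumed tpm2-tools layout).
_PROP_RE = re.compile(r"^(TPM2_PT_\w+):[ \t]*\n[ \t]+raw:[ \t]*(0x[0-9A-Fa-f]+)", re.MULTILINE)

AFFECTED_VENDOR = "IFX"
AFFECTED_MAJOR = 5
FIXED_IN = (5, 51)  # Infineon: "With the next FW version, e.g. FW5.51 the issue has been fixed"


def parse_properties_fixed(text: str) -> dict:
    """Map property names to their raw integer values."""
    return {name: int(raw, 16) for name, raw in _PROP_RE.findall(text)}


def manufacturer_id(raw: int) -> str:
    """TPM_PT_MANUFACTURER is four ASCII bytes, big-endian, NUL-padded."""
    return raw.to_bytes(4, "big").rstrip(b"\0").decode("ascii")


def fw_version_1(raw: int) -> tuple:
    """Split TPM_PT_FIRMWARE_VERSION_1 into (major, minor); 0x00050028 -> (5, 40)."""
    return (raw >> 16) & 0xFFFF, raw & 0xFFFF


def rsa_primary_context_erratum_applies(props: dict) -> bool:
    """True when the TPM is an Infineon 5.x part older than the 5.51 fix (assumption: all such builds)."""
    if manufacturer_id(props["TPM2_PT_MANUFACTURER"]) != AFFECTED_VENDOR:
        return False
    version = fw_version_1(props["TPM2_PT_FIRMWARE_VERSION_1"])
    return version[0] == AFFECTED_MAJOR and version < FIXED_IN


if __name__ == "__main__":
    props = parse_properties_fixed(SAMPLE_GETCAP)
    major, minor = fw_version_1(props["TPM2_PT_FIRMWARE_VERSION_1"])
    print(f"{manufacturer_id(props['TPM2_PT_MANUFACTURER'])} firmware {major}.{minor}")
    if rsa_primary_context_erratum_applies(props):
        print("affected: avoid long ContextSave/ContextLoad sequences on RSA primary keys")
```

Feed it the real listing (`tpm2_getcap properties-fixed | python3 check.py`-style, once the sample is swapped for stdin) before deciding whether a TPM_RC_FAILURE from TPM2_ContextLoad is a stack bug or this firmware erratum.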

danglus commented 6 years ago

@flihp have you received that NUC device?

I have a problem which I wasn't able to solve with Intel Support. The TPM on this NUC is installed with an old TPM version (5.40) that has a few known bugs. Anyway, I got an update package from Infineon, but I can't install it because it only works with a NULL platform password (and, apparently, Intel has changed it).

Thanks, Dan

snits commented 6 years ago

@danglus did they provide a link to their site for it? I'd be interested in whatever they've given as I have one of those systems.

danglus commented 6 years ago

Well, this is a real issue. I got the update from Infineon, but I can't install it on the NUC's TPM because the platform password is not NULL. I have had a very long discussion with Intel support about it; they asked me to install all kinds of, unfortunately, unrelated Windows-only update packages which didn't help. Additionally, so far they were reluctant to escalate this problem to higher support tiers.

@flihp, as an Intel employee, and an owner of one of those NUC any chance you could help here? (my ticket number Case #: 02977336 [ ref:_00DU0YT3c._5000Pc4utz:ref ]).

flihp commented 6 years ago

Let me ask around a bit. Not sure how this stuff works TBH. Not sure where to start asking really.

idesai commented 6 years ago

@danglus Typically platform hierarchy authorization is set to a random value at startup by early boot code. Start with information on BIOS: vendor, version, tpm configuration options, etc. Does infineon provide an EFI application to update firmware by any chance?

idesai commented 6 years ago

@danglus there is in fact an EFI update utility from Infineon. See issue #270. PS: What a coincidence that the tool was referenced by @musakontron on Oct 6th (today) last year :)

fs1:\TPMUpdate> TPMFactoryUpd.efi -update tpm20-emptyplatformauth -firmware TPM20_5.51.2098.0_to_TPM20_5.60.2677.0.BIN

gregelkin commented 6 years ago

To update the Infineon SLB9665 firmware on our boards (I am a BIOS dev for ericsson HDS8000 CSU01 implementation of the Intel RiverForest platform Intel LongBrook CRB based chipset port from Insyde software), I first have to run the Intel TXT provisioning tools script "ResetPlatformAuth sha256 TopSecret" from the UEFI shell to reset the Platform Authority to the “Empty Buffer”, but that needs the bunch of TXT provisioning files "TopSecret" (*.hash , .pdef . .idef . .wpdef etc), which are derived from the Insyde provided example provisioning files which I think are based on the Intel TXT provisioning files from the IBP (Intel Business Portal) doc#542298 TPM2ProvTool v0.7 , with the policy digest changed for our boards...

flihp commented 6 years ago

Thanks for the info @gregelkin, any chance the tools you're referring to are available to the public? Can you provide links?

gregelkin commented 6 years ago

The Infineon firmware update tool needs the Platform Hierarchy (policy to be satisfied? value is randomised by BIOS code?) to be in the "empty buffer" state, which I've achieved before for my platform by the TXT provisioning tool ResetPlatformAuth script with the policy/hash definition files that match the policy/hash in our BIOS. So even if the Intel provisioning tool/script were in public domain, it's unlikely that the definition files to match the customers BIOS PlatformHierarchy policy would be available to the public? I don't know what other way to get the Platform Hierarchy policy satisfied for the Infineon tool to let the firmware update work. It's a bit of a mess to be honest...

gregelkin commented 6 years ago

Some links at https://www.intel.com/content/www/us/en/embedded/products/grantley-refresh/software-and-drivers.html, whose downloads require an Intel "resource and design center" account registration & CNDA, but I also note that doc#542298 now says the tools/example provisioning scripts & definitions (which I got 2+ years ago from there) are in CDI/IBL# 563989, which I can't see outside of my IBP account anywhere.

flihp commented 6 years ago

I think flashing the firmware on these chips is about to get a lot more relevant: https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/