Bug 1126097
| Summary: | tpm-tools nvram utilities not working | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Stefan Berger <stefanb> |
| Component: | tpm-tools | Assignee: | Jerry Snitselaar <jsnitsel> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.0 | CC: | avagarwa, bhu, bugproxy, dmk, hannsj_uhl, jkachuck, jshortt, jsnitsel, martin.wilck, psztoch, sgrubb |
| Target Milestone: | rc | Keywords: | Patch |
| Target Release: | 7.4 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | tpm-tools-1.3.9-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-05-10 15:31:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 952372 | | |
| Bug Blocks: | 1203710, 1299988, 1353018, 1384447 | | |

Oh well, Bug 952372 says the same thing.

------- Comment From hannsj_uhl.com 2014-12-12 17:21 EDT-------

Hello Red Hat,
because there is a proposed solution available I would like to ask you whether this solution could be already made available with RHEL7.1 Snapshot 1 ..?
Please provide me your thoughts.
Thanks in advance for your support.

AFAICS this problem persists in RHEL 7.2

See above 'Target Release: 7.1 → 7.3'. What needs to be done is described above.

Red Hat, it doesn't make sense to me to delay reverting the obviously broken patch Stefan quoted in the bug description for 3 minor releases. If this is the meaning of a package not being "on the approved component list", I reckon it'd be wiser to simply discard the package from RHEL, or officially declare it as unsupported.

Martin

Hello Red Hat / Avesh,
... is the fix for this bugzilla planned to be included in RHEL7.3 ...?
Please confirm or advise ...
Thanks in advance for your support.

(In reply to Hanns-Joachim Uhl from comment #11)
> Hello Red Hat / Avesh,
> ... is the fix for this bugzilla planned to be included in RHEL7.3 ...?
> Please confirm or advise ...
> Thanks in advance for your support.

Hello Red Hat / Avesh, Joe,
... now that RHEL7.3 is closing is the fix for this bugzilla planned to be included in RHEL7.3 ...?
Please confirm or advise ...
Thanks in advance for your support.

Hello,
At current this has not been accepted for RHEL 7.3 yet.
Thank You
Joe Kachuck

Hello Red Hat / Jerry,
... will this bugzilla be fixed with the coming RHEL7.4 ...?
Please advise ...
Thanks in advance for your support.

Yes, that patch is dropped in the version I have built for 7.4

Dear RH Crew,
That sounds like a joke. Please, repair tpm_nv*!

```
[root@localhost jsnitsel]# rpm -q tpm-tools
tpm-tools-1.3.8-6.el7.x86_64
[root@localhost jsnitsel]# tpm_nvinfo
NVRAM index : 0x10000001 (268435457)
PCR read selection:
PCR write selection:
Permissions : 0x00000000 ()
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 0 (0x0)

NVRAM index : 0x1000f000 (268496896)
PCR read selection:
PCR write selection:
Permissions : 0x00000000 ()
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 0 (0x0)

NVRAM index : 0x50000003 (1342177283)
PCR read selection:
PCR write selection:
Permissions : 0x00000000 ()
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 0 (0x0)

NVRAM index : 0x50000001 (1342177281)
PCR read selection:
PCR write selection:
Permissions : 0x00000000 ()
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 0 (0x0)
```

```
[root@localhost jsnitsel]# rpm -q tpm-tools
tpm-tools-1.3.9-1.el7.x86_64
[root@localhost jsnitsel]# tpm_nvinfo
NVRAM index : 0x10000001 (268435457)
PCR read selection:
 Localities : ALL
PCR write selection:
 Localities : ALL
Permissions : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 20 (0x14)
...
[root@localhost jsnitsel]# tpm_nvread -i 0x10000001
00000000 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06
00000010 06 06 06 06
```

------- Comment From stefanb.com 2017-05-03 11:04 EDT-------

I verified that the TPM tools version tpm-tools-1.3.9-1.el7.x86_64 is working correctly on my system:

```
[root@sbct-1 ~]# rpm -q -a | grep tpm-tools
[root@sbct-1 ~]# tpm_nvinfo
[root@sbct-1 ~]# tpm_nvdefine -i 1 -s 12 --pwda -p "AUTHREAD|AUTHWRITE" --pwdo
Enter owner password:
Enter NVRAM data password:
Confirm password:
Successfully created NVRAM area at index 0x1 (1).
[root@sbct-1 ~]# tpm_nvwrite -i 1 -d "Hello world" -p
Enter NVRAM access password:
Successfully wrote 11 bytes at offset 0 to NVRAM index 0x1 (1).
[root@sbct-1 ~]# tpm_nvread -i 1 -p
Enter NVRAM access password:
00000000 48 65 6c 6c 6f 20 77 6f 72 6c 64 ff Hello world
[root@sbct-1 ~]# tpm_nvinfo
NVRAM index : 0x00000001 (1)
Localities : ALL
Localities : ALL
Permissions : 0x00040004 (AUTHREAD|AUTHWRITE)
Size : 12 (0xc)
[root@sbct-1 ~]# tpm_nvrelease -i 1 -o
Enter owner password:
Successfully released NVRAM area at index 0x1 (1).
[root@sbct-1 ~]# tpm_nvinfo
Localities : ALL
Localities : ALL
Permissions : 0x00001002 (WRITEALL|OWNERWRITE)
Size : 20 (0x14)
```

That entry above got completely mangled. Here's the correct one:

I verified that the TPM tools version tpm-tools-1.3.9-1.el7.x86_64 is working correctly on my system:

```
[root@sbct-1 ~]# rpm -q -a | grep tpm-tools
tpm-tools-1.3.9-1.el7.x86_64
[root@sbct-1 ~]# tpm_nvinfo
NVRAM index : 0x10000001 (268435457)
PCR read selection:
 Localities : ALL
PCR write selection:
 Localities : ALL
Permissions : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 20 (0x14)
[root@sbct-1 ~]# tpm_nvdefine -i 1 -s 12 --pwda -p "AUTHREAD|AUTHWRITE" --pwdo
Enter owner password:
Enter NVRAM data password:
Confirm password:
Successfully created NVRAM area at index 0x1 (1).
[root@sbct-1 ~]# tpm_nvwrite -i 1 -d "Hello world" -p
Enter NVRAM access password:
Successfully wrote 11 bytes at offset 0 to NVRAM index 0x1 (1).
[root@sbct-1 ~]# tpm_nvread -i 1 -p
Enter NVRAM access password:
00000000 48 65 6c 6c 6f 20 77 6f 72 6c 64 ff Hello world
[root@sbct-1 ~]# tpm_nvinfo
NVRAM index : 0x10000001 (268435457)
PCR read selection:
 Localities : ALL
PCR write selection:
 Localities : ALL
Permissions : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 20 (0x14)

NVRAM index : 0x00000001 (1)
PCR read selection:
 Localities : ALL
PCR write selection:
 Localities : ALL
Permissions : 0x00040004 (AUTHREAD|AUTHWRITE)
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 12 (0xc)
[root@sbct-1 ~]# tpm_nvrelease -i 1 -o
Enter owner password:
Successfully released NVRAM area at index 0x1 (1).
[root@sbct-1 ~]# tpm_nvinfo
NVRAM index : 0x10000001 (268435457)
PCR read selection:
 Localities : ALL
PCR write selection:
 Localities : ALL
Permissions : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 20 (0x14)
```

Thanks for the verification Stefan.

*** This bug has been marked as a duplicate of bug 1384447 ***

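The difference between the tpm-tools-1.3.8-6.el7 and tpm-tools-1.3.9-1.el7 outputs quoted in the comments above can be checked mechanically. This is an added example, not part of the bug report or of tpm-tools: `check_nvinfo`, `sample_broken` and `sample_fixed` are hypothetical names, the sample text is constructed from the outputs quoted on this page, and treating "Permissions 0x00000000 with Size 0" as the symptom is a heuristic assumption.

```shell
# Added example, not part of the bug report or of tpm-tools.
# Assumption: Permissions 0x00000000 together with Size 0 marks a record
# that was not decoded, as in the tpm-tools-1.3.8-6.el7 output above.

# check_nvinfo (hypothetical name): reads tpm_nvinfo output on stdin, prints
# one line per suspect index and returns 1 if any was found, else 0.
check_nvinfo() {
    awk '
        function emit() {
            if (seen && perm == "0x00000000" && size == "0") {
                printf "suspect index %s: no permissions, size 0\n", idx
                bad = 1
            }
        }
        /^[ \t]*NVRAM index/ { emit(); seen = 1; idx = $4; perm = ""; size = "" }
        /^[ \t]*Permissions/ { perm = $3 }
        /^[ \t]*Size/        { size = $3 }
        END                  { emit(); exit (bad ? 1 : 0) }
    '
}

# Constructed samples, shortened from the outputs quoted in this report.
sample_broken() {
    cat <<'EOF'
NVRAM index : 0x10000001 (268435457)
PCR read selection:
PCR write selection:
Permissions : 0x00000000 ()
Size : 0 (0x0)

NVRAM index : 0x1000f000 (268496896)
Permissions : 0x00000000 ()
Size : 0 (0x0)
EOF
}

sample_fixed() {
    cat <<'EOF'
NVRAM index : 0x10000001 (268435457)
PCR read selection:
 Localities : ALL
PCR write selection:
 Localities : ALL
Permissions : 0x00001002 (WRITEALL|OWNERWRITE)
Size : 20 (0x14)
EOF
}
```

On a host with a TPM, the same check is `tpm_nvinfo | check_nvinfo`.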
Description of problem:

tpm_nvread -i 0x10000001 is not returning any result
tpm_nvinfo returns wrong result

Version-Release number of selected component (if applicable):

tpm-tools-1.3.8-6.el7

How reproducible:

Steps to Reproduce:
1. tpm_nvinfo
2.
3.

Actual results:
(the result is TPM-dependent)

```
# tpm_nvinfo
NVRAM index : 0x10000001 (268435457)
PCR read selection:
PCR write selection:
Permissions : 0x00000000 ()
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 0 (0x0)
# tpm_info -i 0x10000001
```

Expected results:

```
# tpm_nvinfo
NVRAM index : 0x10000001 (268435457)
PCR read selection:
 Localities : ALL
PCR write selection:
 Localities : ALL
Permissions : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear : TRUE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 20 (0x14)
# tpm_nvread -i 0x10000001
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010 00 00 00 00
```

Additional info:

[SOLUTION]
Remove the following part from the patch tpm-tools-1.3.7-build.patch to solve the problem. (maybe this part had been necessary a while ago to a mismatch between trousers and tpm-tools? this part must not be patched anymore!)

REMOVE:

diff -urp tpm-tools-1.3.8.orig/lib/tpm_tspi.c tpm-tools-1.3.8/lib/tpm_tspi.c --- tpm-tools-1.3.8.orig/lib/tpm_tspi.c 2011-08-17 08:20:35.000000000 -0400 +++ tpm-tools-1.3.8/lib/tpm_tspi.c 2012-06-21 13:07:29.654445942 -0400 @@ -702,14 +702,14 @@ TSS_RESULT unloadNVDataPublic(UINT64 *offset, BYTE *blob, UINT32 blob_len, TPM_NV_DATA_PUBLIC *v) { UINT64 off = *offset; - TSS_RESULT result; - result = Trspi_UnloadBlob_NV_DATA_PUBLIC(&off, blob, NULL); + TSS_RESULT result = TSS_SUCCESS; +/* result = Trspi_UnloadBlob_NV_DATA_PUBLIC(&off, blob, NULL); if (result == TSS_SUCCESS) { if (off > blob_len) return TSS_E_BAD_PARAMETER; result = Trspi_UnloadBlob_NV_DATA_PUBLIC(offset, blob, v); } - tspiResult("Trspi_UnloadBlob_NV_DATA_PUBLIC", result); + tspiResult("Trspi_UnloadBlob_NV_DATA_PUBLIC", result); */ return result; }
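
Review bot: In unloadNVDataPublic() the `/*` opened before `result = Trspi_UnloadBlob_NV_DATA_PUBLIC(&off, blob, NULL);` and closed after the tspiResult() call disables the whole body while `result` is now initialised to TSS_SUCCESS, so the function reports success without filling `v`, advancing `*offset`, or running the `off > blob_len` check against the blob length. A caller cannot tell that nothing was parsed, which is consistent with the empty permissions and size 0 shown in the tpm_nvinfo output in this report. Drop this hunk from tpm-tools-1.3.7-build.patch so that both Trspi_UnloadBlob_NV_DATA_PUBLIC calls and the length check stay active; if the call ever has to be stubbed out for a build reason, return an error code rather than TSS_SUCCESS and state the reason in a comment next to the stub.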