1126097 – tpm-tools nvram utilities not working

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1126097 - tpm-tools nvram utilities not working

Summary: tpm-tools nvram utilities not working

Keywords:
Status:	CLOSED DUPLICATE of bug 1384447
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	tpm-tools
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	7.4
Assignee:	Jerry Snitselaar
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	952372
Blocks:	1203710 1299988 1353018 1384447
TreeView+	depends on / blocked

Reported:	2014-08-01 21:04 UTC by Stefan Berger
Modified:	2017-05-10 15:31 UTC (History)
CC List:	11 users (show)
Fixed In Version:	tpm-tools-1.3.9-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-05-10 15:31:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
IBM Linux Technology Center	119710	0	None	None	None	Never

Description Stefan Berger 2014-08-01 21:04:26 UTC

Description of problem:

tpm_nvread -i 0x10000001   is not returning any result
tpm_nvinfo                 returns wrong result


Version-Release number of selected component (if applicable):


tpm-tools-1.3.8-6.el7

How reproducible:


Steps to Reproduce:
1. tpm_nvinfo
2.
3.

Actual results:

(the result is TPM-dependent)

# tpm_nvinfo
NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
PCR write selection:
Permissions   : 0x00000000 ()
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 0 (0x0)

# tpm_info -i 0x10000001

Expected results:

# tpm_nvinfo 
NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear  : TRUE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)

# tpm_nvread -i 0x10000001
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                  
00000010  00 00 00 00                        

Additional info:  [SOLUTION]

Remove the following part from the patch tpm-tools-1.3.7-build.patch to solve the problem. (maybe this part had been necessary a while ago to a mismatch between trousers and tpm-tools?  this part must not be patched anymore!)

REMOVE:

diff -urp tpm-tools-1.3.8.orig/lib/tpm_tspi.c tpm-tools-1.3.8/lib/tpm_tspi.c
--- tpm-tools-1.3.8.orig/lib/tpm_tspi.c 2011-08-17 08:20:35.000000000 -0400
+++ tpm-tools-1.3.8/lib/tpm_tspi.c      2012-06-21 13:07:29.654445942 -0400
@@ -702,14 +702,14 @@ TSS_RESULT
 unloadNVDataPublic(UINT64 *offset, BYTE *blob, UINT32 blob_len, TPM_NV_DATA_PUBLIC *v)
 {
        UINT64 off = *offset;
-       TSS_RESULT result;
-       result = Trspi_UnloadBlob_NV_DATA_PUBLIC(&off, blob, NULL);
+       TSS_RESULT result = TSS_SUCCESS;
+/*     result = Trspi_UnloadBlob_NV_DATA_PUBLIC(&off, blob, NULL);
        if (result == TSS_SUCCESS) {
                if (off > blob_len)
                        return TSS_E_BAD_PARAMETER;
                result = Trspi_UnloadBlob_NV_DATA_PUBLIC(offset, blob, v);
        }
-       tspiResult("Trspi_UnloadBlob_NV_DATA_PUBLIC", result);
+       tspiResult("Trspi_UnloadBlob_NV_DATA_PUBLIC", result); */
        return result;
 }

Comment 2 Stefan Berger 2014-08-01 21:13:32 UTC

Oh well, Bug 952372  says the same thing.

Comment 3 IBM Bug Proxy 2014-12-12 17:30:39 UTC

------- Comment From hannsj_uhl.com 2014-12-12 17:21 EDT-------
.

Comment 4 Hanns-Joachim Uhl 2014-12-12 17:39:16 UTC

Hello Red Hat,
because there is a proposed solution available I would like to ask you
whether this solution could be already made available with RHEL7.1 Snapshot 1 ..?
Please provide me your thoughts.
Thanks in advance for your support.

Comment 8 Martin Wilck 2016-02-04 15:46:59 UTC

AFAICS this problem persists in RHEL 7.2

Comment 9 Stefan Berger 2016-02-04 15:55:42 UTC

See above 'Target Release: 7.1 → 7.3'. What needs to be done is described above.

Comment 10 Martin Wilck 2016-02-08 11:10:16 UTC

Red Hat, 

it doesn't make sense to me to delay reverting the obviously broken patch Stefan quoted in the bug description for 3 minor releases.

If this is the meaning of a package not being "on the approved component list", I reckon it'd be wiser to simply discard the package from RHEL, or officially declare it as unsupported.

Martin

Comment 11 Hanns-Joachim Uhl 2016-05-13 12:32:09 UTC

Hello Red Hat / Avesh,
... is the fix for this bugzilla planned to be included in RHEL7.3 ...?
Please confirm or advise ...
Thanks in advance for your support.

Comment 12 Hanns-Joachim Uhl 2016-06-24 12:13:04 UTC

(In reply to Hanns-Joachim Uhl from comment #11)
> Hello Red Hat / Avesh,
> ... is the fix for this bugzilla planned to be included in RHEL7.3 ...?
> Please confirm or advise ...
> Thanks in advance for your support.
.
Hello Red Hat / Avesh, Joe,
... now that RHEL7.3 is closing is the fix for this bugzilla planned 
to be included in RHEL7.3 ...?
Please confirm or advise ...
Thanks in advance for your support.

Comment 13 Joseph Kachuck 2016-07-11 16:18:58 UTC

Hello,
At current this has not been accepted for RHEL 7.3 yet.

Thank You
Joe Kachuck

Comment 14 Hanns-Joachim Uhl 2017-04-04 06:57:34 UTC

Hello Red Hat / Jerry,
... will this bugzilla be fixed with the coming RHEL7.4 ...?
Please advise ...
Thanks in advance for your support.

Comment 15 Jerry Snitselaar 2017-04-04 07:36:11 UTC

Yes, that patch is dropped in the version I have built for 7.4

Comment 16 Przemyslaw Sztoch 2017-05-02 23:59:18 UTC

Dear RH Crew,
That sounds like a joke.
Please, repair tpm_nv*!

Comment 17 Jerry Snitselaar 2017-05-03 00:47:48 UTC

[root@localhost jsnitsel]# rpm -q tpm-tools
tpm-tools-1.3.8-6.el7.x86_64
[root@localhost jsnitsel]# tpm_nvinfo
NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
PCR write selection:
Permissions   : 0x00000000 ()
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 0 (0x0)

NVRAM index   : 0x1000f000 (268496896)
PCR read  selection:
PCR write selection:
Permissions   : 0x00000000 ()
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 0 (0x0)

NVRAM index   : 0x50000003 (1342177283)
PCR read  selection:
PCR write selection:
Permissions   : 0x00000000 ()
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 0 (0x0)

NVRAM index   : 0x50000001 (1342177281)
PCR read  selection:
PCR write selection:
Permissions   : 0x00000000 ()
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 0 (0x0)
[root@localhost jsnitsel]# rpm -q tpm-tools
tpm-tools-1.3.9-1.el7.x86_64
[root@localhost jsnitsel]# tpm_nvinfo
NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)
...
[root@localhost jsnitsel]# tpm_nvread -i 0x10000001
00000000  06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06                  
00000010  06 06 06 06

Comment 18 IBM Bug Proxy 2017-05-03 15:11:14 UTC

------- Comment From stefanb.com 2017-05-03 11:04 EDT-------
I verified that the TPM tools version tpm-tools-1.3.9-1.el7.x86_64 is working correctly on my system:

[root@sbct-1 ~]# rpm -q -a | grep tpm-tools

[root@sbct-1 ~]# tpm_nvinfo

[root@sbct-1 ~]# tpm_nvdefine -i 1 -s 12 --pwda -p "AUTHREAD|AUTHWRITE" --pwdo
Enter owner password:
Enter NVRAM data password:
Confirm password:
Successfully created NVRAM area at index 0x1 (1).

[root@sbct-1 ~]# tpm_nvwrite -i 1 -d "Hello world" -p
Enter NVRAM access password:
Successfully wrote 11 bytes at offset 0 to NVRAM index 0x1 (1).

[root@sbct-1 ~]# tpm_nvread -i 1 -p
Enter NVRAM access password:
00000000  48 65 6c 6c 6f 20 77 6f 72 6c 64 ff              Hello world
[root@sbct-1 ~]# tpm_nvinfo

NVRAM index   : 0x00000001 (1)
Localities   : ALL
Localities   : ALL
Permissions   : 0x00040004 (AUTHREAD|AUTHWRITE)
Size          : 12 (0xc)

[root@sbct-1 ~]# tpm_nvrelease -i 1 -o
Enter owner password:
Successfully released NVRAM area at index 0x1 (1).

[root@sbct-1 ~]# tpm_nvinfo
Localities   : ALL
Localities   : ALL
Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
Size          : 20 (0x14)

Comment 19 Stefan Berger 2017-05-03 15:27:31 UTC

That entry above got completely mangled. Here's the correct one:

I verified that the TPM tools version tpm-tools-1.3.9-1.el7.x86_64 is working correctly on my system:

[root@sbct-1 ~]# rpm -q -a | grep tpm-tools
tpm-tools-1.3.9-1.el7.x86_64

[root@sbct-1 ~]# tpm_nvinfo
NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)

[root@sbct-1 ~]# tpm_nvdefine -i 1 -s 12 --pwda -p "AUTHREAD|AUTHWRITE" --pwdo
Enter owner password:
Enter NVRAM data password:
Confirm password:
Successfully created NVRAM area at index 0x1 (1).

[root@sbct-1 ~]# tpm_nvwrite -i 1 -d "Hello world" -p
Enter NVRAM access password:
Successfully wrote 11 bytes at offset 0 to NVRAM index 0x1 (1).

[root@sbct-1 ~]# tpm_nvread -i 1 -p
Enter NVRAM access password:
00000000  48 65 6c 6c 6f 20 77 6f 72 6c 64 ff              Hello world
[root@sbct-1 ~]# tpm_nvinfo
NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)

NVRAM index   : 0x00000001 (1)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00040004 (AUTHREAD|AUTHWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 12 (0xc)

[root@sbct-1 ~]# tpm_nvrelease -i 1 -o
Enter owner password:
Successfully released NVRAM area at index 0x1 (1).

[root@sbct-1 ~]# tpm_nvinfo
NVRAM index   : 0x10000001 (268435457)
PCR read  selection:
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00001002 (WRITEALL|OWNERWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 20 (0x14)

Comment 20 Jerry Snitselaar 2017-05-03 15:50:16 UTC

Thanks for the verification Stefan.

Comment 23 Jerry Snitselaar 2017-05-10 15:31:21 UTC


*** This bug has been marked as a duplicate of bug 1384447 ***

Note You need to log in before you can comment on or make changes to this bug.