
Chromebook cr50: not able to seal secret in nvram #3434

Open
tlaurion opened this issue Nov 16, 2024 · 6 comments
Comments

@tlaurion

The white rabbit to be followed is why the CR50 TPM refuses to add the TPM DUK NV region into the TPM, which doesn't seem supported on CR50; not sure why:

TRACE: /bin/tpmr(32): main
TRACE: /bin/tpmr(413): tpm2_seal
DEBUG: tpm2_seal: file=/tmp/secret/secret.key handle=0x81000003 pcrl=0,1,2,3,4,5,6,7 pcrf=/tmp/secret/pcrf.bin pass=<hidden>
LOG: tpmr stderr: WARNING:esys:src/tss2-esys/api/Esys_PolicyPassword.c:292:Esys_PolicyPassword_Finish() Received TPM Error 
LOG: tpmr stderr: ERROR:esys:src/tss2-esys/api/Esys_PolicyPassword.c:106:Esys_PolicyPassword() Esys Finish ErrorCode (0x000b0143) 
LOG: tpmr stderr: ERROR: Esys_PolicyPassword(0xB0143) - rmt:error(2.0): command code not supported
LOG: tpmr stderr: ERROR: Could not build policyauthvalue TPM
LOG: tpmr stderr: ERROR: Unable to run policypassword

Originally posted by @tlaurion in linuxboot/heads#1658 (comment)

@tlaurion tlaurion changed the title Chromebook cr50: not able to seal secret nvram Chromebook cr50: not able to seal secret in nvram Nov 16, 2024
@tlaurion
Author

tlaurion commented Nov 16, 2024

Related ErrorCode (0x000b0143)? tpm2-software/tpm2-tss#1063

@tlaurion
Author

Maybe cr50 doesn't support specific nvram region secret sealing? MrChromebox/firmware#626

@JuergenReppSIT
Member

The error message says that the command TPM2_PolicyPassword is not implemented in the Cr50 firmware.
With the command tpm2_getcap commands you can list all available commands.

@tlaurion
Author

tlaurion commented Nov 20, 2024

The error message says that the command TPM2_PolicyPassword is not implemented in the Cr50 firmware.

I wish I had access to a machine with a CR50...
Two logs at linuxboot/heads#1658 (comment): the first one applies the same policy, and succeeds. The only difference I see with the second log (which works on a normal tpm2 but not here) is a sealing in a separate, distinct nvram reapplying the policy (which succeeds on a typical tpm2 for all non-cr50 TPMs under Heads...)

With the command tpm2_getcap commands you can list all available commands.

@mdrobnak can you post output of the command here?

@mdrobnak

Of course - that's an easy one.
Ran in Qubes on the Dom0 terminal... It's 693 lines so I'm attaching it.

-Matt
cr50_getcap_commands.txt

@tlaurion
Author

Of course - that's an easy one.
Ran in Qubes on the Dom0 terminal... It's 693 lines so I'm attaching it.

-Matt
cr50_getcap_commands.txt

TPM2_PolicyPassword is effectively not part of the supported capabilities.
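As an added example (not code from Heads, tpmr, or anyone in this thread), here is the preflight check the two comments above amount to: run `tpm2_getcap commands` once, and refuse to start the seal unless every command the seal path needs is listed, choosing `tpm2_policyauthvalue` over `tpm2_policypassword` when only TPM2_PolicyAuthValue is advertised. The embedded getcap excerpt is constructed, laid out in the YAML style tpm2-tools prints (an assumption about the format; the real 693-line file is attached above, not reproduced), and it deliberately omits TPM2_CC_PolicyPassword to mirror the Cr50 report. Whether Cr50 actually implements TPM2_PolicyAuthValue is not established on this page; the sample assumes it for illustration.

```shell
#!/bin/sh
# Constructed excerpt of `tpm2_getcap commands` output (tpm2-tools YAML
# style, assumed). PolicyPassword is intentionally absent; PolicyAuthValue
# is present only as an assumption for the fallback path.
GETCAP_SAMPLE='- TPM2_CC_NV_DefineSpace:
  commandIndex: 0x12a
- TPM2_CC_PolicyAuthValue:
  commandIndex: 0x16b
- TPM2_CC_PolicyPCR:
  commandIndex: 0x17f
- TPM2_CC_NV_Write:
  commandIndex: 0x137
'

# tpm_has_cc FILE NAME: succeed if NAME appears as a top-level list entry.
tpm_has_cc() {
    grep -q "^- $2:" "$1"
}

# pick_auth_policy FILE: print the tpm2-tools command that binds the
# authValue into the policy, preferring PolicyPassword (what tpmr uses),
# falling back to PolicyAuthValue, failing if the TPM offers neither.
pick_auth_policy() {
    if tpm_has_cc "$1" TPM2_CC_PolicyPassword; then
        echo tpm2_policypassword
    elif tpm_has_cc "$1" TPM2_CC_PolicyAuthValue; then
        echo tpm2_policyauthvalue
    else
        echo "TPM supports neither PolicyPassword nor PolicyAuthValue" >&2
        return 1
    fi
}

# seal_preflight FILE: verify the NV-seal path can complete before any
# NV index is defined, so we never fail halfway with rc 0xB0143.
seal_preflight() {
    f=$1
    for cc in TPM2_CC_PolicyPCR TPM2_CC_NV_DefineSpace TPM2_CC_NV_Write; do
        tpm_has_cc "$f" "$cc" || { echo "missing $cc" >&2; return 1; }
    done
    pick_auth_policy "$f"
}

main() {
    tmp=$(mktemp)
    printf '%s' "$GETCAP_SAMPLE" > "$tmp"
    # On real hardware replace the line above with:
    #   tpm2_getcap commands > "$tmp"
    seal_preflight "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

main
```

On the constructed input the preflight prints `tpm2_policyauthvalue`; on a getcap dump that lists TPM2_CC_PolicyPassword it prints `tpm2_policypassword`, and on one listing neither it exits non-zero before any NV space is touched.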
