
Chromebook cr50: not able to seal secret in nvram

Open tlaurion opened this issue 1 year ago • 6 comments

The white rabbit to be followed is why CR50 TPM refuses to add TPM DUK nv region into TPM, which doesn't seem supported on CR50; not sure why:

TRACE: /bin/tpmr(32): main
TRACE: /bin/tpmr(413): tpm2_seal
DEBUG: tpm2_seal: file=/tmp/secret/secret.key handle=0x81000003 pcrl=0,1,2,3,4,5,6,7 pcrf=/tmp/secret/pcrf.bin pass=<hidden>
LOG: tpmr stderr: WARNING:esys:src/tss2-esys/api/Esys_PolicyPassword.c:292:Esys_PolicyPassword_Finish() Received TPM Error 
LOG: tpmr stderr: ERROR:esys:src/tss2-esys/api/Esys_PolicyPassword.c:106:Esys_PolicyPassword() Esys Finish ErrorCode (0x000b0143) 
LOG: tpmr stderr: ERROR: Esys_PolicyPassword(0xB0143) - rmt:error(2.0): command code not supported
LOG: tpmr stderr: ERROR: Could not build policyauthvalue TPM
LOG: tpmr stderr: ERROR: Unable to run policypassword

Originally posted by @tlaurion in https://github.com/linuxboot/heads/issues/1658#issuecomment-2136000413

tlaurion avatar Nov 16 '24 20:11 tlaurion

Related ErrorCode (0x000b0143)? https://github.com/tpm2-software/tpm2-tss/issues/1063

tlaurion avatar Nov 16 '24 20:11 tlaurion

Maybe cr50 doesn't support specific nvram region secret sealing? https://github.com/MrChromebox/firmware/issues/626

tlaurion avatar Nov 16 '24 21:11 tlaurion

The error message says that the command TPM2_PolicyPassword is not implemented in the Cr50 firmware. With the command tpm2_getcap commands you can list all available commands.

JuergenReppSIT avatar Nov 17 '24 09:11 JuergenReppSIT
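As an added illustration of the check suggested in the comment above (this is not code from the thread, tpm2-tools or Heads), the script below takes a saved listing from `tpm2_getcap commands` and reports whether the policy commands used by a PCR-plus-password seal are present. The listing it ships with is constructed to mimic the YAML-style layout tpm2-tools prints, deliberately omitting TPM2_CC_PolicyPassword to mirror the Cr50 behaviour reported here; it is not the attached cr50_getcap_commands.txt. The command codes (0x17f for TPM2_PolicyPCR, 0x16b for TPM2_PolicyAuthValue, 0x18c for TPM2_PolicyPassword) are the TPM_CC constants from the TPM 2.0 library specification, Part 2.

```shell
#!/bin/sh
# Added example: decide from a `tpm2_getcap commands` listing whether a TPM
# implements the commands a given policy needs. Not part of tpm2-tools or Heads.

# write_sample_getcap <path>: constructed sample in tpm2-tools' YAML-style
# layout. TPM2_CC_PolicyPassword is intentionally absent, as on the Cr50
# listing discussed in this issue.
write_sample_getcap() {
    cat > "$1" <<'EOF'
TPM2_CC_PolicyAuthValue:
  value: 0x16B
  commandIndex: 0x16b
  reserved1: 0x0
  nv: 0
  extensive: 0
  flushed: 0
  cHandles: 0x1
  rHandle: 0
  v: 0
  reserved2: 0x0
TPM2_CC_PolicyPCR:
  value: 0x17F
  commandIndex: 0x17f
  reserved1: 0x0
  nv: 0
  extensive: 0
  flushed: 0
  cHandles: 0x1
  rHandle: 0
  v: 0
  reserved2: 0x0
EOF
}

# tpm_supports_command <TPM2_CC_name> <command-code-hex> <listing-file>
# Returns 0 if the listing names the command, either by its symbolic name
# (newer tpm2-tools) or by its numeric commandIndex (older, numeric-only
# output); 1 otherwise. Hex case is normalised before comparison.
tpm_supports_command() {
    name="$1"
    cc="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    file="$3"
    if grep -qiE "^${name}:[[:space:]]*$" "$file"; then
        return 0
    fi
    if grep -E "commandIndex:" "$file" | tr 'A-F' 'a-f' \
        | grep -qE "commandIndex:[[:space:]]*${cc}\$"; then
        return 0
    fi
    return 1
}

# check_seal_prereqs <listing-file>: report each policy command a
# PCR+password seal relies on, return 0 only if all are present.
# TPM_CC values per TPM 2.0 Part 2: PolicyPCR 0x17f, PolicyPassword 0x18c.
check_seal_prereqs() {
    file="$1"
    missing=0
    for entry in "TPM2_CC_PolicyPCR 0x17f" "TPM2_CC_PolicyPassword 0x18c"; do
        set -- $entry
        if tpm_supports_command "$1" "$2" "$file"; then
            echo "ok:      $1 ($2)"
        else
            echo "MISSING: $1 ($2)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh check_getcap.sh cr50_getcap_commands.txt
# With no argument, the constructed sample listing is checked instead.
if [ "$#" -ge 1 ]; then
    check_seal_prereqs "$1" || true
else
    sample="$(mktemp)"
    write_sample_getcap "$sample"
    check_seal_prereqs "$sample" || true
    rm -f "$sample"
fi
```

Run it against a real capture with `tpm2_getcap commands > caps.txt && sh check_getcap.sh caps.txt`; a MISSING line for TPM2_CC_PolicyPassword is the condition under which the `command code not supported` (0x143) error in the log above is expected.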

The error message says that the command TPM2_PolicyPassword is not implemented in the Cr50 firmware.

I wish I had access to a machine with a CR50... Two logs at https://github.com/linuxboot/heads/pull/1658#issuecomment-2136075503, the first one applies the same policy, and succeeds. The only difference I see with the second log (which works on normal tpm2 but not here) is a sealing in a separate, distinct nvram reapplying policy (which succeeds on typical tpm2 for all non cr50 tpm under Heads...)

With the command tpm2_getcap commands you can list all available commands.

@mdrobnak can you post output of the command here?

tlaurion avatar Nov 20 '24 04:11 tlaurion

Of course - that's an easy one. Ran in Qubes on the Dom0 terminal... It's 693 lines so I'm attaching it.

-Matt cr50_getcap_commands.txt

mdrobnak avatar Nov 20 '24 04:11 mdrobnak

Of course - that's an easy one. Ran in Qubes on the Dom0 terminal... It's 693 lines so I'm attaching it.

-Matt cr50_getcap_commands.txt

TPM2_PolicyPassword is effectively not part of the supported capabilities.

tlaurion avatar Nov 21 '24 02:11 tlaurion