#1006726 trousers: Write to device /dev/tpm0 failed

Package:
trousers
Source:
trousers
Description:
open-source TCG Software Stack (daemon)
Submitter:
Pieter-Jan Crommen
Date:
2022-03-03 15:42:03 UTC
Severity:
important
#1006726#5
Date:
2022-03-03 15:38:28 UTC
Dear Maintainer,

   * What led up to the situation?
        Running tpm_takeownership to take ownership of my TPM

        Lenovo W530 MTM 2447-6S8 (TPM chip: ST19NP18)

        TPM 1.2 Version Info:
        Chip Version: 1.2.13.12
        Spec Level: 2
        Errata Revision: 3
        TPM Vendor ID: STM
        Vendor Specific data: 50
        TPM Version: 01010000
        Manufacturer Info: 53544d20

   * What exactly did you do (or not do) that was effective (or ineffective)?
        First I tried to send the following commands to /dev/tpm0 before taking ownership.

        TMP_PhysicalPresence -> CMD_ENABLE

        python3 -c 'f=open("/dev/tpm0", "r+b", buffering=0); f.write(b"\x00\xC1\x00\x00\x00\x0C\x40\x00\x00\x0A\x00\x20"); print(f.readall())'
        returns \x00\xc4\x00\x00\x00\n\x00\x00\x00\x03 -> One or more parameter is bad

        FROM single user mode.

        tpm_setpresence --enable-cmd
        returns Tspi_TPM_SetStatus failed: 0x00000003 - layer=tpm, code=0003 (3), Bad Parameter
        Change to Command Enable Failed

        TMP_PhysicalPresence -> PRESENCE_PRESENT

        python3 -c 'f=open("/dev/tpm0", "r+b", buffering=0); f.write(b"\x00\xC1\x00\x00\x00\x0C\x40\x00\x00\x0A\x00\x08"); print(f.readall())'
        returns \x00\xc4\x00\x00\x00\n\x00\x00\x00\x00 [success]

        TPM_PhysicalEnable

        python3 -c 'f=open("/dev/tpm0", "r+b", buffering=0); f.write(b"\x00\xC1\x00\x00\x00\x0A\x00\x00\x00\x6F"); print(f.readall())'
        returns \x00\xc4\x00\x00\x00\n\x00\x00\x00\x00 [success]

        TPM_PhysicalSetDeactivated (FALSE)

        python3 -c 'f=open("/dev/tpm0", "r+b", buffering=0); f.write(b"\x00\xC1\x00\x00\x00\x0B\x00\x00\x00\x72\x00"); print(f.readall())'
        returns \x00\xc4\x00\x00\x00\n\x00\x00\x00\x00 [success]

        TPM_SelfTestFull

        python3 -c 'f=open("/dev/tpm0", "r+b", buffering=0); f.write(b"\x00\xC1\x00\x00\x00\x0A\x00\x00\x00\x50"); print(f.readall())'
        returns \x00\xc4\x00\x00\x00\n\x00\x00\x00\x00 [success]

        Starting tcsd in foreground (/usr/sbin/tcsd -f)

        Next running tpm_takeownership fails with Tspi_TPM_TakeOwnership failed: 0x00001087 - layer=tddl, code=0087 (135), I/O error
        TCSD reports 0x26.

        Rerunning tpm_takeownership failed with 0x00000026 - layer=tpm, code=0026 (38), Invalid POST init sequence.
        I need to stop tcsd and send the following command to /dev/tpm0 before tcsd is usable again or use tss1startup (ibm-tss)

        TPM_Startup(ST_CLEAR)

        python3 -c 'f=open("/dev/tpm0", "r+b", buffering=0); f.write(b"\x00\xC1\x00\x00\x00\x0C\x00\x00\x00\x99\x00\x01"); print(f.readall())'
        returns \x00\xc4\x00\x00\x00\n\x00\x00\x00\x00 [success]


   * What was the outcome of this action?

        (tpm-tools)
        Tspi_TPM_TakeOwnership failed: 0x00001087 - layer=tddl, code=0087 (135), I/O error

        (trousers)
        TDDL ERROR: tddl.c:201 write to device /dev/tpm0 failed: Timer expired
        LOG_RETERR TCSD TCS tddl.c:213: 0x87

        TCSD TDDL tddl.c:171 Calling write to driver
        From TPM: 00 C4 00 00 00 0A 00 00 00 26
        LOG_RETERR TPM tcsi_admin.c:464: 0x26

        (dmesg)
        [ 1503.316280] tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
        [ 1503.316294] CPU: 7 PID: 2811 Comm: tcsd Not tainted 5.10.0-11-amd64 #1 Debian 5.10.92-1
        [ 1503.316297] Hardware name: LENOVO 24476S8/24476S8, BIOS CBET4000 Heads-v0.2.0-1150-g0670bcd-dirty 01/01/1970
        [ 1503.316300] Call Trace:
        [ 1503.316318]  dump_stack+0x6b/0x83
        [ 1503.316328]  tpm_tis_status.cold+0x19/0x20 [tpm_tis_core]
        [ 1503.316337]  tpm_transmit+0x15f/0x3d0 [tpm]
        [ 1503.316346]  tpm_dev_transmit.constprop.0+0x67/0xc0 [tpm]
        [ 1503.316353]  ? tpm_try_get_ops+0x44/0x90 [tpm]
        [ 1503.316360]  tpm_common_write+0x112/0x1c0 [tpm]
        [ 1503.316366]  vfs_write+0xc0/0x260
        [ 1503.316370]  ksys_write+0x5f/0xe0
        [ 1503.316378]  do_syscall_64+0x33/0x80
        [ 1503.316383]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
        [ 1683.261606] tpm tpm0: Operation Timed out

   * What outcome did you expect instead?
        Successfully take ownership.
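
Added example, not part of the original report or of trousers/tpm-tools: a small decoder for the TPM 1.2 byte strings and TSS result codes quoted above. The function names are hypothetical; the ordinal name TSC_PhysicalPresence is the TPM 1.2 specification's name for ordinal 0x4000000A, and the return-code table covers only the codes that appear in the report.

```python
import struct

TPM_TAG_RQU_COMMAND = 0x00C1  # request without authorization
TPM_TAG_RSP_COMMAND = 0x00C4  # matching response tag

# Ordinals of the commands sent in the report (TPM 1.2 main specification).
ORDINALS = {
    0x4000000A: "TSC_PhysicalPresence",
    0x0000006F: "TPM_PhysicalEnable",
    0x00000072: "TPM_PhysicalSetDeactivated",
    0x00000050: "TPM_SelfTestFull",
    0x00000099: "TPM_Startup",
}
# Only the return codes that occur in the report, with the report's wording.
RETURN_CODES = {0x00: "success", 0x03: "Bad Parameter",
                0x26: "Invalid POST init sequence"}
TSS_LAYERS = {0x0: "tpm", 0x1: "tddl", 0x2: "tcs", 0x3: "tsp"}

def parse_header(buf, expected_tag):
    """Return (code, body); code is the ordinal or the return code."""
    if len(buf) < 10:
        raise ValueError("shorter than the 10-byte header")
    tag, size, code = struct.unpack(">HII", buf[:10])
    if tag != expected_tag:
        raise ValueError(f"unexpected tag 0x{tag:04X}")
    if size != len(buf):
        raise ValueError(f"size field {size} != buffer length {len(buf)}")
    return code, buf[10:]

def describe_command(buf):
    ordinal, params = parse_header(buf, TPM_TAG_RQU_COMMAND)
    return ORDINALS.get(ordinal, f"ordinal 0x{ordinal:08X}"), params.hex()

def describe_response(buf):
    rc, _ = parse_header(buf, TPM_TAG_RSP_COMMAND)
    return RETURN_CODES.get(rc, f"return code 0x{rc:08X}")

def split_tss_result(result):
    """Split a TSS result: layer in bits 12-15, code in bits 0-11."""
    return TSS_LAYERS.get((result >> 12) & 0xF, "unknown"), result & 0xFFF

if __name__ == "__main__":
    # Byte strings and result codes copied from the report above.
    print(describe_command(b"\x00\xC1\x00\x00\x00\x0C\x40\x00\x00\x0A\x00\x20"))
    print(describe_response(b"\x00\xc4\x00\x00\x00\n\x00\x00\x00\x03"))
    print(describe_response(bytes.fromhex("00C40000000A00000026")))
    print(split_tss_result(0x00001087), split_tss_result(0x00000026))
```

The `\n` in the printed responses is the low byte of the size field (0x0A, a 10-byte header-only response), not a line break in the data.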