Thanks for the patch, it was merged.

-Ning

-----Original Message-----
From: Seunghun Han [mailto:kkama...@gmail.com] 
Sent: Tuesday, March 13, 2018 12:10 PM
To: tboot-devel@lists.sourceforge.net
Subject: [tboot-devel] [PATCH] Fix unseal failure when the system wakes up 
after sleep mode

# HG changeset patch
# User Seunghun Han <kkama...@gmail.com>
# Date 1520967280 -32400
#      Wed Mar 14 03:54:40 2018 +0900
# Node ID 7479fd963976b796ca486b0a9690aa70917f67a5
# Parent  59086d17f60d5649906a7eb8ed939cefb60f9dee
[tboot-devel]Fix unseal failure when the system wakes up after sleep mode.

I'm a senior security researcher at the National Security Research Institute of 
South Korea.

The current implementation of tboot does not choose the correct locality of TPM 
1.2; therefore, unseal fails and PCRs are not recovered when the system 
wakes up after sleep mode.

The txt-stat messages are as follows.
>TBOOT: PCRs before unseal:
>TBOOT:   PCR 17: b5 e8 37 3e 1c 21 88 25 70 4e cf fd 29 ce 4f 5e 55 ce a0 22
>TBOOT:   PCR 18: 1b 49 9b e1 38 2f a2 d3 9d ba 14 d8 32 aa 8f 4a 20 b6 a2 be
>TBOOT: verifying pre_k_s3_state
>TBOOT: TPM: unseal data, return value = 0000003D
>TBOOT: failed to unseal blob
>TBOOT: TPM: Pcr 18 extend, return value = 0000003D
>TBOOT: creation or verification of S3 measurements failed.

To fix this bug, I added locality selection code to the tpm12_init() function in 
the tpm_12.c file.
The tpm20_init() function in the tpm_20.c file already has locality selection 
code; therefore, I just added it to the tpm12_init() function.

diff -r 59086d17f60d -r 7479fd963976 tboot/common/tpm_12.c
--- a/tboot/common/tpm_12.c     Sun Feb 18 08:08:30 2018 -0800
+++ b/tboot/common/tpm_12.c     Wed Mar 14 03:54:40 2018 +0900
@@ -1671,6 +1671,12 @@
     if ( ti == NULL )
         return false;
 
+    if (!txt_is_launched())
+        ti->cur_loc = 0;
+    else
+        ti->cur_loc = 2;
+ 
+
     locality = ti->cur_loc;
     if ( !tpm_validate_locality(locality) ) {
         printk(TBOOT_WARN"TPM is not available.\n"); diff -r 59086d17f60d -r 
7479fd963976 tboot/common/tpm_20.c
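Review bot: The locality values assigned to ti->cur_loc in the tpm_12.c hunk are bare literals (0 and 2) with no comment, and the block is now a second copy of the same four lines in tpm20_init(). A one-line comment stating why locality 2 is selected once txt_is_launched() returns true, or a small helper shared by tpm12_init() and tpm20_init(), would keep the two init paths from diverging again. The assignment also unconditionally overwrites whatever ti->cur_loc held before "locality = ti->cur_loc;", so it is worth confirming that no caller relies on a value set earlier. Style: the block ends with a whitespace-only added line followed by a second empty added line, where one empty line is enough, and "if (!txt_is_launched())" drops the inner padding used by the neighbouring "if ( ti == NULL )".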
--- a/tboot/common/tpm_20.c     Sun Feb 18 08:08:30 2018 -0800
+++ b/tboot/common/tpm_20.c     Wed Mar 14 03:54:40 2018 +0900
@@ -2482,13 +2482,13 @@
     unsigned int i;
     tpm_info_list_t *info_list = get_tpm_info_list(g_sinit);
  
-   if ( ti == NULL )
+    if ( ti == NULL )
         return false;
    
-   if (!txt_is_launched())
-                ti->cur_loc = 0;
-     else
-                ti->cur_loc = 2;
+    if (!txt_is_launched())
+        ti->cur_loc = 0;
+    else
+        ti->cur_loc = 2;
    
 
     /* init version */
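Review bot: Whitespace-only re-indentation in tpm_20.c is mixed into a functional fix here; the changed lines around "if ( ti == NULL )" and the txt_is_launched() block alter no behaviour, and the commit message does not mention them. Moving this cleanup into its own changeset would let the S3 unseal fix in tpm_12.c be reviewed and backported on its own. If the cleanup stays in this patch, the whitespace-only context lines directly above and below the re-indented block could be tidied in the same pass.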

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech 
sites, Slashdot.org! http://sdm.link/slashdot 
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
