| 2019-06-24 07:58:44 |
Ivan Hu |
description |
Hi,
With all updates installed to Ubuntu disco it is impossible to use TPM2 device on the machine.
Most of the TPM2 commands seem to fail due to Linux kernel having async access problem that is fixed in linux kernel 5.0.10 release.
With previous Ubuntu releases I was able to utilize TPM2 but now this has regressed for disco release.
tpm2-tools package's github ticket describes the problem:
https://github.com/tpm2-software/tpm2-tools/issues/1356
Official kernel's includes the fix:
https://github.com/torvalds/linux/commit/7110629263469b4664d00b38ef80a656eddf3637#diff-694c702fe379e115a3c42d926cedf6de
Could you please include the fix from 5.0.10 in forthcoming Ubuntu kernel update to fix the TPM 2.0 regression?
How to reproduce
----------------
You may want to execute those commands as a root or alternative add yourself to tss group. (ubuntu's tpm2tss setup does not work so easily yet).
Those commands from tpm2-tools issue can be used to test it out:
$ tpm2_nvlist
ERROR: GetCapability:Get NV Index list Error. TPM Error:0xa0008
ERROR: Unable to run tpm2_nvlist
$ tpm2_pcrlist
ERROR: GetCapability: Get PCR allocation status Error. TPM Error:0xa000a......
ERROR: Unable to run tpm2_pcrlist
Both of those commands should work nicely and produce list of NV objects (nvlist) or PCR register contents (pcrlist). Latter one is probably easier to see that it works.
Note: randomly some commands may progress so try them multiple times if it happens to success. More complex commands seems to have better rate to fail. This randomness is due to async nature of the problem that was fixed.
What you are required to have in hardware:
- TPM 2.0 chip so that:
$ ls -1 /dev/tpm*
/dev/tpm0
/dev/tpmrm0
Easiest is to have either laptop with integrated tpm 2.0 which is not in active use or then desktop with tpm 2.0 addon card (or integrated solution) where it is not in active use. Commands listed above can also be safely executed on TPM 2.0 enabled system without causing problems. With other commands I would be more cautious especially with TPM 2.0 enabled system if you are not familiar with TPM2 commands.
What packages you need to install (may require some more):
- tpm2-tools
- libtss2-udev
- libtss2-tcti-tabrmd0
Thanks,
Vesa Jääskeläinen
ProblemType: Bug
DistroRelease: Ubuntu 19.04
Package: linux-image-5.0.0-17-generic 5.0.0-17.18
ProcVersionSignature: Ubuntu 5.0.0-17.18-generic 5.0.8
Uname: Linux 5.0.0-17-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC1: chaac 2503 F.... pulseaudio
/dev/snd/controlC0: chaac 2503 F.... pulseaudio
CurrentDesktop: ubuntu:GNOME
Date: Tue Jun 18 22:52:14 2019
HibernationDevice: RESUME=UUID=1c9f002c-f771-48de-8e73-c73ee21a6410
InstallationDate: Installed on 2018-09-02 (289 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
MachineType: System manufacturer System Product Name
ProcFB: 0 EFI VGA
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.0.0-17-generic root=UUID=383abbcb-8fac-4f16-a3bd-2747d4f334cf ro quiet splash vt.handoff=1
RelatedPackageVersions:
linux-restricted-modules-5.0.0-17-generic N/A
linux-backports-modules-5.0.0-17-generic N/A
linux-firmware 1.178.1
RfKill:
SourcePackage: linux
UpgradeStatus: Upgraded to disco on 2019-04-19 (60 days ago)
dmi.bios.date: 12/12/2017
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 0606
dmi.board.asset.tag: Default string
dmi.board.name: ROG STRIX Z370-F GAMING
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: Rev X.0x
dmi.chassis.asset.tag: Default string
dmi.chassis.type: 3
dmi.chassis.vendor: Default string
dmi.chassis.version: Default string
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr0606:bd12/12/2017:svnSystemmanufacturer:pnSystemProductName:pvrSystemVersion:rvnASUSTeKCOMPUTERINC.:rnROGSTRIXZ370-FGAMING:rvrRevX.0x:cvnDefaultstring:ct3:cvrDefaultstring:
dmi.product.family: To be filled by O.E.M.
dmi.product.name: System Product Name
dmi.product.sku: SKU
dmi.product.version: System Version
dmi.sys.vendor: System manufacturer |
Hi,
With all updates installed to Ubuntu disco it is impossible to use TPM2 device on the machine.
Most of the TPM2 commands seem to fail due to Linux kernel having async access problem that is fixed in linux kernel 5.0.10 release.
With previous Ubuntu releases I was able to utilize TPM2 but now this has regressed for disco release.
tpm2-tools package's github ticket describes the problem:
https://github.com/tpm2-software/tpm2-tools/issues/1356
Official kernel's includes the fix:
https://github.com/torvalds/linux/commit/7110629263469b4664d00b38ef80a656eddf3637#diff-694c702fe379e115a3c42d926cedf6de
Could you please include the fix from 5.0.10 in forthcoming Ubuntu kernel update to fix the TPM 2.0 regression?
How to reproduce
----------------
You may want to execute those commands as a root or alternative add yourself to tss group. (ubuntu's tpm2tss setup does not work so easily yet).
Those commands from tpm2-tools issue can be used to test it out:
$ tpm2_nvlist
ERROR: GetCapability:Get NV Index list Error. TPM Error:0xa0008
ERROR: Unable to run tpm2_nvlist
$ tpm2_pcrlist
ERROR: GetCapability: Get PCR allocation status Error. TPM Error:0xa000a......
ERROR: Unable to run tpm2_pcrlist
Both of those commands should work nicely and produce list of NV objects (nvlist) or PCR register contents (pcrlist). Latter one is probably easier to see that it works.
Note: randomly some commands may progress so try them multiple times if it happens to success. More complex commands seems to have better rate to fail. This randomness is due to async nature of the problem that was fixed.
What you are required to have in hardware:
- TPM 2.0 chip so that:
$ ls -1 /dev/tpm*
/dev/tpm0
/dev/tpmrm0
Easiest is to have either laptop with integrated tpm 2.0 which is not in active use or then desktop with tpm 2.0 addon card (or integrated solution) where it is not in active use. Commands listed above can also be safely executed on TPM 2.0 enabled system without causing problems. With other commands I would be more cautious especially with TPM 2.0 enabled system if you are not familiar with TPM2 commands.
What packages you need to install (may require some more):
- tpm2-tools
- libtss2-udev
- libtss2-tcti-tabrmd0
Thanks,
Vesa Jääskeläinen
ProblemType: Bug
DistroRelease: Ubuntu 19.04
Package: linux-image-5.0.0-17-generic 5.0.0-17.18
ProcVersionSignature: Ubuntu 5.0.0-17.18-generic 5.0.8
Uname: Linux 5.0.0-17-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC1: chaac 2503 F.... pulseaudio
/dev/snd/controlC0: chaac 2503 F.... pulseaudio
CurrentDesktop: ubuntu:GNOME
Date: Tue Jun 18 22:52:14 2019
HibernationDevice: RESUME=UUID=1c9f002c-f771-48de-8e73-c73ee21a6410
InstallationDate: Installed on 2018-09-02 (289 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
MachineType: System manufacturer System Product Name
ProcFB: 0 EFI VGA
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.0.0-17-generic root=UUID=383abbcb-8fac-4f16-a3bd-2747d4f334cf ro quiet splash vt.handoff=1
RelatedPackageVersions:
linux-restricted-modules-5.0.0-17-generic N/A
linux-backports-modules-5.0.0-17-generic N/A
linux-firmware 1.178.1
RfKill:
SourcePackage: linux
UpgradeStatus: Upgraded to disco on 2019-04-19 (60 days ago)
dmi.bios.date: 12/12/2017
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 0606
dmi.board.asset.tag: Default string
dmi.board.name: ROG STRIX Z370-F GAMING
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: Rev X.0x
dmi.chassis.asset.tag: Default string
dmi.chassis.type: 3
dmi.chassis.vendor: Default string
dmi.chassis.version: Default string
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr0606:bd12/12/2017:svnSystemmanufacturer:pnSystemProductName:pvrSystemVersion:rvnASUSTeKCOMPUTERINC.:rnROGSTRIXZ370-FGAMING:rvrRevX.0x:cvnDefaultstring:ct3:cvrDefaultstring:
dmi.product.family: To be filled by O.E.M.
dmi.product.name: System Product Name
dmi.product.sku: SKU
dmi.product.version: System Version
dmi.sys.vendor: System manufacturer
[Impact]
Most of the TPM2 commands fail to execute due to tpm2 kernel driver having async access problem.
[Fix]
Fix an invalid poll condition.
[Test Case]
After applied the fix patch on 19.04, the TPM2 commands tpm2_nvlist and tpm2_pcrlist worked.
[Regression Potential]
Low, only a fix for the commit 9488585b21bef0df12 ("tpm: add support for partial reads") |
|
