TrouSerS TSS with Atmel TPM on IBM T42p

I’m trying to get TrouSerS TSS working on my laptop.

Currently, I think I need to use this library, instead of libtpm-2.0 from IBM, to take ownership of the TPM. During this process, I *think* the storage root key (SRK) will be written to /usr/local/var/tpm/system.data. This is good, because so far it is quite beyond my comprehension how one might load the SRK.

I had already taken ownership of the TPM with IBM’s libtpm-2.0. This is a problem, since the TSS specification dictates that there can be only one TSS. Thus, I cleared the owner with the `clearown` utility from libtpm-2.0.

Now we want to clear all keys from the TPM as well, which requires physical presence to be demonstrated to the laptop. The process for doing this:

  • Power down the laptop.
  • Hold down the blue Fn key while powering on the laptop.
  • Once the splash screen comes up with a message about hitting the “blue Access IBM key,” release Fn and press the “Access IBM” key.
  • Press F1 to enter the BIOS setup.
  • There will now be a new option under Security -> IBM Security Chip entitled something like “Clear Encryption Keys.” Clear away. You’re done.

I was then able to take ownership of the TPM with Tspi_TPM_TakeOwnership01.c, which is included in the testsuite of TrouSerS. I received a strange error message on my first attempt. It had to do with the inability to generate a nonce during the call to Tspi_TPM_GetPubEndorsementKey(). I did not save the exact error message. To fix this problem, I cleared the TPM using the IBM BIOS utility once more. I was then able to take ownership successfully.

I wanted to try to recreate the problem, but I was unsuccessful. I suspected the problem was either: (1) failure to do a hard reboot after clearing the TPM’s owner, or (2) failure to have tcsd running. However, I retried both these scenarios and got meaningful error messages: TCPA_DEACTIVATED and TSS_E_COMM_FAILURE, respectively.
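The two failure modes above (TPM left deactivated because the machine was not fully powered off after clearing, and tcsd not running) can be told apart before the first Tspi call by reading the TPM driver’s sysfs attributes and checking for tcsd. The script below is an added example, not code from the original post or from TrouSerS. It assumes a Linux TPM 1.2 driver exposing `enabled`, `active` and `owned` under `/sys/class/misc/tpm0/device` (newer kernels: `/sys/class/tpm/tpm0/device`), tcsd from TrouSerS, and `tpm_takeownership` from the tpm-tools package, which is built on top of TrouSerS rather than on the testsuite program used above. The error mnemonics in the messages are the TSS/TPM return codes you would otherwise see once the call fails.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for taking
# ownership of a TPM 1.2 chip through TrouSerS.
# Assumptions: Linux tpm driver sysfs attributes enabled/active/owned,
# tcsd from TrouSerS, tpm_takeownership from tpm-tools.

# Pure diagnosis: arguments are the sysfs values (0/1) and whether tcsd
# is running (0/1). Prints "CODE: explanation" without touching hardware,
# so it can be exercised with constructed inputs.
tpm_diagnose() {
    enabled=$1; active=$2; owned=$3; tcsd=$4
    if [ "$tcsd" != 1 ]; then
        echo "TSS_E_COMM_FAILURE: tcsd is not running; start tcsd before any Tspi call"
    elif [ "$enabled" != 1 ]; then
        echo "TPM_E_DISABLED: security chip disabled; enable it in BIOS (Security -> IBM Security Chip)"
    elif [ "$active" != 1 ]; then
        echo "TCPA_DEACTIVATED: TPM deactivated; power the laptop off completely after clearing, then boot again"
    elif [ "$owned" = 1 ]; then
        echo "TPM_E_OWNER_SET: TPM already has an owner; clear it (clearown or BIOS 'Clear Encryption Keys') first"
    else
        echo "READY: unowned, enabled and active; tpm_takeownership can proceed"
    fi
}

# Read one sysfs attribute, trying the old and new driver paths.
# $2 is the fail-closed default used when the attribute is missing.
sysfs_attr() {
    for d in /sys/class/misc/tpm0/device /sys/class/tpm/tpm0/device; do
        if [ -r "$d/$1" ]; then cat "$d/$1"; return 0; fi
    done
    echo "$2"
}

tcsd_running() {
    if pgrep -x tcsd >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Diagnose the live machine; only run tpm_takeownership when the TPM is
# actually ready. Missing attributes count as disabled/inactive/owned.
take_ownership_if_ready() {
    verdict=$(tpm_diagnose "$(sysfs_attr enabled 0)" "$(sysfs_attr active 0)" \
                           "$(sysfs_attr owned 1)" "$(tcsd_running)")
    echo "$verdict"
    case $verdict in
        READY:*) tpm_takeownership ;;   # prompts for owner and SRK passwords
        *)       return 1 ;;
    esac
}

# Act only when invoked directly under this file name, not when sourced.
if [ "${0##*/}" = "tpm_precheck.sh" ]; then
    take_ownership_if_ready
fi
```

Save it as `tpm_precheck.sh` and run it as root once after each BIOS clear; a `TCPA_DEACTIVATED` verdict right after clearing is the sign that the laptop was rebooted instead of powered off, and `TPM_E_OWNER_SET` means the previous owner (here, the one set with libtpm-2.0) was never actually cleared.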
