# Install TPM 2.0?

## tmcca

Trying to figure out how to install TPM 2.0 and use Intel TXT. Or is Intel TXT not needed?

I have a Xeon E3-1230 V3 and don't see it on list of ACM Modules listed here:

https://www.intel.com/content/www/us/en/developer/articles/tool/intel-trusted-execution-technology.html

I installed tboot and tpm2-tools and am not sure what to do next. TPM is new to me, and so is what I can do with it.

My understanding is that it's for secure boot and adding SSH keys to make it more secure; is this correct?

----------

## salahx

You do not need TXT to use TPM 2.0 (although you do need a TPM to use TXT).

I recommend you install tpm2-tools and tpm2-abrmd (both ~arch). Then, when they are installed, run tss2_provision -l <lockout password>. That's the bare minimum to do.

If your processor supports TXT (look in /proc/cpuinfo for "smx"), you can get an idea of what to do from a wiki article I rewrote: https://wiki.gentoo.org/wiki/Trusted_Boot . I only cover TPM 1.2 because I do not have a TPM 2.0, but if you've got the hardware I can walk you through what to do (and if successful, update the article). Also, make sure you have the newest version of tboot; I have an open PR https://github.com/gentoo/gentoo/pull/24464

----------

## salahx

For tboot, it should go like this (assuming the default settings). Note lcp2_mlehash is broken in 1.10.4; you need 1.10.5!

```
lcp2_mlehash --create --alg sha256 --cmdline "logging=serial,memory,vga" /boot/tboot.gz > mle_hash
lcp2_crtpolelt --create --type mle2 --minver 17 --alg sha256 --out mle.elt mle_hash

# optional PCONF2 element
lcp2_crtpolelt --create --type pconf2 --alg sha256 --pcr0 $(< /sys/class/tpm/tpm0/pcr-sha256/0) --out pcr.elt

# create Verified Launch policy (assuming current kernel is the desired one)
tb_polgen --create --alg sha1 --type continue vl.pol
tb_polgen --add --num 0 --pcr 19 --hash image --cmdline "$(</proc/cmdline) intel_iommu=on noefi" --image "/boot/vmlinuz-$(uname -r)" vl.pol
tb_polgen --add --num 1 --pcr 20 --hash image --image "/boot/initramfs-$(uname -r).img" vl.pol
lcp2_crtpolelt --create --type custom --out vl.elt --uuid tboot vl.pol

# If your PC is recent, listver is probably 0x300
lcp2_crtpollist --create --listver 0x300 --out list_unsig.lst mle.elt pcr.elt vl.elt

# You only need to do the next block once. Note TPM 2.0 supports EC keys as well (not shown)
openssl genpkey -out tboot.priv -algorithm rsa
openssl rsa -in tboot.priv -pubout -out tboot.pub

# Sign the list
cp list_unsig.lst list_sig.lst
lcp2_crtpollist --sign --sigalg rsapss --hashalg sha256 --pub tboot.pub --priv tboot.priv --out list_sig.lst

# generate the file we need. Your POLVER may vary.
lcp2_crtpol --create --alg sha256 --polver 3.2 --type list --pol list.pol --data list.data list_sig.lst

# You only need to define and write the policy once
tpm2_nvdefine -s $(( 38 + 32 )) -a 'ownerwrite|policywrite|authread|no_da' 0x1c10106
tpm2_nvwrite -i list.pol 0x1c10106

sudo cp list.data /boot
```

Be sure to edit /etc/default/grub-tboot and set GRUB_TBOOT_POLICY_DATA='list.data'

Run grub-mkconfig -o /boot/grub/grub.cfg

Then reboot. Select tboot 1.10.5 and the kernel you created the config for. If it works, it'll boot. If not, it will reboot.

Last edited by salahx on Sat Mar 19, 2022 1:36 am; edited 3 times in total

----------

## salahx

By the way, the proper ACM for your machine is 4th_gen_i5_i7_SINIT_75.BIN. You may or may not need it; in some machines it's built into the BIOS. Don't worry though: if your BIOS has a newer version, the supplied version will be ignored. If it's wrong, nothing bad will happen.

----------

## tmcca

I get "pconf.elt: no such file or directory" after this command:

```
lcp2_crtpollist --create --listver 0x300 --out list_unsig.lst mle.elt pconf.elt vl.elt
```

----------

## salahx

My bad. The command should have been:

```
lcp2_crtpollist --create --listver 0x300 --out list_unsig.lst mle.elt pcr.elt vl.elt
```

----------

## tmcca

In this code:

```
lcp2_crtpollist --sign --sigalg rsa --hashalg sha256 --pub tboot.pub --priv tboot.priv --out list_sig.lst

```

I'm getting this error:

```
TPM_ALG_RSASSA is not supported use TPM_ALG_RSAPSS
```

I am guessing I should use rsapss instead of rsa.

----------

## salahx

Correct, I meant 

```
lcp2_crtpollist --sign --sigalg rsapss --hashalg sha256 --pub tboot.pub --priv tboot.priv --out list_sig.lst
```

----------

## tmcca

Now I tried polver 3.2 and got an error, and didn't get an error after I entered polver 2.4.

I got this error until I entered 2.4, and then it went away:

```
Error: LCPv3 signing alg mask not supported or not specified

```

After entering this command:

```
 tpm2_nvdefine -s $(( 38 + 32 )) -a 'ownerwrite|policywrite|authread|no_da' 0x1c10106
```

```
** (process:11049): CRITICAL **: 21:37:03.654: failed to allocate dbus proxy object: Could not connect: No such file or directory
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:344:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x0000014c)
ERROR: Failed to define NV area at index 0x1C10106
ERROR: Esys_NV_DefineSpace(0x14C) - tpm:error(2.0): NV Index or persistent object already defined
ERROR: Failed to create NV index 0x1c10106.
ERROR: Unable to run tpm2_nvdefine
```

Last edited by tmcca on Sat Mar 19, 2022 1:46 am; edited 1 time in total

----------

## salahx

That means it's already defined. In that case, skip tpm2_nvdefine and go to the next step.

If you do tpm2_nvreadpublic 0x1c10106 you should see this:

```
0x1c10106:
  name: 000bb7190ae6305b3c4792227d67e2beb4d6c9c426daea318223650f0f0197fa3a92
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ownerwrite|policywrite|authread|no_da
    value: 0xA000402
  size: 70
```

Depending on the existing contents, the "name" value might be different, but the rest should be the same.

----------

## tmcca

Yes, I got that.

----------

## salahx

Good, it's already defined for you. Skip the define step and write list.pol to 0x1c10106.

By the way, you should enable and start tpm2-abrmd if you have it installed. It's not required for this, but you'll eventually run into problems without it.

----------

## tmcca

OK, I am going to enable that on startup; I am rebooting now.

----------

## tmcca

It rebooted, then did something, and now it's rebooting again. I did add that ACM module; should I delete that and retry?

----------

## tmcca

Can I add screenshots here?

----------

## salahx

Leave the entry. It won't hurt. If we did something wrong, TXT will reboot your computer when you try. It will, however, leave an error message for us (we can retrieve it after the restart with txt-parse_err; it must be run as root).

----------

## tmcca

I deleted the ACM module and I am able to boot into tboot. If I leave that 4th_gen ACM file, the computer keeps rebooting and I'm unable to log in.

After I did txt-parse_err:

```
ERRORCODE: 0xc0037c41
AC module error : acm_type=0x1, progress=0x04, error=0x1f
```

----------

## salahx

Don't delete the ACM module. Even if your computer reboots, that's a GOOD sign. It means it tried (but failed). In that case, when your machine restarts, go to GRUB and start your kernel normally. Don't worry, TXT error codes are preserved across warm reboots.

Now the fun begins. Remember the ZIP file you downloaded with the SINIT module? There's a PDF file called SINIT_Error.pdf which tells you how to decode the error and what the codes mean. 

In this case it corresponds to Class Code 4, Major Code 1F, and Minor Code 3 (Driver error: Response timeout (ERR_WAIT_STATUS_VALID)). Shouldn't happen (or maybe I decoded it wrong)? Make sure the ACM module is loading, do a hard power cycle and try again. If you get the same error, clear the TPM (note this will clear the NV indexes, so you may need to redefine the NV index we need and rewrite the policy to it). Reprovision the TPM with tss2_provision -l <lockout password>.

----------

## tmcca

OK, I will try that.

----------

## tmcca

I am getting errors when I try to use tpm2_clear.

I am guessing you want me to try the command tss2_provision -L <lockout pass>?

----------

## salahx

Clear your TPM from the BIOS. You don't need the lockout password there.

By the way, the following scriptlet may help you decode the errors:

```
TXT_ERRORCODE="0xc0037c41"; printf "Class: 0x%X Major: 0x%X Minor: 0x%X\n" "$(( ( $TXT_ERRORCODE & 0x000003f0 ) >> 4 ))" "$(( ( $TXT_ERRORCODE & 0x00007c00 ) >> 10 ))" "$(( ( $TXT_ERRORCODE & 0x00ff0000 ) >> 16 ))"
```

Simply replace TXT_ERRORCODE with the error code you get.
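The same decode as an added Python example (my code, not the thread's scriptlet or anything from tboot). It reports the class/major/minor fields the scriptlet prints plus the remaining bits of the register as I read the layout in Intel's TXT Software Development Guide: bit 31 valid, bit 30 external (set for ACM or software errors, clear for processor errors), bits 27:16 minor code, bit 15 software source (set when tboot/the MLE reported the error rather than the ACM), bits 14:10 major code, bits 9:4 class code, bits 3:0 ACM type. Two things differ from the scriptlet and are assumptions on my part: the minor field is masked to its full 12 bits rather than 8 (identical for the 0xc0037c41 seen here), and a register with the valid bit clear (the 0x00000000 txt-stat shows after a good launch) is reported as "no error recorded" instead of being decoded into meaningless zeros.

```python
# Added example: decode an Intel TXT ERRORCODE register value as printed by
# txt-parse_err or txt-stat. Bit layout as read from the TXT SDG (assumption):
#   bit 31     valid
#   bit 30     external: 1 = ACM/software-reported, 0 = processor
#   bits 27:16 minor error code (12 bits; the thread's scriptlet masks 8)
#   bit 15     software source: 1 = MLE (tboot), 0 = ACM
#   bits 14:10 major error code
#   bits 9:4   class code
#   bits 3:0   ACM type
TXT_ERR_VALID = 1 << 31
TXT_ERR_EXTERNAL = 1 << 30
TXT_ERR_SW_SOURCE = 1 << 15


def decode_txt_errorcode(code):
    """Return a dict of ERRORCODE fields; code may be an int or a hex string."""
    if isinstance(code, str):
        code = int(code, 0)
    code &= 0xFFFFFFFF
    if not code & TXT_ERR_VALID:
        # ERRORCODE 0x00000000 after a successful launch: nothing recorded,
        # so the other fields carry no information and are not decoded.
        return {"valid": False, "raw": code}
    return {
        "valid": True,
        "raw": code,
        "external": bool(code & TXT_ERR_EXTERNAL),
        "sw_source": bool(code & TXT_ERR_SW_SOURCE),
        "acm_type": code & 0xF,
        "class": (code >> 4) & 0x3F,
        "major": (code >> 10) & 0x1F,
        "minor": (code >> 16) & 0xFFF,
    }


def format_txt_errorcode(code):
    """One-line summary in the same Class/Major/Minor form the scriptlet prints."""
    f = decode_txt_errorcode(code)
    if not f["valid"]:
        return "ERRORCODE 0x%08X: no valid error recorded" % f["raw"]
    if f["sw_source"]:
        source = "software (MLE)"
    elif f["external"]:
        source = "ACM"
    else:
        source = "processor"
    return ("ERRORCODE 0x%08X: Class: 0x%X Major: 0x%X Minor: 0x%X acm_type=0x%X source=%s"
            % (f["raw"], f["class"], f["major"], f["minor"], f["acm_type"], source))


if __name__ == "__main__":
    # The error code from this thread, plus the clean state txt-stat showed later.
    for raw in ("0xc0037c41", "0x00000000"):
        print(format_txt_errorcode(raw))
```

Look up the class/major/minor triple in the SINIT_Error.pdf that ships with the ACM zip, as described above; the script only splits the register, it does not carry the error tables.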

----------

## tmcca

OK, now after I did TPM Clear in the BIOS,

```
 tpm2_nvreadpublic 0x1c10106
```

gave me this error:

```
** (process:1759): CRITICAL **: 05:32:13.800: failed to allocate dbus proxy object: Could not connect: No such file or directory
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0
0x1c10106:
  name: 000bb7190ae6305b3c4792227d67e2beb4d6c9c426daea318223650f0f0197fa3a92
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ownerwrite|policywrite|authread|no_da
    value: 0xA000402
  size: 70
```

----------

## Hu

*tmcca wrote:*

> Can I add screenshots here?

No, but you can link to an image-sharing site, or you can share the text that was shown. Text is preferred whenever possible.

----------

## salahx

That usually means tpm2-abrmd isn't running. It's harmless though; it'll fall back to using the kernel resource manager or directly accessing the TPM (though you may need to be root to use it then).

----------

## tmcca

After looking further at it, tpm2-abrmd status says crashed. What would cause that?

The commands should be run as root or user?

----------

## salahx

If you are using tpm2-abrmd, the commands should be run as the user. If tpm2-abrmd is crashing, make sure dbus is started and the permissions on /dev/tpm0 are correct; if not, "udevadm trigger" should fix it. Otherwise, check the logs.

----------

## tmcca

Do these look like the correct permissions?

I am thinking they are supposed to be tss:tss for both, right?

I ran the commands you gave me as the root user; I am guessing that could be the issue.

```
ls -lh /dev/tpm*
crw-rw---- 1 tss root  10,   224 Mar 19 19:42 /dev/tpm0
crw-rw---- 1 tss tss  254, 65536 Mar 19 19:42 /dev/tpmrm0
```

Last edited by tmcca on Sat Mar 19, 2022 11:47 pm; edited 1 time in total

----------

## salahx

Yup, your permissions are the same as mine. No need to change anything. Make sure dbus is running; if it is, check your logs (systemctl if you are using systemd, otherwise check /var/log/messages).

----------

## tmcca

dbus wasn't enabled.

OK, I rebooted and no errors were found when I ran txt-parse_err.

I am going to enable Intel TXT now.

This protects boot from attack, I am guessing, correct? I am still learning TPM functions and how this makes it more secure.

Interesting, so I enabled Intel TXT and it reboots right after "Disabling VGA logging".

----------

## salahx

What it does is more complicated. TXT does not prevent someone from booting around your configuration. However, if they do so, the Platform Configuration Registers in the TPM will not have the same value. Using TPM2 "policies", you can "seal" to a particular PCR value. You can also do remote attestation to a particular PCR (or multiple PCRs). Because the PCRs won't match in a boot-around scenario, the keys will be inaccessible to an attacker (and remote attestation will fail).

Note this is possible even without TXT. However, with TXT, you don't have to trust the upper layers, just TXT itself and the kernel and initramfs. So in the configuration I gave you, the kernel will extend PCR19 and the initramfs will extend PCR20 (for the same kernel and same initramfs, it will be the same on every machine, even if the machines are heterogeneous). PCR17 will vary. PCR18, under the "Details & Authorities" model using a signed policy, should produce the same result on each machine, even if its policy is updated to a different kernel, as long as it's signed by the same key.
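An added simulation (my code, not from the thread, tboot or tpm2-tools) of the sealing argument above: after SENTER resets the DRTM PCRs, the kernel measurement lands in PCR 19 and the initramfs in PCR 20, and a secret sealed under a TPM2 PolicyPCR over those PCRs is released only when they hold the same values. The PCR extend rule (new = H(old || measurement)) and the PolicyPCR digest rule (H(policyDigest || TPM_CC_PolicyPCR || marshalled TPML_PCR_SELECTION || H(selected PCR values))) are the ones in the TPM 2.0 library specification, Part 3; everything else is constructed: the "kernel" and "initramfs" are sample byte strings, PCRs 17 and 18 are left at the post-SENTER reset value because their real contents depend on the ACM and LCP, and the all-0xFF value for a boot without a launch is the one salahx checks with tpm2_pcrread later in this thread.

```python
# Added example: simulate DRTM PCR extension and a TPM2 PolicyPCR seal/unseal
# decision, to show why the same kernel+initramfs unseals on any machine while
# a different kernel or a boot-around (no TXT launch) does not.
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B
TPM_CC_POLICYPCR = 0x0000017F
DRTM_PCRS = tuple(range(17, 23))
PCR_NOT_LAUNCHED = b"\xff" * 32   # tpm2_pcrread sha256:17 without a measured launch


def pcr_extend(pcr, measurement):
    """TPM2_PCR_Extend on a SHA-256 bank: new = H(old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_launch(kernel_image, initramfs_image):
    """Simulate the VL policy from this thread on a freshly SENTERed TPM:
    PCRs 17-22 reset to zero, then kernel -> PCR 19, initramfs -> PCR 20.
    PCRs 17/18 are left at the reset value here (placeholder, not real values)."""
    pcrs = {i: bytes(32) for i in DRTM_PCRS}
    pcrs[19] = pcr_extend(pcrs[19], hashlib.sha256(kernel_image).digest())
    pcrs[20] = pcr_extend(pcrs[20], hashlib.sha256(initramfs_image).digest())
    return pcrs


def boot_around():
    """Boot without a measured launch: the DRTM PCRs keep their reset value."""
    return {i: PCR_NOT_LAUNCHED for i in DRTM_PCRS}


def pcr_selection(indices):
    """Marshal a TPML_PCR_SELECTION with one SHA-256 selection:
    count(u32) || hashAlg(u16) || sizeofSelect(u8) || pcrSelect[3] bitmap."""
    bitmap = bytearray(3)                      # 24 PCRs -> 3 bytes
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcrs, indices):
    """TPM2_PolicyPCR on a fresh policy session (policyDigest starts as 32 zero bytes):
    H(0^32 || TPM_CC_PolicyPCR || pcrs || H(selected PCR values in index order))."""
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(indices))).digest()
    return hashlib.sha256(bytes(32) + struct.pack(">I", TPM_CC_POLICYPCR)
                          + pcr_selection(indices) + pcr_digest).digest()


def can_unseal(auth_policy, pcrs, indices):
    """The TPM releases a sealed secret only if the session's policy digest,
    computed from the PCRs as they are now, equals the object's authPolicy."""
    return policy_pcr_digest(pcrs, indices) == auth_policy


if __name__ == "__main__":
    # Constructed sample images; real ones would be the files tb_polgen hashed.
    kernel, initrd = b"vmlinuz-5.15 (constructed)", b"initramfs-5.15 (constructed)"
    sealed_to = (19, 20)
    auth_policy = policy_pcr_digest(measured_launch(kernel, initrd), sealed_to)
    print("same kernel+initramfs, other machine:",
          can_unseal(auth_policy, measured_launch(kernel, initrd), sealed_to))
    print("different kernel:",
          can_unseal(auth_policy, measured_launch(b"vmlinuz-other", initrd), sealed_to))
    print("boot-around (no TXT launch):",
          can_unseal(auth_policy, boot_around(), sealed_to))
```

Sealing to PCR 19 and 20 only is what makes the policy portable across heterogeneous machines; adding PCR 17 to the selection would tie it to the ACM and platform as well, which is the trade-off salahx describes.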

----------

## salahx

Reboot is how TXT deals with errors. If it reboots, something went wrong. Boot a kernel normally (without tboot), use txt-parse_err to get the error code, and use the scriptlet I gave you earlier to decode it. TXT error codes are preserved across warm restarts.

----------

## tmcca

When I ran that error code snippet I got this:

```
Class: 0x4 Major: 0x1F Minor: 0x3
```

Driver error: Response timeout (ERR_WAIT_STATUS_VALID)

What the heck does that mean?

----------

## salahx

OK, same error as before. The hard power cycle and TPM clear must not have helped. Maybe we need a newer ACM. There are newer ACMs on Intel's site but they are difficult to find. The URL is https://cdrdv2.intel.com/v1/dl/getContent/630744?wapkw=TXT%20ACM . If the direct link doesn't work, search Intel's site for Content ID 630744. You should get a file called 630744_001.zip; in that archive there are a few SINIT modules. The one you want is BDW_SINIT_20190708_1.3.2_PW.bin. Delete the old ACM, copy the new one to /boot, run grub-mkconfig and try again.

Oh and when you provide me the error give me the raw error code as well.

----------

## tmcca

It worked! Thanks so much.

Now I can add SSH keys to the TPM without messing this up, correct?

Can you also add your website certificate to the TPM as well?

I appreciate the help. You're a lifesaver.

The only thing I get now is "unable to find TBOOT log", no big deal.

----------

## salahx

If you get the message "unable to find tboot log" then it didn't work. You didn't get an error but tboot didn't load either and was just bypassed. 

ssh does not support TPM2-encoded keys directly, so you can't use it by itself with a TPM2 key. But ssh DOES support PKCS#11, and there's a tpm2-pkcs11 package that allows you to use the TPM2 as a PKCS#11 device.

To see which packages directly support the TPM. run this:

```
equery depends -a app-crypt/tpm2-tss
```

----------

## tmcca

I don't have any errors:

sudo txt-stat reveals:

```
Intel(r) TXT Configuration Registers:
        STS: 0x00018091
            senter_done: TRUE
            sexit_done: FALSE
            mem_config_lock: FALSE
            private_open: TRUE
            locality_1_open: TRUE
            locality_2_open: TRUE
        ESTS: 0x00
            txt_reset: FALSE
        E2STS: 0x000000000000000e
            secrets: TRUE
        ERRORCODE: 0x00000000
        DIDVID: 0x00000001b0028086
            vendor_id: 0x8086
            device_id: 0xb002
            revision_id: 0x1
        FSBIF: 0xffffffffffffffff
        QPIIF: 0x000000009d003000
        SINIT.BASE: 0xdf6f0000
        SINIT.SIZE: 196608B (0x30000)
        HEAP.BASE: 0xdf720000
        HEAP.SIZE: 917504B (0xe0000)
        DPR: 0x00000000df800041
            lock: TRUE
            top: 0xdf800000
            size: 4MB (4194304B)
        PUBLIC.KEY:
            2d 67 dd d7 5e f9 33 92 66 a5 6f 27 18 95 55 ae
            77 a2 b0 de 77 42 22 e5 de 24 8d be b8 e3 3d d7
***********************************************************
         TXT measured launch: TRUE
         secrets flag set: TRUE
***********************************************************
unable to find TBOOT log
```

What can it be now?

----------

## salahx

Weird that there's no log, but it looks like it might have worked.

Try this command:

```
tpm2_pcrread sha256:17
```

If you see something other than "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", it worked. If it shows that value, it didn't work.

----------

## tmcca

Yes, I have something other than that. Weird that it says "unable to find TBOOT log". I asked Supermicro support; maybe they can tell me. I appreciate the help.

----------

## tmcca

In my syslog I see the following:

```
tboot: non-0 tboot_addr but it is not of type E820_RESERVED
```

I read up on this, and UEFI may be the issue with tboot; is that the case?

How does one go from UEFI to legacy?

----------

## tmcca

That looks like what it is. I went from UEFI to legacy and now I'm getting the log.

Now to fix some errors, or maybe I have to start over. Not a big deal as I just started.

I am guessing UEFI is the issue, at least with my board.

----------

## salahx

The log spits out a lot of information; if it's present I wouldn't worry too much about the contents, as long as PCR17 is populated. Note that changing the boot mode to/from UEFI may change PCR0, so you'll need to take a new measurement for the pconf2 element.

----------

## tmcca

Supermicro told me the SINIT should be included in the BIOS.

Now they told me to update my BIOS, so that's what I will do now.

I do see this note:

> Updated the SINIT ACM to 20190708 for Denlow Server IPU 2019.2 for INTEL-SA-00240 to address CVE-2019-0151 (7.5, High) security issue.

Supermicro told me that in order to get EFI to work under tboot, the command line should be logging=vga,serial,memory, in that order.

----------

## salahx

There's no harm in explicitly specifying the ACM. If there's both one in the BIOS and one on the command line, the newer one will be used.

----------

