PCR Sanity check Failed / AEM #3457

Closed
ThierryIT opened this Issue Jan 14, 2018 · 1 comment

Qubes OS version:

R3.2

Laptop information:

Lenovo W520 / 4284CY1 / Sandy Bridge i7-2620M / Chipset QM67

SINIT module: 2nd-gen-i5-i7-SINIT-51

Affected TemplateVMs:

Dom0

Steps to reproduce the behavior:

sudo qubes-dom0-update anti-evil-maid
sudo systemctl enable tcsd
sudo systemctl restart tcsd
sudo tpm_takeownership -y
sudo anti-evil-maid-install /dev/sda1 (/boot)

tcsd -e -f : TCSD TDDL Error: Could not find a device to open

Expected behavior:

no such error

Actual behavior:

Error

General notes:

Doesn't work for me

[code]
janv. 13 21:41:14 dom0 systemd[1]: Started Anti Evil Maid unsealing.
janv. 13 19:41:43 dom0 systemd[1]: Started Anti Evil Maid sealing.
-- Reboot --
janv. 13 21:59:41 dom0 systemd[1]: Starting Anti Evil Maid unsealing...
janv. 13 21:59:41 dom0 anti-evil-maid-unseal[527]: anti-evil-maid-unseal: Mounting the aem device...
janv. 13 21:59:41 dom0 anti-evil-maid-unseal[527]: anti-evil-maid-unseal: Initializing TPM...
janv. 13 21:59:41 dom0 anti-evil-maid-unseal[527]: tcsd_changer_identify: identifying TPM
janv. 13 21:59:41 dom0 TCSD[586]: TrouSerS Config file /etc/tcsd.conf not found, using defaults.
janv. 13 21:59:41 dom0 tcsd[586]: TCSD TDDL[586]: TrouSerS ioctl: (25) Inappropriate ioctl for device
janv. 13 21:59:41 dom0 tcsd[586]: TCSD TDDL[586]: TrouSerS Falling back to Read/Write device support.
janv. 13 21:59:41 dom0 TCSD[587]: TrouSerS trousers 0.3.13: TCSD up and running.
janv. 13 21:59:42 dom0 anti-evil-maid-unseal[527]: tpm_id: ignore the first "Tspi_TPM_GetPubEndorsementKey failed"
janv. 13 21:59:42 dom0 anti-evil-maid-unseal[527]: Tspi_TPM_GetPubEndorsementKey failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled
janv. 13 21:59:42 dom0 anti-evil-maid-unseal[527]: tcsd_changer_identify: TPM identity: 613805355a27c77a94b688b5fd36331d7314be67a5e5410da4da844a1c3f459d
janv. 13 21:59:44 dom0 TCSD[635]: TrouSerS Config file /etc/tcsd.conf not found, using defaults.
janv. 13 21:59:44 dom0 tcsd[635]: TCSD TDDL[635]: TrouSerS ioctl: (25) Inappropriate ioctl for device
janv. 13 21:59:44 dom0 tcsd[635]: TCSD TDDL[635]: TrouSerS Falling back to Read/Write device support.
janv. 13 21:59:44 dom0 TCSD[636]: TrouSerS trousers 0.3.13: TCSD up and running.
janv. 13 21:59:44 dom0 anti-evil-maid-unseal[527]: anti-evil-maid-unseal: Extending PCR 13, value 58f0b7f7a60c86f583aa0f3fe9648278f266038e, device 32d35c43-0640-48ba-94b0-785866d51870...
janv. 13 21:59:44 dom0 anti-evil-maid-unseal[527]: tpm_z_srk: detecting whether SRK is password protected
janv. 13 21:59:44 dom0 anti-evil-maid-unseal[527]: Tspi_Key_CreateKey failed: 0x00000001 - layer=tpm, code=0001 (1), Authentication failed
janv. 13 21:59:44 dom0 anti-evil-maid-unseal[527]: tpm_z_srk: yes, SRK is password protected; resetting dictionary attack lock...
janv. 13 21:59:44 dom0 anti-evil-maid-unseal[527]: anti-evil-maid-unseal: Prompting for SRK password...
janv. 13 22:00:34 dom0 anti-evil-maid-unseal[527]: Enter SRK password: Tspi_Key_CreateKey failed: 0x00000001 - layer=tpm, code=0001 (1), Authentication failed
janv. 13 22:00:34 dom0 anti-evil-maid-unseal[527]: anti-evil-maid-unseal: Wrong SRK password, resetting dictionary attack lock...
janv. 13 22:00:34 dom0 anti-evil-maid-unseal[527]: anti-evil-maid-unseal: Prompting for SRK password...
janv. 13 22:00:43 dom0 anti-evil-maid-unseal[527]: Enter SRK password: anti-evil-maid-unseal: Correct SRK password
janv. 13 22:00:43 dom0 anti-evil-maid-unseal[527]: anti-evil-maid-unseal: Unsealing the secret...
janv. 13 22:00:43 dom0 anti-evil-maid-unseal[527]: Unable to write output file
janv. 13 22:00:43 dom0 anti-evil-maid-unseal[527]: anti-evil-maid-unseal: Unmounting the aem device...
janv. 13 22:00:43 dom0 systemd[1]: Started Anti Evil Maid unsealing.
janv. 13 20:01:17 dom0 systemd[1]: Starting Anti Evil Maid sealing...
janv. 13 20:01:21 dom0 anti-evil-maid-seal[2675]: tpm_z_srk: detecting whether SRK is password protected
janv. 13 20:01:21 dom0 anti-evil-maid-seal[2675]: Tspi_Key_CreateKey failed: 0x00000001 - layer=tpm, code=0001 (1), Authentication failed
janv. 13 20:01:21 dom0 anti-evil-maid-seal[2675]: tpm_z_srk: yes, SRK is password protected; resetting dictionary attack lock...
janv. 13 20:01:21 dom0 anti-evil-maid-seal[2675]: PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
janv. 13 20:01:21 dom0 anti-evil-maid-seal[2675]: PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
janv. 13 20:01:21 dom0 anti-evil-maid-seal[2675]: PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
janv. 13 20:01:21 dom0 systemd[1]: anti-evil-maid-seal.service: Main process exited, code=exited, status=1/FAILURE
janv. 13 20:01:21 dom0 systemd[1]: Failed to start Anti Evil Maid sealing.
janv. 13 20:01:21 dom0 systemd[1]: anti-evil-maid-seal.service: Unit entered failed state.
janv. 13 20:01:21 dom0 systemd[1]: anti-evil-maid-seal.service: Failed with result 'exit-code'.

[/code]


Related issues:

Did I download the right SINIT module version?
The TPM seems to be supported on this laptop

Thx

ThierryIT Jan 14, 2018

seems to work now
