TCG_PassThroughFail: 0xc0000 while unsealing the key #64
Comments
|
I don't think TPM is supported in a VM. |
|
It is and it works normally. But it looks like that SeaBIOS > 1.9.3 is broken for TPM 1.2 which known to be used in QEMU |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The general idea of this test case is the following: We will seal a piece of data using TPM and try to unlock it from TrustedGrub2. Every time I try to unseal the key I get a TCG_PassThroughFail: 0xc0000 error.
The test is as follows:
Download VirtualBox or VMWare
Download Ubuntu 16.04 (http://releases.ubuntu.com/16.04/ubuntu-16.04.2-desktop-amd64.iso)
Install the OS
sudo apt-get update
sudo apt-get install build-essential automake autopoint libtool libtspi-dev bison flex git
wget https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2/archive/1.4.0.tar.gz
tar xzf 1.4.0.tar.gz
cd TrustedGRUB2-1.4.0/
export INSTALL_DIR=/path/to/install_dir
./autogen.sh
./configure --prefix=$INSTALL_DIR --target=i386 -with-platform=pc
make CPPFLAGS=-DTGRUB_DEBUG && make install
If everything goes well we should have a file called grub-install under $INSTALL_DIR/sbin/
I installed TrustedGrub2 into a USB stick using the following command:
sudo $INSTALL_DIR/sbin/grub-install --directory=$INSTALL_DIR/lib/grub/i386-pc /dev/sdb ; # device name may be different in your case
Build tpm-tools and tpm ownership
I used Ubuntu 16.04 running on a machine that we want to seal/unseal a key.
Clear and enable TPM (from BIOS)
Boot the OS
sudo apt-get update
sudo apt-get install git
git clone https://github.com/shpedoikal/tpm-tools.git
git checkout tpm-sealdata-raw (# checking out this branch is very important because it adds the -r option to tpm_sealdata).
sudo apt-get install automake autoconf libtool gettext trousers trousers-devel libtspi-dev autopoint (link to instructions https://github.com/shpedoikal/tpm-tools)
sh ./bootstrap.sh
export TPM_DIR=/path/to/tpm_build_dir
./configure --prefix=$TPM_DIR
make && make install
$TPM_DIR/sbin/tpm_takeownership -y -z
$TPM_DIR/sbin/tpm_setenabled --enable -z
$TPM_DIR/sbin/tpm_setactive -z
Create a key
echo “TPM UNSEAL FROM GRUB” > /tmp/key
#seal the key now that we own the TPM using PCRs 8 and 9
$TPM_DIR/bin/tpm_sealdata -p 8 -p 9 -z -r -i /tmp/key -o /tmp/key.enc
If everything goes well we should have a sealed key named ‘/tmp/key.enc’.
We should now copy the sealed key to a place that we can access from TrustedGrub2. I copied /tmp/key.enc to the root of the USB drive that we installed TrustedGrub2.
Reboot the system and boot it using the newly created image. Press ‘c’ in the TrustedGrub2 menu. Execute the following command from the grub menu:
grub> unseal /root/key.enc
I always get an error after this step
TCG_PassThroughFail: 0xc0000
The text was updated successfully, but these errors were encountered: