Resource manager failed to start - NUC7i7-BNH #509

Closed
karimulla1993 opened this issue Jul 27, 2018 · 11 comments

@karimulla1993

Hi, I have a NUC7i7-BNH mini PC which has the fTPM (firmware TPM 2.0). I have installed tpm2-tss, tpm2-abrmd and tpm2-tools. When I try to start the RM service using sudo service tpm2-abrmd start, I get a "could not connect" error and something related to com.intel.tss2.Tabrmd. Do these tools support the fTPM?
I am using Ubuntu 16.04 and I see there is no device /dev/tpm0.

@williamcroberts
Member

It should work with a firmware TPM2.0. I wonder if this is a permission issue on /dev/tpm0. What are the permissions on /dev/tpm0?

@karimulla1993
Author

karimulla1993 commented Jul 30, 2018

The TPM device is not listed in the /dev folder, i.e. ls /dev/tp* doesn't give a result.

Below is the error I received:
** (process:9127): WARNING **: Failed to create connection with service: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name com.intel.tss2.Tabrmd was not provided by any .service files
ERROR: Failed to initialize TABRMD TCTI context: 0xa0008

$ systemctl status tpm2-abrmd.service
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
Loaded: loaded (/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Fri 2018-07-27 14:24:25 IST; 2s ago
Process: 11212 ExecStart=/usr/local/sbin/tpm2-abrmd (code=exited, status=1/FAILURE)
Main PID: 11212 (code=exited, status=1/FAILURE)

Jul 27 14:24:25 intel-desktop systemd[1]: Failed to start TPM2 Access Broker and Resource Management Daemon.
Jul 27 14:24:25 intel-desktop systemd[1]: tpm2-abrmd.service: Unit entered failed state.
Jul 27 14:24:25 intel-desktop systemd[1]: tpm2-abrmd.service: Failed with result 'exit-code'.

@blaufish

@karimulla1993 first: update kernel to get tpm2 support, there is none in Ubuntu 16.04 base kernel if I recall correctly, at least /dev/tpmrm0 support was added in much later kernels. Perform e.g. sudo apt install linux-image-4.15.0-20-generic to get a kernel which at least detects my discrete TPM on a NUC, you may need later versions if TPM still isn't detected. You can find kernels using apt-cache search linux-generic and identify current kernel using uname -mrs

second: if above did not help at all, review BIOS and ensure TPM related options are enabled.

@karimulla1993
Author

Thanks. Now I was able to locate the device at /dev/tpm0 and was successfully able to start the abrmd service.
After this a new issue appeared: I was unable to clear and take ownership of the fTPM using the
tpm2_takeownership -c
tpm2_takeownership -L passphrase
commands, and in the BIOS settings there is only an enable button.
Is there any way we can clear the fTPM 2.0 on the NUC7i7BNH?

@blaufish

@karimulla1993 I think tpm2_takeownership -c is supposed to work on a fresh device.

Getting more verbose information:

  • For many TPM2 tools you can add -V option for more debug
  • You can also add TSS2_LOG=all+TRACE before the command (environment settings) for more debug.

Alternative way of running tpm2_tools, without abrmd:

  • shut down the abrmd service
  • run command with --tcti device:/dev/tpmrm0 option

@karimulla1993
Author

Tried as below and getting error
$ tpm2_takeownership -c --tcti device:/dev/tpmrm0
invalid TCTI, see --help

And also tried changing the cmd to rectify above and still ended up getting error
$ tpm2_takeownership -c -d:/dev/tpmrm0
ERROR: Clearing Failed! TPM error code: 0x98e

Tried same command after changing permissions for tpm0 and tpmrm0 to 777 (just in case if that is the issue), ended up with a different error code
ERROR: Clearing Failed! TPM error code: 0x921

Also tried clearing the TPM from BIOS menu as mentioned in the NUC data sheet by removing jumper but the issue still persists

@blaufish

blaufish commented Aug 1, 2018

Okay so 0x98e means the authorization failed. I think maybe that means the tpm might be initialised with a password other than the well known secret.

Perhaps you successfully took ownership of it before with a password, so the TPM now expects your password instead of the well known secret?

0x921 appears to mean you've tried too many times, TPM is now in lockdown mode and needs to rest a few hours before more attempts are accepted.

Ways forward:

  • Depending on how other commands behave, perhaps you can continue without claiming ownership right now.
  • You might also consider moving the discussion to https://lists.01.org/mailman/listinfo/tpm2 in order to get access to more eyeballs on your problems.
  • If you suspect a hardware failure due to clearing TPM still failing after a long wait, you may consider calling Intel support phone numbers - I had good experience from their NUC team debugging device boot problems.

tpm2_rc_decode 0x98e
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 1 error code
  hex: 0x0e
  identifier: TPM_RC_AUTH_FAIL
  description: the authorization HMAC check failed and DA counter incremented
session
  hex: 0x100
  identifier: TPM_RC_1
  description:  (null)


tpm2_rc_decode 0x921
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 0 warning code
  hex: 0x21
  name: TPM_RC_LOCKOUT
  description: authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode

@blaufish

blaufish commented Aug 1, 2018

Also, use tpm2_getcap to learn about how the TPM lockout works on the particular TPM.
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.07-2014-03-13.pdf
TPM_PT_MAX_AUTH_FAIL, TPM_PT_LOCKOUT_RECOVERY, TPM_PT_LOCKOUT_INTERVAL etc.

I'm not 100% sure how to unlock a locked TPM, I think you have to wait until the lockout releases and then provide the unlock password with -L, if previously set with -l in a previous successful takeownership.
https://manpages.debian.org/testing/tpm2-tools/tpm2_takeownership.8.en.html

@williamcroberts
Member

williamcroberts commented Aug 1, 2018 via email

@karimulla1993
Author

Getting the following error on running command below, after performing following steps:

  1. waited for lockout to be released
  2. TPM2 has been cleared by removing jumper and selecting option on boot.
  3. $ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
    ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2

I couldn't understand what the exact issue is in setting the password after clearing the TPM.
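
The codes reported in this thread (0xa0008, 0x98e, 0x921, 0x9a2) can be decoded by hand from the TSS2 layer field and the TPM 2.0 response-code bit layout. The following is an added example, not part of the thread or of tpm2-tools; its name tables are deliberately partial and cover only the codes seen here.

```python
# Added example: decode TSS2/TPM 2.0 response codes seen in this thread.
# The name tables are partial on purpose (only codes from this thread).
LAYERS = {0: "TPM", 10: "TCTI"}
BASE_NAMES = {8: "TSS2_BASE_RC_NO_CONNECTION"}
FMT1_NAMES = {0x0E: "TPM_RC_AUTH_FAIL", 0x22: "TPM_RC_BAD_AUTH"}
WARN_NAMES = {0x21: "TPM_RC_LOCKOUT"}


def decode_rc(rc):
    """Split a response code into layer, format, error and subject."""
    layer = (rc >> 16) & 0xFF
    out = {"layer": LAYERS.get(layer, "layer %d" % layer)}
    code = rc & 0xFFFF
    if layer != 0:
        # Library layers carry a TSS2 base error number in the low 16 bits.
        out["error"] = BASE_NAMES.get(code, hex(code))
        return out
    if code & 0x080:
        # Format 1: bits 0-5 error number, bit 6 parameter flag, bits 8-11 index.
        num, n = code & 0x03F, (code >> 8) & 0xF
        out["format"] = 1
        out["error"] = FMT1_NAMES.get(num, hex(num))
        if code & 0x040:
            out["subject"] = "parameter %d" % n
        elif n & 0x8:
            out["subject"] = "session %d" % (n & 0x7)
        else:
            out["subject"] = "handle %d" % (n & 0x7)
        return out
    # Format 0: bits 0-6 error number, bit 8 TPM 2.0, bit 10 vendor, bit 11 warning.
    num = code & 0x07F
    out["format"] = 0
    out["warning"] = bool(code & 0x800)
    out["vendor"] = bool(code & 0x400)
    names = WARN_NAMES if out["warning"] else {}
    out["error"] = names.get(num, hex(num))
    return out


def needs_wait(rc):
    """True when retrying is pointless until the DA lockout expires."""
    return decode_rc(rc).get("error") == "TPM_RC_LOCKOUT"


if __name__ == "__main__":
    for rc in (0xA0008, 0x98E, 0x921, 0x9A2):
        print(hex(rc), decode_rc(rc))
```

For 0x9a2 it reports TPM_RC_BAD_AUTH on session 1, which the TPM 2.0 specification describes as an authorization failure without DA implications.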

@flihp
Contributor

flihp commented Aug 3, 2018

Sorry for doing this but it looks like the issue initially brought up here has been resolved by a kernel upgrade on the platform. The discussion has devolved into an issue with setting authorization values and this should take place on the mailing list or possibly in the tools issue tracker. AFAIK the tabrmd is no longer involved and this thread should be closed.

@flihp flihp closed this as completed Aug 3, 2018