7:52 a.m.
My guess is that you do not set the TPMA_NVA_PLATFORMCREATE attribute.
The IBM utility sets it for you when the platform hierarchy authorizes the
command, since it must be set.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
From: "Sievert, James" <james.sievert(a)bsci.com>
To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
Date: 12/03/2021 09:37 AM
Subject: [EXTERNAL] [tpm2] tpm2_nvdefine fails with inconsistent
attributes...
Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following
command which is returning an inconsistent attributes error:
bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1
Hi,
I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following
command which is returning an inconsistent attributes error:
bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:333:Esys_NV_DefineSpace_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace()
Esys Finish ErrorCode (0x00000182)
ERROR: Failed to define NV area at index 0x1000025
ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine
and yes, I am attempting to define the index using the platform hierarchy.
? This does work using the IBM utilities.
Here are the current properties:
bsci@ip-10-132-42-225:~$ tpm2_getcap properties-variable
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x6
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x11
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xD
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
Any insight would be appreciated.
Thanks!_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
8:10 a.m.
New subject: {External} Re: tpm2_nvdefine fails with inconsistent attributes...
That was it. Thanks, Ken.
According to the documentation for tpm2_nvdefine, the defaults for the platform hierarchy
are PPREAD and PPWRITE. Strangely, PLATFORMCREATE is not included. The following is
sufficient:
tpm2_nvdefine 0x01000025 -C p -s 1 -a "ppwrite|ppread|platformcreate"
Is there some reason the defaults for the platform hierarchy don’t include
PLATFORMCREATE?
From: Kenneth Goldman <kgoldman(a)us.ibm.com>
Sent: Friday, December 3, 2021 9:52 AM
To: Sievert, James <james.sievert(a)bsci.com>
Cc: tpm2(a)lists.01.org
Subject: {External} [tpm2] Re: tpm2_nvdefine fails with inconsistent attributes...
My guess is that you do not set the TPMA_NVA_PLATFORMCREATE attribute.
The IBM utility sets it for you when the platform hierarchy authorizes the command, since
it must be set.
--
Ken Goldman kgoldman@us.ibm.com<mailto:kgoldman@us.ibm.com>
914-945-2415 (862-2415)
[Inactive hide details for "Sievert, James" ---12/03/2021 09:37:25 AM---Hi, I’m
using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m i]"Sievert, James" ---12/03/2021
09:37:25 AM---Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following
command which is returnin
From: "Sievert, James"
<james.sievert@bsci.com<mailto:james.sievert@bsci.com>>
To: "tpm2@lists.01.org<mailto:tpm2@lists.01.org>"
<tpm2@lists.01.org<mailto:tpm2@lists.01.org>>
Date: 12/03/2021 09:37 AM
Subject: [EXTERNAL] [tpm2] tpm2_nvdefine fails with inconsistent attributes...
________________________________
Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following command which is
returning an inconsistent attributes error: bsci@ip-10-132-42-225:~$ tpm2_nvdefine
0x1000025 -C p -s 1
Hi,
I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following command which is
returning an inconsistent attributes error:
bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:333:Esys_NV_DefineSpace_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish
ErrorCode (0x00000182)
ERROR: Failed to define NV area at index 0x1000025
ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine
and yes, I am attempting to define the index using the platform hierarchy. ? This does
work using the IBM utilities.
Here are the current properties:
bsci@ip-10-132-42-225:~$ tpm2_getcap properties-variable
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x6
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x11
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xD
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
Any insight would be appreciated.
Thanks!_______________________________________________
tpm2 mailing list -- tpm2@lists.01.org<mailto:tpm2@lists.01.org>
To unsubscribe send an email to
tpm2-leave@lists.01.org<mailto:tpm2-leave@lists.01.org>
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
2:08 p.m.
New subject: tpm2_nvdefine fails with inconsistent attributes...
It might also just be attempting to use platform authorization on real
hardware while not being the system firmware. UEFI tends to lock out the
platform on every boot because that's what it's supposed to do?
On Fri, Dec 3, 2021, 6:52 AM Kenneth Goldman <kgoldman(a)us.ibm.com> wrote:
My guess is that you do not set the TPMA_NVA_PLATFORMCREATE
attribute.
The IBM utility sets it for you when the platform hierarchy authorizes the
command, since it must be set.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
[image: Inactive hide details for "Sievert, James" ---12/03/2021 09:37:25
AM---Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m i]"Sievert,
James" ---12/03/2021 09:37:25 AM---Hi, I’m using tpm2-tools 4.1.1 on Ubuntu
20.04. I’m issuing the following command which is returnin
From: "Sievert, James" <james.sievert(a)bsci.com>
To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
Date: 12/03/2021 09:37 AM
Subject: [EXTERNAL] [tpm2] tpm2_nvdefine fails with inconsistent
attributes...
------------------------------
Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following
command which is returning an inconsistent attributes error:
bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1
Hi,
I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following
command which is returning an inconsistent attributes error:
bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:333:Esys_NV_DefineSpace_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace()
Esys Finish ErrorCode (0x00000182)
ERROR: Failed to define NV area at index 0x1000025
ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine
and yes, I am attempting to define the index using the platform hierarchy.
? This does work using the IBM utilities.
Here are the current properties:
bsci@ip-10-132-42-225:~$ tpm2_getcap properties-variable
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x6
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x11
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xD
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
Any insight would be appreciated.
Thanks!_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
138
days inactive
176
days old
2 comments
3 participants
participants (3)
-
Kenneth Goldman -
Sievert, James -
Steven Clark