
Issue 702680


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




platform_BootLockbox test fails for tpm 2.0 boards

Project Member Reported by apronin@chromium.org, Mar 17 2017

Issue description

The following was seen in the logs for R59-9373.0.0:
2017-03-16T18:51:58.884116-07:00 INFO cryptohomed[2390]: Creating new boot-lockbox key.
2017-03-16T18:52:06.716407-07:00 ERR cryptohomed[2390]: Sign: Error signing digest: Session 1: TPM_RC_POLICY_FAIL
2017-03-16T18:52:06.716606-07:00 ERR cryptohomed[2390]: Error signing: Session 1: TPM_RC_POLICY_FAIL
 
apronin, any progress here?
Cc: xzhou@chromium.org
Status: Started (was: Assigned)
Looks like the issue is with the default PCR value that the signing key is bound to defined as 
  const unsigned char kPCRValue[20] = {0};

Should be 32 bytes instead for TPM2.0 (or an empty string to auto-detect).
Turned out indeed to be just the issue in comment #2. Quick-patching the value to be 32 bytes long for 2.0 (and removing the old key) solved the issue. Preparing a proper CL.
Project Member

Comment 4 by bugdroid1@chromium.org, Sep 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/cd6afc27c56b9144ec36d4d2337f598911b69853

commit cd6afc27c56b9144ec36d4d2337f598911b69853
Author: Andrey Pronin <apronin@chromium.org>
Date: Tue Sep 05 20:44:02 2017

cryptohome: use the right PCR size in boot lockbox checks

Boot lockbox uses PCR15 to lock key from being used for signing
after the lockbox is finalized. TPM 1.2 and 2.0 use PCRs of different
sizes. Modify boot lockbox to select the PCR value size based on the
tpm model.

BUG= chromium:702680 
TEST=platform_BootLockbox and unit tests

Change-Id: I707cf3d1c0e0f7cb1874635e7faa53d5f51003f8
Reviewed-on: https://chromium-review.googlesource.com/648646
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/cd6afc27c56b9144ec36d4d2337f598911b69853/cryptohome/boot_lockbox.cc
[modify] https://crrev.com/cd6afc27c56b9144ec36d4d2337f598911b69853/cryptohome/boot_lockbox.h

Status: Fixed (was: Started)

Comment 6 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 7 by dchan@chromium.org, Jan 23 2018

Status: Fixed (was: Archived)
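
Added example, not part of the thread and not cryptohome's code: why a key bound to a 20-byte PCR15 value fails with TPM_RC_POLICY_FAIL on TPM 2.0, using the PolicyPCR digest computation from the TPM 2.0 specification. It assumes the SHA-256 PCR bank and a policy consisting of a single PolicyPCR; the function names are hypothetical and the finalization measurement is a constructed value.

```python
import hashlib
import struct

# Constants from the TPM 2.0 specification.
TPM_CC_POLICY_PCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
LOCKBOX_PCR = 15  # PCR index named in the commit message


def pcr_selection(index):
    """Marshal a TPML_PCR_SELECTION naming one PCR in the SHA-256 bank."""
    bitmap = bytearray(3)
    bitmap[index // 8] |= 1 << (index % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, len(bitmap)) + bytes(bitmap)


def policy_pcr_digest(pcr_value, index=LOCKBOX_PCR):
    """Policy digest after one PolicyPCR command on a fresh session."""
    digest_tpm = hashlib.sha256(pcr_value).digest()
    start = bytes(32)  # a new policy session starts from an all-zero digest
    return hashlib.sha256(
        start + struct.pack(">I", TPM_CC_POLICY_PCR)
        + pcr_selection(index) + digest_tpm).digest()


def extend(pcr_value, measurement):
    """PCR extend in the SHA-256 bank: new = SHA256(old || measurement)."""
    return hashlib.sha256(pcr_value + measurement).digest()


def can_sign(bound_pcr_value, actual_pcr_value):
    """True when the key's authPolicy matches what the session computes."""
    return (policy_pcr_digest(bound_pcr_value)
            == policy_pcr_digest(actual_pcr_value))


if __name__ == "__main__":
    pcr15_at_boot = bytes(32)  # SHA-256 bank PCR15 before finalization
    print("bound to 20 zero bytes:", can_sign(bytes(20), pcr15_at_boot))
    print("bound to 32 zero bytes:", can_sign(bytes(32), pcr15_at_boot))
    # Constructed measurement; the page does not say what finalization extends.
    finalized = extend(pcr15_at_boot, hashlib.sha256(b"constructed").digest())
    print("after finalization:", can_sign(bytes(32), finalized))
```

The first case reproduces the mismatch reported in the logs, the second is the corrected size, and the third shows the intended lock once PCR15 has been extended.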
