TPM coverage in the HCL

130 views
Skip to first unread message

cprise

unread,
Dec 5, 2014, 7:16:35 PM12/5/14
to qubes...@googlegroups.com
It occured to me that info in the TPM column of the Qubes hardware
compatibility list is pretty sparse, and seems like it can give people
the wrong impression about the number of computer models than can
support Anti Evil Maid (hence, gaffneyiphone getting a T420 because it
seemed like the "only laptop" for AEM support). And I think it detracts
from Qubes' appeal overall if the chart suggests only one laptop for
AEM, which is a feature meant for laptops without which I'd probably
have overlooked Qubes.

You can start by adding a green indicator for the T430s TPM (it works
fine for me). Maybe we could hunt down info on some more models from
threads here in the list.

Is there some generic test using tcsd that the qubes-hcl-report could
run at least to say the TPM is communicative?

Hakisho Nukama

unread,
Dec 5, 2014, 8:49:35 PM12/5/14
to cprise, qubes...@googlegroups.com
On Sat, Dec 6, 2014 at 12:16 AM, cprise <cpr...@gmail.com> wrote:
> It occured to me that info in the TPM column of the Qubes hardware
> compatibility list is pretty sparse, and seems like it can give people the
> wrong impression about the number of computer models than can support Anti
> Evil Maid (hence, gaffneyiphone getting a T420 because it seemed like the
> "only laptop" for AEM support). And I think it detracts from Qubes' appeal
> overall if the chart suggests only one laptop for AEM, which is a feature
> meant for laptops without which I'd probably have overlooked Qubes.
>

Yes, sent in more reports of a working AEM installation.
And if you won't install and configure it, only report if a TPM module
is present.
We have no information on most reports containing a blank background.

> You can start by adding a green indicator for the T430s TPM (it works fine
> for me). Maybe we could hunt down info on some more models from threads here
> in the list.
>

Done. Is the problem with the tboot-induced memory allocation still there?

> Is there some generic test using tcsd that the qubes-hcl-report could run at
> least to say the TPM is communicative?
>

From the README:
# find /sys/devices -name pcrs
# cat <path_to_pcrs>

And another value information comes from logs.

[dom0]$ sudo systemctl start tcsd

[dom0]$ sudo systemctl status tcsd
tcsd.service - TCF Core Services Daemon
Loaded: loaded (/usr/lib/systemd/system/tcsd.service; disabled)
Active: failed (Result: exit-code) since $DATE
Process: 1234 ExecStart=/sbin/tcsd (code=exited, status=137)

$DATE dom0 systemd[1]: Starting TCG Core Services Daemon....
$DATE dom0 systemd[1]: tcsd.service: control process exited,
code=exited status=137
$DATE dom0 systemd[1]: Failed to start TCG Core Services Daemon.
$DATE dom0 systemd[1]: Unit tcsd.service entered failed state.

or
[dom0]$ sudo journalctl -xn
and report lines with tcsd like this one:

$DATE dom0 tcsd[1234]: TCSD TDDL[1234]: TrouSerS ERROR: Could not find
a device to open!
$DATE dom0 systemd[1]: tcsd.service: control process exited,
code=exited status=137
$DATE dom0 systemd[1]: Failed to start TCG Core Services Daemon.
$DATE dom0 systemd[1]: Unit tcsd.service entered failed state.

This are result with no TPM installed.

Best Regards,
Hakisho Nukama

Andrew

unread,
Dec 5, 2014, 10:31:23 PM12/5/14
to qubes...@googlegroups.com
I marked X230 and X230 2306CTO as having working TPMs. I have an X230
with the i5-3320M CPU, but model 2306CTO. So, I guess my experience of
a working TPM applies to both :).

Andrew

Zrubi

unread,
Dec 9, 2014, 9:00:59 AM12/9/14
to cprise, qubes...@googlegroups.com, nuk...@gmail.com
On 12/06/14 01:16, cprise wrote:
> Is there some generic test using tcsd that the qubes-hcl-report could
> run at least to say the TPM is communicative?

Let me know if there is a good way to check TPM.

But in general - just like VTx and VT-d - it really depends on the BIOS
as well. So the information if a chip is supporting this feature is not
enough to mark it working.

It is also not accepptable if we trying to start ANY services in dom0
just to guess if the TPM is usable.

if this method really works:
>> find /sys/devices -name pcrs

I would need some output from:
- a working and enabled TPM
- working but disabled in BIOS
- not working/missing

Then I can include this into the hcl report script.

--
Zrubi

signature.asc

cprise

unread,
Dec 9, 2014, 9:34:36 AM12/9/14
to Zrubi, qubes...@googlegroups.com, nuk...@gmail.com

On 12/09/14 09:00, Zrubi wrote:
> On 12/06/14 01:16, cprise wrote:
>> Is there some generic test using tcsd that the qubes-hcl-report could
>> run at least to say the TPM is communicative?
> Let me know if there is a good way to check TPM.
>
> But in general - just like VTx and VT-d - it really depends on the BIOS
> as well. So the information if a chip is supporting this feature is not
> enough to mark it working.
It would be helpful if you could indicate whether or not a TPM is
conversant with tcsd. It could be a note in a white field.

Also, just having the hcl report a negative will cause more users to
investigate whether their TPM is enabled and working.

> It is also not accepptable if we trying to start ANY services in dom0
> just to guess if the TPM is usable.
I won't agree with this. Starting a service for a test is not permanent.
Reply all
Reply to author
Forward
0 new messages