Go to main content

Securing Systems and Attached Devices in Oracle® Solaris 11.4

Exit Print View

Updated: July 2019
 
 

Troubleshooting TPM

Monitoring TPM Status

Use the commands described in this section to monitor different operating components that enable you to successfully use TPM and troubleshoot TPM problems.

  • To verify that the tcsd daemon is running:

    # svcs tcsd
    STATE      STIME      FMRI
    online     Nov_07     svc:/application/security/tcsd:default
  • To ensure that the TPM device is installed:

    # ls -alF /dev/tpm
    lrwxrwxrwx 1 root 39 Dec 27 2011 /dev/tpm -> ../devices/pci@0,0/isa@1/tpm@1,1670:tpm
  • To verify that the TSS software package is installed:

    # pkg info trousers
    Name: library/security/trousers
    Summary: TrouSerS TCG software to access a TPM device
    Description: The TrouSerS library provides a software stack from the
    Trusted Computer Group (TCG) that accesses a Trusted Platform Module
    (TPM) hardware device.
    Category: System/Security
    State: Installed
    Publisher: solaris
    Version: 0.3.6
    Build Release: 5.11
    Branch: 0.175.1.0.0.24.0
    Packaging Date: September 4, 2012 05:28:21 PM
    Size: 3.65 MB
    FMRI: pkg://solaris/library/security/
    trousers@0.3.6,5.11-0.175.1.0.0.24.0:20120904T1728212
  • To check the current status of TPM:

    • The following output means that TPM is not initialized.

      # tpmadm status
      TPM Version: 1.2 (STM  Rev: 13.12, SpecLevel: 2, ErrataRev: 3)
      No TPM owner installed.
      
    • The following output means that the tcsd service needs to be started by using the svcadm enable tcsd command.

      # tpmadm status
      Connect context: Communication failure (TSS.TSS_E_COMM_FAILURE 0x3011).
      Make sure the tcsd service "svc:/application/security/tcsd" is running.
    • The following output means that TPM is initialized.

      # tpmadm status
      TPM Version: 1.2 (IFX Rev: 3.16, SpecLevel: 2, ErrataRev: 2)
      TPM resources
              Contexts: 32/32 available
              Sessions: 20/20 available
              Authentication Sessions: 20/20 available
              Loaded Keys: 8/10 available
      Platform Configuration Registers (24)
              PCR 0:  D1 8A 59 A6 64 6C 38 D7 01 14 F6 F5 05 77 2B 2C AA 4A AC 7F
              PCR 1:  AE 00 DE C4 9F 35 C6 A4 1B 5D E7 7D 57 73 87 2C B2 B9 F2 79
              PCR 2:  3C 80 7F A0 CE 0D 71 47 3D BB 27 62 B8 26 81 23 F6 37 C1 4C
              PCR 3:  3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
              PCR 4:  67 36 B9 7C 15 A0 1E 59 5A E5 83 F7 D5 B4 60 16 FB F3 9F 07
              PCR 5:  A0 AD 25 17 E3 1A 35 7D 70 2B 46 3C 2D 82 6A 64 8A DE 82 5A
              PCR 6:  3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
              PCR 7:  3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
              PCR 8:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              PCR 9:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              PCR 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              PCR 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              PCR 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              PCR 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              PCR 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              PCR 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              PCR 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              PCR 17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              PCR 18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              PCR 19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              PCR 20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              PCR 21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              PCR 22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              PCR 23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      
  • To clear TPM as a requirement after TPM was previously reinitialized.

    • At the Oracle Solaris prompt:

      # tpmadm clear owner
    • At the ILOM prompt:

      -> stop /SYS
      -> set /HOST/tpm forceclear=true
      -> start /SYS

SPARC: TPM Failover Option

SPARC multi-domain servers that have Oracle Solaris 11.4 installed have the ability to fail over the SP/SPP board that contains the TPM. You can enable TPM failover by using the –failover option of the tpmadm command.

The –failover option prompts for the TPM Owner PIN and a new PIN for the Migration Key. These settings will be used to backup and restore the TPM keystore in case the TPM chip fails over to a new TPM chip on another SPARC SP/SPP board.

For instructions, see the backup step in How to Initialize TPM Using the Oracle ILOM Interface. See also the tpmadm(8) man page.

SPARC: Migrating or Restoring TPM Data and Keys

SPARC multi-domain servers that have Oracle Solaris 11.4 installed can, if the –failover option was previously enabled, fail over the SP/SPP board that contains the TPM. See TPM Failover Option.

All other platforms must have had a manual backup created. See How to Back Up TPM Data and Keys. If a manual backup was created, you can use the following procedure to install the backup of the TPM data and keys on a new SP.

SPARC: How to Migrate or Restore TPM Data and Keys

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Migrate the TPM data and keys.
    #  tpmadm migrate import
  2. Verify that the data has migrated.
    # tpmadm keyinfo
        [SYSTEM] 00000000-0000-0000-0000-000000000001 (loaded)
            [SYSTEM] 00000000-0000-0000-0000-00000000000b
             [USER] bc25ec53-239e-6ae8-f888-9e46d8f8f40f
               [USER] f5cc255c-2bd5-cb2d-e961-874f82dad286