Securing Systems and Attached Devices in Oracle^® Solaris 11.3

Troubleshooting TPM

This section covers the following:

• Monitoring TPM Status

• TPM Failover Option

• Migrating or Restoring TPM Data and Keys

Monitoring TPM Status

Use the commands described in this section to monitor different operating components that enable you to successfully use TPM and troubleshoot TPM problems.

• To verify that the tcsd daemon is running:

  # svcs tcsd
  STATE      STIME      FMRI
  online     Nov_07     svc:/application/security/tcsd:default

• To ensure that the TPM device is installed:

  # ls -alF /dev/tpm
  lrwxrwxrwx 1 root 39 Dec 27 2011 /dev/tpm -> ../devices/pci@0,0/isa@1/tpm@1,1670:tpm

• To verify that the TSS software package is installed:

  # pkg info trousers
  Name: library/security/trousers
  Summary: TrouSerS TCG software to access a TPM device
  Description: The TrouSerS library provides a software stack from the
  Trusted Computer Group (TCG) that accesses a Trusted Platform Module
  (TPM) hardware device.
  Category: System/Security
  State: Installed
  Publisher: solaris
  Version: 0.3.6
  Build Release: 5.11
  Branch: 0.175.1.0.0.24.0
  Packaging Date: September 4, 2012 05:28:21 PM
  Size: 3.65 MB
  FMRI: pkg://solaris/library/security/
  trousers@0.3.6,5.11-0.175.1.0.0.24.0:20120904T1728212

• To check the current status of TPM:

  • The following output means that TPM is not initialized.

    # tpmadm status
    TPM Version: 1.2 (STM  Rev: 13.12, SpecLevel: 2, ErrataRev: 3)
    No TPM owner installed.
    

  • The following output means that the tcsd service needs to be started by using the svcadm enable tcsd command.

    # tpmadm status
    Connect context: Communication failure (TSS.TSS_E_COMM_FAILURE 0x3011).
    Make sure the tcsd service "svc:/application/security/tcsd" is running.

  • The following output means that TPM is initialized.

    # tpmadm status
    TPM Version: 1.2 (IFX Rev: 3.16, SpecLevel: 2, ErrataRev: 2)
    TPM resources
            Contexts: 32/32 available
            Sessions: 20/20 available
            Authentication Sessions: 20/20 available
            Loaded Keys: 8/10 available
    Platform Configuration Registers (24)
            PCR 0:  D1 8A 59 A6 64 6C 38 D7 01 14 F6 F5 05 77 2B 2C AA 4A AC 7F
            PCR 1:  AE 00 DE C4 9F 35 C6 A4 1B 5D E7 7D 57 73 87 2C B2 B9 F2 79
            PCR 2:  3C 80 7F A0 CE 0D 71 47 3D BB 27 62 B8 26 81 23 F6 37 C1 4C
            PCR 3:  3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
            PCR 4:  67 36 B9 7C 15 A0 1E 59 5A E5 83 F7 D5 B4 60 16 FB F3 9F 07
            PCR 5:  A0 AD 25 17 E3 1A 35 7D 70 2B 46 3C 2D 82 6A 64 8A DE 82 5A
            PCR 6:  3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
            PCR 7:  3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
            PCR 8:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            PCR 9:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            PCR 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            PCR 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            PCR 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            PCR 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            PCR 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            PCR 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            PCR 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            PCR 17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            PCR 18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            PCR 19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            PCR 20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            PCR 21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            PCR 22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            PCR 23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    

• To clear TPM as a requirement after TPM was previously reinitialized.

  • At the Oracle Solaris prompt:

    # tpmadm clear owner

  • At the ILOM prompt:

    -> stop /SYS
    -> set /HOST/tpm forceclear=true
    -> start /SYS

SPARC: TPM Failover Option

SPARC multi-domain servers that have Oracle Solaris 11.3 installed can fail over the SP/SPP board that contains the TPM. You can enable TPM failover by using the –failover option of the tpmadm command.

The –failover option prompts for the TPM Owner PIN and a new PIN for the Migration Key. These settings will be used to backup and restore the TPM keystore in case the TPM chip fails over to a new TPM chip on another SPARC SP/SPP board.

For instructions, see the backup step in How to Initialize TPM Using the Oracle ILOM Interface. See also the tpmadm(1M) man page.

SPARC: Migrating or Restoring TPM Data and Keys

SPARC multi-domain servers that have Oracle Solaris 11.3 installed can, if the –failover option was previously enabled, fail over the SP/SPP board that contains the TPM. See TPM Failover Option.

All other platforms must have had a manual backup created. See How to Back Up TPM Data and Keys. If a manual backup was created, you can use the following procedure to install the backup of the TPM data and keys on a new SP.

SPARC: How to Migrate or Restore TPM Data and Keys

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

1. Migrate the TPM data and keys.

   # tpmadm migrate import

2. Verify that the data has migrated.

   # tpmadm keyinfo
       [SYSTEM] 00000000-0000-0000-0000-000000000001 (loaded)
           [SYSTEM] 00000000-0000-0000-0000-00000000000b
            [USER] bc25ec53-239e-6ae8-f888-9e46d8f8f40f
              [USER] f5cc255c-2bd5-cb2d-e961-874f82dad286