Use the commands in this section to check the components that TPM depends on (the tcsd daemon, the TPM device node, the TrouSerS software stack and the TPM itself) and to troubleshoot TPM problems.
To verify that the tcsd daemon is running:

# svcs tcsd
STATE          STIME    FMRI
online         Nov_07   svc:/application/security/tcsd:default
To ensure that the TPM device is installed:

# ls -alF /dev/tpm
lrwxrwxrwx 1 root 39 Dec 27 2011 /dev/tpm -> ../devices/pci@0,0/isa@1/tpm@1,1670:tpm
To verify that the TSS software package is installed:

# pkg info trousers
          Name: library/security/trousers
       Summary: TrouSerS TCG software to access a TPM device
   Description: The TrouSerS library provides a software stack from the
                Trusted Computer Group (TCG) that accesses a Trusted
                Platform Module (TPM) hardware device.
      Category: System/Security
         State: Installed
     Publisher: solaris
       Version: 0.3.6
 Build Release: 5.11
        Branch: 0.175.1.0.0.24.0
Packaging Date: September 4, 2012 05:28:21 PM
          Size: 3.65 MB
          FMRI: pkg://solaris/library/security/trousers@0.3.6,5.11-0.175.1.0.0.24.0:20120904T172821Z
To check the current status of TPM:

The following output means that TPM is not initialized.

# tpmadm status
TPM Version: 1.2 (STM Rev: 13.12, SpecLevel: 2, ErrataRev: 3)
No TPM owner installed.

The following output means that the tcsd service needs to be started by using the svcadm enable tcsd command.

# tpmadm status
Connect context: Communication failure (TSS.TSS_E_COMM_FAILURE 0x3011).
Make sure the tcsd service "svc:/application/security/tcsd" is running.

The following output means that TPM is initialized.

# tpmadm status
TPM Version: 1.2 (IFX Rev: 3.16, SpecLevel: 2, ErrataRev: 2)
TPM resources
    Contexts: 32/32 available
    Sessions: 20/20 available
    Authentication Sessions: 20/20 available
    Loaded Keys: 8/10 available
Platform Configuration Registers (24)
    PCR 0: D1 8A 59 A6 64 6C 38 D7 01 14 F6 F5 05 77 2B 2C AA 4A AC 7F
    PCR 1: AE 00 DE C4 9F 35 C6 A4 1B 5D E7 7D 57 73 87 2C B2 B9 F2 79
    PCR 2: 3C 80 7F A0 CE 0D 71 47 3D BB 27 62 B8 26 81 23 F6 37 C1 4C
    PCR 3: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
    PCR 4: 67 36 B9 7C 15 A0 1E 59 5A E5 83 F7 D5 B4 60 16 FB F3 9F 07
    PCR 5: A0 AD 25 17 E3 1A 35 7D 70 2B 46 3C 2D 82 6A 64 8A DE 82 5A
    PCR 6: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
    PCR 7: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
    PCR 8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
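As an added example (not part of this Oracle documentation), the following shell script classifies the three tpmadm status output forms shown above and combines the tcsd, /dev/tpm and tpmadm checks into a single health check; the sample outputs are constructed from the ones on this page, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Oracle's code): classify the three "tpmadm status"
# output forms shown above so a health check can act on them.

# classify_tpm_status reads tpmadm output on stdin and prints one of:
#   comm_failure  - tcsd is not running (fix: svcadm enable tcsd)
#   no_owner      - TPM reachable but not initialized (no owner installed)
#   initialized   - TPM has an owner and reports resources and PCRs
#   unknown       - none of the documented patterns matched
classify_tpm_status() {
    out=$(cat)
    case "$out" in
        *TSS_E_COMM_FAILURE*)       echo comm_failure ;;
        *"No TPM owner installed"*) echo no_owner ;;
        *"TPM resources"*)          echo initialized ;;
        *)                          echo unknown ;;
    esac
}

# tpm_health_check runs the page's checks on a live Solaris host; returns 0
# only when tcsd is online, /dev/tpm exists and the TPM reports as initialized.
tpm_health_check() {
    if ! svcs -H -o state tcsd 2>/dev/null | grep -q '^online$'; then
        echo "tcsd not online: run 'svcadm enable tcsd'" >&2
        return 1
    fi
    [ -e /dev/tpm ] || { echo "/dev/tpm is missing" >&2; return 1; }
    state=$(tpmadm status 2>&1 | classify_tpm_status)
    echo "tpm state: $state"
    [ "$state" = initialized ]
}

# Constructed samples mirroring the three outputs on this page.
SAMPLE_NOT_INIT='TPM Version: 1.2 (STM Rev: 13.12, SpecLevel: 2, ErrataRev: 3)
No TPM owner installed.'
SAMPLE_COMM_FAIL='Connect context: Communication failure (TSS.TSS_E_COMM_FAILURE 0x3011).
Make sure the tcsd service "svc:/application/security/tcsd" is running.'
SAMPLE_INIT='TPM Version: 1.2 (IFX Rev: 3.16, SpecLevel: 2, ErrataRev: 2)
TPM resources
    Contexts: 32/32 available
Platform Configuration Registers (24)
    PCR 0: D1 8A 59 A6 64 6C 38 D7 01 14 F6 F5 05 77 2B 2C AA 4A AC 7F'

# Stand-alone demonstration on the constructed samples.
for s in "$SAMPLE_NOT_INIT" "$SAMPLE_COMM_FAIL" "$SAMPLE_INIT"; do
    printf '%s\n' "$s" | classify_tpm_status
done
```

On a live host, call tpm_health_check from a monitoring job and alert on a non-zero exit; the classification string tells the operator which of the three documented remedies applies.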
To clear TPM, as is required after TPM was previously reinitialized:

At the Oracle Solaris prompt:

# tpmadm clear owner

At the ILOM prompt:

-> stop /SYS
-> set /HOST/tpm forceclear=true
-> start /SYS
SPARC multi-domain servers that have Oracle Solaris 11.3 installed can fail over the SP/SPP board that contains the TPM. You enable TPM failover by using the -failover option of the tpmadm command.

The -failover option prompts for the TPM Owner PIN and for a new PIN for the Migration Key. These settings are used to back up and restore the TPM keystore if the TPM chip fails over to a new TPM chip on another SPARC SP/SPP board.
For instructions, see the backup step in How to Initialize TPM Using the Oracle ILOM Interface. See also the tpmadm(1M) man page.
SPARC multi-domain servers that have Oracle Solaris 11.3 installed can, if the -failover option was previously enabled, fail over the SP/SPP board that contains the TPM. See TPM Failover Option.
All other platforms must have had a manual backup created. See How to Back Up TPM Data and Keys. If a manual backup was created, you can use the following procedure to install the backup of the TPM data and keys on a new SP.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
# tpmadm migrate import
# tpmadm keyinfo
[SYSTEM] 00000000-0000-0000-0000-000000000001 (loaded)
[SYSTEM] 00000000-0000-0000-0000-00000000000b
[USER] bc25ec53-239e-6ae8-f888-9e46d8f8f40f
[USER] f5cc255c-2bd5-cb2d-e961-874f82dad286