What is the difference between 0x1d5 and 0x3d5
by Terry An
[root@localhost tpm2-init]# tpm2_rc_decode 0x1d5
tpm:parameter(1):structure is the wrong size
[root@localhost tpm2-init]# tpm2_rc_decode 0x3d5
tpm:parameter(3):structure is the wrong size
I'm so confused about where my code is wrong.
3 years, 6 months
Ansible role
by Luke Hinds
Hi,
I thought I would share this in case it's useful to someone else.
https://github.com/lukehinds/ansible-tpm-simulator
It's an Ansible role with a Vagrantfile for deploying the tpm2 simulator and
building the tpm2-software suite from source. I used it to get a basic
development environment in place, and so it might be useful for someone who
wants a simple way to deploy the tpm2 tools / stack and resource manager +
simulator and get their feet wet.
You can set the branch you want to build from as Ansible variables.
tpm2_tss_version: 2.1.0
tpm2_abrmd_version: 2.0.2
tpm2_tools_version: v1.1.0
There are a few other things such as using the host's /dev/urandom for more
entropy.
Note, it's only been used by myself and not tested on many environments, so
consider it a WIP. Any issues, just make a PR or raise an issue.
Regards,
Luke
3 years, 6 months
tpm2-tss and /dev/urandom seed
by Tomasz Przybysz
Hi,
I have found that there is a problem with tpm2-tss and /dev/urandom.
On our company's embedded CPU board there is an Infineon TPM 2.0 device, and we want to have access to the TPM device immediately after a board reboot.
As I found, the tpm2-tss library is based on the libgcrypt library.
TSS2_RC iesys_cryptogcry_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
{
    if (num_bytes == 0) {
        nonce->size = sizeof(TPMU_HA);
    } else {
        nonce->size = num_bytes;
    }
    /*
     * possible values for random level:
     * GCRY_WEAK_RANDOM GCRY_STRONG_RANDOM GCRY_VERY_STRONG_RANDOM
     */
    gcry_randomize(&nonce->buffer[0], nonce->size, GCRY_STRONG_RANDOM);
    return TSS2_RC_SUCCESS;
}
The problem is that with the new Linux kernel (buildroot 4.14.74-xilinx) the
/dev/urandom seed is ready 120 secs after system reboot.
It's not acceptable for us to wait so long to get the TPM device ready.
I tested it on a Zynq CPU:
processor : 0
model name : ARMv7 Processor rev 0 (v7l)
BogoMIPS : 666.66
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x3
CPU part : 0xc09
CPU revision : 0
processor : 1
model name : ARMv7 Processor rev 0 (v7l)
BogoMIPS : 666.66
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x3
CPU part : 0xc09
CPU revision : 0
I think that there is no problem with CPU performance.
I looked into the kernel sources:
drivers/char/random.c
and it changed in April 2018.
Previously it was:
#define crng_ready() (likely(crng_init > 0))
Now it's:
#define crng_ready() (likely(crng_init > 1))
* crng_init = 0 --> Uninitialized
* 1 --> Initialized
* 2 --> Initialized from input_pool
Is it possible that the random level of gcry_randomize in the tss library could be configurable, not fixed?
Please add such functionality; maybe it could be determined at compile time.
Thanks,
Tomasz Przybysz
3 years, 6 months
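A readiness probe for the situation described in the post above, added here as an example (it is not code from tpm2-tss, libgcrypt or the poster): getrandom(2) with GRND_NONBLOCK fails with EAGAIN exactly while the kernel's crng_ready() is false, so a service can detect the unseeded window after boot, log it and bound its wait instead of blocking silently inside gcry_randomize(). It assumes Linux 3.17+ and glibc 2.25+ for sys/random.h.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/random.h>   /* getrandom(), glibc 2.25+ / Linux 3.17+ */
#include <time.h>

/* 1 = kernel CRNG initialized (a blocking read would return at once),
 * 0 = still seeding (getrandom reports EAGAIN), -1 = some other error. */
int crng_ready_now(void) {
    unsigned char probe[1];
    for (;;) {
        ssize_t n = getrandom(probe, sizeof probe, GRND_NONBLOCK);
        if (n == (ssize_t)sizeof probe) return 1;
        if (n < 0 && errno == EAGAIN) return 0;
        if (n < 0 && errno == EINTR) continue;   /* interrupted: retry the probe */
        return -1;
    }
}

/* Polls every poll_ms up to timeout_ms. 1 = ready, 0 = timed out, -1 = error.
 * Call it before the first TSS call at boot so the wait is visible and bounded. */
int wait_for_crng(unsigned timeout_ms, unsigned poll_ms) {
    struct timespec ts = { poll_ms / 1000, (long)(poll_ms % 1000) * 1000000L };
    for (unsigned waited = 0;; waited += poll_ms) {
        int st = crng_ready_now();
        if (st != 0) return st;
        if (waited >= timeout_ms) return 0;
        nanosleep(&ts, NULL);
    }
}

int main(void) {
    int st = wait_for_crng(5000, 100);   /* 5 s bound; tune it for the board */
    if (st == 1) puts("CRNG ready: safe to start the TSS client");
    else if (st == 0) puts("CRNG still seeding after timeout: deferring TSS start");
    else perror("getrandom");
    return st == 1 ? 0 : 1;
}
```

On a board that hits the 120 s window described above, the probe returns 0 during that window and 1 as soon as crng_init reaches 2.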
How do I input a password via tpm2_import
by Terry An
How do I input password via tpm2_import?
[root@bogon Test]# tpm2_import -C 0x81020009 -G rsa -k priv.pem -u pub.key
-r priv.key
Enter PEM pass phrase:
ERROR: Tss2_Sys_Import(0x98E) - tpm:session(1):the authorization HMAC check
failed and DA counter incremented
ERROR: Unable to run tpm2_import
3 years, 6 months
tpm2-tss question
by Yasuhiro Hosoda
My name is Yasuhiro Hosoda.
I am developing a program using TSS 1.0 (Nov 1, 2016).
I encountered a problem with a PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as the base of development.
The situation is as follows:
1. Create TPM keys like this.
      EK
      |--------
      |       |
      MK      AK
      |
      SK
2. Execute PolicySecret twice using an HMAC session. At first, it ends
without error. Then it ends with 0x98e.
For clarification, I print out the values of the Virtual Handle and Real Handle.
The values of the Virtual/Real Handles differ at the 2nd execution of the command.
(See No. 25/26 below.)
I understand that the resource manager assigns the Virtual Handle and my
program calculates the HMAC using those handles.
On the other hand, the TPM may calculate the HMAC using the Real Handle.
That is my hypothesis.
Any suggestion about the usage of the Session Handle?
NO Command Virtual/Real Handle LOC
1. CreatePrimary(EK) real=80000000, virtual=80000000 8381
2. HierarchyChangeAuth1 8421
3. HierarchyChangeAuth2 8431
4. StartAuthSession(Policy) real=3000000, virtual=3000000 8480
5. PolicySecret(ENDORSEMENT) 8494
6. Create(MK) 8515
7. PolicySecret(ENDORSEMENT) 8529
8. Load(MK) real=80000001, virtual=80000001 8542
9. Evict(MK) 8552
10. Create(SK) 8590
11. Load(SK) real=80000001, virtual=80000002 8598
12. PolicySecret(ENDORSEMENT) 8609
13. Create(AK) 8635
14. PolicySecret(ENDORSEMENT) 8645
15. Load(AK) real=80000001, virtual=80000003 8655
16. FlushContext(POLICY) 8664
17. StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
18. StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
19. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
20. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
21. PolicySecret(SK) 8711
22. FlushContext(HMAC) 8717
23. FlushContext(POLICY) 8724
24. CertifyCreation(SK) 8738
25. StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
26. StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
27. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
28. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
29. PolicySecret(SK) 8789
The whole source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
Kind regards,
--
Yasuhiro Hosoda
NTT Electronics Corporation (NEL)
Security Support Project
3 years, 6 months
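A decoder for the format-1 return codes quoted in these threads (0x1d5 and 0x3d5 in the first post, 0x98E here and in the tpm2_import post), added as an illustration and not part of any post or of tpm2-tools. The bit layout is the one from the TPM 2.0 Library specification, Part 2, section 6.6; the two message strings are the ones tpm2_rc_decode printed on this page, and every other error number is left untabulated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Format-1 TPM 2.0 return codes (TPM 2.0 Library, Part 2, section 6.6):
 * bits 0-5 error number; bit 6 P (1 = parameter, 0 = handle/session);
 * bit 7 set = format 1; bits 8-11 N = position; with P = 0, bit 11 = session. */
#define RC_FMT1 0x080u
#define RC_P    0x040u
#define RC_S    0x800u

typedef struct {
    const char *kind;  /* "parameter", "handle" or "session" */
    unsigned index;    /* 1-based position of that item in the command */
    unsigned code;     /* 6-bit error number */
    const char *text;
} tpm_rc_fmt1;
/* Only the two messages printed by tpm2_rc_decode on this page are tabulated. */
static const char *fmt1_text(unsigned code) {
    switch (code) {
    case 0x0E: return "the authorization HMAC check failed and DA counter incremented";
    case 0x15: return "structure is the wrong size";
    default:   return "(error number not tabulated in this example)";
    }
}

/* 0 on success; -1 if rc is from a tpm2-tss layer (bits 16-23) or a format-0 code. */
int tpm_rc_decode_fmt1(uint32_t rc, tpm_rc_fmt1 *out) {
    if ((rc >> 16) & 0xFFu) return -1;   /* ESYS/SAPI/TCTI error, not the TPM's */
    if (!(rc & RC_FMT1)) return -1;      /* format 0 carries no item tag */
    out->code = rc & 0x3Fu;
    if (rc & RC_P) {
        out->kind  = "parameter";
        out->index = (rc >> 8) & 0xFu;   /* N uses all four bits */
    } else {
        out->kind  = (rc & RC_S) ? "session" : "handle";
        out->index = (rc >> 8) & 0x7u;   /* bit 11 is the session flag, not part of N */
    }
    out->text = fmt1_text(out->code);
    return 0;
}

int main(void) {
    const uint32_t codes[] = { 0x1D5, 0x3D5, 0x98E };  /* the codes quoted on this page */
    for (size_t i = 0; i < 3; i++) {
        tpm_rc_fmt1 r;
        if (tpm_rc_decode_fmt1(codes[i], &r) == 0)
            printf("0x%03X -> tpm:%s(%u):%s\n", (unsigned)codes[i], r.kind, r.index, r.text);
    }
    return 0;
}
```

So 0x1d5 and 0x3d5 differ only in N (parameter 1 versus parameter 3 of the command), and 0x98E is the same error family with P clear and the session bit set, which is why the tools report it against session 1.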
bootstrap error on CentOS7
by Terry An
I have cloned the latest code of kms-tools from GitHub, and I need to test
the command 'tpm2-import',
but the master branch doesn't have a "configure" command, and "bootstrap"
returns an error
[root@localhost tpm2-tools]# ./bootstrap
Generating file lists: src_vars.mk
libtoolize: putting auxiliary files in `.'.
libtoolize: linking file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: linking file `m4/libtool.m4'
libtoolize: linking file `m4/ltoptions.m4'
libtoolize: linking file `m4/ltsugar.m4'
libtoolize: linking file `m4/ltversion.m4'
libtoolize: linking file `m4/lt~obsolete.m4'
configure.ac:65: error: possibly undefined macro: AC_MSG_ERROR
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
[root@localhost tpm2-tools]# rpm -q libtool pkgconfig autoconf automake m4
libtool-2.4.2-22.el7_3.x86_64
pkgconfig-0.27.1-4.el7.x86_64
autoconf-2.69-11.el7.noarch
automake-1.13.4-3.el7.noarch
m4-1.4.16-10.el7.x86_64
3 years, 6 months
How do I import a PEM-format private key into TPM2?
by Terry An
Hi everyone,
I generated a PEM-format keypair using openssl:
# openssl genrsa -out priv.key
# openssl rsa -in priv.key -out pub.key -pubout
and then I used tpm2-tools to import it:
# tpm2_createprimary -H o -g sha256 -G ecc -C context.out
ObjectAttribute: 0x00030072
CreatePrimary Succeed ! Handle: 0x800000ff
# tpm2_load -H 0x80000ff -c context.out -r priv.key
ERROR: File "priv.key" size is larger than buffer, got 1766 expected less
than 1552
An error appeared.
My purpose is to encrypt with the public key and decrypt with the TPM 2.0.
Encrypt:
# openssl rsautl -encrypt -inkey pub.key -pubin -in data.in -out data.enc
Decrypt:
What should I do?
3 years, 6 months