tpm2_nvwrite failing
by Ian Oliver
Hi
Using 1.3-rc2 of tpm2_tools
We're seeing tpm2_nvwrite fail with policies, both in the nv.sh test file
and when run manually
Here's the script which basically follows nv.sh. NB: the file /tmp/idfile
exists and contains data!
#!/bin/sh
NVRAM=0x1800005
HIERARCHY=0x40000001
PCRS=sha256:0,1,2,3
PCRVALUE=/tmp/pcrvalue
POLICY=/tmp/policy
echo "Releasing NVRAM - this might fail, but this is OK"
tpm2_nvrelease -x $NVRAM -a $HIERARCHY
echo "Constructing policy"
tpm2_pcrlist -Q -L $PCRS -o $PCRVALUE
tpm2_createpolicy -P -L $PCRS -F $PCRVALUE -f $POLICY
echo "Defining area"
tpm2_nvdefine -x $NVRAM -a $HIERARCHY -s 64 -L $POLICY -t "policyread|policywrite"
#tpm2_nvdefine -x $NVRAM -a $HIERARCHY -s 64 -t "policyread|policywrite"
echo "Writing ID"
cat /tmp/idfile | tpm2_nvwrite -x $NVRAM -a $HIERARCHY -L $PCRS -F $PCRVALUE
#cat /tmp/idfile | tpm2_nvwrite -x $NVRAM -a $HIERARCHY
echo "Reading ID - first attempt should fail if the policy works"
tpm2_nvread -x $NVRAM -a $HIERARCHY
tpm2_nvread -x $NVRAM -a $HIERARCHY -L $PCRS -F $PCRVALUE
Specifically:
15$tpm2_nvrelease -x 0x1800005 -a 0x40000001
16$tpm2_pcrlist -Q -L sha256:0,1,2,3 -o /tmp/pcrvalue
17$tpm2_createpolicy -P -L sha256:0,1,2,3 -F /tmp/pcrvalue -f /tmp/policy
18$tpm2_nvdefine -x 0x1800005 -a 0x40000001 -s 64 -L /tmp/policy -t "policyread|policywrite"
19$tpm2_nvlist
0x1800005:
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly: policywrite|policyread
value: 0x8000800
size: 64
authorization policy:
60DF98CF0931EE42B5372DBC49E7B1966559A62A159B12C90556240D37E2D938
20$echo -n "test" | tpm2_nvwrite -x 0x1800005 -a 0x40000001 -L sha256:0,1,2,3 -F /tmp/pcrvalue
ERROR: Failed to write NV area at index 0x1800005 (25165829) offset 0x0.
Error:0x12f
21$cat /tmp/idfile | tpm2_nvwrite -x 0x1800005 -a 0x40000001 -L sha256:0,1,2,3 -F /tmp/pcrvalue
ERROR: Failed to write NV area at index 0x1800005 (25165829) offset 0x0.
Error:0x12f
22$tpm2_rc_decode 0x12f
error layer
hex: 0x0
identifier: TSS2_TPM_ERROR_LEVEL
description: Error produced by the TPM
format 0 error code
hex: 0x2f
name: TPM_RC_AUTH_UNAVAILABLE
description: authValue or authPolicy is not available for selected entity.
Ian
--
*Dr. Ian Oliver*
===============================
Privacy Engineering: via Amazon <http://www.amazon.co.uk/dp/1497569710>
*Twitter: @i_j_oliver*
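To make sense of response codes like the 0x12f above without a TPM at hand, here is an added example (not code from the post or from tpm2-tools) that decodes a TSS2 response code the way tpm2_rc_decode does, and additionally handles format-1 codes, which carry the number of the offending handle, parameter or session. The name table is a small constructed subset of the TPM_RC values from Part 2 of the TPM 2.0 specification.

```python
# Added example: decode a TPM 2.0 / TSS2 response code into
# (error layer, TPM_RC name, location). Not part of tpm2-tools.

RC_VER1 = 0x100   # format 0, TPM 2.0 style code (bit 8)
RC_FMT1 = 0x080   # format 1 code (bit 7): carries a handle/param/session number
RC_WARN_BIT = 0x800  # format 0 with bit 11 set: warning, not an error

# Constructed subset of TPM_RC names (TPM 2.0 Library Spec, Part 2).
FMT0 = {0x000: "TPM_RC_INITIALIZE", 0x001: "TPM_RC_FAILURE",
        0x024: "TPM_RC_AUTH_TYPE", 0x025: "TPM_RC_AUTH_MISSING",
        0x026: "TPM_RC_POLICY", 0x027: "TPM_RC_PCR",
        0x02F: "TPM_RC_AUTH_UNAVAILABLE",   # authValue/authPolicy not available
        0x046: "TPM_RC_NV_RANGE", 0x048: "TPM_RC_NV_LOCKED",
        0x049: "TPM_RC_NV_AUTHORIZATION", 0x04A: "TPM_RC_NV_UNINITIALIZED",
        0x04C: "TPM_RC_NV_DEFINED"}
FMT1 = {0x002: "TPM_RC_ATTRIBUTES", 0x004: "TPM_RC_VALUE",
        0x00B: "TPM_RC_HANDLE", 0x00E: "TPM_RC_AUTH_FAIL",
        0x015: "TPM_RC_SIZE", 0x01D: "TPM_RC_POLICY_FAIL",
        0x022: "TPM_RC_BAD_AUTH"}
WARN = {0x004: "TPM_RC_MEMORY", 0x020: "TPM_RC_NV_RATE",
        0x021: "TPM_RC_LOCKOUT", 0x023: "TPM_RC_NV_UNAVAILABLE"}


def decode_rc(rc):
    """Return (layer, name, where). layer 0 means the TPM itself produced
    the code; 'where' is '' for format-0 codes, else e.g. 'session 1'."""
    layer = (rc >> 16) & 0xFF        # TSS2 error layer lives in bits 16..23
    tpm_rc = rc & 0xFFFF
    if tpm_rc & RC_FMT1:             # format 1: 6-bit code in bits 0..5
        code = tpm_rc & 0x3F
        n = (tpm_rc >> 8) & 0xF      # bits 8..11
        if tpm_rc & 0x40:            # P bit set: N is a parameter number
            where = "parameter %d" % n
        elif n & 0x8:                # bit 11 set: N is a session number
            where = "session %d" % (n & 0x7)
        else:                        # otherwise N is a handle number
            where = "handle %d" % n
        return layer, FMT1.get(code, "TPM_RC_FMT1+0x%02x" % code), where
    if tpm_rc & RC_VER1:             # format 0: 7-bit code in bits 0..6
        code = tpm_rc & 0x7F
        if tpm_rc & RC_WARN_BIT:
            return layer, WARN.get(code, "TPM_RC_WARN+0x%02x" % code), ""
        return layer, FMT0.get(code, "TPM_RC_VER1+0x%02x" % code), ""
    return layer, "TPM 1.2 style code 0x%x" % tpm_rc, ""
```

For the failure in the post, decode_rc(0x12f) yields layer 0 and TPM_RC_AUTH_UNAVAILABLE, i.e. the TPM rejected the authorization for the entity named by -a rather than the TSS rejecting the command.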
TPM 2.0 in embedded systems
by Sven Schwermer
Hi!
I am looking into using a TPM 2.0 in an embedded Linux system. I am facing a few challenges that I couldn’t really find answers to. Some of the open questions are:
- What are the best practices for what hierarchies to use? Since there is no “end user”, but only a platform manufacturer, all hierarchies seem similarly suited.
- How does authorisation work on an embedded system? All pre-shared secrets (plain text passwords/HMAC) would need to be baked into the firmware, so there is no real security benefit. Are we stuck with the complex but powerful policy-based authorisation (likely PCR based)?
- How to provision the device? What needs to be done at the factory, what is done on boot?
- Best practices for common problems, e.g. how to securely authenticate against a server.
Are there resources out there that answer the above mentioned types of questions?
Thanks,
Sven
ESAPI Release & FAPI Implementation
by Sven Schwermer
Hi!
I was wondering when there will be a tpm2-tss release including the
ESAPI layer? Secondly, I couldn't find an open source implementation of
the highest API layer (FAPI). Are there any out there? Will this be or
is this in the scope of tpm2-tss?
Thanks, Sven