tpm2-tss question
by Yasuhiro Hosoda
My name is Yasuhiro Hosoda.
I am developing a program using TSS 1.0 (Nov 1, 2016).
I encountered a problem with PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as a base of development.
The situation is as follows:
1. Create TPM keys in this hierarchy (EK is the primary; MK and AK are its children; SK is a child of MK):
EK
  MK
    SK
  AK
2. Execute PolicySecret twice using an HMAC session. The first time it ends
without error; the second time it ends with 0x98e.
For clarification, I print out the values of the virtual handle and the real handle.
The values of the virtual/real handles differ at the 2nd execution of the command
(see No. 25/26 below).
I understand that the resource manager assigns the virtual handle and my
program calculates the HMAC using those handles.
On the other hand, the TPM may calculate the HMAC using the real handle.
That is my hypothesis.
Any suggestions about the usage of the session handle?
NO Command Virtual/Real Handle LOC
1. CreatePrimary(EK) real=80000000, virtual=80000000 8381
2. HierarchyChangeAuth1 8421
3. HierarchyChangeAuth2 8431
4. StartAuthSession(Policy) real=3000000, virtual=3000000 8480
5. PolicySecret(ENDORSEMENT) 8494
6. Create(MK) 8515
7. PolicySecret(ENDORSEMENT) 8529
8. Load(MK) real=80000001, virtual=80000001 8542
9. Evict(MK) 8552
10. Create(SK) 8590
11. Load(SK) real=80000001, virtual=80000002 8598
12. PolicySecret(ENDORSEMENT) 8609
13. Create(AK) 8635
14. PolicySecret(ENDORSEMENT) 8645
15. Load(AK) real=80000001, virtual=80000003 8655
16. FlushContext(POLICY) 8664
17. StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
18. StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
19. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
20. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
21. PolicySecret(SK) 8711
22. FlushContext(HMAC) 8717
23. FlushContext(POLICY) 8724
24. CertifyCreation(SK) 8738
25. StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
26. StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
27. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
28. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
29. PolicySecret(SK) 8789
The whole source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
Kind regards,
--
Yasuhiro Hosoda
NTT Electronics Corporation (NEL)
Security Support Project
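An added example, not from the original message or from tpm2-tss: a decoder for the TPM_RC bit layout defined in TCG TPM 2.0 Library Part 2, section 6.6. Applied to 0x98e it yields TPM_RC_AUTH_FAIL on session 1, that is, the TPM rejected the HMAC of the first authorization session of the failing command, and the TSS layer byte (bits 16-23) is zero, so the code came from the TPM itself rather than from a TSS layer.

```c
#include <stdint.h>
#include <string.h>
/* TPM_RC bit layout from TCG TPM 2.0 Library Part 2, section 6.6 (response codes). */
#define RC_FMT1 0x080u  /* bit 7 set: format-1 code, tied to a handle, session or parameter */
#define RC_P    0x040u  /* format-1: N (bits 8-11) numbers a parameter instead of a handle  */
#define RC_S    0x800u  /* format-1: N (bits 8-10) numbers a session instead of a handle    */
#define RC_WARN 0x800u  /* format-0: warning (retryable condition) rather than error        */
enum rc_scope { RC_NONE, RC_HANDLE, RC_SESSION, RC_PARAM };
struct rc_info {
    uint8_t  tss_layer;  /* bits 16-23: non-zero means a TSS layer, not the TPM, produced it */
    int      is_fmt1;
    enum rc_scope scope; /* what the 1-based index refers to (format-1 only) */
    unsigned index;
    unsigned code;       /* format-1: low 6 bits; format-0: the 12-bit value */
    int      is_warning;
};

struct rc_info decode_rc(uint32_t rc) {
    struct rc_info r = {0};
    r.tss_layer = (uint8_t)(rc >> 16);
    rc &= 0xFFF;
    if (rc & RC_FMT1) {
        unsigned n = (rc >> 8) & 0xF;
        r.is_fmt1 = 1;
        r.code = rc & 0x3F;
        if (rc & RC_P)      { r.scope = RC_PARAM;   r.index = n; }
        else if (rc & RC_S) { r.scope = RC_SESSION; r.index = n & 7; }
        else if (n)         { r.scope = RC_HANDLE;  r.index = n; }
    } else {
        r.code = rc;
        r.is_warning = (rc & RC_WARN) != 0;
    }
    return r;
}

/* Names for a few codes relevant to this digest; anything else reports as unlisted. */
const char *rc_name(const struct rc_info *r) {
    if (r->is_fmt1) switch (r->code) {
        case 0x04: return "TPM_RC_VALUE: value is out of range or not correct for the context";
        case 0x0E: return "TPM_RC_AUTH_FAIL: authorization HMAC check failed, DA counter incremented";
        case 0x1D: return "TPM_RC_POLICY_FAIL: a policy check failed";
        case 0x22: return "TPM_RC_BAD_AUTH: authorization failure without DA implications";
        default:   return "unlisted format-1 code";
    }
    switch (r->code) {
        case 0x000: return "TPM_RC_SUCCESS";
        case 0x921: return "TPM_RC_LOCKOUT: DA-protected authorizations refused, TPM in lockout";
        case 0x923: return "TPM_RC_NV_UNAVAILABLE: command may need an NV write and NV is not accessible";
        default:    return "unlisted format-0 code";
    }
}
```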
TPM2: changing the DictionaryAttackParameters
by Litjes, Christian
Hi everyone,
I'm trying to set up a system with cryptfs2 and tpm2-tooling, which is currently working, but I'd like to change the DictionaryAttackParameter recovery time.
I've tried the following (scenario 1):
Reset TPM from the BIOS
tpm2_takeownership -T "device" -L "1234567890"
tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"
I get a warning: the command may require writing of NV and NV is not current accessible.
If I check the settings with:
tpm2_getcap -c properties-variable
I notice they are not changed.
Reset TPM from the BIOS
tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"
tpm2_getcap -c properties-variable
Values are written.
tpm2_takeownership -T "device" -L "1234567890"
tpm2_getcap -c properties-variable
Settings are reset to default.
What would I need to do to get the first scenario to work? I know I'm combining tools from 2.x with master, but that's because the cryptfs tooling is dependent on 2.x.
How can I unlock the NV? I've found tpm2_release, but I've got no clue what to release.
Kind Regards,
Christian Litjes
In emulator, why do PCRs 17-22 default to ff?
by Scheie, Peter M
In the emulator, PCRs 0-16 and 23 default to 00 when the emulator is started. But PCRs 17-22 default to ff. Why is that? Why not have them all be 00 or all be ff? (Actually, I notice PCR0 is 03 upon startup; why is that?)
Peter
TPM2TSS engine for OpenSSL
by Fuchs, Andreas
Hi all,
I just wanted to announce that we pushed a new crypto engine for OpenSSL using the tpm2-tss software stack.
It is licensed under the BSD 3-clause license.
It currently includes RSA sign, RSA decrypt and ECDSA with TPM generated keys.
It uses ESAPI/ESYS (so it's a good usage example) and thus relies on the 2.0 series of tpm2-tss.
I'd like to see some testing and bug reports if you don't mind.
You can find the project here: https://github.com/tpm2-software/tpm2-tss-engine
Big thanks to Infineon for sponsoring this work!
Best regards,
Andreas Fuchs
AIK Enrollment Process implementations using tpm2-tools or similar
by Peter Magnusson
Hello,
TL;DR:
Are there any AIK Enrollment / POP examples available using tpm2-tools
(or other open source tools or code bases)?
Long version:
I had some success with tpm2-tools based attestation, e.g. generating
AIK, extracting EKpub and EKCert from TPM, performing the tpm2
quotation, etc.
However, my understanding of the relevant specs is that for TPM2 User
Devices (and many other devices), the EK is limited to performing the
Enrolment Processes (Proof of Possession). So to complete a meaningful
Remote Attestation flow, there is a need to get AIKCert externally
using AIK Enrollment Process[1] against an Attestation CA (formerly
known as Privacy CA).
I fail to find public examples (tools, example code, etc) of the
enrolment step. Most of what I find when googling, for example
strongswan's TPM pages, appears to skip the AIK Enrollment Process /
POP and just issue the certificate without any proof of
possession.
Any links or insights would be appreciated =)
[1] Section 2.3,
https://trustedcomputinggroup.org/wp-content/uploads/IWG_CMC_Profile_Cert...
tpm2_loadexternal - enhancements
by Roberts, William C
Previously, tpm2_loadexternal was quite limited. It could only load a public/private file in the TSS format (aka generated via readpublic or create).
Recently, on master, I have been working on a series that allows loading both the public and private portions of an object from PEM files.
This way, folks can seamlessly use openssl objects in the TPM. The man pages have been updated, to show full examples, as well as
tests for this.
tpm2_loadexternal supports:
1. AES keys (raw key byte files)
2. RSA keys
3. ECC keys
We still need support for XOR and HMAC, but that should follow the AES key code closely. We dropped support for tpm2_loadexternal for TSS format private objects,
as no command response returns such a structure from the TPM.
Remember that loadexternal-loaded objects have restrictions on their use, since they are *NOT* TPM-managed objects. This is the major
difference between tpm2_loadexternal and tpm2_import. ECC support has not been added to tpm2_import at this time.
Regarding storing data in the NV memory of a TPM, without using authorisation or key storage techniques
by Abbaraju Manojsai
Hello,
Actually, the main problem is that we interfaced an SLB 9670 (TPM 2.0) with a 16-bit MSP430
controller which does not support the Linux kernel or any OS.
Now our task is to store 100 bytes of data in NV memory, without any
authorisation technique, as simply as possible.
Please guide me in that direction.
The SLB 9670 is interfaced with the MSP430 controller through the SPI protocol.
I am able to read the device ID and version ID of the SLB 9670, so SPI communication is
working fine with our controller.
What is the packet format to be sent with our data? I am not able to
understand the TCG documents.
Theoretically I understand that we have to do NV_DefineSpace, NV_Write
and NV_Read; internally, what is the format I have to send? I am not able to
understand.
Can you please guide me, or share any code snippet?
Sorry if I trouble you with any irrelevant questions.
Regards,
Manoj,
mail : abbarajumanojsai(a)gmail.com
+91-9063249308
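An added example, written for this digest and not taken from the poster's code or from any tpm2 project: C builders for the TPM2_NV_DefineSpace, TPM2_NV_Write and TPM2_NV_Read command packets, following the marshalling rules of TCG Part 2 (all fields big-endian, TPM2B values prefixed by a 16-bit size) and the command layouts of Part 3. They assume a fresh TPM whose owner authorization is still empty, a password session (TPM_RS_PW) as the simplest authorization, and an NV index value that is constructed for the test; the SPI/TIS transport that delivers the bytes to the SLB 9670 is out of scope.

```c
#include <stdint.h>
#include <string.h>
/* Wire constants from TCG TPM 2.0 Library Part 2; every field is big-endian on the wire. */
enum { TPM_ST_SESSIONS = 0x8002, TPM_RS_PW = 0x40000009, TPM_RH_OWNER = 0x40000001,
       TPM_CC_NV_DefineSpace = 0x12A, TPM_CC_NV_Write = 0x137, TPM_CC_NV_Read = 0x14E,
       TPM_ALG_SHA256 = 0x000B, TPMA_NV_OWNERWRITE = 0x2, TPMA_NV_OWNERREAD = 0x20000 };
static uint8_t *put16(uint8_t *p, uint16_t v) { *p++ = (uint8_t)(v >> 8); *p++ = (uint8_t)v; return p; }
static uint8_t *put32(uint8_t *p, uint32_t v) { return put16(put16(p, (uint16_t)(v >> 16)), (uint16_t)v); }

/* Authorization area: one TPM_RS_PW password session carrying the (empty) owner password. */
static uint8_t *put_pw_auth(uint8_t *p) {
    p = put32(p, 9);           /* authorizationSize: bytes of TPMS_AUTH_COMMAND that follow */
    p = put32(p, TPM_RS_PW);   /* sessionHandle */
    p = put16(p, 0);           /* nonce: empty TPM2B_NONCE */
    *p++ = 0;                  /* sessionAttributes */
    return put16(p, 0);        /* hmac: empty TPM2B_AUTH, i.e. the password itself */
}

/* Header (tag, commandSize, commandCode) is filled in last, once the total size is known. */
static size_t finish(uint8_t *buf, const uint8_t *end, uint32_t cc) {
    put32(put32(put16(buf, TPM_ST_SESSIONS), (uint32_t)(end - buf)), cc);
    return (size_t)(end - buf);
}

/* TPM2_NV_DefineSpace: owner-authorised index, owner read/write, no policy, SHA-256 name. */
size_t build_nv_definespace(uint8_t *buf, uint32_t nv_index, uint16_t data_size) {
    uint8_t *p = put_pw_auth(put32(buf + 10, TPM_RH_OWNER));   /* authHandle + auth area */
    p = put16(p, 0);                    /* auth: TPM2B_AUTH, empty index password */
    p = put16(p, 14);                   /* publicInfo.size = bytes of TPMS_NV_PUBLIC below */
    p = put32(p, nv_index);             /* nvIndex (must lie in the NV handle range) */
    p = put16(p, TPM_ALG_SHA256);       /* nameAlg */
    p = put32(p, TPMA_NV_OWNERWRITE | TPMA_NV_OWNERREAD);  /* attributes */
    p = put16(p, 0);                    /* authPolicy: empty TPM2B_DIGEST */
    p = put16(p, data_size);            /* dataSize */
    return finish(buf, p, TPM_CC_NV_DefineSpace);
}

/* TPM2_NV_Write: handles are authHandle (owner) and nvIndex; data is a TPM2B_MAX_NV_BUFFER. */
size_t build_nv_write(uint8_t *buf, uint32_t nv_index, const uint8_t *data, uint16_t n, uint16_t off) {
    uint8_t *p = put_pw_auth(put32(put32(buf + 10, TPM_RH_OWNER), nv_index));
    p = put16(p, n); memcpy(p, data, n); p += n;   /* data.size, data.buffer */
    p = put16(p, off);                             /* offset */
    return finish(buf, p, TPM_CC_NV_Write);
}

/* TPM2_NV_Read: same handles; parameters are the size and offset to read. */
size_t build_nv_read(uint8_t *buf, uint32_t nv_index, uint16_t n, uint16_t off) {
    uint8_t *p = put_pw_auth(put32(put32(buf + 10, TPM_RH_OWNER), nv_index));
    return finish(buf, put16(put16(p, n), off), TPM_CC_NV_Read);   /* size, offset */
}
```

The TPM answers each command with a 10-byte header (tag, responseSize, responseCode), so a non-zero responseCode at bytes 6-9 is the first thing to check before parsing any data. With TPMA_NV_OWNERREAD|OWNERWRITE anyone who can present the (here empty) owner authorization can read and overwrite the index, so set an owner password once the stored data matters.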