tpm2-tss question
by Yasuhiro Hosoda
My name is Yasuhiro Hosoda.
I am developing a program using TSS 1.0 (Nov1.2016).
I encountered a problem with a PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as a base of development.
The situation is as follows:
1. Create TPM keys like this:

   EK
   |--------+
   |        |
   MK       AK
   |
   SK

2. Execute PolicySecret twice using an HMAC session. At first, it ends
without error. Then it ends with 0x98e.
For clarification, I print out the values of the Virtual Handle and the Real Handle.
The values of the Virtual/Real Handles differ at the 2nd execution of the command
(see rows 25/26 below).
I understand that the resource manager assigns the Virtual Handle and my
program calculates the HMAC using those handles.
On the other hand, the TPM may calculate the HMAC using the Real Handle.
That is my hypothesis.
Any suggestion about the usage of the Session Handle?
NO   Command                          Virtual/Real Handle               LOC
1.   CreatePrimary(EK)                real=80000000, virtual=80000000   8381
2.   HierarchyChangeAuth1                                               8421
3.   HierarchyChangeAuth2                                               8431
4.   StartAuthSession(Policy)         real=3000000, virtual=3000000     8480
5.   PolicySecret(ENDORSEMENT)                                          8494
6.   Create(MK)                                                         8515
7.   PolicySecret(ENDORSEMENT)                                          8529
8.   Load(MK)                         real=80000001, virtual=80000001   8542
9.   Evict(MK)                                                          8552
10.  Create(SK)                                                         8590
11.  Load(SK)                         real=80000001, virtual=80000002   8598
12.  PolicySecret(ENDORSEMENT)                                          8609
13.  Create(AK)                                                         8635
14.  PolicySecret(ENDORSEMENT)                                          8645
15.  Load(AK)                         real=80000001, virtual=80000003   8655
16.  FlushContext(POLICY)                                               8664
17.  StartAuthSession(POLICY)         real=3000000, virtual=3000000     8668
18.  StartAuthSession(HMAC)           real=2000001, virtual=2000001     8678
19.  ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004   3706
20.  ComputeCommandHMAC(HMAC_Start)   real=80000001, virtual=80000005   3706
21.  PolicySecret(SK)                                                   8711
22.  FlushContext(HMAC)                                                 8717
23.  FlushContext(POLICY)                                               8724
24.  CertifyCreation(SK)                                                8738
25.  StartAuthSession(POLICY)         real=3000000, virtual=3000001     8745
26.  StartAuthSession(HMAC)           real=2000001, virtual=2000000     8754
27.  ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005   8782
28.  ComputeCommandHMAC(HMAC_Start)   real=80000001, virtual=80000004   8782
29.  PolicySecret(SK)                                                   8789
The whole source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
Kind regards,
--
Yasuhiro Hosoda
NTT Electronics Corporation (NEL)
Security Support Project
2 years, 2 months
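The following is an added illustration of the hypothesis in the post above; it is not code from the post, from tpmtest.cpp or from the tpm2-tss project. It computes a TPM 2.0 command HMAC the way the specification defines it: cpHash covers the command code, the Names of the handles in the handle area and the parameters, and the authorization HMAC covers cpHash plus the session nonces. Per TPM 2.0 Library Part 1, the Name of a session, PCR or permanent handle is the handle value itself, while the Name of a loaded object is nameAlg || H(public area) and does not contain the handle. So a policy-session handle that the resource manager virtualises (0x03000001 on the client side, 0x03000000 at the TPM, as in rows 25 and 29 of the table) produces an HMAC the TPM cannot reproduce, whereas virtualising the loaded object's handle (rows 11 and 15) leaves the Name, and therefore the HMAC, unchanged. All nonces, keys and the "public area" are constructed stand-ins, and the interpretation of 0x98e is the poster's, not verified here.

```python
# Added example (not from the original post or the tpm2-tss project): how a
# TPM 2.0 command HMAC depends on the handle that the client places in the
# handle area of TPM2_PolicySecret. Nonces, keys and the "public area" below
# are constructed stand-ins.
import hashlib
import hmac
import struct

TPM_CC_POLICY_SECRET = 0x00000151   # TPM2_PolicySecret command code (Part 2)
TPM_ALG_SHA256 = 0x000B             # nameAlg of the constructed object


def tpm2b(data: bytes) -> bytes:
    """Marshal a TPM2B_* buffer: 16-bit big-endian size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def object_name(public_area: bytes, name_alg: int = TPM_ALG_SHA256) -> bytes:
    """Name of a loaded object: nameAlg || H_nameAlg(marshalled public area).
    The handle the object happens to be loaded at plays no part."""
    return struct.pack(">H", name_alg) + hashlib.sha256(public_area).digest()


def handle_name(handle: int) -> bytes:
    """Name of a session, PCR or permanent handle: the 4-byte handle itself."""
    return struct.pack(">I", handle)


def policy_secret_cphash(auth_name: bytes, policy_session: int, nonce_tpm: bytes,
                         cphash_a: bytes = b"", policy_ref: bytes = b"",
                         expiration: int = 0) -> bytes:
    """cpHash = H(commandCode || Name(authHandle) || Name(policySession) || params)
    for TPM2_PolicySecret(authHandle, policySession, nonceTPM, cpHashA,
    policyRef, expiration)."""
    h = hashlib.sha256()
    h.update(struct.pack(">I", TPM_CC_POLICY_SECRET))
    h.update(auth_name)                     # object Name, handle-independent
    h.update(handle_name(policy_session))   # session Name == the handle value
    h.update(tpm2b(nonce_tpm))
    h.update(tpm2b(cphash_a))
    h.update(tpm2b(policy_ref))
    h.update(struct.pack(">i", expiration))
    return h.digest()


def command_hmac(session_key: bytes, auth_value: bytes, cphash: bytes,
                 nonce_caller: bytes, nonce_tpm: bytes, attrs: int = 0x01) -> bytes:
    """authHMAC = HMAC(sessionKey || authValue,
                        cpHash || nonceNewer || nonceOlder || sessionAttributes).
    For a command, nonceNewer is nonceCaller and nonceOlder is nonceTPM;
    attrs 0x01 is continueSession."""
    return hmac.new(session_key + auth_value,
                    cphash + nonce_caller + nonce_tpm + bytes([attrs]),
                    hashlib.sha256).digest()


# Constructed inputs; in a real run they come from StartAuthSession and from
# the loaded key's public area.
SK_NAME = object_name(b"constructed stand-in for SK's marshalled TPMT_PUBLIC")
NONCE_CALLER = bytes.fromhex("aa" * 16)
NONCE_TPM = bytes.fromhex("bb" * 16)
SESSION_KEY = bytes.fromhex("cc" * 32)
SK_AUTH = b"constructed-sk-auth"


def policy_secret_hmac(policy_session_handle: int) -> bytes:
    """HMAC a caller attaches to PolicySecret(SK, policySession) when it
    believes the policy session lives at policy_session_handle."""
    cp = policy_secret_cphash(SK_NAME, policy_session_handle, NONCE_TPM)
    return command_hmac(SESSION_KEY, SK_AUTH, cp, NONCE_CALLER, NONCE_TPM)


def virtual_session_handle_breaks_hmac(virtual: int = 0x03000001,
                                       real: int = 0x03000000) -> bool:
    """True when the HMAC computed over the client's virtual session handle
    differs from the one the TPM computes over the real handle."""
    return policy_secret_hmac(virtual) != policy_secret_hmac(real)


if __name__ == "__main__":
    print("client (virtual 0x03000001):", policy_secret_hmac(0x03000001).hex())
    print("TPM    (real    0x03000000):", policy_secret_hmac(0x03000000).hex())
    print("HMAC mismatch:", virtual_session_handle_breaks_hmac())
```

The practical consequence for a caller sitting behind a resource manager is that the HMAC must be computed over whatever handle value the TPM itself will see; if the two differ, either the resource manager has to rewrite the authorization area or the session handle must not be virtualised.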
best way to verify tpm is alive
by Scheie, Peter M
What is the best way to verify the TPM is available, that is, that it hasn't died? I have a requirement to send an alert if the TPM stops working. We have snmp processes that run every five seconds, so I figure I can, say, check for something in /sys/class/tpm/tpm0 and as long as I get an expected response, I'll report that everything is fine. But what exactly should I look for? Is the simple presence of /sys/class/tpm/tpm0 sufficient, because it means the kernel thinks the TPM is there? If I cat /sys/class/tpm/tpm0/dev I get the major and minor numbers; I could look at those, or just test for the presence of the dev file on the premise that if the TPM failed that file would disappear. Is that a good test? Suggestions?
Peter
2 years, 3 months
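As an added example (not from the post above), the two checks below are what a monitoring agent would run at each polling interval. The sysfs check mirrors the question's /sys/class/tpm/tpm0 idea and is cheap, but it only proves the kernel still exposes the device node. The active check sends a real GetCapability through tpm2_getcap (tpm2-tools 3.x syntax, as used elsewhere on this page) with a timeout, which is what detects a chip that has stopped answering. The status vocabulary and the separation of "cannot test" from "failed" are ours.

```python
# Added example (not from the original post): passive and active liveness
# checks for a Linux TPM 2.0 device, combined into one record an SNMP or
# alerting hook can consume. Paths and the tool name are the page's; the
# status vocabulary is ours.
import os
import re
import shutil
import subprocess

DEV_FILE_RE = re.compile(r"^\d+:\d+$")   # /sys/class/tpm/tpm0/dev holds major:minor


def valid_dev_file(contents: str) -> bool:
    """True when a sysfs 'dev' file carries the expected major:minor pair."""
    return DEV_FILE_RE.match(contents.strip()) is not None


def tpm_sysfs_present(sysfs_dir: str = "/sys/class/tpm/tpm0"):
    """Passive check: the class directory exists and its dev file is sane.
    Returns (ok, detail)."""
    if not os.path.isdir(sysfs_dir):
        return False, f"{sysfs_dir} is missing: the kernel no longer exposes a TPM"
    dev_path = os.path.join(sysfs_dir, "dev")
    try:
        with open(dev_path, encoding="ascii") as f:
            contents = f.read()
    except OSError as exc:
        return False, f"cannot read {dev_path}: {exc}"
    if not valid_dev_file(contents):
        return False, f"unexpected contents in {dev_path}: {contents.strip()!r}"
    return True, f"{sysfs_dir} present, char device {contents.strip()}"


def tpm_responds(tool: str = "tpm2_getcap", timeout_s: float = 3.0):
    """Active check: ask the TPM for its fixed properties. Returns (ok, detail);
    ok is None when the tool is unavailable, so 'cannot test' is not reported
    as a TPM failure."""
    path = shutil.which(tool)
    if path is None:
        return None, f"{tool} not found; active check skipped"
    try:
        result = subprocess.run([path, "-c", "properties-fixed"],
                                capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return False, f"{tool} did not return within {timeout_s}s: TPM not answering"
    if result.returncode != 0:
        return False, f"{tool} exited {result.returncode}: {result.stderr.strip()}"
    return True, "TPM answered GetCapability"


def tpm_health(sysfs_dir: str = "/sys/class/tpm/tpm0",
               tool: str = "tpm2_getcap") -> dict:
    """status is 'ok', 'unverified' (sysfs fine, no tool to probe with) or
    'failed' (sysfs gone/broken, or the TPM did not answer)."""
    passive_ok, passive_detail = tpm_sysfs_present(sysfs_dir)
    active_ok, active_detail = None, "skipped: sysfs check already failed"
    if passive_ok:
        active_ok, active_detail = tpm_responds(tool)
    if not passive_ok or active_ok is False:
        status = "failed"
    elif active_ok is None:
        status = "unverified"
    else:
        status = "ok"
    return {"status": status, "sysfs": passive_detail, "active": active_detail}


if __name__ == "__main__":
    print(tpm_health())
```

Run with the defaults on the monitored host; the sysfs arguments exist so the logic can be exercised against a constructed directory without a TPM. A five-second poll with a three-second tool timeout leaves headroom, but the active probe should not be issued more often than the TPM's command latency comfortably allows.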
Any way to change NVRAM index password?
by Scheie, Peter M
When I define an NVRAM index using tpm2_nvdefine, one thing I set is the index password with the -I option. I'm also setting the attribute ownerwrite for the index so the index can be written only if one knows the index password. Is there any way to change this password after I've set it, or do I have to remove the whole index (tpm2_nvrelease) and recreate it with the new password?
Peter
2 years, 3 months
tabrmd 1.3.2 and 2.0.2 RCs
by Philip Tricca
Hello all,
I just tagged RC0 for a bugfix release for both the 1.3.2 and 2.0.2
releases. RCs for both releases will happen in parallel. Any testing
you can do would be appreciated.
Thanks,
Philip
2 years, 3 months
tpm2-tools 3.1.3 release candidate 0
by Joshua Lock
I've just tagged and signed an rc0 for tpm2-tools 3.1.3. The folks at
Red Hat found a couple of unintended behavioural changes which violate
the semantic versioning policy. This release addresses those changes
and should be updated to in order to preserve expected behaviour for
users.
* Restore support for the TPM2TOOLS_* env vars for TCTI configuration,
in addition to supporting the new unified TPM2TOOLS_ENV_TCTI (#1171)
* Fix tpm2_getcap to print properties with the TPM_PT prefix, rather
than TPM2_PT (1175)
https://github.com/tpm2-software/tpm2-tools/releases/tag/3.1.3-rc0
Please do test this release. If there aren't any reported issues I'll
do a final release in a week.
Regards,
Joshua
2 years, 3 months
TPM2 changing the DictionaryAttackParameters
by Litjes, Christian
Hi everyone,
I'm trying to set up a system with the cryptfs2 and tpm2 tooling, which is currently working, but I'd like to change the DictionaryAttackParameter recovery time.
I've tried the following (scenario 1):
  Reset TPM from the BIOS
  tpm2_takeownership -T "device" -L "1234567890"
  tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"
I get a warning: the command may require writing of NV and NV is not current accessible.
If I check the settings with:
  tpm2_getcap -c properties-variable
I notice they are not changed.

  Reset TPM from the BIOS
  tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"
  tpm2_getcap -c properties-variable
Values are written.
  tpm2_takeownership -T "device" -L "1234567890"
  tpm2_getcap -c properties-variable
Settings are reset to default.
What would I need to do to get the first scenario to work? I know I'm combining tools from 2.x with master, but that's because the cryptfs tooling depends on 2.x.
How can I unlock the NV? I've found tpm2_release but I've got no clue what to release.
Kind Regards,
Christian Litjes
2 years, 3 months
In emulator, why do PCRs 17-22 default to ff?
by Scheie, Peter M
In the emulator, PCRs 0-16 and 23 default to 00 when the emulator is started. But PCRs 17-22 default to ff. Why is that? Why not have them all be 00 or all be ff? (Actually, I notice PCR0 is 03 upon startup; why is that?)
Peter
2 years, 4 months