ESYS_TR to TPM2_HANDLE
by Roberts, William C
In tpm2_evictcontrol, I can load a serialized ESYS_TR object. The tool output, which I must keep stable, uses a TPM2_HANDLE in the output and whether or not that handle was persisted or evicted. In the case of persisted, that is simple, I know it. In the case of evicted, I cannot know it. Is there a way to get the TPM2_HANDLE for that ESYS_TR? I see ESAPI knows it... The other option I have considered is just to print out a 0 or some other dummy value for the handle on evict, but I am not super fond of that.
Bill
1 year, 2 months
tpm2_rsadecrypt to stdout
by Trey Weaver
I know there has to be an easy answer for this.
You used to be able to call tpm2_rsadecrypt without giving an output file, and the result would go to stdout.
But on version 3.1.3 it gives an error if you do not use the -o filename parameter.
And if you do something like **-o /dev/stdout** or **-o >(/dev/stdout)** it gives you an error that the file already exists.
I do not want to put the encrypted data into a file and then read it because even if it is erased it still can be recovered and it has the decrypted material in it.
So what is the solution to get the result of tpm2_rsadecrypt to the stdout?
1 year, 2 months
Signing and verifying signature
by khongyew.ste@gmail.com
My test setup is as follows:
- Ubuntu 19.04 (x86_64)
- TPM Simulator (ibmtpm1332)
- tpm2-abrmd (version 2.1.0)
- tpm2 tools (version 3.1.3)
I'm trying to perform signing and verify the signature.
My steps are as follows:
- Create an example message using random
  tpm2_getrandom -o sample.msg 32
- Create Primary Object
  tpm2_createprimary -H o -g sha256 -G rsa -C primary.ctx
- Generate RSA keypair
  tpm2_create -c primary.ctx -g sha256 -G rsa -u key.pub -r key.priv
- Load RSA keypair into TPM
  tpm2_load -c primary.ctx -u key.pub -r key.priv -C subkey.ctx
- Sign the message with public key
  tpm2_sign -c subkey.ctx -f plain -g sha256 -m sample.msg -s encrypted_hash.msg
- Verify the signature
  tpm2_verifysignature -c subkey.ctx -g sha256 -m sample.msg -s encrypted_hash.msg -t ticket
I am getting the following error:
ERROR: Tss2_Sys_VerifySignature failed, error code: 0x2d2
ERROR: Verify signature failed!
ERROR: Unable to run tpm2_verifysignature
1 year, 2 months
unique identifier
by Max Halldén
Hi all,
I'm looking for some kind of unique identifier for the TPM that can't be cleared. AFAICT the TPM2 standard doesn't contain anything like this? The closest thing is the EK I guess, but even that can be cleared.
Regards,
Max
1 year, 2 months
Persisted primary key not usable, tpm2-tools 4.0.0
by Steven Clark
I've got my new recipes building for tpm2-tools 4.0.0, tpm2-tss 2.3.1 and tpm2-abrmd 2.2.0. Mostly my work seems to port over (from an old nightly) fine, but I just tried to persist a new SRK and seal with it and I ran into a problem. I can create a new primary and store it to a context blob, from which I can read the public portion. And tpm2_evictcontrol runs successfully when asked to persist it. The handle even shows up in tpm2_getcap handles-persistent. But I can't run a tpm2_readpublic on the handle, use it as the parent for another object, or use evict-control to remove it. It just sits there.
root@localhost:~# tpm2_clear
root@localhost:~# tpm2_createprimary -C o -G rsa -c prim.ctx
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
  raw: 0x30072
type:
  value: rsa
  raw: 0x1
exponent: 0x0
bits: 2048
scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: cfb
  raw: 0x43
sym-keybits: 128
rsa:
root@localhost:~# tpm2_evictcontrol -C o -c prim.ctx 0x81000001
persistent-handle: 0x81000001
action: persisted
root@localhost:~# tpm2_readpublic -c 0x81000001
WARNING:esys:../tpm2-tss/src/tss2-esys/api/Esys_ReadPublic.c:320:Esys_ReadPublic_Finish() Received TPM Error
ERROR:esys:../tpm2-tss/src/tss2-esys/api/Esys_ReadPublic.c:104:Esys_ReadPublic() Esys Finish ErrorCode (0x0000018b)
ERROR: Esys_ReadPublic(0x18B) - tpm:handle(1):the handle is not correct for the use
ERROR: Unable to run tpm2_readpublic
root@localhost:~# tpm2_readpublic -c prim.ctx
name: 000bdac8ee72f2c6cb0b1821e3d16af63cf9bbc642cfb1ed9f7eb00e1271063f07f3
qualified name: 000be7f403a999591dd1dc26a1812bccd9256eee1c7c9eae4f4fd1849181cf5e95a3
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
  raw: 0x30072
type:
  value: rsa
  raw: 0x1
exponent: 0x0
bits: 2048
scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: cfb
  raw: 0x43
sym-keybits: 128
rsa: d94ae68bd5f2d5037c862e85b1bd18e05a988784611679b27cddc93499ae16bb77ff9826a22c40d07d922aa0f87fcaf485f5098dc09ad431c9c579523c5788277c0793e16c4b58e2d82084f9afbe46daac4329101457e029ce3dbc0f2ade9035982dba6efae036c4af155b4956c6f0ce80d851879d93bdbc9c809b5d194c940ba63529f7ae109f707749bf1fa2b50ddd5a9c7c6015245b7628e967696ff0470774d4f933ce310f1fb19661c21f32abe7b764e0b382b626efd40dd4f2644965d6bd49b3b7266d4bc59fb1db6c9c82a1f9660b6b45eaf1e9b6539675033090b0647f5735c7f351b0e18ca571fc70a620194f181ca8474af849b4ffa395529c6fad
1 year, 2 months
Implementing a TPM EA Policy with Fingerprints
by Arun Sudhir
Hi,
I have read about EA Policies in the book "A Practical Guide to TPM 2.0". I understand the theoretical part of how everything works with EA policies.
My question is regarding how to implement an EA policy with a fingerprint authentication attached to it in Windows.
How does communication work between the TPM and the fingerprint reader if someone tries to access an object attached to such a policy? I read in the TPM Software Stack chapter of the same book that policies can have callbacks. So does the policy have a callback function to code that we write, which, in turn, shows the fingerprint dialog, captures the fingerprint and then hashes a string "Arun's fingerprint" (say) if the fingerprint matches "Arun"? If that is the case, what stops someone from swapping out that function to just supply a hash of that string (and skip the fingerprint altogether)?
If there is someone who has done this, I'd really appreciate tips or even sample code on how it is done.
Thanks
Arun
1 year, 2 months
sending commands to simulator
by Roberts, William C
Just thought this might be valuable to others. To be more thorough in a test, we needed a way to send platform commands to the simulator, ideally through bash so we don't need to carry any other C programs.
I threw this little bash function together and thought I would share it for others.
mssim_command() {
    local raw="no"
    local port="2322"      # the simulator's platform port; the TPM command port is 2321
    local ip="127.0.0.1"
    local OPTIND=1         # reset so the function can be called more than once in one shell
    local opt
    while getopts ":a:p:rh" opt; do
        case ${opt} in
            h)
                echo "Send a platform command to the simulator"
                echo "mssim_command [options] <command>"
                echo "Valid commands are:"
                echo "  on, off, reset, phys_on, phys_off, cancel_on, cancel_off, nv_on, nv_off and failure_mode"
                echo "Additionally any other string can be passed and is interpreted as is"
                echo ""
                echo "Valid options are:"
                echo "  -p: Set the port number, defaults to 2322 (the simulator's platform port)"
                echo "  -a: Set the IP address, defaults to 127.0.0.1"
                echo "  -r: Raw mode, send the string as is instead of decoding it as hex via xxd -p -r first"
                echo "  -h: Show this help message"
                return 0
                ;;
            p)
                port=$OPTARG
                ;;
            a)
                ip=$OPTARG
                ;;
            r)
                raw="yes"
                ;;
            \?)
                echo "Invalid option: -$OPTARG" 1>&2
                return 1
                ;;
            :)
                echo "Invalid option: -$OPTARG requires an argument" 1>&2
                return 1
                ;;
        esac
    done
    # Drop the parsed options so that $1 is the command. Shifting inside the getopts
    # loop breaks options that take an argument, because getopts tracks OPTIND itself.
    shift $((OPTIND - 1))
    local arg1="$1"
    if [ -z "$arg1" ]; then
        echo "Expected command as argument" 1>&2
        return 1
    fi
    # A platform command is a single big-endian u32, so every hex string must be exactly
    # 8 digits: xxd -p -r silently drops an odd trailing nibble, which turned the original
    # 7-digit "0000001"/"0000002" into 3-byte frames.
    local cmd
    case "$arg1" in
        on)           cmd="00000001" ;;
        off)          cmd="00000002" ;;
        reset)        cmd="00000011" ;;
        phys_on)      cmd="00000003" ;;
        phys_off)     cmd="00000004" ;;
        cancel_on)    cmd="00000009" ;;
        cancel_off)   cmd="0000000a" ;;
        nv_on)        cmd="0000000b" ;;
        nv_off)       cmd="0000000c" ;;
        failure_mode) cmd="0000001e" ;;
        *)            cmd="$arg1" ;;
    esac
    # nc -N closes the sending side after EOF so the simulator sees the end of the command.
    if [ "$raw" == "yes" ]; then
        printf '%s' "$cmd" | nc -N "$ip" "$port"
    else
        printf '%s' "$cmd" | xxd -p -r | nc -N "$ip" "$port"
    fi
}
1 year, 2 months
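To show what the bash function above actually puts on the wire, here is an added example (written for this page, not code from the list or from the simulator project) that builds the same 4-byte big-endian platform-port frames, sends one, and reads back the 4-byte status word. Because the page cannot reach a live simulator, it includes a constructed stand-in server on an ephemeral localhost port; the real simulator's behaviour of answering 0 after a signal is what the stand-in mimics, while answering 1 for an unknown signal number and staying silent on a short frame are the stand-in's own assumed choices. The function names (`encode_signal`, `send_platform_signal`, `demo`) are the example's own.

```python
import socket
import struct
import threading

# Platform-port signal numbers of the Microsoft/IBM TPM 2.0 reference simulator
# (TPM_SIGNAL_* in its TpmTcpProtocol.h); these are the values the bash function maps.
PLATFORM_SIGNALS = {
    "on": 1, "off": 2, "phys_on": 3, "phys_off": 4,
    "cancel_on": 9, "cancel_off": 10, "nv_on": 11, "nv_off": 12,
    "reset": 17, "failure_mode": 30,
}


def encode_signal(name_or_hex: str) -> bytes:
    """Build the 4-byte big-endian frame for a signal name or an 8-hex-digit string.

    This is what `printf '%s' "$cmd" | xxd -p -r` produces in the bash function, with the
    length checked: a 7-digit string such as "0000001" is not a valid u32 frame.
    """
    if name_or_hex in PLATFORM_SIGNALS:
        return struct.pack(">I", PLATFORM_SIGNALS[name_or_hex])
    digits = name_or_hex.strip()
    if len(digits) != 8:
        raise ValueError("platform command must be 8 hex digits (one u32), got %r" % digits)
    return bytes.fromhex(digits)   # raises ValueError on non-hex characters


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def stand_in_platform_server(listener: socket.socket, accepted: set) -> None:
    """Constructed stand-in for the simulator's platform port, serving one connection.

    Reads one u32 command and answers with a u32 status word: 0 for a known signal
    (as the real simulator does), 1 for an unknown one and no reply at all for a
    short frame (both assumptions of this stand-in).
    """
    conn, _ = listener.accept()
    with conn:
        frame = _recv_exact(conn, 4)
        if len(frame) != 4:
            return
        (code,) = struct.unpack(">I", frame)
        conn.sendall(struct.pack(">I", 0 if code in accepted else 1))


def send_platform_signal(name_or_hex: str, ip: str = "127.0.0.1", port: int = 2322,
                         timeout: float = 2.0) -> int:
    """Send one platform signal and return the u32 status the port answers with."""
    frame = encode_signal(name_or_hex)
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(frame)
        s.shutdown(socket.SHUT_WR)          # same as nc -N: no more input follows
        reply = _recv_exact(s, 4)
    if len(reply) != 4:
        raise ConnectionError("platform port closed without a 4-byte status")
    return struct.unpack(">I", reply)[0]


def demo(signal: str = "on") -> int:
    """Run one exchange against the stand-in server on an ephemeral localhost port."""
    encode_signal(signal)                   # fail fast before a server is started
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=stand_in_platform_server,
                              args=(listener, set(PLATFORM_SIGNALS.values())), daemon=True)
    worker.start()
    try:
        return send_platform_signal(signal, port=port)
    finally:
        worker.join(timeout=2.0)
        listener.close()


if __name__ == "__main__":
    for name in ("on", "nv_off", "failure_mode", "000000ff"):
        print("%-12s -> status %d" % (name, demo(name)))
```

Against a real simulator you would call `send_platform_signal("on")` with the default port 2322; the `demo` wrapper exists only so the exchange can be run offline. The explicit length check in `encode_signal` is the point of the example: the platform port reads whole u32 words, so a frame short by a nibble is simply never a complete command.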