April 2019 - tpm2 - Ml01.01.Org

by Nick Meyer

Hello, We have a set of boxes that use TPM2_Sign() to sign a cryptographic challenge during a startup process. The signing key is protected by a PCR policy; this policy is the only policy in the session authorizing the sign. Occasionally, one of these boxes will start returning 0x99d and refuse to sign the challenge, after which it seems to be stuck in this inconsistent state until we generate a new signing key. We are currently in the process of investigating if the PCRs have changed in these cases; in the meantime, I wanted to ask here if there are any other causes beyond the PCRs changing that could cause this error code, so that we can investigate. We also believe it unlikely that the PCR update counter is an issue as we would be expecting a TPM_RC_PCR_CHANGED return code in this case. Appreciate any insight you may have. <http://www.verizonmedia.com> Nick Meyer

1 year, 8 months

3
3
0 / 0

Help needed to setup an AES key

by Nicolas Broquet

Hello everyone, New to the TPM world, I've been reading various docs and forums the past two weeks and I am now attempting to put all the learning into practice. More specifically, I'm trying to have the TPM create an AES key. Here is what I did so far: DEFAULT_HIERARCHY="o" DEFAULT_ATTRIBUTES="restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda" DEFAULT_PERSISTENT_HANDLE="0x81010001" PARENT_PERSISTENT_HANDLE="0x81010002" tpm2_createprimary --hierarchy=$DEFAULT_HIERARCHY --auth-hierarchy="$OWNER_PASSWORD" --object-attributes=$DEFAULT_ATTRIBUTES --halg sha256 --kalg rsa2048:aes128cfb --out-context-name=$PRIMARY_CONTEXT tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PRIMARY_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --persistent=$DEFAULT_PERSISTENT_HANDLE tpm2_create --context-parent=$PRIMARY_CONTEXT --object-attributes=$DEFAULT_ATTRIBUTES --pubfile=$PUBFILE --privfile=$PRIVFILE --halg sha256 --kalg rsa2048:aes128cfb tpm2_load --quiet --context=$PRIMARY_CONTEXT --pubfile=$PUBFILE --privfile=$PRIVFILE --out-context=$PARENT_CONTEXT tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PARENT_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --persistent=$PARENT_PERSISTENT_HANDLE All of that is working great; a call to tpm2_listpersistent shows the two keys and their persistent handle. Then I try to add an AES key to that hierarchy. I want this key to be usable only if some policy is satisfied: tpm2_create --context-parent=$PARENT_CONTEXT --kalg=aes --pubfile=$PUBFILE --privfile=$PRIVFILE --policy-file=$AUTHORIZED_POLICY This call returns the following: WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish ErrorCode (0x000002c4) ERROR: Esys_Create(0x2C4) - tpm:parameter(2):value is out of range or is not correct for the context ERROR: Unable to run tpm2_create I then tried with "aes128" as key algorithm, instead of just "aes": WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish ErrorCode (0x000002c9) ERROR: Esys_Create(0x2C9) - tpm:parameter(2):mode of operation not supported ERROR: Unable to run tpm2_create I also tried to specify a mode instead ("aes128cfb"): WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish ErrorCode (0x000002c2) ERROR: Esys_Create(0x2C2) - tpm:parameter(2):inconsistent attributes ERROR: Unable to run tpm2_create After having read all the MAN pages twice, I still have no idea what is going on or what I did wrong. Most if not all of those commands were merely copy/pasted from the MAN pages at https://github.com/tpm2-software/tpm2-tools/tree/master/man . I'm using a Lenovo X1 Carbon (3rd gen) with Intel PTT enabled, so the system sees a TPM2.0 device. I can provide more information if needed. I would greatly appreciate if someone could provide some guidance on this issue; the TPM world being fascinating so far, I wouldn't want to be stuck on that problem. Thanks in advance for your help, Regards, Nicolas

1 year, 9 months

2
2
0 / 0

tpm2-tss 2.2.3_rc0 and 2.1.4_rc0

by Fuchs, Andreas

Hi all, I just published a new rc for both, the 2.2.x and 2.1.x branch. They can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.1.4_rc0 https://github.com/tpm2-software/tpm2-tss/releases/tag/2.2.3_rc0 Both include a fix for nonce-size calculation in ESYS. Best regards, Andreas

1 year, 9 months

1
0
0 / 0

unsealing and evictcontrol issues

by Luke Flinders

Hi all, Sorry for digging up potentially old issues but I have run into two issues that have been listed in your 2019-February archive. Those being; Invalid nonce size and during unsealing ( when using the master repositories ) Error code: 0x1c4 during tpm2_evictcontrol (when using Tools 3.1.4-rc0 , tss = 2.1.3_rc0 , abrmd = 2.1.1_rc0 ) For both the above I am using a physical TPM. I was just wondering if any progress had been made with these issues and if I could help with some testing? Kind regards, Luke Flinders Network Engineer IP Performance Ltd 1-3 Merietts Court, Long Ashton Business Park, Long Ashton, Bristol, BS41 9LW Office: +44 1275 393382 24/7 Support: +44 8708 409100 Email : lflinders(a)ip-performance.co.uk<mailto:lflinders@ip-performance.co.uk> [IPP Iogo newsmaller] CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.

1 year, 9 months

3
2
0 / 0

tpm2-tss 2.1.3

by Tadeusz Struk

Hello, I'm happy to announce that the tpm2-tss v2.1.3 is out. It can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.1.3 All changes and fixed issues are listed in the CHANGELOG.md file. Thanks, -- Tadeusz

1 year, 9 months

1
0
0 / 0

Issue with tpm2_sign

by Ian Oliver

Just starting having this issue with the latest master builds of tpm2_tools ( also latest tss/abrmd ) I have a small file to be signed $ls -l hash.file -rw-r--r-- 1 xxx xxx 64 huhti 1 14:10 hash.file $tpm2_sign -V -c 0x81010003 -G sha256 -m hash.file -o hash.sig WARNING:esys:src/tss2-esys/api/Esys_Sign.c:340:Esys_Sign_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Sign.c:133:Esys_Sign() Esys Finish ErrorCode (0x000003e0) ERROR on line: "81" in file: "./lib/log.h": Eys_Sign(0x3E0) - tpm:parameter(3):invalid ticket ERROR on line: "171" in file: "tools/tpm2_tool.c": Unable to run tpm2_sign The key at 0x8101003 is a signing key (actually it is the AK) $tpm2_listpersistent <cut....> - handle: 0x81010003 name-alg: value: sha256 raw: 0xb attributes: value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign raw: 0x50072 type: value: rsa raw: 0x1 <cut....> Working from the test file (./test/integration/tests/sign.sh) the syntax appears correct for this command (the man file is different) tpm2_sign -Q -c $handle_signing_key -G $alg_hash -m $file_input_data -o $file_output_data Machine details: $uname -a Linux ioliver-ThinkPad-X1-Carbon-5th 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $cat /etc/issue Ubuntu 18.04.2 LTS t. Ian -- *Dr. Ian Oliver* =============================== Privacy Engineering: via Amazon <http://www.amazon.co.uk/dp/1497569710> *Twitter: @i_j_oliver*

1 year, 9 months

2
3
0 / 0

ROCA and firmware version

by Ralf Schlatterbeck

I have an Infineon TPM2 (and TPM 1.2) module for the raspi https://www.infineon.com/cms/en/product/evaluation-boards/iridium9670-tpm... It is available both, as tpm 2.0 and as tpm 1.2. It has the SLB 9670VQ2.0 or SLB 9670VQ1.2 chips with SPI supported by the tpm_tis_spi kernel module. These modules have/had the ROCA vulnerability https://en.wikipedia.org/wiki/ROCA_vulnerability I'd like to check if mine are affected. Is there - a way to find out the firmware version of the module (preferrably using tpm2_tools) - a possibility to upgrade the firmware (provided I can extract one from the various upgrades for windows) using tpm2_tools? Or any other way? Thanks Ralf Schlatterbeck -- Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16 Open Source Consulting www: http://www.runtux.com Reichergasse 131, A-3411 Weidling email: office(a)runtux.com

1 year, 9 months

2
3
0 / 0

tpm2-tss-engine

by Ralf Schlatterbeck

I'm testing with a TPM-2 module for the Raspberry-Pi from Infineon running on an Orange-Pi zero (also a single-board computer a little smaller than the raspi). I've successfully built tpm2-tss-engine and have the following questions: - The key generation examples in the README.md create the private key in a file on the local filesystem. Isn't the purpose of a hw-security-module that the key stays inside the device and can't be extracted? Or am I missing something here? Is there a way to create a protected key inside the device in a way that it cannot be extracted? - I'm not familiar with the engine concept of OpenSSL, is there a way to use the engine with a software that is not engine-aware? In my case the mosquitto message broker. Or would I have to modify the software? Thanks Ralf Schlatterbeck -- Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16 Open Source Consulting www: http://www.runtux.com Reichergasse 131, A-3411 Weidling email: office(a)runtux.com

1 year, 9 months

4
7
0 / 0

tpm2-totp release candidate v0.1.2-rc0

by Fuchs, Andreas

Hello all, the release candidate for bugfix release for tpm2-totp 0.1.2-rc0 is out: https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.1.2-rc0 The bugfix-branch for v0.1.x has also been updated accordingly: https://github.com/tpm2-software/tpm2-totp/tree/v0.1.x I moved away from providing signed tar balls and only provide signed tags for release candidates for now. If you'd desire signed tar balls, please let me know and I'll start them again. Hope you enjoy, Andreas

1 year, 9 months

3
3
0 / 0

tpm2-tss 2.1.3-rc0

by Tadeusz Struk

Hello, A new release candidate for tpm2-tss 2.1.3 is out. It can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.1.3_rc0 All changes and fixed issues are listed in the CHANGELOG.md file. Please give it some testing. Any feedback is appreciated. Thanks, -- Tadeusz

1 year, 9 months

1
0
0 / 0

2021

2020

2019

2018

2017

tpm2 April 2019