RC 0x99d TPM_RC_POLICY_FAIL causes?
by Nick Meyer
Hello,
We have a set of boxes that use TPM2_Sign() to sign a cryptographic
challenge during a startup process. The signing key is protected by a PCR
policy; this policy is the only policy in the session authorizing the sign.
Occasionally, one of these boxes will start returning 0x99d and refuse to
sign the challenge, after which it seems to be stuck in this inconsistent
state until we generate a new signing key.
We are currently in the process of investigating if the PCRs have changed
in these cases; in the meantime, I wanted to ask here if there are any
other causes beyond the PCRs changing that could cause this error code, so
that we can investigate. We also believe it unlikely that the PCR update
counter is an issue as we would be expecting a TPM_RC_PCR_CHANGED return
code in this case.
Appreciate any insight you may have.
<http://www.verizonmedia.com>
Nick Meyer
3 years
Help needed to setup an AES key
by Nicolas Broquet
Hello everyone,
New to the TPM world, I've been reading various docs and forums the past
two weeks and I am now attempting to put all the learning into practice.
More specifically, I'm trying to have the TPM create an AES key.
Here is what I did so far:
DEFAULT_HIERARCHY="o"
DEFAULT_ATTRIBUTES="restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"
DEFAULT_PERSISTENT_HANDLE="0x81010001"
PARENT_PERSISTENT_HANDLE="0x81010002"
tpm2_createprimary --hierarchy=$DEFAULT_HIERARCHY
--auth-hierarchy="$OWNER_PASSWORD" --object-attributes=$DEFAULT_ATTRIBUTES
--halg sha256 --kalg rsa2048:aes128cfb --out-context-name=$PRIMARY_CONTEXT
tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PRIMARY_CONTEXT
--auth-hierarchy=$OWNER_PASSWORD --persistent=$DEFAULT_PERSISTENT_HANDLE
tpm2_create --context-parent=$PRIMARY_CONTEXT
--object-attributes=$DEFAULT_ATTRIBUTES --pubfile=$PUBFILE
--privfile=$PRIVFILE --halg sha256 --kalg rsa2048:aes128cfb
tpm2_load --quiet --context=$PRIMARY_CONTEXT --pubfile=$PUBFILE
--privfile=$PRIVFILE --out-context=$PARENT_CONTEXT
tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PARENT_CONTEXT
--auth-hierarchy=$OWNER_PASSWORD --persistent=$PARENT_PERSISTENT_HANDLE
All of that is working great; a call to tpm2_listpersistent shows the two
keys and their persistent handle.
Then I try to add an AES key to that hierarchy. I want this key to be
usable only if some policy is satisfied:
tpm2_create --context-parent=$PARENT_CONTEXT --kalg=aes --pubfile=$PUBFILE
--privfile=$PRIVFILE --policy-file=$AUTHORIZED_POLICY
This call returns the following:
WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish
ErrorCode (0x000002c4)
ERROR: Esys_Create(0x2C4) - tpm:parameter(2):value is out of range or is
not correct for the context
ERROR: Unable to run tpm2_create
I then tried with "aes128" as key algorithm, instead of just "aes":
WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish
ErrorCode (0x000002c9)
ERROR: Esys_Create(0x2C9) - tpm:parameter(2):mode of operation not supported
ERROR: Unable to run tpm2_create
I also tried to specify a mode instead ("aes128cfb"):
WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish
ErrorCode (0x000002c2)
ERROR: Esys_Create(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Unable to run tpm2_create
After having read all the MAN pages twice, I still have no idea what is
going on or what I did wrong. Most if not all of those commands were merely
copy/pasted from the MAN pages at
https://github.com/tpm2-software/tpm2-tools/tree/master/man .
I'm using a Lenovo X1 Carbon (3rd gen) with Intel PTT enabled, so the
system sees a TPM2.0 device. I can provide more information if needed.
I would greatly appreciate if someone could provide some guidance on this
issue; the TPM world being fascinating so far, I wouldn't want to be stuck
on that problem.
Thanks in advance for your help,
Regards,
Nicolas
3 years
unsealing and evictcontrol issues
by Luke Flinders
Hi all,
Sorry for digging up potentially old issues but I have run into two issues that have been listed in your 2019-February archive.
Those being;
Invalid nonce size and during unsealing ( when using the master repositories )
Error code: 0x1c4 during tpm2_evictcontrol (when using Tools 3.1.4-rc0 , tss = 2.1.3_rc0 , abrmd = 2.1.1_rc0 )
For both the above I am using a physical TPM.
I was just wondering if any progress had been made with these issues and if I could help with some testing?
Kind regards,
Luke Flinders
Network Engineer
IP Performance Ltd
1-3 Merietts Court, Long Ashton Business Park,
Long Ashton, Bristol, BS41 9LW
Office: +44 1275 393382
24/7 Support: +44 8708 409100
Email : lflinders(a)ip-performance.co.uk<mailto:lflinders@ip-performance.co.uk>
[IPP Iogo newsmaller]
CONFIDENTIALITY NOTICE:
The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
3 years
Issue with tpm2_sign
by Ian Oliver
Just starting having this issue with the latest master builds of
tpm2_tools ( also latest tss/abrmd )
I have a small file to be signed
$ls -l hash.file
-rw-r--r-- 1 xxx xxx 64 huhti 1 14:10 hash.file
$tpm2_sign -V -c 0x81010003 -G sha256 -m hash.file -o hash.sig
WARNING:esys:src/tss2-esys/api/Esys_Sign.c:340:Esys_Sign_Finish() Received
TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Sign.c:133:Esys_Sign() Esys Finish
ErrorCode (0x000003e0)
ERROR on line: "81" in file: "./lib/log.h": Eys_Sign(0x3E0) -
tpm:parameter(3):invalid ticket
ERROR on line: "171" in file: "tools/tpm2_tool.c": Unable to run tpm2_sign
The key at 0x8101003 is a signing key (actually it is the AK)
$tpm2_listpersistent
<cut....>
- handle: 0x81010003
name-alg:
value: sha256
raw: 0xb
attributes:
value:
fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign
raw: 0x50072
type:
value: rsa
raw: 0x1
<cut....>
Working from the test file (./test/integration/tests/sign.sh) the syntax
appears correct for this command (the man file is different)
tpm2_sign -Q -c $handle_signing_key -G $alg_hash -m $file_input_data -o
$file_output_data
Machine details:
$uname -a
Linux ioliver-ThinkPad-X1-Carbon-5th 4.15.0-46-generic #49-Ubuntu SMP Wed
Feb 6 09:33:07 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$cat /etc/issue
Ubuntu 18.04.2 LTS
t.
Ian
--
*Dr. Ian Oliver*
===============================
Privacy Engineering: via Amazon <http://www.amazon.co.uk/dp/1497569710>
*Twitter: @i_j_oliver*
3 years, 1 month
ROCA and firmware version
by Ralf Schlatterbeck
I have an Infineon TPM2 (and TPM 1.2) module for the raspi
https://www.infineon.com/cms/en/product/evaluation-boards/iridium9670-tpm...
It is available both, as tpm 2.0 and as tpm 1.2.
It has the SLB 9670VQ2.0 or SLB 9670VQ1.2 chips with SPI supported by
the tpm_tis_spi kernel module.
These modules have/had the ROCA vulnerability
https://en.wikipedia.org/wiki/ROCA_vulnerability
I'd like to check if mine are affected. Is there
- a way to find out the firmware version of the module (preferrably
using tpm2_tools)
- a possibility to upgrade the firmware (provided I can extract one from
the various upgrades for windows) using tpm2_tools? Or any other way?
Thanks
Ralf Schlatterbeck
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office(a)runtux.com
3 years, 1 month
tpm2-tss-engine
by Ralf Schlatterbeck
I'm testing with a TPM-2 module for the Raspberry-Pi from Infineon
running on an Orange-Pi zero (also a single-board computer a little
smaller than the raspi).
I've successfully built tpm2-tss-engine and have the following questions:
- The key generation examples in the README.md create the private key in
a file on the local filesystem. Isn't the purpose of a
hw-security-module that the key stays inside the device and can't be
extracted? Or am I missing something here? Is there a way to create a
protected key inside the device in a way that it cannot be extracted?
- I'm not familiar with the engine concept of OpenSSL, is there a way to
use the engine with a software that is not engine-aware? In my case
the mosquitto message broker. Or would I have to modify the software?
Thanks
Ralf Schlatterbeck
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office(a)runtux.com
3 years, 1 month
