tpm2-tss 2.3.0-rc0
by Fuchs, Andreas
Hi all,
I just tagged the release candidate for version 2.3.0-rc0
Please find it here:
https://github.com/tpm2-software/tpm2-tss/releases/tag/2.3.0-rc0
It includes a lot of new things, most notably, two new libraries:
- tss2-tctildr: simplifying and unifying the setting of custom tctis.
it's as simple as Tss2_TctiLdr_Initialize(getenv("MY_TCTI"), &tcti);
so give it a try.
- tss2-rc: converts tpm and tss return codes into strings
Also, we fixed some dependency bug with the tss2-esys.pc file that
falsely required tss2-mu.pc. If you encounter linker errors, please consider
adding tss2-mu.pc directly in your build scripts.
Finally, this release marks the end of life for the 2.1.x series. Upgrading
is highly recommended. (Everything < 2.2.x is eol)
Please give this some thorough testing. We'll also not merge non-bugfix
PRs until 2.3.0 is finally released.
Happy testing,
Andreas
1 year, 5 months
PCR Policy enforcement when using nvram
by Garrett Fields
Hey all. I'm new here. I've been browsing several guides and the wikis to
learn tpm2-tools and I have had some successes.
I work with the ZFS on Linux project, which has recently incorporated
encryption. The system, so far, allows a single passphrase or keyfile,
which can be piped into the unlock command. Manual passphrase entry during
initramfs works, but I wanted to store that passphrase in the tpm and have
the system autounlock with successful pcr system checks. I started with
tpm 1.2 and now trying with 2.0.
What I implemented via 1.2:
Create an nvram index that unlocks after PCR values are verified and the
correct index passphrase (which is the GUID of the drive) is supplied.
Then I block later reads of that index until reboot by doing a 0-byte read
of the index (just to block nosy individuals).
With the expanded TPM2.0 toolset, is nvram the preferred way to do this?
Should I be using TPM objects instead? Something else?
I am developing this using Ubuntu 18.04.2 LTS (tpm2-tools 2.1.0-1build1).
I've noticed that the options shift significantly with the version of
tpm2-tools.
Here's what I have working so far (nvram index secured with password only
and lockable):
------
export TPM2TOOLS_TCTI="device:/dev/tpm0"
tpm2_takeownership -o ownerpass -e endorsepass
tpm2_nvdefine -x 0x1000000 -a o -P ownerpass -p indexsecret -b "authread|authwrite|read_stclear" -s 11
echo "hdpassword" | tpm2_nvwrite -x 0x1000000 -a 0x1000000 -P indexsecret
tpm2_nvread -x 0x1000000 -a 0x1000000 -P indexsecret
tpm2_nvreadlock -x 0x1000000 -a 0x1000000 -P indexsecret
# when needed: tpm2_nvrelease -x 0x1000000 -a 0 -P ownerpass
------
I would really like to incorporate the pcr system check also (kinda the
whole point). I tried:
-----------
tpm2_listpcrs --tcti=device #To see current values
tpm2_createpolicy -L sha1:0,1,2,3,4,5,6,7 -o ./0-7policy.pol --policy-pcr
tpm2_nvdefine -x 0x1000000 -a o -P ownerpass -p indexsecret -L ./0-7policy.pol -b "authread|authwrite|read_stclear" -s 11
echo "hdpassword" | tpm2_nvwrite -x 0x1000000 -a 0x1000000 -P indexsecret
tpm2_nvlist # Verified that 0x1000000 has an "authorization policy"
tpm2_nvread -x 0x1000000 -a 0x1000000 -P indexsecret # Expected to work since PCRs are the same as at policy creation
tpm2_pcrextend 4:sha1=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
tpm2_listpcrs #Verify pcr4 is different
tpm2_nvread -x 0x1000000 -a 0x1000000 -P indexsecret #Expected to fail
-----------
The last line I would expect to fail, because of the PCR4 change, but it
still produces the password. Am I missing something on the nvdefine to
enable policy enforcement?
I'd be eager to receive comments on my entire usage. I know there is a lot
of TPM2 that I haven't started wrapping my head around. Suggestions or
pointers would be appreciated.
1 year, 5 months
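The digest a PCR policy is checked against is a function of the selected PCR contents, which is why an extend of PCR 4 is expected to invalidate a policy over PCRs 0-7. The Python below is an added example, not code from the post above or from tpm2-tools: it computes the policy digest the way TPM2_PolicyPCR does (policyDigest = H(old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values)), with H the policy session's hash) for a SHA-256 session over the SHA-1 bank named in the post's `-L sha1:0,1,2,3,4,5,6,7`, then applies the post's `tpm2_pcrextend` to PCR 4 and shows that the digest no longer matches, while an extend of a PCR outside the selection leaves it unchanged. All PCR bank contents are constructed. One TPM 2.0 fact worth keeping in mind when reading the post: an NV index's policy is only consulted for reads authorized through a policy session (TPMA_NV_POLICYREAD); when TPMA_NV_AUTHREAD is also set, a read authorized with the index password succeeds without the policy ever being evaluated.

```python
"""Compute the digest TPM2_PolicyPCR leaves in a policy session.
Added example, not code from the original post or from tpm2-tools."""
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
ALG_NAMES = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256"}


def marshal_pcr_selection(bank_alg, pcrs):
    """TPML_PCR_SELECTION with one bank: count u32, hashAlg u16,
    sizeofSelect u8 (3 for 24 PCRs), pcrSelect bitmap. TPM marshaling is big-endian."""
    select = bytearray(3)
    for p in pcrs:
        if not 0 <= p < 24:
            raise ValueError("PCR index out of range")
        select[p // 8] |= 1 << (p % 8)
    return struct.pack(">IHB", 1, bank_alg, 3) + bytes(select)


def policy_pcr_digest(session_alg, bank_alg, bank, pcrs, prior=None):
    """policyDigest' = H(policyDigest || TPM_CC_PolicyPCR || pcrs || pcrDigest),
    where pcrDigest = H(selected PCR values in ascending index order) and H is
    the policy session's hash. A fresh session starts from an all-zero digest."""
    hname = ALG_NAMES[session_alg]
    size = hashlib.new(hname).digest_size
    pcr_digest = hashlib.new(hname, b"".join(bank[p] for p in sorted(pcrs))).digest()
    h = hashlib.new(hname)
    h.update(prior if prior is not None else bytes(size))
    h.update(struct.pack(">I", TPM_CC_POLICY_PCR))
    h.update(marshal_pcr_selection(bank_alg, pcrs))
    h.update(pcr_digest)
    return h.digest()


def pcr_extend(bank_alg, bank, pcr, digest):
    """TPM2_PCR_Extend on one bank: PCR[n] = H(PCR[n] || digest). Returns a new bank."""
    new = dict(bank)
    new[pcr] = hashlib.new(ALG_NAMES[bank_alg], bank[pcr] + digest).digest()
    return new


def demo():
    """SHA-256 policy session over the SHA-1 bank, PCRs 0-7, as in the post's
    tpm2_createpolicy -L sha1:0,1,2,3,4,5,6,7. The bank contents are constructed."""
    bank = {i: hashlib.sha1(b"constructed pcr %d" % i).digest() for i in range(24)}
    pcrs = range(8)
    before = policy_pcr_digest(TPM_ALG_SHA256, TPM_ALG_SHA1, bank, pcrs)
    # The extend from the post: tpm2_pcrextend 4:sha1=f1d2...ec15
    pcr4_changed = pcr_extend(TPM_ALG_SHA1, bank, 4,
                              bytes.fromhex("f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"))
    # An extend of a PCR outside the selection must not affect the policy.
    pcr16_changed = pcr_extend(TPM_ALG_SHA1, bank, 16, hashlib.sha1(b"unrelated").digest())
    return {
        "before": before,
        "after_pcr4": policy_pcr_digest(TPM_ALG_SHA256, TPM_ALG_SHA1, pcr4_changed, pcrs),
        "after_pcr16": policy_pcr_digest(TPM_ALG_SHA256, TPM_ALG_SHA1, pcr16_changed, pcrs),
    }


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{name:12s} {digest.hex()}")
```

The TPM never stores the PCR values in the policy, only this digest; at read time it recomputes the digest from the live PCRs inside the policy session and compares it with the one recorded in the index's authPolicy. A password-authorized read never opens a policy session, so nothing is recomputed or compared on that path.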
Re: [tpm2] tpm2-tss 2.3.0-rc0 - bug
by Roberts, William C
Hi,
I'm seeing spurious error messages about the default tcti not being configured and thus
open fails with file not found. I would imagine we would want to ignore errno ENOENT.
I reported bug against rc0:
https://github.com/tpm2-software/tpm2-tss/issues/1482
Thanks,
Bill
> -----Original Message-----
> From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Fuchs, Andreas
> Sent: Friday, July 26, 2019 4:21 AM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] tpm2-tss 2.3.0-rc0
>
> Hi all,
>
> I just tagged the release candidate for version 2.3.0-rc0 Please find it here:
> https://github.com/tpm2-software/tpm2-tss/releases/tag/2.3.0-rc0
>
> It includes a lot of new things, most notably, two new libraries:
> - tss2-tctildr: simplifying and unifying the setting of custom tctis.
> it's as simple as Tss2_TctiLdr_Initialize(getenv("MY_TCTI"), &tcti);
> so give it a try.
> - tss2-rc: converts tpm and tss return codes into strings
>
> Also, we fixed some dependency bug with the tss2-esys.pc file that falsely
> required tss2-mu.pc. If you encounter linker errors, please consider adding
> tss2-mu.pc directly in your build scripts.
>
> Finally, this release marks the end of life for the 2.1.x series. Upgrading is highly
> recommended. (Everything < 2.2.x is eol)
>
> Please give this some thorough testing. We'll also not merge non-bugfix PRs until
> 2.3.0 is finally released.
>
> Happy testing,
> Andreas
> _______________________________________________
> tpm2 mailing list
> tpm2(a)lists.01.org
> https://lists.01.org/mailman/listinfo/tpm2
1 year, 5 months
question about ecdh capability
by Gallagher, James
Hello,
I was wondering if the tpm2 currently supports the ecdh process. I am looking to verify the authenticity of a raspberry pi and an infineon tpm by running ecdh process on some shared secret data, but I am unsure if tpm2 supports that. I was looking around and found esys_ecdh_keygen and esys_ecdh_zgen, which may be applicable, but I am unsure what they really are or how to use them. Any help would be greatly appreciated.
Thank you for your time,
James Gallagher
1 year, 6 months
Hmac session
by ramyasnair ramyasnair
Hi,
What is the use of HMAC session authorisation and how to create a HMAC
session?
Thanks and Regards
Ramya
1 year, 6 months
Re: [tpm2] tpm2 Digest, Vol 25, Issue 9
by Oliver, Dario N
Hello Nick
The TPM Event Log is usually in /sys/kernel/security/tpm0/binary_boot_measurements (at least in Fedora distros)
That log is in binary format, following the TCG specification for log events.
It can be read in human friendly format with a parser:
1. iml2text https://www.mankier.com/8/iml2text
2. binary_bios_measurement_parser https://github.com/ValdikSS/binary_bios_measurements_parser
Neither parser is 100% complete, but they show very useful information.
----------------------------------------------------------------------
Message: 1
Date: Mon, 15 Jul 2019 15:04:46 -0500
From: Nick Meyer <nimeyer(a)verizonmedia.com>
To: tpm2(a)lists.01.org
Subject: [tpm2] Read event log in booted Linux
Message-ID:
<CAO6U=OZu5skEEnBVX2OWA6ue=355jx2Xe8851-SSQxpgySBTGg(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hello all,
Is there a way to read the TCG event log in the booted OS on an EFI Linux system?
I am trying to confirm some behavior I am seeing between different vendors'
implementations and how they are handling ExitBootServices().
Thanks,
Nick Meyer
Verizon Media
1 year, 6 months
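A minimal parser for the log format discussed above, as an added example (not one of the parsers Dario lists and not from the original thread): it reads the crypto-agile PC Client log, which opens with a legacy-format EV_NO_ACTION "Spec ID Event03" entry announcing the digest sizes and continues with TCG_PCR_EVENT2 entries, and replays the SHA-256 digests into PCR values the way the TPM extends them. The log bytes are constructed in `build_sample_log()` rather than read from `/sys/kernel/security/tpm0/binary_bios_measurements`; on a real system, pass `open(path, "rb").read()` to `parse_event_log()` instead. The two EV_EFI_ACTION strings are the ones the PC Client spec measures into PCR 5 around ExitBootServices(), the event Nick is asking about, so a log where the second one is missing or lands in a different PCR is exactly what a vendor difference would look like. For simplicity every constructed digest is the SHA-256 of the event bytes; in a real log the EV_EFI_BOOT_SERVICES_APPLICATION digest covers the loaded PE image and its event is a UEFI_IMAGE_LOAD_EVENT structure, not a string.

```python
"""Parse a TCG PC Client crypto-agile event log and replay it into PCR values.
Added example, not from the original thread or from the parsers it names."""
import hashlib
import struct

EV_NO_ACTION = 0x00000003
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003
EV_EFI_ACTION = 0x80000007
TPM_ALG_SHA256 = 0x000B
ALG_NAMES = {0x0004: "sha1", TPM_ALG_SHA256: "sha256"}


def _spec_id_digest_sizes(event):
    """Digest sizes from TCG_EfiSpecIdEvent: signature[16], platformClass u32,
    specVersionMinor u8, specVersionMajor u8, specErrata u8, uintnSize u8,
    numberOfAlgorithms u32, then {algorithmId u16, digestSize u16} * n."""
    if event[:16] != b"Spec ID Event03\x00":
        raise ValueError("not a crypto-agile log header")
    n_algs = struct.unpack_from("<I", event, 24)[0]
    sizes, off = {}, 28
    for _ in range(n_algs):
        alg, size = struct.unpack_from("<HH", event, off)
        sizes[alg] = size
        off += 4
    return sizes


def parse_event_log(data):
    """Return a list of {"pcr", "type", "digests": {alg: bytes}, "event"} dicts."""
    # The first entry uses the legacy TCG_PCClientPCREvent layout:
    # pcrIndex u32, eventType u32, digest[20], eventSize u32, event[].
    pcr, etype = struct.unpack_from("<II", data, 0)
    size = struct.unpack_from("<I", data, 28)[0]
    header = data[32:32 + size]
    if etype != EV_NO_ACTION:
        raise ValueError("expected an EV_NO_ACTION Spec ID header first")
    sizes = _spec_id_digest_sizes(header)
    events = [{"pcr": pcr, "type": etype, "digests": {}, "event": header}]
    off = 32 + size
    while off < len(data):
        # TCG_PCR_EVENT2: pcrIndex u32, eventType u32, TPML_DIGEST_VALUES
        # (count u32, {algId u16, digest[size]}*), eventSize u32, event[].
        pcr, etype, count = struct.unpack_from("<III", data, off)
        off += 12
        digests = {}
        for _ in range(count):
            alg = struct.unpack_from("<H", data, off)[0]
            off += 2
            digests[alg] = data[off:off + sizes[alg]]
            off += sizes[alg]
        size = struct.unpack_from("<I", data, off)[0]
        off += 4
        events.append({"pcr": pcr, "type": etype, "digests": digests,
                       "event": data[off:off + size]})
        off += size
    return events


def pcr_extend(current, digest, hname="sha256"):
    """TPM2_PCR_Extend: PCR = H(PCR || digest)."""
    return hashlib.new(hname, current + digest).digest()


def replay_pcrs(events, alg=TPM_ALG_SHA256):
    """Recompute each PCR from the log; EV_NO_ACTION entries are never extended."""
    hname = ALG_NAMES[alg]
    pcrs = {}
    for ev in events:
        if ev["type"] == EV_NO_ACTION:
            continue
        cur = pcrs.get(ev["pcr"], bytes(hashlib.new(hname).digest_size))
        pcrs[ev["pcr"]] = pcr_extend(cur, ev["digests"][alg], hname)
    return pcrs


def _event2(pcr, etype, event):
    """Encode one TCG_PCR_EVENT2 carrying a single SHA-256 digest of the event bytes."""
    return (struct.pack("<III", pcr, etype, 1) + struct.pack("<H", TPM_ALG_SHA256)
            + hashlib.sha256(event).digest() + struct.pack("<I", len(event)) + event)


def build_sample_log():
    """Constructed sample log (not captured from firmware): a Spec ID header
    advertising only SHA-256, a PCR 4 bootloader entry, and the two EV_EFI_ACTION
    strings the PC Client spec measures into PCR 5 around ExitBootServices()."""
    spec = (b"Spec ID Event03\x00" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 1)
            + struct.pack("<HH", TPM_ALG_SHA256, 32) + b"\x00")  # vendorInfoSize = 0
    header = (struct.pack("<II", 0, EV_NO_ACTION) + bytes(20)
              + struct.pack("<I", len(spec)) + spec)
    return header + b"".join([
        _event2(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"constructed: \\EFI\\BOOT\\BOOTX64.EFI"),
        _event2(5, EV_EFI_ACTION, b"Exiting Boot Services Invocation"),
        _event2(5, EV_EFI_ACTION, b"Exiting Boot Services Returned with Success"),
    ])


if __name__ == "__main__":
    # Real system: data = open("/sys/kernel/security/tpm0/binary_bios_measurements", "rb").read()
    evs = parse_event_log(build_sample_log())
    for ev in evs:
        print(ev["pcr"], hex(ev["type"]), ev["event"][:44])
    for n, v in sorted(replay_pcrs(evs).items()):
        print("PCR", n, v.hex())
```

Comparing the replayed values with `tpm2_pcrread` (or the sysfs PCR files) is the usual sanity check: a mismatch means the log is missing or misordering events, which is the first thing to rule out before attributing a difference to how a vendor handles ExitBootServices().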