November 2020 - tpm2 - Ml01.01.Org

question: how to test a case where the selftest command fails

by Dafna Hirschfeld

Hi, I am working for Collabora on a list of patches in the Chromeos kernel. I want to check if I can upstream those patches to the mainline kernel. There is one patch [1] to ignore the case that the 'selftest' command failed when adding the '/dev/tpm' device. The idea is that userspace could still interact with the device to some extent event if it fails. I was wandering how do I test such a case. I thought that I can test it with a tpm emulator and change the emulator code to fail on 'selftest'. I am new to TPM and still know little about it so I thought maybe some of the people here have better ideas? [1] https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1065c2f... Thanks a lot, Dafna Hirschfeld.

1 month, 2 weeks

2
1
0 / 0

RELEASE tpm2-tss 3.0.3 and 2.4.5

by Fuchs, Andreas

Hi all, I'm happy to announce the releases 3.0.3 and 2.4.5 of tpm2-tss that fixes some regression of the previous version. You can find them here: https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.3 https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.5 Thanks, Andreas

1 month, 3 weeks

1
0
0 / 0

RELEASE CANDIDATE tpm2-tss 3.0.3-rc0 and 2.4.5-rc0

by Fuchs, Andreas

Hi all, due to a regression in the latest stable releases, I just taged 3.0.3-rc0 and 2.4.5-rc0 for a shortened review period. I'll be posting the final release tomorrow. Happy testing: https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.3-rc0 https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.5-rc0 Thanks, Andreas

1 month, 3 weeks

2
1
0 / 0

RELEASE tpm2-tss 3.0.2 and 2.4.4

by Fuchs, Andreas

Hi all, I'm happy to announce the stable releases 3.0.2 and 2.4.4 of tpm2-tss. They can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.2 https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.4 Thanks, Andreas

1 month, 3 weeks

1
0
0 / 0

RELEASE tpm2-tss-engine v1.1.0

by Fuchs, Andreas

Hi all, I can announce the next release of tpm2-tss-engine v1.1.0 You can find it at: https://github.com/tpm2-software/tpm2-tss-engine/releases/tag/v1.1.0 Thanks, Andreas

1 month, 3 weeks

1
0
0 / 0

tpm2_getekcertificate: certificate not found on Infineon SLB 9670

by nicolasoliver03＠gmail.com

Hello, I had some problems getting the Endorsement Key Certificate on a server using a TPM 2.0 Infineon SLB 9670. Version of the TPM2 Tools are 4.3 tagged release, compiled from source. The TPM seems to have the cert in the expected handle (0x1C00002 RSA, 0x1C0000a ECC) $ tpm2_getcap handles-nv-index - 0x1C00002 - 0x1C0000A I initially tried to get that with the tpm2_getekcertificate, but when I run the tool, it returns an exit code 0, and a string saying that the cert could not be found $ tpm2_createek -G rsa -u ek.pub -c key.ctx $ ls ek.pub key.ctx $ tpm2_getekcertificate -u ek.pub Certificate not found $ echo $? 0 Then, I executed the tool with --verbose mode, and I saw that is trying to pull the cert from ekop.intel.com. I could not find the url for Infineon. Later, I found this post https://www.infineonforums.com/threads/6044-Optiga-Endorsement-Credential... and I could use that to retrieve the cert from the handle: $ tpm2_nvread 0x1c00002 > nvread.1c00002.crt $ tpm2_nvread 0x1c0000a > nvread.1c0000a.crt So, a couple of questions and comments: 1. I noticed that the latest master tpm2_getekcertificate man page specifies that it will fetch the cert from the nvindex now. So, with the next release, getting the nvindex cert with tpm2_getekcertificate should work right? Also, is this version returning non 0 exit code if the cert was not found? 2. Does Infineon provides a server for fetching the EK Cert? Having that service is important if you are doing bulk operations over several servers. It took some time to get this figured out for us, so I think any help future users can get in the UX of using this tools is valuable!

1 month, 3 weeks

3
2
0 / 0

RELEASE CANDIDATE tpm2-tss 2.4.4-rc1 and 3.0.2-rc1

by Fuchs, Andreas

Hi all, I just tagged tpm2-tss release candidates 2.4.4-rc1 and 3.0.2-rc1. You can find them here: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.4-rc1 https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.2-rc1 Cheers, Andreas

1 month, 4 weeks

1
0
0 / 0

[Release] tpm2-tools v5.0

by Imran Desai

Hello all, I am pleased to announce the release of tpm2-tools version 5.0. For release details, please visit https://github.com/tpm2-software/tpm2-tools/releases/tag/5.0 Thank you to all the contributors for participating in this release. Thanks and Regards, Imran Desai

2 months

1
0
0 / 0

Question: TPM2.0 auditing services/programs for S/W solutions using TPM chips.

by Matthew Giassa

Good day, I'm trying to find a specific type of guideline and/or certification relating to TPM-based (software) product, and wasn't able to find what I'm looking for here (so far), or at other sites I was advised to check out (i.e. [1], [2]), so I'm reaching out here for guidance/advice. Are there companies or programs (i.e. formally recognized or recommended by TCG or a similar authority) that pen-test/assess the quality of a software-based solution that depends on a TPM (i.e. 2.0) chip? Or, failing that, are there guidelines or certification/assessment programs for qualifying software solutions (i.e. Linux-based) that make use of a TPM device? I'm putting together some proof-of-concept examples, and while the design seems sound, it's my opinion that the person implementing the solution shouldn't be the same person assessing it for weaknesses. It's effectively a measured-boot-based solution to support full disk encryption via LUKS, and later, remote attestation. I started considering the topic after coming across a post [3], which strikes me as a bit of a "gotcha" (i.e. secret can be unsealed due to accidentally leaving a blank/default password enabled; "oops"). Any documentation/guides/resources that can help with assessing the quality of a s/w-based solution and "keeping it on the rails" is appreciated. Thank you. 1. "TPMDeveloper - Topics", <https://developers.tpm.dev/topics>, last accessed 2020-11-16. 2. "Trusted Computing Group - Resources", <https://trustedcomputinggroup.org/resources?>, last accessed 2020-11-16. 3. "Unsealing data despite PCR policy", <https://github.com/tpm2-software/tpm2-tools/issues/1123>, last accessed 2020-11-16.

2 months

2
2
0 / 0

[RELEASE] tpm2-pkcs11 1.5.0

by Roberts, William C

Hello, I would like to announce the release of tpm2-pkcs11 version 1.5.0 with the following changelog: ### 1.5.0 - 2020-11-16 * C_Decrypt: Fix CKM_RSA_PKCS11 scheme not removing PKCS v1.5 block padding from returned plaintext. * C_Digest/C_DigestFinal: Fix Section 5.2 style returns. * C_OpenSession: fix valid session handles starting at 0, 0 is invalid per the spec. * C_OpenSession: fix handle issuance bug where handles could be exhausted at out of bounds. * Support swtpm in testing infrastructure. * Fix C_Encrypt/C_Decrypt interface not setting size when output buffer in NULL. * Fix warning ../configure: line 14383: ]: command not found * Fix CKM_RSA_PKCS_PSS mechanism. * C_GetMechanismList: Fix index 0 of the returned list being invalid. * C_GetMechanismInfo: Fix errors like ERROR: Unknown mechanism, got: 0xd. * Docs: use full paths from project root to help fix 404 errors. * tpm2_ptool init to attempt to persistent created primary object at 0x81000001 and fallback to first available address on failure. The release can be found here: https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.5.0 Thanks, Bill

2 months

1
0
0 / 0

2021

2020

2019

2018

2017

tpm2 November 2020