November 2020 - tpm2 - Ml01.01.Org

by Benjamin Berg

Hi, I was wondering if someone has ideas about integrating the TPM with Fingerprint readers. Recently I started looking into supporting Secure Device Connection Protocol (SDCP, [1]) in libfprint. The general idea is to verify that the Fingerprint reader can be trusted, but I initially also imagined that further use-cases like unsealing data in a TPM may be possible (e.g. to retrieve disk encryption keys). However, looking into it more, my current conclusion is that there is little to no advantage to use the TPM. At least not unless one also has a trusted (userspace) program which is capable of signing TPM authorizations. One could easily offload the required parts into a small helper, but that may require ensuring it runs in a trusted execution environment. Microsoft seems to run relevant parts as trustlets that are walled off from the rest of the system. That seems sensible to me, but it also means requiring all the infrastructure for execution and signing and I doubt that is feasible currently. Right now I'll probably go the way of not using the TPM at all. But I am really not an expert for this. So should someone see scenarios where a TPM is actually helpful in this context, then I would like to hear about them. Benjamin PS: A quick summary of how SDCP works: * Device has a private ECC key that signs the firmware and ephemeral keys during boot (and is inaccessible afterwards) * A certificate proofs that this key was provisioned in factory * Device builds a shared secret with the host (s) * Device sends id, HMAC_SHA256(s, "identify" || nonce || id) when the finger "id" was presented. * The HMAC proofs knowledge of the shared secret and authorizes the print. [1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...

2 months, 4 weeks

5
7
0 / 0

question: how to test a case where the selftest command fails

by Dafna Hirschfeld

Hi, I am working for Collabora on a list of patches in the Chromeos kernel. I want to check if I can upstream those patches to the mainline kernel. There is one patch [1] to ignore the case that the 'selftest' command failed when adding the '/dev/tpm' device. The idea is that userspace could still interact with the device to some extent event if it fails. I was wandering how do I test such a case. I thought that I can test it with a tpm emulator and change the emulator code to fail on 'selftest'. I am new to TPM and still know little about it so I thought maybe some of the people here have better ideas? [1] https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1065c2f... Thanks a lot, Dafna Hirschfeld.

1 year, 10 months

2
1
0 / 0

RELEASE tpm2-tss 3.0.3 and 2.4.5

by Fuchs, Andreas

Hi all, I'm happy to announce the releases 3.0.3 and 2.4.5 of tpm2-tss that fixes some regression of the previous version. You can find them here: https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.3 https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.5 Thanks, Andreas

1 year, 10 months

1
0
0 / 0

RELEASE CANDIDATE tpm2-tss 3.0.3-rc0 and 2.4.5-rc0

by Fuchs, Andreas

Hi all, due to a regression in the latest stable releases, I just taged 3.0.3-rc0 and 2.4.5-rc0 for a shortened review period. I'll be posting the final release tomorrow. Happy testing: https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.3-rc0 https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.5-rc0 Thanks, Andreas

1 year, 10 months

2
1
0 / 0

RELEASE tpm2-tss 3.0.2 and 2.4.4

by Fuchs, Andreas

Hi all, I'm happy to announce the stable releases 3.0.2 and 2.4.4 of tpm2-tss. They can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.2 https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.4 Thanks, Andreas

1 year, 10 months

1
0
0 / 0

RELEASE tpm2-tss-engine v1.1.0

by Fuchs, Andreas

Hi all, I can announce the next release of tpm2-tss-engine v1.1.0 You can find it at: https://github.com/tpm2-software/tpm2-tss-engine/releases/tag/v1.1.0 Thanks, Andreas

1 year, 10 months

1
0
0 / 0

tpm2_getekcertificate: certificate not found on Infineon SLB 9670

by nicolasoliver03＠gmail.com

Hello, I had some problems getting the Endorsement Key Certificate on a server using a TPM 2.0 Infineon SLB 9670. Version of the TPM2 Tools are 4.3 tagged release, compiled from source. The TPM seems to have the cert in the expected handle (0x1C00002 RSA, 0x1C0000a ECC) $ tpm2_getcap handles-nv-index - 0x1C00002 - 0x1C0000A I initially tried to get that with the tpm2_getekcertificate, but when I run the tool, it returns an exit code 0, and a string saying that the cert could not be found $ tpm2_createek -G rsa -u ek.pub -c key.ctx $ ls ek.pub key.ctx $ tpm2_getekcertificate -u ek.pub Certificate not found $ echo $? 0 Then, I executed the tool with --verbose mode, and I saw that is trying to pull the cert from ekop.intel.com. I could not find the url for Infineon. Later, I found this post https://www.infineonforums.com/threads/6044-Optiga-Endorsement-Credential... and I could use that to retrieve the cert from the handle: $ tpm2_nvread 0x1c00002 > nvread.1c00002.crt $ tpm2_nvread 0x1c0000a > nvread.1c0000a.crt So, a couple of questions and comments: 1. I noticed that the latest master tpm2_getekcertificate man page specifies that it will fetch the cert from the nvindex now. So, with the next release, getting the nvindex cert with tpm2_getekcertificate should work right? Also, is this version returning non 0 exit code if the cert was not found? 2. Does Infineon provides a server for fetching the EK Cert? Having that service is important if you are doing bulk operations over several servers. It took some time to get this figured out for us, so I think any help future users can get in the UX of using this tools is valuable!

1 year, 10 months

3
2
0 / 0

RELEASE CANDIDATE tpm2-tss 2.4.4-rc1 and 3.0.2-rc1

by Fuchs, Andreas

Hi all, I just tagged tpm2-tss release candidates 2.4.4-rc1 and 3.0.2-rc1. You can find them here: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.4-rc1 https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.2-rc1 Cheers, Andreas

1 year, 10 months

1
0
0 / 0

[Release] tpm2-tools v5.0

by Imran Desai

Hello all, I am pleased to announce the release of tpm2-tools version 5.0. For release details, please visit https://github.com/tpm2-software/tpm2-tools/releases/tag/5.0 Thank you to all the contributors for participating in this release. Thanks and Regards, Imran Desai

1 year, 10 months

1
0
0 / 0

Question: TPM2.0 auditing services/programs for S/W solutions using TPM chips.

by Matthew Giassa

Good day, I'm trying to find a specific type of guideline and/or certification relating to TPM-based (software) product, and wasn't able to find what I'm looking for here (so far), or at other sites I was advised to check out (i.e. [1], [2]), so I'm reaching out here for guidance/advice. Are there companies or programs (i.e. formally recognized or recommended by TCG or a similar authority) that pen-test/assess the quality of a software-based solution that depends on a TPM (i.e. 2.0) chip? Or, failing that, are there guidelines or certification/assessment programs for qualifying software solutions (i.e. Linux-based) that make use of a TPM device? I'm putting together some proof-of-concept examples, and while the design seems sound, it's my opinion that the person implementing the solution shouldn't be the same person assessing it for weaknesses. It's effectively a measured-boot-based solution to support full disk encryption via LUKS, and later, remote attestation. I started considering the topic after coming across a post [3], which strikes me as a bit of a "gotcha" (i.e. secret can be unsealed due to accidentally leaving a blank/default password enabled; "oops"). Any documentation/guides/resources that can help with assessing the quality of a s/w-based solution and "keeping it on the rails" is appreciated. Thank you. 1. "TPMDeveloper - Topics", <https://developers.tpm.dev/topics>, last accessed 2020-11-16. 2. "Trusted Computing Group - Resources", <https://trustedcomputinggroup.org/resources?>, last accessed 2020-11-16. 3. "Unsealing data despite PCR policy", <https://github.com/tpm2-software/tpm2-tools/issues/1123>, last accessed 2020-11-16.

1 year, 10 months

2
2
0 / 0

2022

2021

2020

2019

2018

2017

tpm2 November 2020