Re: How we authorize the EK hierarchy to create AIK?
by nicolasoliver03@gmail.com
Hello Dimitar!
I have a gist with a script on how to create EK and AK here: https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d/#file-e...
# Clear the TPM
tpm2_clear
# Create Endorsement Key
tpm2_createek -c ek.ctx -G rsa -u ek.pub
# Create Attestation Key
tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa
tpm2_evictcontrol -C o -c ak.ctx 0x81010002
tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml
cat ak.yaml | grep '^name:' | awk '{ print $2 }' > ak.name
# Generate the nonce and credential for challenge
openssl rand -hex 6 > nonce.plain
tpm2_makecredential -e ek.pub -s nonce.plain -n $(cat ak.name) -o nonce.encrypted
# Decrypt nonce with Endorsement Key
tpm2_startauthsession --policy-session -S session.ctx
TPM2_RH_ENDORSEMENT=0x4000000B
tpm2_policysecret -S session.ctx -c ${TPM2_RH_ENDORSEMENT}
tpm2_activatecredential -c 0x81010002 -C ek.ctx -i nonce.encrypted -o nonce.decrypted -P "session:session.ctx"
tpm2_flushcontext session.ctx
# Generate Attestation Quote
tpm2_quote -c 0x81010002 -l sha256:0,1,2,3,4,5,6,7,8,9 -q $(cat nonce.decrypted) -m quote.message -s quote.signature -o quote.pcrs -g sha256
# Validate Attestation Quote in the server
tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs -g sha256 -q $(cat nonce.plain)
The code for tpm2_createek and tpm2_createak is at:
https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_create...
https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_create...
1 year, 11 months
key destruction
by ted.h.kim@oracle.com
Folks,
Sorry for what might be an obvious question ...
What is the right command sequence to destroy keys, despite the users
possibly still having context files?
I read something about resetting the seed for a hierarchy through the
TPM2_Clear operation (presumably the tpm2_clear command can do this).
But that is too drastic.
I just want to kill off a single key and make it not usable. If I kill
off a parent presumably I can destroy a whole tree of keys. But that
just moves the problem, potentially up to a primary key.
What is the right way to do this?
I suppose there is some trick whereby you make a policy not able to be
satisfied. But then it seems you still need to retain state to prevent
the key from being used. I would rather just have all the key state be
gone and not able to be recreated.
Thanks,
-ted
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
1 year, 11 months
Possible TPM uses in fprintd/libfprint
by Benjamin Berg
Hi,
I was wondering if someone has ideas about integrating the TPM with
Fingerprint readers.
Recently I started looking into supporting Secure Device Connection
Protocol (SDCP, [1]) in libfprint. The general idea is to verify that
the Fingerprint reader can be trusted, but I initially also imagined
that further use-cases like unsealing data in a TPM may be possible
(e.g. to retrieve disk encryption keys).
However, looking into it more, my current conclusion is that there is
little to no advantage to using the TPM. At least not unless one also has
a trusted (userspace) program which is capable of signing TPM
authorizations. One could easily offload the required parts into a
small helper, but that may require ensuring it runs in a trusted
execution environment.
Microsoft seems to run relevant parts as trustlets that are walled off
from the rest of the system. That seems sensible to me, but it also
means requiring all the infrastructure for execution and signing and I
doubt that is feasible currently.
Right now I'll probably go the way of not using the TPM at all. But I
am really not an expert in this. So should someone see scenarios where
a TPM is actually helpful in this context, then I would like to hear
about them.
Benjamin
PS: A quick summary of how SDCP works:
* Device has a private ECC key that signs the firmware and ephemeral
keys during boot (and is inaccessible afterwards)
* A certificate proves that this key was provisioned in factory
* Device builds a shared secret with the host (s)
* Device sends id, HMAC_SHA256(s, "identify" || nonce || id)
when the finger "id" was presented.
* The HMAC proves knowledge of the shared secret and authorizes the
print.
[1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...
1 year, 11 months
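The identify check from the summary above, seen from the host side, as an added example that is not part of the original post or of libfprint. Only the MAC formula comes from the summary; the 32-byte nonce, the byte-string finger id and the names IdentifyVerifier and device_response are assumptions.

```python
import hashlib
import hmac
import os


class IdentifyVerifier:
    """Host side: issues one fresh nonce per identify request and checks the reply."""

    def __init__(self, shared_secret):
        self._s = shared_secret      # "s", agreed with the device earlier
        self._pending = set()        # nonces issued but not yet answered

    def new_nonce(self):
        nonce = os.urandom(32)       # assumed fixed length; keeps the || unambiguous
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, finger_id, mac):
        # A nonce is accepted once, so a captured (id, MAC) pair cannot be replayed.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        want = hmac.new(self._s, b"identify" + nonce + finger_id,
                        hashlib.sha256).digest()
        # Constant-time comparison of the received MAC with the expected one.
        return hmac.compare_digest(want, mac)


def device_response(shared_secret, nonce, finger_id):
    """Stand-in for the reader: id plus HMAC_SHA256(s, "identify" || nonce || id)."""
    mac = hmac.new(shared_secret, b"identify" + nonce + finger_id,
                   hashlib.sha256).digest()
    return finger_id, mac
```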
Trying to decrypt a file encrypted with a TPM.
by oscargomezf@gmail.com
Hi everyone,
I have encrypted a file using a TPM with the following commands:
tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -Grsa2048 -u key.pub -r key.priv
tpm2_flushcontext -t
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
echo "my message" > msg.dat
tpm2_rsaencrypt -c key.ctx -o msg.enc msg.dat
Therefore, I am able to encrypt the file msg.dat to msg.enc. And I have the following keys:
1. primary.ctx
2. key.pub
3. key.priv
4. key.ctx
So far so good. However, I need to decrypt the file in msg.enc in another embedded system (Linux platform) without a TPM.
How can I do that? What tools do I need to use?
1 year, 11 months
Establishing trust on to TPM simulator
by Eduardo Falcão
Hello, everyone :)
I am creating a demo where I attest the state of a machine (VM) using a simulated TPM. I think I've properly done the core operations of my demonstration, but I'm still wondering how I would establish trust with the TPM in this simulated scenario.
I think that in a real setup, with a real TPM, there may be a service that validates the TPM EK certificate. Is there something similar I could do in simulation mode, or would I have to mock this action (in the simulation environment)?
Also, in case I have a real TPM, how would I use this service (for instance, with a TPM from Intel)? Where would I check the parameters of this API?
--------
More info on my setup:
The TPM I am using is simulated. Thus, my setup involves installing the SWTPM (https://github.com/stefanberger/swtpm.git and https://github.com/stefanberger/libtpms.git), QEMU (https://github.com/qemu/qemu), and EDK2 (https://github.com/tianocore/edk2.git).
When configuring my simulator, I run it with the --createek, --create-ek-cert, and --create-platform-cert flags, as follows:
sudo swtpm_setup --tpmstate ${VTPM_DIR_PATH} --createek --create-ek-cert --create-platform-cert --allow-signing --tpm2
Through Qemu, I am able to start a VM with TPM2 features, and then I install TSS (https://github.com/tpm2-software/tpm2-tss), ABRMD (https://github.com/tpm2-software/tpm2-abrmd), and TPM2_TOOLS (https://github.com/tpm2-software/tpm2-tools). This setup allows me to try out TPM in simulation mode.
Steps of attestation:
1. (VM to be attested) getting the public portion of my endorsement key
2. (VM to be attested) creating an attestation key (AK)
3. (VM to be attested) quoting given PCRs with freshly created AK (outputting the quote, pcrs, and signature)
4. (Attestator VM) run python program that checks quote signature, and checks if value of PCR digest from quote matches an expected value
Missing step:
1. (Attestator VM) check if vendor root certificates validate the EK certificate
--------
Best regards
1 year, 12 months
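What the tpm2_checkquote step in the first message and step 4 of this message look at inside quote.message, as an added Python example that is not the poster's program or tpm2-tools code: it parses the TPMS_ATTEST structure and compares the nonce and PCR digest. It assumes a single SHA-256 PCR bank and a SHA-256 quote digest, uses hypothetical function names and a constructed sample, and leaves verifying the AK signature over the message to a separate step.

```python
import hashlib
import struct

TPM_GENERATED, ST_ATTEST_QUOTE, ALG_SHA256 = 0xFF544347, 0x8018, 0x000B

def _tpm2b(buf, off):
    """Read a TPM2B: big-endian UINT16 size, then that many bytes."""
    (size,) = struct.unpack_from(">H", buf, off)
    if off + 2 + size > len(buf):
        raise ValueError("truncated TPM2B")
    return buf[off + 2:off + 2 + size], off + 2 + size

def parse_quote(msg):
    """Parse a marshalled TPMS_ATTEST (the file tpm2_quote writes with -m)."""
    magic, kind = struct.unpack_from(">IH", msg, 0)
    if magic != TPM_GENERATED or kind != ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    _signer, off = _tpm2b(msg, 6)   # qualifiedSigner: name of the signing key
    nonce, off = _tpm2b(msg, off)   # extraData: the qualifying data (-q)
    # Skip TPMS_CLOCK_INFO (17 bytes) and firmwareVersion (8 bytes).
    (count,) = struct.unpack_from(">I", msg, off + 25)
    off, banks = off + 29, {}
    for _ in range(count):          # TPML_PCR_SELECTION: hash alg + PCR bitmap
        alg, n = struct.unpack_from(">HB", msg, off)
        bits = msg[off + 3:off + 3 + n]
        banks[alg] = [i for i in range(8 * len(bits)) if (bits[i // 8] >> (i % 8)) & 1]
        off += 3 + n
    digest, off = _tpm2b(msg, off)  # pcrDigest over the selected PCR values
    if off != len(msg):
        raise ValueError("trailing bytes after pcrDigest")
    return nonce, banks, digest

def check_quote(msg, nonce, expected):
    """expected maps PCR index -> trusted SHA-256 PCR value (bytes)."""
    try:
        got_nonce, banks, digest = parse_quote(msg)
    except (ValueError, struct.error):
        return False
    want = hashlib.sha256(b"".join(expected[i] for i in sorted(expected))).digest()
    return got_nonce == nonce and banks == {ALG_SHA256: sorted(expected)} and digest == want

def sample_quote(nonce, pcrs):
    """Constructed test vector (not captured from a TPM): zeroed clock and firmware."""
    bitmap = sum(1 << i for i in pcrs).to_bytes(3, "little")  # bit i%8 of byte i//8
    digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()
    name = b"\x00\x0b" + bytes(32)  # placeholder key name
    return (struct.pack(">IHH", TPM_GENERATED, ST_ATTEST_QUOTE, len(name)) + name
            + struct.pack(">H", len(nonce)) + nonce + bytes(17 + 8)
            + struct.pack(">IHB", 1, ALG_SHA256, 3) + bitmap
            + struct.pack(">H", len(digest)) + digest)
```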
How we authorize the EK hierarchy to create AIK?
by Dimitar Tomov
Hi everyone,
I am having a hard time finding where the creation of the policy (authorization) happens for the tpm2-tools to create an AIK under the EK hierarchy.
I know the sequence goes like this:
Createek ...
Createak ... using the object context created by EK
But the EK context object does not carry the Policy Authorization for creating AIK, so I am guessing the TSS2 stack is creating it based on the input from the tools.
I also tried looking up in the TCG spec for more information what is the authorization procedure to enable use of the EK Hierarchy, but the search on the TCG website returned only blog posts and two mentions of AIK in https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisi...
In this document, endorsementPolicy and endorsementAuth are mentioned, but I am having a hard time finding how the TSS / Tools interact to set those and later use them for the creation of AIK.
Could someone point me to the right place of code?
Best,
Dimi
1 year, 12 months
trying duplication and then rsa_en/decrypt
by ted.h.kim@oracle.com
Folks,
Sorry for what is probably an obvious question ...
I tried the examples in the tpm2_duplicate(1) and
tpm2_policyduplicationselect(1) man pages. Afterwards, I just wanted to
try out the duplicated keys. So I tried tpm2_rsaencrypt followed by
tpm2_rsadecrypt. But when doing the latter, I got:
WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt()
Esys Finish ErrorCode (0x0000012f)
ERROR: Esys_RSA_Decrypt(0x12F) - tpm:error(2.0): authValue or authPolicy
is not available for selected entity
ERROR: Unable to run tpm2_rsadecrypt
Which I guess means I didn't satisfy the policy for the object. But if I
try to run tpm2_startauthsession like those man page examples show, I
get this error:
WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt()
Esys Finish ErrorCode (0x000009a4)
ERROR: Esys_RSA_Decrypt(0x9A4) - tpm:session(1):the commandCode in the
policy is not the commandCode of the command or the command code in a
policy command references a command that is not implemented
ERROR: Unable to run tpm2_rsadecrypt
And so, I am confused now about what I need to do to get these
duplicated keys to work with tpm2_rsadecrypt.
Thanks,
-ted
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
1 year, 12 months
authHandle issues
by Muthukumar S
Hi Roberts,
Thanks a lot for your response. As per your suggestion, I remember that I
set "authHandle" as ESYS_TR type. And the test code that I have shared also
has the same implementation.
Below is how I set the "authHandle", which is of ESYS_TR type and passed
as an argument to the Esys_NV_Read() API below.
ESYS_TR authHandle = 0x40000001;
rc = Esys_NV_Read(
    ectx,
    authHandle,
    nv_index2, /* the nv index to read from */
    ESYS_TR_PASSWORD,
    ESYS_TR_NONE,
    ESYS_TR_NONE,
    20,
    0,
    &read_data);
if (rc != TSS2_RC_SUCCESS) {
    printf("Esys_NV_Read <ERROR>: 0x%x\n", rc);
    goto out;
}
Let me know, am I missing anything else?
BR,
Muthukumar
1 year, 12 months