May 2020 - tpm2 - Ml01.01.Org

by Benjamin Berg

Hi, I was wondering if someone has ideas about integrating the TPM with Fingerprint readers. Recently I started looking into supporting Secure Device Connection Protocol (SDCP, [1]) in libfprint. The general idea is to verify that the Fingerprint reader can be trusted, but I initially also imagined that further use-cases like unsealing data in a TPM may be possible (e.g. to retrieve disk encryption keys). However, looking into it more, my current conclusion is that there is little to no advantage to use the TPM. At least not unless one also has a trusted (userspace) program which is capable of signing TPM authorizations. One could easily offload the required parts into a small helper, but that may require ensuring it runs in a trusted execution environment. Microsoft seems to run relevant parts as trustlets that are walled off from the rest of the system. That seems sensible to me, but it also means requiring all the infrastructure for execution and signing and I doubt that is feasible currently. Right now I'll probably go the way of not using the TPM at all. But I am really not an expert for this. So should someone see scenarios where a TPM is actually helpful in this context, then I would like to hear about them. Benjamin PS: A quick summary of how SDCP works: * Device has a private ECC key that signs the firmware and ephemeral keys during boot (and is inaccessible afterwards) * A certificate proofs that this key was provisioned in factory * Device builds a shared secret with the host (s) * Device sends id, HMAC_SHA256(s, "identify" || nonce || id) when the finger "id" was presented. * The HMAC proofs knowledge of the shared secret and authorizes the print. [1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...

2 months, 3 weeks

5
7
0 / 0

Re: How we authorize the EK hierarchy to create AIK?

by nicolasoliver03＠gmail.com

Hello Dimitar! I have a gist with an script on how to create EK and AK here https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d/#file-e... # Clear the TPM tpm2_clear # Create Endorsment Key tpm2_createek -c ek.ctx -G rsa -u ek.pub # Create Attestation Key tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa tpm2_evictcontrol -C o -c ak.ctx 0x81010002 tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml cat ak.yaml | grep '^name:' | awk '{ print $2 }' > ak.name # Generate the nonce and credential for challenge openssl rand -hex 6 > nonce.plain tpm2_makecredential -e ek.pub -s nonce.plain -n $(cat ak.name) -o nonce.encrypted # Decrypt nonce with Endorsement Key tpm2_startauthsession --policy-session -S session.ctx TPM2_RH_ENDORSEMENT=0x4000000B tpm2_policysecret -S session.ctx -c ${TPM2_RH_ENDORSEMENT} tpm2_activatecredential -c 0x81010002 -C ek.ctx -i nonce.encrypted -o nonce.decrypted -P "session:session.ctx" tpm2_flushcontext session.ctx # Generate Attestation Quote tpm2_quote -c 0x81010002 -l sha256:0,1,2,3,4,5,6,7,8,9 -q $(cat nonce.decrypted) -m quote.message -s quote.signature -o quote.pcrs -g sha256 # Validate Attestation Quote in the server tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs -g sha256 -q $(cat nonce.plain) The code for tpm2_createek and tpm2_createak is at: https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_create... https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_create...

2 years, 3 months

3
6
0 / 0

key destruction

by ted.h.kim＠oracle.com

Folks, Sorry for what might be an obvious question ... What is the right command sequence to destroy keys, despite the users possibly still having context files? I read something about resetting the seed for a hierarchy through the TPM2_Clear operation (presumably the tpm2_clear command can do this). But that is too drastic. I just want to kill off a single key and make it not usable. If I kill off a parent presumably I can destroy a whole tree of keys. But that just moves the problem, potentially up to a primary key. What is the right way to do this? I suppose there is some trick whereby you make a policy not able to be satisfied. But then it seems you still need to retain state to prevent the key from being used. I would rather just have all the key state be gone and not able to be recreated. Thanks, -ted -- Ted H. Kim, PhD ted.h.kim(a)oracle.com +1 310-258-7515

2 years, 4 months

2
3
0 / 0

Trying to decrypt a file encrypted with a TPM.

by oscargomezf＠gmail.com

Hi everyone, I have encrypted a file using a TPM with the following commands: tpm2_createprimary -c primary.ctx tpm2_create -C primary.ctx -Grsa2048 -u key.pub -r key.priv tpm2_flushcontext -t tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx echo "my message" > msg.dat tpm2_rsaencrypt -c key.ctx -o msg.enc msg.dat Therefore, I am able to encrypt the file msg.dat to msg.enc. And I have the following keys: 1. primary.ctx 2. key.pub 3. key.priv 4. key.ctx So far so good. However, I need to decrypt the file in msg.enc in another embedded system (Linux platform) without a TPM. How can I do that? What tools do I need to use?

2 years, 4 months

3
4
1 / 0

[RELEASE] tpm2-tools: 4.2.1

by Roberts, William C

Hello, I would like to announce the release of tpm2-tools version 4.2.1 with the following changelog: ### 4.2.1 - 2020-05-25 * Fix missing handle maps for ESY3 handle breaks. See #1994. * Bump ESYS minimum dependency version from 2.3.0 to 2.4.0. * Fix for loop declarations build error. You can find the release here: https://github.com/tpm2-software/tpm2-tools/releases/tag/4.2.1 Thanks, Bill

2 years, 4 months

1
0
0 / 0

[RELEASE CANDIDATE] tpm2-tools: 4.1.3-rc0

by Roberts, William C

Hello, I would like to announce tpm2-tools version 4.1.3-rc0, with the following changes over 4.1.2: 4.1.3-rc0 - 2020-05-22 * tpm2_create: Fix issue with userauth attribute being cleared if policy is specified. (I know the date is wrong, I was living in the past. Will update with the final release) You can find the release at: https://github.com/tpm2-software/tpm2-tools/releases/tag/4.1.3-rc0 Thanks, Bill

2 years, 4 months

1
0
0 / 0

Stablishing trust on to TPM simulator

by Eduardo Falcão

Hello, everyone :) I am creating a demo where I attest the state of a machine (VM) using a simulated TPM. I think I've done properly the core operations of my demonstration, but I'm still wondering how would I stablish trust with TPM in this simulated scenario. I think that in a real setup, with a real TPM, there may be a service that validates the TPM Ek certificate. Is there something similar I could do in simulation mode, or I would have to mock this action (in simulation environment)? Also, in case I have a real TPM, how would I use this service (for instance, with a TPM from Intel)? Where would I check the parameters of this API? -------- More info on my setup: The TPM I am using is simulated. Thus, my setup involves installing the SWTPM (https://github.com/stefanberger/swtpm.git and https://github.com/stefanberger/libtpms.git), QEMU (https://github.com/qemu/qemu), and EDK2 (https://github.com/tianocore/edk2.git). When configuring my simulator, I run it with --createek, --create-ek-cert, and --create-platform-cert flag, as follows: sudo swtpm_setup --tpmstate ${VTPM_DIR_PATH} --createek --create-ek-cert --create-platform-cert --allow-signing --tpm2 Through Qemu, I am able to start a VM with TPM2 features, and then I install TSS (https://github.com/tpm2-software/tpm2-tss), ABRMD (https://github.com/tpm2-software/tpm2-abrmd), and TPM2_TOOLS (https://github.com/tpm2-software/tpm2-tools). This setup allows me to try out TPM in simulation mode. Steps of attestation: 1. (VM to be attested) getting the public portion of my endorsement key 2. (VM to be attested) creating an attestation key (AK) 3. (VM to be attested) quoting given PCRs with freshly created AK (outputing the quote, pcrs, and signature) 4. (Attestator VM) run python program that checks quote signatue, and checks if value of PCR digest from quote matches an expected value Missing step: 1. (Attestator VM) check if vendor root certificates validate the EK certificate -------- Best regards

2 years, 4 months

3
3
0 / 0

How we authorize the EK hierarchy to create AIK?

by Dimitar Tomov

Hi everyone, I am having a hard time finding where happens the creation of policy(authorization) for the tpm2-tools to create AIK under the EK hierarchy? I know the sequence goes like this: Createk ... Creatak ... using the object context created by EK But the EK context object does not carry the Policy Authorization for creating AIK, so I am guessing the TSS2 stack is creating it based on the input form the tools. I also tried looking up in the TCG spec for more information what is the authorization procedure to enable use of the EK Hierarchy, but the search on the TCG website returned only blog posts and two mentions of AIK in https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisi... In this document, endorsementPolicy and endorsementAuth are mentioned, but I am having hard time finding how the TSS / Tools interact to set those and later use them for the creation of AIK. Could someone point me to the right place of code? Best, Dimi

2 years, 4 months

1
0
0 / 0

trying duplication and then rsa_en/decrypt

by ted.h.kim＠oracle.com

Folks, Sorry for what is probably an obvious question ... I tried the examples in the tpm2_duplicate(1) and tpm2_policyduplicationselect(1) man pages. Afterwards, I just wanted to try out the duplicated keys. So I tried tpm2_rsaencrypt followed by tpm2_rsadecrypt. But when doing the latter, I got: WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt() Esys Finish ErrorCode (0x0000012f) ERROR: Esys_RSA_Decrypt(0x12F) - tpm:error(2.0): authValue or authPolicy is not available for selected entity ERROR: Unable to run tpm2_rsadecrypt Which I guess means I didn't satisfy the policy for the object. But if I try to run tpm2_startauthsession like those man page examples show, I get this error: WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt() Esys Finish ErrorCode (0x000009a4) ERROR: Esys_RSA_Decrypt(0x9A4) - tpm:session(1):the commandCode in the policy is not the commandCode of the command or the command code in a policy command references a command that is not implemented ERROR: Unable to run tpm2_rsadecrypt And so, I am confused now about what I need to do to get these duplicated keys to work with tpm2_rsadecrypt. Thanks, -ted -- Ted H. Kim, PhD ted.h.kim(a)oracle.com +1 310-258-7515

2 years, 4 months

3
12
0 / 0

authHandle issues

by Muthukumar S

Hi Roberts, Thanks a lot for your response. As per your suggestion , I remember that I set "authHandle" as ESYS_TR type. And the test code that I have shared also has the same implementation. Below is how I set the "authHandle" , which is of ESYS_TR type and passed as argument to below Esys_NV_Read () API. ESYS_TR authHandle = 0x40000001; rc = Esys_NV_Read( ectx, authHandle, nv_index2, /* the nv index to read from */ ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, 20, 0, &read_data); if (rc != TSS2_RC_SUCCESS) { printf("Esys_NV_Read <ERROR>: 0x%x\n", rc); goto out; } Let me know , anything else am I missing? BR, Muthukumar

2 years, 4 months

2
3
0 / 0

2022

2021

2020

2019

2018

2017

tpm2 May 2020