May 2020 - tpm2 - Ml01.01.Org

by Lester Cordeiro

hi all, i'm trying to define TPM non volatile index under the platform hierachy with this command tpm2_nvdefine -Q 1 -C p -s 128 -P 123456 -a "ppread|ppwrite" but it's gives the following errors... WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:337:Esys_NV_DefineSpace_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x00000182) ERROR: Failed to define NV area at index 0x1000001 ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes ERROR: Unable to run tpm2_nvdefine And idea what attributes are inconsistent and what values to provide? regards, lester cordeiro

2 years, 1 month

2
1
0 / 0

tpm2-tss v2.4.1

by Tadeusz Struk

Hello, I'm happy to announce a new tpm2-tss 2.4.1 bugfix release. https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.1 The release includes number of fixes as follows: - Fixed systemd-sysusers/-tmpfiles creation without systemd - Removed expired coverity token from travis.yaml - Fixed uninitialized context of FAPI command Fapi_ChangeAuth issue - Fixed handling of tcti pointer in Esys_Initialize - Fixed usages of EC routines deprecated in OSSL 1.2 and greater - Fixed FAPI handling of TPMs without stored certificates Thanks, -- Tadeusz

2 years, 1 month

1
0
0 / 0

configure of tpm2-tss looking for json-c

by ted.h.kim＠oracle.com

When running ./configure for tpm2-tss (2.4.x branch), pkg-config complains about not finding "json-c". What is it looking for? I do have a /usr/lib64/libjson-c.so.4.0.0. What is it supposed to be finding? Thanks, -ted -- Ted H. Kim, PhD ted.h.kim(a)oracle.com +1 310-258-7515

2 years, 1 month

2
1
0 / 0

Use PCR10 of sha256 PCR bank

by eduardolfalcao＠gmail.com

Hello guys. I am new to TPM2, and I'm trying it for approx 3 weeks. First, I set up my environment, and configured the default IMA policy: #!/bin/sh # PROC_SUPER_MAGIC dont_measure fsmagic=0x9fa0 # SYSFS_MAGIC dont_measure fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 # TMPFS_MAGIC dont_measure fsmagic=0x01021994 # RAMFS_MAGIC dont_measure fsmagic=0x858458f6 # SECURITYFS_MAGIC dont_measure fsmagic=0x73636673 # MEASUREMENTS measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC measure func=MODULE_CHECK uid=0 The I configured the grub to use sha256: sudo sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ima_policy=tcb ima_hash=sha256"/' /etc/default/grub sudo update-grub After rebooting, I just noticed that PCR10 is used for sha1, but it is not used for sha256. ubuntu@ubuntu:~$ tpm2_pcrread sha1: 0 : 0x4F7F3D318FC01183E7DE3A0DCC4BE34FBCCDBA7D 1 : 0xD0DF6DEABE5A83A927BE7F1AC5C76DF42B5FF333 2 : 0x9D360B5F970A10C59FBF023EF5C5D9E546ABDDCD 3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 4 : 0x8AF8DEDB82AC4B6C134217F96D6CCA75B71283E2 5 : 0x0E892480CC081670FC80BCDF3B87EA3FB1D218D4 6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 7 : 0x518BD167271FBB64589C61E43D8C0165861431D8 8 : 0x0000000000000000000000000000000000000000 9 : 0x0000000000000000000000000000000000000000 10: 0xBB07F51CB74DC7BE01AF413A0557C0DA6FD1E61A 11: 0x0000000000000000000000000000000000000000 12: 0x0000000000000000000000000000000000000000 13: 0x0000000000000000000000000000000000000000 14: 0x0000000000000000000000000000000000000000 15: 0x0000000000000000000000000000000000000000 16: 0x0000000000000000000000000000000000000000 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23: 0x0000000000000000000000000000000000000000 sha256: 0 : 0xE4B28BC5903BADFD7F4D33EA968A902B25CAB39599DE43E9BD1D86A4235905EF 1 : 0x150FD1738628C5852A6FF5B63B3185EFA55B3BB37E19ADC1A40522182061A33D 2 : 0xD907F34E551760DAE63FD94BFC44B2D629CB556596D3914C4170B1F3D605A3FE 3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 4 : 0x3D3B637E8C2D01305762025C4F3B7E3DEB169D8976A29607C387DC028A5514B8 5 : 0xAB79C14B70120A8F628C73B4D9B460A980752EEDED1B149A6D3DFED57E8ACABB 6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 7 : 0x65CAF8DD1E0EA7A6347B635D2B379C93B9A1351EDC2AFC3ECDA700E534EB3068 8 : 0x0000000000000000000000000000000000000000000000000000000000000000 9 : 0x0000000000000000000000000000000000000000000000000000000000000000 10: 0x0000000000000000000000000000000000000000000000000000000000000000 11: 0x0000000000000000000000000000000000000000000000000000000000000000 12: 0x0000000000000000000000000000000000000000000000000000000000000000 13: 0x0000000000000000000000000000000000000000000000000000000000000000 14: 0x0000000000000000000000000000000000000000000000000000000000000000 15: 0x0000000000000000000000000000000000000000000000000000000000000000 16: 0x0000000000000000000000000000000000000000000000000000000000000000 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23: 0x0000000000000000000000000000000000000000000000000000000000000000 How do I manage to use sha256 and get the IMA measurements displayed on PCR10 of sha256 bank? Could anyone help me? Best regards :)

2 years, 1 month

4
8
0 / 0

[RELEASE] tpm2-tools 4.2.1-RC0

by Roberts, William C

Hello, I would like to announce the 4.2.1 https://github.com/tpm2-software/tpm2-tools/releases/tag/4.2.1-rc0 The changelog is: - Fix missing handle maps for ESY3 handle breaks. See #1994. - Fix error: 'for' loop initial declarations are only allowed in C99 mode Note that I forgot the " Fix error: 'for' loop initial declarations are only allowed in C99 mode", in the doc/CHANGELOG.md file I will roll a changelog Update with RC1 if we get feedback or include It in the actual release changelog. Thanks, Bill

2 years, 1 month

1
0
0 / 0

[RELEASE] tpm2-tools: 4.1.2-RC0

by Roberts, William C

Hello, I would like to announce a 4.1.2-RC0 release candidate for the tpm2-tools project with the following changes: * Fix missing handle maps for ESY3 handle breaks. See #1994. The release can be found here: https://github.com/tpm2-software/tpm2-tools/releases/tag/4.1.2-rc0 Thanks, Bill

2 years, 1 month

1
0
0 / 0

Re: Usage of openssl command line API as library function

by Muthukumar S

Hi Roberts, Any pointers in below request. The problem that I was discussing with you in another thread was related to createcsr. The below one is different one. BR, Muthukumar On Mon, May 4, 2020, 8:35 PM Muthukumar S <muthu.smk(a)gmail.com wrote: > Hi William Robers, > > Thanks for your guidance. Sorry for writing such a long email. > I tried finding below two solutions, which i feel will resolve my purpose. > Request you to have a look and let me know your thoughts. > > Below is the main function , which will create private key using > tpm2tss_rsa_genkey() and random key using esys_getrandom API and send this > as input to openssl > function to encrypt and decrypt back and get the original rsa key > generated by tpm2tss_rsa_genkey() API. > > main() > { > RSA *rsa = NULL; > rsa = RSA_new(); > TPM2_DATA *tpm2Data ; > tpm2tss_rsa_genkey(rsa,..,..,..); > tpm2Data = calloc(1, sizeof(*tpm2Data)); > memcpy(tpm2Data, RSA_get_app_data(rsa), sizeof(*tpm2Data)); > if (!tpm2tss_tpm2data_write(tpm2Data, outputfile)) /* cat of this " > outputfile" will have key starting with > .. > .. > /* I could able to print the "rsa" key generated using above > tpm2tss_rsa_genkey() API */ > PEM_write_RSA_PUBKEY(stdout, rsa); > > /* calling below openssl encrypt and decrypt function to encrypt the > "rsa" key along with "random num" generated using Esys_GetRandom */ > openssl_encrypt_decrypt(rsa,opt); > } > > /*created a function to perform openssl enc/dec for the "private key" > created using above mentioned tpm2tss_rsa_genkey() API*/ > ./*used a "random number" buffer as well ,as input key to openssl along > with "private key" and generated the encrypted key as shown below*/ > unsigned char * openssl_encrypt_decrypt(RSA *rsa, struct optn opt) /* here "rsa" is the key output generated by tpm2tss_rsa_genkey > & opt will have random buffer */ > *{* > > *}* > *Excepted output :* > During *encryption* ,below openssl API will take "RANDOM NUMBER" and "RSA > KEY" generated by tpm and generated a output encrypted file > /* input args : size - size of get_random buffer, from - random number > buffer , rsa - rsa key generated using tpm , No padding) > RSA_private_encrypt(size, from, encrypt, rsa, > RSA_NO_PADDING); > *Result *: If i do cat on "encrypt file" i could see the encrypted > content. Not sure whether the proper encryption is happening over here by > using this "priv key" + "rand number". > > During *decryption* , below openssl API will take "ENCRYPTED OUTPUT > buffer" as input along with "RSA KEY" generated by tpm */ > /* input args : size of (rsa) , output buffer generated by > RSA_private_encrypt (API) , decrypt - input buffer to store the decrypted > content ,) > RSA_public_decrypt(size, encrypt, decrypt, rsa, > RSA_NO_PADDING); > > *Result* : Ideally the output buffer of above openssl decrypt API should > have data of original encrypted "RSA" key generated by tpm. But am getting > some other encrypted content. Not sure what am i missing here. > > I am looking for *symmetric** kind of encryption* so tried with below > combination of openssl APIs . Not sure whether am i missing some thing over > here., do i need to set the PADDING stuff ? or some trying with wrong APIs > ? > > Tried with RSA_private_encrypt () - RSA_private_decrypt > RSA_private_encrypt () - RSA_public_decrypt > RSA_public_encrypt () - RSA_public_decrypt > RSA_pubic_encrypt () - RSA_private_decrypt > > Do the below APIs (reference > <https://github.com/llubu/mpro/blob/master/crypt/src/aes2.c>) will solve > my purpose ? > EVP_EncryptInit_ex () > EVP_EncryptUpdate() > EVP_EncryptFinal_ex() > > FYI : Below are the two command line API that am currently using for the > above purpose . Am trying to achieve the above openssl API(s) as a library > function inside my application: > # openssl enc -aes-256-cbc -salt -in rsa_key_genby_tpm -out enc_key -k > rand_key_genby_tpm > # openssl enc -aes-256-cbc -d -in enc_key -out final decrypted_key -k > rand_key_genby_tpm > > > > ============================================================================================== > *One more query , while giving the input private key to openssl , do i > need to give the output file of below API(tpm2tss_tpm2data_write()*)* or > the "RSA" key generated as output using tpm2tss_rsa_genkey(). Since both > the key output looks different that why i had this doubt ?? Shared the > below two keys for your reference. * > > *outputfile* : tpm2tss_tpm2data_write () api output file : > -----BEGIN TSS2 PRIVATE KEY----- > MIICDwYGZ4EFCgEDoAMBAQECAQAEggEYARYAAQALAAYEcgAAABAAEAgAAAEAAQEA > vnCX8AAA9glkEkSBNliWYJ/S/CUQsszZ4YWLbEJDRuQ7e0oMbUHDtTbwuF2qvNkj > In492EQqDemnSlCsICYdLUKa253cSNYfWS82zaX9cG7ktQ5yON/umX6QacnGeC72 > kmCjpzOyq1G4BdyWgZCpZQIqUEibGUOosrBn/S7NYFFtIMKN7/b/qmwg1NaBCVha > lK9NCOm438FUT+gMEAw71tskE2BpGgbHcLmAII1xo4hKtDfh9jvvSSo4mc3/YRzt > QlaK9TDaAkJPGV2Hcf16z4eFvw61Qd+w1na8bJR+TvUw85w2DE9ClDS7vWZhYci/ > NKsK3J7uMd+Lgx24KDL9KwSB4ADeACBxX0jMtapSINLe5s+G+mSCb/5aYXdyKyOt > Iooob20g8QAQY5o2OTdDKBR8WoB4j/UV3as2x5pVlmc0x/0+gyX8AXdKvzpNlPNM > P8bPLkA2XsNlydyIaxEsR/5J1mtGlxNFGcZLsa7XmmIfbCwN0wmysS2cQrUmugZh > B2YDc2Rjpg7NDIaHHEBQELg4IRpCP2BKSnyPCCOZ1g8zILwDZs4LKtL8vAiaF9Bq > hp8NE6fnUD1FTc3gtCPqA+PPmH4LbK2qO5dqGpkm3VdScJIW7OWxZVYqljUxDCSi > 3WVy > -----END TSS2 PRIVATE KEY----- > > > RSA public key file : below key is the output of > PEM_write_RSA_PUBKEY(stdout, rsa) API , here this input "rsa" key is the > output of tpm2tss-rsa-genkey() ; > > -----BEGIN PUBLIC KEY----- > MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvnCX8AAA9glkEkSBNliW > YJ/S/CUQsszZ4YWLbEJDRuQ7e0oMbUHDtTbwuF2qvNkjIn492EQqDemnSlCsICYd > LUKa253cSNYfWS82zaX9cG7ktQ5yON/umX6QacnGeC72kmCjpzOyq1G4BdyWgZCp > ZQIqUEibGUOosrBn/S7NYFFtIMKN7/b/qmwg1NaBCVhalK9NCOm438FUT+gMEAw7 > 1tskE2BpGgbHcLmAII1xo4hKtDfh9jvvSSo4mc3/YRztQlaK9TDaAkJPGV2Hcf16 > z4eFvw61Qd+w1na8bJR+TvUw85w2DE9ClDS7vWZhYci/NKsK3J7uMd+Lgx24KDL9 > KwIDAQAB > -----END PUBLIC KEY----- > > > *NOTE* : I didn't tried PKCS11 yet : > https://github.com/OpenSC/libp11/blob/master/examples/auth.c . Will try > this out and let you know > > BR, > Muthukumar > > On Tue, Apr 28, 2020 at 10:27 PM Roberts, William C < > william.c.roberts(a)intel.com> wrote: > >> > -----Original Message----- >> > From: Muthukumar S [mailto:muthu.smk@gmail.com] >> > Sent: Tuesday, April 28, 2020 11:38 AM >> > To: Roberts, William C <william.c.roberts(a)intel.com> >> > Cc: tpm2(a)lists.01.org >> > Subject: Re: [tpm2] Re: Usage of openssl command line API as library >> function >> > >> > Hi Robert, >> > >> > Thanks for your quick response. >> > >> > >> > As you said , I am exactly looking for openssl symmetric key operation. >> > >> > As said in my intial thead ,below are the implementation that I have >> done so far in >> > my application. >> > >> > 1) created rsa "priv_key" using tpm2tss-rsa-gen key using tpm >> > 2) created a random key (and saved as input_random_key) using >> > Esys_GetRandom() using tpm and kept as it is . >> > >> > 3) By using below openssl s/w APIs ,just want to encrypt the "private >> key" along >> > with "random key" and save the encrypted file . >> > openssl enc -aes-256-cbc -salt -in priv_key -out output_enc_key -k >> > input_random_key >> > >> > 4) do decrypt with below openssl command with input "random key" and get >> > back the "private key" >> > >> > openssl enc -aes-256-cbc -d -in output_enc_key -out >> decrypted_output_key -k >> > input_random_rum >> > >> > >> > Here comes my query, how to use the above two openssl command line API >> as >> > an library function inside "c" code. >> >> https://lmgtfy.com/?q=openssl+aes+encryption+example+in+c >> >> Learn to fish: >> 1. Google things >> 2. Look at the openssl commandlets, its open source, trace what they are >> doing >> 3. pkcs11 does some of this as well, look there. >> >> Good luck. >> >> > >> > On Tue, Apr 28, 2020, 8:12 PM Roberts, William C < >> william.c.roberts(a)intel.com >> > <mailto:william.c.roberts@intel.com> wrote: >> > >> > >> > After you generate the keypair, can't you call: >> > openssl rsa -in key.pem -pubout -out pubkey.pem >> > >> > Specifying the inkey and the engine, there are examples in the >> > Test scripts. Then from there you have a normal public key pem >> file >> > You can pass to openssl like normal without engine stuff, so it >> wont >> > Use the engine and just do software. >> > >> > If you want a random key, again just generate it and use the >> openssl >> > symmetric >> > Key operations. So if you wanted to do something like encrypt a >> file and >> > share >> > The decryption key, the steps would be >> > 1. generate aes key >> > 2. encrypt the file data >> > 3. encrypt the key with the public key >> > 4. decrypt the key with the private key >> > 5. decrypt the file with the obtained decrypted aes key >> > >> > >> > > -----Original Message----- >> > > From: muthu.smk(a)gmail.com <mailto:muthu.smk@gmail.com> >> > [mailto:muthu.smk@gmail.com <mailto:muthu.smk@gmail.com> ] >> > > Sent: Tuesday, April 28, 2020 7:33 AM >> > > To: tpm2(a)lists.01.org <mailto:tpm2@lists.01.org> >> > > Subject: [tpm2] Re: Usage of openssl command line API as library >> > function along >> > > with tpm-tss engine >> > > >> > > seems this iesys_crypto_sym_aes_encrypt() API and >> > iesys_crypto_pk_encrypt() >> > > API uses TPM for encryption and decryption . What i want is to >> use >> > pure openssl >> > > API (s/w based encryption) with the input of tpm generated >> hardware >> > priv key >> > > and random key and do encrypt & decrypt it as explained in the >> first >> > thread . >> > > _______________________________________________ >> > > tpm2 mailing list -- tpm2(a)lists.01.org <mailto: >> tpm2(a)lists.01.org> >> > > To unsubscribe send an email to tpm2-leave(a)lists.01.org >> <mailto:tpm2- >> > leave(a)lists.01.org> >> > > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s >> > >> >>

2 years, 1 month

2
1
0 / 0

How CreateCsr using openssl API flow works , when is passes via tpm2-tss-engine

by muthu.smk＠gmail.com

I have below openssl command with tpmengine which generate csr using the private key generated using tpm2tss-genkey. /* Generating private using below tpm2tss-genkey API*/ tpm2tss-genkey -a rsa -s 2048 tpm2tss_rsa_genkey_2048 /* using below openssl API creating a csr with input key (private key generated by tpm2tss) , via engine tpm2tss */ openssl req -new -engine tpm2tss -keyform engine -out openssl_created_mod_rsa_key.csr -key tpm2tss_rsa_genkey_2048 While creating the similar application what the above tpm2-genkey creation and openssl does using tpm2/tpm2-tss api , am getting my app crash in below signing API . I tried checking the tpm2-tss-engine code which works for openssl to perform tpm2 tss task . But i could not able to get any clue regarding where this "sign" is happening . Since this "sign" is part of csr generation , am not sure how come the command line above openssl api works . Can any one give me some inputs on this . X509_REQ_sign () Thanks

2 years, 1 month

3
4
0 / 0

tpm2_clear

by lester.corderio＠ufomoviez.com

hi, i am complete newbie to TPM so please excuse me if my question is silly, i wanted to know if anyone uses tpm2_clear command is all the data and keys lost?? so what if a disgrunted employee takes access and clears the TPM how can we recover from this?

2 years, 1 month

6
8
0 / 0

tpm2-tss v2.4.1-rc1

by Tadeusz Struk

Hello, A new release candidate rc-1 for tpm2-tss v2.4.1 is out. https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.1-rc1 All changes and fixes are listed in the CHANGELOG.md file. Any feedback welcomed. Thanks, -- Tadeusz

2 years, 1 month

1
0
0 / 0

2022

2021

2020

2019

2018

2017

tpm2 May 2020