Need some suggestions about tpm2-tss in Windows
by Duc Duong
Hi,
I just started doing research on TPM software. I have a running instance on Ubuntu, where I built and installed four projects: tpm2-tss, tpm2-tss-engine, tpm2-tools and tpm2-abrmd.
For professional purposes, I'd like to use this TPM TSS to generate a key and a CSR with OpenSSL. I've already proven the concept on Ubuntu, but doing the same thing on Windows is the final goal.
The first challenge I met is how to build tpm2-tss on Windows; the other projects aren't even VS projects.
I'm trying to build tpm2-tss with the environment they have tested, i.e. VS 2017 + v141 clang/c2 + UCRT 10.0.16299.0.
But after that, how can I install it and test it? Without tpm2-tss-engine I can't test it from the command line, right?
If it's not too tedious, please give me some suggestions, the more the better.
For example, is there a better way to build tpm2-tss and the other projects on Windows?
Thanks!
Paul
6 months, 3 weeks
[RELEASE CANDIDATE] tpm2-tools 4.3.0-rc0
by Roberts, William C
Hello,
I would like to announce tpm2-tools release 4.3.0-rc0, with the following changelog:
4.3.0-rc0 - 2020-08-13
* tss2_*: Fix double-free errors in commands asking for password authorization
* tss2_*: Fix shorthand command -f that was falsely requiring an argument
* tss2_*: Update tss2_encrypt to the new FAPI interface
- The argument 'policyPath' is removed which was never read anyway
* tss2_*: Remove the additional '\n' that was appended when redirecting to stdout
* tss2_*: Update mandatory vs optional treatment of arguments according to latest Fapi spec
* tss2_*: tss2_getinfo now retrieves the correct FAPI version from Fapi_GetInfo
* tss2_*: Fix the error handling in case of multiple inputs and/or outputs from stdin/stdout
* tss2_*: Fix syntax errors and update content of man pages according to latest Fapi spec
* tss2_*: Add parameter types to all man pages
* tss2_*: tss2_setappdata now reads from file or stdin allowing to store also binary data
* tss2_*: Memory leaks are fixed in cases when a returned empty non-char output value was passed to file output
The release can be found here:
- https://github.com/tpm2-software/tpm2-tools/releases/tag/4.3.0-rc0
Bill
6 months, 3 weeks
FAPI delete issue
by Phani Srinivas
Hello All,
Having used the FAPI APIs for a while for some exploratory work, I provisioned FAPI with a password using the following call, with the macro PASSWORD set to "1234":
rc = Fapi_Provision(global_fapi_context,PASSWORD,PASSWORD,PASSWORD);
Then I tried to clear the TPM using the following calls after Fapi_Initialize:
    /* callback supplies the auth value (PASSWORD) when FAPI asks for it */
    rc = Fapi_SetAuthCB(global_fapi_context, auth_callback, NULL);
    if (rc != TSS2_RC_SUCCESS) {
        printf("Failed to set the callback \n");
    }
    printf("clearing the TPM \n");
    /* "/" is the root of the FAPI keystore: delete everything, including TPM objects */
    rc = Fapi_Delete(global_fapi_context, "/");
    if (rc != TSS2_RC_SUCCESS) {
        printf("Failed to clear TPM\n");
        ret = ERR_FAIL;
    }
But I see the following error:
ERROR:esys:src/tss2-esys/esys_iutil.c:1070:esys_GetResourceObject() Error: Esys handle does not exist (70018).
ERROR:fapi:src/tss2-fapi/fapi_util.c:380:ifapi_set_auth() Set auth value. ErrorCode (0x00070018)
ERROR:fapi:src/tss2-fapi/api/Fapi_Delete.c:377:Fapi_Delete_Finish() ErrorCode (0x00070018) Set owner authorization
ERROR:fapi:src/tss2-fapi/api/Fapi_Delete.c:89:Fapi_Delete() ErrorCode (0x00070018) Entity_Delete
Failed to clear TPM
Any thoughts on what went wrong here?
Regards
Phani Srinivas S
6 months, 3 weeks
Re: Debugging tpm2 tools based of FAPI
by Florian.Schreiner@infineon.com
Hi Phani,
Unfortunately I don't have the environment to replicate your error, and I also haven't heard of this error yet. It would be good to share the root cause once you have found it, so that other users don't run into the same error.
I would propose that you set up a TPM system with the respective hardware setup and software versions which doesn't run into this API error. Then you can verify what the difference is to your setup and where the error comes from. One possibility for a basic reference setup would be a Raspberry Pi. There is an application note available on the Infineon website here: https://www.infineon.com/cms/en/product/promopages/tpm-tss-quickstarter/ in the link at the bottom of the page. The application note describes a specific system setup that should work, and in section 9 there is also a description of how to include the TPM simulator. Therefore the TPM simulator should work on this setup. If the error also occurs on this system with these chosen software versions, we have a common basis to compare and replicate the error.
Best,
Florian
From: Phani Srinivas <phani.srinivas(a)in.abb.com>
Sent: Freitag, 7. August 2020 07:49
To: Schreiner Florian (IFAG DSS ESS STM) <Florian.Schreiner(a)infineon.com>; tpm2(a)lists.01.org
Subject: RE: Debugging tpm2 tools based of FAPI
Hello Florian,
I am using the simulator (mssim config) and removing the persistent data (NVChip), but it seems to be of no help; I see the following error after the clean-up:
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
Do you have any preliminary steps to run the FAPI-based tools before running the tool as mentioned in the man pages?
Regards
Phani Srinivas S
6 months, 3 weeks
[RELEASE] tpm2-pkcs11: 1.3.2
by Roberts, William C
Hello,
I would like to announce the release of tpm2-pkcs11 version 1.3.2 with the following changelog:
### 1.3.2 - 2020-08-10
* Fix C_InitToken, ensure no embedded nul byte.
* Fix free of mutex being held in C_InitToken failures: #573
* Fix C_Login CKU_USER login attempt before pin is setup: #563
* Fix C_InitToken double init issues #577
The release can be found here:
https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.3.2
Thanks,
Bill
6 months, 3 weeks
Take part in TPM libraries usability study (by Aalto University and Nokia Bell Labs)
by sidtechnical@gmail.com
Hello everyone,
I am Sid Rao, a security researcher from Aalto University, Finland. Along with my colleague Gabriela Limonta from Nokia Bell Labs, we are conducting a study on the usability of TPM libraries.
We want to understand the current trends and usage of the libraries in day-to-day life. Right now, we are doing a preliminary survey to identify volunteers for participating in our study. Your efforts will be compensated in the next phase of our study. Here is the link to that:
https://bit.ly/2CBI7oB
It would be very much helpful if you take part in our study. Also, please share this survey with people in your network who also work on trusted computing. [Retweet (https://twitter.com/sidnext2none/status/1286246151709130753), if you are on Twitter]
Feel free to contact me (siddharth.rao(a)aalto.fi) or Gabriela (gabriela.limonta(a)nokia-bell-labs.com) if you have any questions!
Best regards,
Sid
7 months
Re: Debugging tpm2 tools based of FAPI
by Florian.Schreiner@infineon.com
Hi Phani,
I don't know the error code in particular, but the messages say that you triggered the DA Lockout security mechanism. This mechanism is implemented to block Dictionary Attacks (DA), which are used by attackers to try out as many passwords as possible in a short amount of time. Dictionaries with typical passwords improve the efficiency of those attacks.
The TPM blocks this with a lockout, i.e. if you have tried too many false authorizations in a short period of time, the TPM blocks any further requests until a timeout runs out. The time increases as more false authorizations are executed.
Therefore it seems you triggered the DA lockout with this timeout in the first runs, and later on the TPM reports that it is still in the DA Lockout.
A recovery method is that you leave the TPM powered and wait for the timeout to be over. After that the TPM should work normally.
There are commands available with which you can read the amount of time the timeout still takes. There are also commands that allow you to reset the DA Lockout using the DA Lockout Auth, so that you don't need to wait for the timeout. The DA Lockout Auth is, for example, the password of the admin.
As you are using the simulator, there should also be a simple method to erase the persistent data stored in the simulator, as it provides no security.
Best,
Florian
Infineon Technologies AG
Security Architect
IFAG DSS ESS TCE
7 months
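Florian's reply above mentions commands to read how long the lockout still lasts and to reset it with the lockout auth. Here is an added example of that in shell; it is not code from the thread or from the tpm2-software project. It uses the tpm2-tools 4.x commands tpm2_getcap, tpm2_dictionarylockout and tpm2_rc_decode, and parses a capability dump that is constructed here to mirror the YAML `tpm2_getcap properties-variable` prints (its exact layout is an assumption). Two caveats a practitioner would want: a wrong lockout auth passed to tpm2_dictionarylockout is itself counted as a lockoutAuth failure and locks that auth for TPM2_PT_LOCKOUT_RECOVERY seconds; and the warning lines in the thread come from tcti-device.c, i.e. the device TCTI, because the tss2_* FAPI tools take their TCTI from the FAPI configuration file (fapi-config.json, key "tcti", selectable with TSS2_FAPICONF) rather than from TPM20TEST_TCTI, whereas the tpm2_* tools used below read TPM2TOOLS_TCTI or -T.

```shell
#!/bin/sh
# Added example for the DA-lockout discussion; not code from the thread or from
# the tpm2-software project. Command names/flags are tpm2-tools 4.x. The dumps
# below are CONSTRUCTED to mirror `tpm2_getcap properties-variable` output.

# Pull one property out of a properties-variable dump read on stdin and print
# it as a decimal integer. Works for top-level hex lines
# ("TPM2_PT_LOCKOUT_COUNTER: 0x3") and the indented bit fields under
# TPM2_PT_PERMANENT ("  inLockout: 1"). Returns 1 if the key is absent.
getcap_prop() {
    _raw=$(awk -v key="$1:" '$1 == key { print $2; exit }')
    [ -n "$_raw" ] || return 1
    echo $(( $_raw ))          # $(( 0x3E8 )) -> 1000 in any POSIX shell
}

# Summarise DA state from a dump on stdin. Exit 0 when DA-protected
# authorizations will be accepted, 1 when the TPM is in lockout (then every
# such auth fails with TPM_RC_LOCKOUT, the 0x921 seen in the thread).
lockout_state() {
    _dump=$(cat)
    _in_lockout=$(printf '%s\n' "$_dump" | getcap_prop inLockout)              || return 2
    _counter=$(printf '%s\n' "$_dump" | getcap_prop TPM2_PT_LOCKOUT_COUNTER)    || return 2
    _max=$(printf '%s\n' "$_dump" | getcap_prop TPM2_PT_MAX_AUTH_FAIL)          || return 2
    _interval=$(printf '%s\n' "$_dump" | getcap_prop TPM2_PT_LOCKOUT_INTERVAL)  || return 2
    _recovery=$(printf '%s\n' "$_dump" | getcap_prop TPM2_PT_LOCKOUT_RECOVERY)  || return 2
    echo "failed auths counted: $_counter of $_max allowed;" \
         "counter decays by one every ${_interval}s;" \
         "a wrong lockoutAuth blocks that auth for ${_recovery}s"
    if [ "$_in_lockout" -eq 1 ]; then
        echo "TPM is in DA lockout: wait, or clear it with the lockout auth"
        return 1
    fi
    echo "TPM is not in DA lockout"
    return 0
}

# Live helpers: need a TPM or simulator reachable via TPM2TOOLS_TCTI, e.g.
# TPM2TOOLS_TCTI="mssim:host=127.0.0.1,port=2321" for the simulator in the thread.
tpm_check_lockout() {               # exit 1 while locked out
    tpm2_getcap properties-variable | lockout_state
}
tpm_clear_lockout() {               # $1 = lockout hierarchy auth value
    # Resets lockoutCounter now instead of waiting TPM2_PT_LOCKOUT_INTERVAL
    # per counted failure. A WRONG value here is itself a lockoutAuth failure.
    tpm2_dictionarylockout --clear-lockout -p "$1"
}
tpm_explain_rc() {                  # e.g. tpm_explain_rc 0x921
    tpm2_rc_decode "$1"
}

# Constructed sample dumps (assumed layout); the first is a locked-out TPM.
SAMPLE_LOCKED_OUT='TPM2_PT_PERMANENT:
  ownerAuthSet:              1
  endorsementAuthSet:        1
  lockoutAuthSet:            1
  reserved1:                 0
  disableClear:              0
  inLockout:                 1
  tpmGeneratedEPS:           0
  reserved2:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x3
TPM2_PT_MAX_AUTH_FAIL: 0x3
TPM2_PT_LOCKOUT_INTERVAL: 0x3E8
TPM2_PT_LOCKOUT_RECOVERY: 0x3E8'
SAMPLE_CLEAR=$(printf '%s\n' "$SAMPLE_LOCKED_OUT" \
    | sed -e 's/inLockout: *1/inLockout: 0/' -e 's/LOCKOUT_COUNTER: 0x3/LOCKOUT_COUNTER: 0x0/')

# Offline self-check on the constructed dumps (no TPM needed):
printf '%s\n' "$SAMPLE_LOCKED_OUT" | lockout_state || echo "-> tpm_clear_lockout <lockoutAuth>, or wait"
printf '%s\n' "$SAMPLE_CLEAR" | lockout_state
```

On a live system replace the sample with `tpm_check_lockout`; if it reports lockout and waiting is not an option, `tpm_clear_lockout` with the value given to Fapi_Provision as lockout auth resets the counter. `tpm_explain_rc 0x921` and `tpm_explain_rc 0x98e` print the same decoded meanings that appear at the end of the tss2_provision output in the thread.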
Debugging tpm2 tools based of FAPI
by Phani Srinivas
Hello All,
I was successful in making the FAPI integration tests work and tried out some of the scenarios for creating keys and performing key operations.
But when I used the FAPI-based tools, I see the following errors:
export TPM20TEST_TCTI=mssim:host=127.0.0.1,port=2321
root@edgesec101:/home/edgesec100/phaniWS/tpm2_tools/tpm2-tools/tools/fapi# ./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x0000098e) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x0000098e) Provision
Fapi_Provision(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
Later I removed the NVChip created in the simulator dir and ran it again; I see a different error:
./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
I couldn't find in the documentation any prerequisites to follow to make the FAPI-based tpm2 tools work.
I see some RM configuration to be done, but I have not been successful in my trials. Any suggestions on how the environment should be set up to make the FAPI-based tpm2 tools work?
Regards
Phani Srinivas S
R&D Principal Engineer ABB
7 months
Obtain Public Key
by Brijesh Patel
Hi All,
Slightly general question.
- Want to retrieve a public certificate from the TPM (don't really care which, EK or SRK, as long as the private key is only known to the TPM).
- Will use the public certificate to encrypt other keys off of the device.
- Want to be able to decrypt these keys on the device with the TPM.
I saw the following:
https://github.com/tpm2-software/tpm2-tools/issues/1765, which is using AIKs and OpenSSL to try and achieve this.
Any suggestions?
Thanks!
7 months
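An added example of the flow asked about above, in shell; this is not code from the thread or from the tpm2-software project, and no reply on the page proposes it. It assumes tpm2-tools 4.x (tpm2_createprimary, tpm2_create, tpm2_load, tpm2_readpublic, and tpm2_rsadecrypt with its -s/--scheme option) on the device and OpenSSL 1.1 or later off the device. Instead of the EK or SRK it creates a dedicated decrypt-only key under the owner hierarchy's storage primary: a restricted decryption key such as the EK cannot be used for TPM2_RSA_Decrypt at all, and a key that can both sign and decrypt is best avoided. The padding must match on both sides; RSA-OAEP with SHA-256 for hash and MGF1 and an empty label is the assumption made here, and with a 2048-bit key that limits the plaintext to 190 bytes, which is enough for the symmetric keys being wrapped.

```shell
#!/bin/sh
# Added example for the "Obtain Public Key" question; not code from the thread
# or from the tpm2-software project. Assumes tpm2-tools 4.x and OpenSSL 1.1+.
# The key attributes and the OAEP/SHA-256 parameters are assumptions.

# ---- on the device: create a TPM-resident RSA decryption key and export only
# its public half as PEM. key.priv is wrapped by the storage primary and is
# only ever usable inside this TPM.
tpm_make_decrypt_key() {                # $1 = working directory
    _d=$1
    tpm2_createprimary -C o -c "$_d/primary.ctx"
    # decrypt-only: 'sign' is dropped from the default attribute set so the
    # same key can never be coaxed into producing signatures
    tpm2_create -C "$_d/primary.ctx" -G rsa2048 \
        -a 'fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt' \
        -u "$_d/key.pub" -r "$_d/key.priv"
    tpm2_load -C "$_d/primary.ctx" -u "$_d/key.pub" -r "$_d/key.priv" -c "$_d/key.ctx"
    tpm2_readpublic -c "$_d/key.ctx" -f pem -o "$_d/key.pem"   # ship this file off-device
}

# ---- off the device: wrap a secret to the exported public key. Needs only
# OpenSSL. OAEP/SHA-256 for both the hash and MGF1, empty label: this must be
# exactly what the TPM will undo, or RSA_Decrypt fails. Max plaintext for a
# 2048-bit key: 256 - 2*32 - 2 = 190 bytes.
encrypt_for_tpm() {                     # $1 = key.pem  $2 = plaintext  $3 = ciphertext out
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# ---- back on the device: the TPM unwraps the secret; the private key never
# leaves the chip, only this command's output does.
tpm_decrypt() {                         # $1 = key.ctx  $2 = ciphertext  $3 = plaintext out
    tpm2_rsadecrypt -c "$1" -s oaep -o "$3" "$2"
}

# End-to-end run on a host with a TPM or simulator (TPM2TOOLS_TCTI selects it).
main() {
    _w=${1:-$(mktemp -d)}
    tpm_make_decrypt_key "$_w"
    printf 'constructed-sample-key-material' > "$_w/secret.bin"        # constructed input
    encrypt_for_tpm "$_w/key.pem" "$_w/secret.bin" "$_w/secret.enc"    # runs anywhere
    tpm_decrypt "$_w/key.ctx" "$_w/secret.enc" "$_w/secret.dec"
    cmp "$_w/secret.bin" "$_w/secret.dec" && echo "round trip OK"
}
if [ "${TPM_DEMO_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run with `TPM_DEMO_RUN=1` on the device; `encrypt_for_tpm` is the only step the remote side performs, so that function and key.pem are all that needs to leave the machine. If the TPM is in DA lockout (as in the thread above) `tpm2_rsadecrypt` fails with 0x921 until the lockout is cleared, since the key has userwithauth set and is DA-protected.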