Possible TPM uses in fprintd/libfprint
by Benjamin Berg
Hi,
I was wondering if someone has ideas about integrating the TPM with
Fingerprint readers.
Recently I started looking into supporting Secure Device Connection
Protocol (SDCP, [1]) in libfprint. The general idea is to verify that
the Fingerprint reader can be trusted, but I initially also imagined
that further use-cases like unsealing data in a TPM may be possible
(e.g. to retrieve disk encryption keys).
However, looking into it more, my current conclusion is that there is
little to no advantage to use the TPM. At least not unless one also has
a trusted (userspace) program which is capable of signing TPM
authorizations. One could easily offload the required parts into a
small helper, but that may require ensuring it runs in a trusted
execution environment.
Microsoft seems to run relevant parts as trustlets that are walled off
from the rest of the system. That seems sensible to me, but it also
means requiring all the infrastructure for execution and signing and I
doubt that is feasible currently.
Right now I'll probably go the way of not using the TPM at all. But I
am really not an expert for this. So should someone see scenarios where
a TPM is actually helpful in this context, then I would like to hear
about them.
Benjamin
PS: A quick summary of how SDCP works:
* Device has a private ECC key that signs the firmware and ephemeral
keys during boot (and is inaccessible afterwards)
* A certificate proofs that this key was provisioned in factory
* Device builds a shared secret with the host (s)
* Device sends id, HMAC_SHA256(s, "identify" || nonce || id)
when the finger "id" was presented.
* The HMAC proofs knowledge of the shared secret and authorizes the
print.
[1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...
2 months, 3 weeks
Calculating name of created AK- server side
by kuba.michal.n@gmail.com
Hello!
I would like to know if it is possible to calculate name of AK generated by host on a remote server? I have read about remote attestation. To ensure the AK matches EK we have to make credential using name of the AK. To achieve this we have to either:
a) calculate name of the AK on server
b) receive name of the AK from host and believe it's a name for a proper AK
Am I missing something?
I have searched for explanation in docs posted on TCG's site, but I just can't find anything useful for nameAlg.
I would be thankful for any help or advice :D
3 months, 1 week
abrmd crashing - how to debug?
by Kenneth Goldman
Ubuntu focal with WSL, abrmd compiled from source
After about 5 minutes of sending commands, abrmd crashes. I originally
found it with keylime, but I can reproduce it with a simple bash loop on
pcrread.
abrmd exits, the tool output is:
** (process:21067): CRITICAL **: 17:25:10.862: failed to allocate dbus
proxy object: Could not connect: Connection refused
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for
function 0x7ff5f6dbbe10 failed with a0008
WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not
initialize TCTI named: tcti-abrmd
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not
initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed
to instantiate TCTI
ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
How would I debug?
I would expect that nothing that a single application does should crash
abrmd.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
5 months, 2 weeks
Re-provision TPM
by Anthony Arrascue
Hello,
I am learning about the TSS and TPM techonologies.
I have provisioned the TPM with the default settings, which means I am now using the ECC profile (P_ECCP256SHA256).
However, encryption was a requirement I needed to fulfill. I just didn't know that ECC encryption is currently not supported and now I realize RSA would be a better fit for me.
So here is my question:
* I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it seems this is not the way to proceed. I get the message that the TPM has been already provisioned. What is the correct way of "changing" profile? Is it even possible or do I need to reset the TPM?
Thank you for your help.
Anthony Arrascue
7 months, 2 weeks
Re: Schema of object.json
by Anthony Arrascue
Hi David,
Thank you for your reply. Do you know if I can find documentation about this?
I found what I believe is the serialization / deserialization of those JSON objects:
https://github.com/tpm2-software/tpm2-tss/blob/04a2853994eb31747c3e19c260...
https://github.com/tpm2-software/tpm2-tss/blob/04a2853994eb31747c3e19c260...
But this encryption process of the PrivK, with the PubKey of the SRK is then somewhere else?
Best,
Anthony
From: David Challener <david.c.challener(a)gmail.com>
Sent: Tuesday, 16 November 2021 16:56
To: Anthony Arrascue <AArrascue(a)neuroloop.de>
Subject: Re: [tpm2] Schema of object.json
I expect the private key is the encrytion of the real private key with the srk oublic key.
On Tue, Nov 16, 2021, 9:31 AM Anthony Arrascue <AArrascue(a)neuroloop.de<mailto:AArrascue@neuroloop.de>> wrote:
Hello,
I am using TPM2-TSS v. 2.4.x and TPM2-TOOLS v. 4.X.
Let’s suppose I create a key running:
tss2_createkey --path=HS/SRK/MyKey --type="sign,noDa,decrypt,system" --authValue=blabla
This creates a folder MyKey in […]/keystore/P_RSA2048SHA256/HS/SRK/MyKey and a file object.json inside.
I was wondering what the public / private keys are?
public":{
"size":278,
"publicArea":{…},
… "unique":"acc645e440fce2b34772dc94658c2b0daf3c18053ecfd7924ef3346dd764d7c5dd91ca207683a5ea884f03adf7e198728c39a8a59f01326a80f768a0f7302dd0b7e37b0c1efa22e8604f85c061c0a81e60ab97edb1e81cdc2b889ad2414045c273ce6af38260a91dd6857013bdffd7e5541a0a9f3221ea6bd1c41f650dd3f52f5cac75e76e0618541c622f48e0967867e1d40c632f5e87600442d7e534390741d4b4f0a9b7ac0a141ce07c0d5d7447c598183d2c48a8bccf9ddb867193518e2cb10c86f03bc996d3b054b383df7f10f2c6d0d070358c72a325e2ad5301ae1f4834160aaefa1cecb3e8e0441e1fb0ab60feefd35e2c9ec6439fdc9a0e5b6456ff"
}
},
…
"serialization":"",
"private":"00201f93bbec6eb3d00f08cb8cafd48dffe6b06150fa45b989072922b2049c962de80010baf3c7683d5039a27cb73036531a869137bc3a57d30b8c348b73ce134eb11066e45803e5ee7bba20192ab4f6881b21004261ab06af37c68a22758284d9d21fc91d49748f6eee1bc8f1011d0e4fd228642e98f3ee65a4161d1cc53af6b0dfb48aafc9cefde1ca8212b08e16b4c15d0a16adc36b19133350f73bace6f12d11c084d9eb953cf9c87d0a2f2b34617a2369ffc9fb299113bba531d9be465e033ec54511cf6b6e3463e84018e40eaded1fa6ad13da671946cd03a567f3",
…
Questions: what is the meaning of the “unique” and “private” keys?
Is there a place where a schema can be found for a key?
The private part cannot be the private key right? It would not make sense that this is stored as plain text.
Thank you very much for any help.
Best,
Anthony Arrascue
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org<mailto:tpm2@lists.01.org>
To unsubscribe send an email to tpm2-leave(a)lists.01.org<mailto:tpm2-leave@lists.01.org>
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
10 months, 2 weeks
Schema of object.json
by Anthony Arrascue
Hello,
I am using TPM2-TSS v. 2.4.x and TPM2-TOOLS v. 4.X.
Let’s suppose I create a key running:
tss2_createkey --path=HS/SRK/MyKey --type="sign,noDa,decrypt,system" --authValue=blabla
This creates a folder MyKey in […]/keystore/P_RSA2048SHA256/HS/SRK/MyKey and a file object.json inside.
I was wondering what the public / private keys are?
public":{
"size":278,
"publicArea":{…},
… "unique":"acc645e440fce2b34772dc94658c2b0daf3c18053ecfd7924ef3346dd764d7c5dd91ca207683a5ea884f03adf7e198728c39a8a59f01326a80f768a0f7302dd0b7e37b0c1efa22e8604f85c061c0a81e60ab97edb1e81cdc2b889ad2414045c273ce6af38260a91dd6857013bdffd7e5541a0a9f3221ea6bd1c41f650dd3f52f5cac75e76e0618541c622f48e0967867e1d40c632f5e87600442d7e534390741d4b4f0a9b7ac0a141ce07c0d5d7447c598183d2c48a8bccf9ddb867193518e2cb10c86f03bc996d3b054b383df7f10f2c6d0d070358c72a325e2ad5301ae1f4834160aaefa1cecb3e8e0441e1fb0ab60feefd35e2c9ec6439fdc9a0e5b6456ff"
}
},
…
"serialization":"",
"private":"00201f93bbec6eb3d00f08cb8cafd48dffe6b06150fa45b989072922b2049c962de80010baf3c7683d5039a27cb73036531a869137bc3a57d30b8c348b73ce134eb11066e45803e5ee7bba20192ab4f6881b21004261ab06af37c68a22758284d9d21fc91d49748f6eee1bc8f1011d0e4fd228642e98f3ee65a4161d1cc53af6b0dfb48aafc9cefde1ca8212b08e16b4c15d0a16adc36b19133350f73bace6f12d11c084d9eb953cf9c87d0a2f2b34617a2369ffc9fb299113bba531d9be465e033ec54511cf6b6e3463e84018e40eaded1fa6ad13da671946cd03a567f3",
…
Questions: what is the meaning of the “unique” and “private” keys?
Is there a place where a schema can be found for a key?
The private part cannot be the private key right? It would not make sense that this is stored as plain text.
Thank you very much for any help.
Best,
Anthony Arrascue
10 months, 2 weeks
tss2_createkey - unable to set persistent handle
by z4pu@pm.me
Hello everyone
I am having issues using the Feature_API to create a key under the `/P_ECCP256SHA256/HS/SRK/` path. This is using `tss2_createkey` as well as using the Feature API programmatically. The issue is that I am able to generate a key at the path, but I am never able to set a persistent handle for it.
I would like to set a persistent handle for my child key as I am looking to use https://github.com/tpm2-software/tpm2-tss-engine/ programmatically. When loading a key using the engine library, according to https://github.com/tpm2-software/tpm2-tss-engine/blob/89327fa8b51962348c4..., I can load a key by:
- specifying the persistent handle or
- providing the path to the encrypted TSS key file.
I am using the following:
- Ubuntu 20.04
- swtpm --version: TPM emulator version 0.7.0, Copyright (c) 2014-2021 IBM Corp. This is running in a Docker container exposing ports 2322 and 2321 using `docker run --name swtpm -p 2322:2322 -p 2321:2321 --rm --detach swtpm:latest`
- https://github.com/tpm2-software/tpm2-tss: latest master branch, based on release 2.4.6
- https://github.com/tpm2-software/tpm2-tools: latest master branch, based on 5.2 2021-09-28
fapi-config.json :
```
{
"profile_name": "P_ECCP256SHA256",
"profile_dir": "/usr/local/etc/tpm2-tss/fapi-profiles/",
"user_dir": "~/.local/share/tpm2-tss/user/keystore",
"system_dir": "/usr/local/var/lib/tpm2-tss/system/keystore",
"tcti": "swtpm:port=2321",
"ek_cert_less":"YES",
"system_pcrs" : [],
"log_dir" : "/usr/local/var/run/tpm2-tss/eventlog/"
}
```
The profiles at /usr/local/etc/tpm2-tss/fapi-profiles are the defaults:
```
cat /usr/local/etc/tpm2-tss/fapi-profiles/P_ECCP256SHA256.json
{
"type": "TPM2_ALG_ECC",
"nameAlg":"TPM2_ALG_SHA256",
"srk_template": "system,restricted,decrypt,0x81000001",
"srk_description": "Storage root key SRK",
"srk_persistent": 0,
"ek_template": "system,restricted,decrypt",
"ek_description": "Endorsement key EK",
"ecc_signing_scheme": {
"scheme":"TPM2_ALG_ECDSA",
"details":{
"hashAlg":"TPM2_ALG_SHA256"
},
},
"sym_mode":"TPM2_ALG_CFB",
"sym_parameters": {
"algorithm":"TPM2_ALG_AES",
"keyBits":"128",
"mode":"TPM2_ALG_CFB"
},
"sym_block_size": 16,
"pcr_selection": [
{ "hash": "TPM2_ALG_SHA1",
"pcrSelect": [ ],
},
{ "hash": "TPM2_ALG_SHA256",
"pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
}
],
"curveID": "TPM2_ECC_NIST_P256",
"ek_policy": {
"description": "Endorsement hierarchy used for policy secret.",
"policy":[
{
"type":"POLICYSECRET",
"objectName": "4000000b",
}
]
}
}
```
I'm also making sure to remove the following folders in between my experiments:
- /usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256
- /root/.local/share/tpm2-tss/user/keystore/P_ECCP256SHA256 (as my Docker container is running as root)
- ~/.local/share/tpm2-tss/user/keystore/P_ECCP256SHA256
The handle I am choosing for the child key is `0x81020001`, based on my reading of Table 7 of and the surrounding text at https://www.trustedcomputinggroup.org/wp-content/uploads/131011-Registry-...
The sequence of commands I am running as root is:
- tss2_provision to provision the TPM
- tpm2_getcap handles-persistent to list the used handles: Output is `- 0x81800000 - 0x81800001`
- tss2_list to confirm that the keys under the hierarchies have been created. Output is `/P_ECCP256SHA256/HN:/P_ECCP256SHA256/HE:/P_ECCP256SHA256/HE/EK:/P_ECCP256SHA256/LOCKOUT:/P_ECCP256SHA256/HS/SRK:/P_ECCP256SHA256/HS`
- tss2_createkey --path="/P_ECCP256SHA256/HS/SRK/device_key" --type="sign, decrypt, noDa, 0x81020001" --authValue=""
- tss2_list again, Output is `/P_ECCP256SHA256/HN:/P_ECCP256SHA256/HE:/P_ECCP256SHA256/HE/EK:/P_ECCP256SHA256/LOCKOUT:/P_ECCP256SHA256/HS/SRK:/P_ECCP256SHA256/HS:/P_ECCP256SHA256/HS/SRK/device_key`
- tpm2_getcap handles-persistent does not list the requested handle: Output is `- 0x81800000 - 0x81800001`
However, when I restart the TPM, and do not provision it, I can run the following commands as root to generate a child key and the parent key with a persistent handle:
- tpm2_getcap handles-persistent: Output is `- 0x81800000 - 0x81800001`
- tpm2_createprimary --hierarchy=o --key-algorithm=ecc256 --key-context=owner_primary.ctx --format=pem --output=owner_primary_public_key.pem
output is
```
name-alg:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
raw: 0x30072
type:
value: ecc
raw: 0x23
curve-id:
value: NIST p256
raw: 0x3
kdfa-alg:
value: null
raw: 0x10
kdfa-halg:
value: (null)
raw: 0x0
scheme:
value: null
raw: 0x10
scheme-halg:
value: (null)
raw: 0x0
sym-alg:
value: aes
raw: 0x6
sym-mode:
value: cfb
raw: 0x43
sym-keybits: 128
x: 9eecfa05a9a8ddadc8adabe4c9ce3d34b60afe0fd35cc799e28badc638cae6ad
y: 30dfc43266c2aa3480f31366ac5d189abf793dae100f30b50b344b7207f03994
```
- tpm2_create --parent-context=owner_primary.ctx --key-algorithm=ecc256 --public=child_public.key --private=child_private.key
Output is
```
name-alg:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
raw: 0x60072
type:
value: ecc
raw: 0x23
curve-id:
value: NIST p256
raw: 0x3
kdfa-alg:
value: null
raw: 0x10
kdfa-halg:
value: (null)
raw: 0x0
scheme:
value: null
raw: 0x10
scheme-halg:
value: (null)
raw: 0x0
sym-alg:
value: null
raw: 0x10
sym-mode:
value: (null)
raw: 0x0
sym-keybits: 0
x: 801553461b62972e1e3894e1baa1d56196774f829285f714a163c63a57a219de
y: ebfd148f186f2560a0a6713b5f6f50bfaa39b7a320304f8620c36bdee4dfa379
```
- tpm2_load --parent-context=owner_primary.ctx --public=child_public.key --private=child_private.key --key-context=child_key.ctx
Output is `name: 000b18738b4a5366d3f863920c7b98db696c723fd88e030b7cad32e1d3ac33e6fb6c`
- tpm2_evictcontrol --hierarchy=o --object-context=child_key.ctx 0x81020001
Output is
```
persistent-handle: 0x81020001
action: persisted
```
- tpm2_evictcontrol --hierarchy=o --object-context=owner_primary.ctx 0x81010001
Output is
```
persistent-handle: 0x81010001
action: persisted
```
- tpm2_getcap handles-persistent
Output is
```
- 0x81010001
- 0x81020001
- 0x81800000
- 0x81800001
```
- tss2_list
Output is an error message
```
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:216:Fapi_List_Finish() Path not found:
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
Fapi_List(0x60034) - fapi:Provisioning was not executed.
```
There isn't anything in `/usr/local/var/run/tpm2-tss/eventlog/` for me to look at, possibly because of the Dockerised setup.
I can later delete these persistent handles using e.g. tpm2_evictcontrol --hierarchy=o --object-context=0x81020001
Thanks very much in advance
Cheers
z.
10 months, 3 weeks
Help implementing "OR" PCR policy using C lib
by michael.g.millsap@intel.com
I'm implementing the sealing of a LUKS key against secure boot PCRs and am trying to enable firmware updates using Esys_PolicyOR(). I can't find any example code. I am currently doing an Esys_PolicyPCR(), followed by Esys_PolicyGetDigest() and then I seal against that digest. How would I add the PolicyOR step? Would I do an Esys_PolicyPCR() & Esys_PolicyGetDigest() for each set of PCR values, followed by a Esys_PolicyOR() and then another Esys_PolicyGetDigest() to get the final digest to seal against? What would the unseal process look like?
Thanks,
Mike
11 months
