Calculating name of created AK- server side
by kuba.michal.n@gmail.com
Hello!
I would like to know if it is possible to calculate name of AK generated by host on a remote server? I have read about remote attestation. To ensure the AK matches EK we have to make credential using name of the AK. To achieve this we have to either:
a) calculate name of the AK on server
b) receive name of the AK from host and believe it's a name for a proper AK
Am I missing something?
I have searched for explanation in docs posted on TCG's site, but I just can't find anything useful for nameAlg.
I would be thankful for any help or advice :D
1 day, 23 hours
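Option (a) from the question above, as an added example that is not part of the original post or of any TCG document: the server takes the marshalled TPMT_PUBLIC of the AK that the host sends, reads nameAlg from the public area itself, computes the name as nameAlg || H_nameAlg(TPMT_PUBLIC), and checks the attribute bits before it uses that name in TPM2_MakeCredential. The RSA marshalling helper, the sample modulus and the attribute value are constructed here for illustration; the layout follows the TPM 2.0 Part 2 structures.

```python
import hashlib
import hmac
import struct

# TPM 2.0 algorithm identifiers (TCG Algorithm Registry)
TPM_ALG_RSA = 0x0001
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
TPM_ALG_RSASSA = 0x0014

# Hash constructors keyed by nameAlg; the name uses whatever the public area says
NAME_ALG_HASHES = {
    TPM_ALG_SHA1: hashlib.sha1,
    TPM_ALG_SHA256: hashlib.sha256,
    0x000C: hashlib.sha384,
    0x000D: hashlib.sha512,
}

# TPMA_OBJECT attribute bits (TPM 2.0 Part 2, section 8.3)
FIXED_TPM = 1 << 1
FIXED_PARENT = 1 << 4
SENSITIVE_DATA_ORIGIN = 1 << 5
USER_WITH_AUTH = 1 << 6
RESTRICTED = 1 << 16
DECRYPT = 1 << 17
SIGN_ENCRYPT = 1 << 18
# What a server should insist on before trusting a key as an AK
AK_REQUIRED = FIXED_TPM | FIXED_PARENT | SENSITIVE_DATA_ORIGIN | RESTRICTED | SIGN_ENCRYPT


def marshal_rsa_public(name_alg, attributes, modulus, auth_policy=b"", key_bits=2048):
    """Marshal a TPMT_PUBLIC for an RSA signing key (RSASSA/SHA-256, no symmetric algorithm).

    Field order: type, nameAlg, objectAttributes, authPolicy (TPM2B), parameters, unique (TPM2B).
    """
    out = struct.pack(">HHI", TPM_ALG_RSA, name_alg, attributes)
    out += struct.pack(">H", len(auth_policy)) + auth_policy   # TPM2B_DIGEST authPolicy
    out += struct.pack(">H", TPM_ALG_NULL)                     # TPMT_SYM_DEF_OBJECT.algorithm = NULL
    out += struct.pack(">HH", TPM_ALG_RSASSA, TPM_ALG_SHA256)  # TPMT_RSA_SCHEME
    out += struct.pack(">HI", key_bits, 0)                     # keyBits, exponent (0 means 2^16 + 1)
    out += struct.pack(">H", len(modulus)) + modulus           # TPM2B_PUBLIC_KEY_RSA unique
    return out


def compute_name(tpmt_public):
    """Name = nameAlg (UINT16 big-endian) || H_nameAlg(marshalled TPMT_PUBLIC, without a size prefix)."""
    name_alg = struct.unpack(">H", tpmt_public[2:4])[0]
    try:
        hash_ctor = NAME_ALG_HASHES[name_alg]
    except KeyError:
        raise ValueError(f"unsupported nameAlg 0x{name_alg:04x}")
    return struct.pack(">H", name_alg) + hash_ctor(tpmt_public).digest()


def parse_attributes(tpmt_public):
    """objectAttributes is the UINT32 right after type and nameAlg."""
    return struct.unpack(">I", tpmt_public[4:8])[0]


def is_acceptable_ak(tpmt_public):
    """Refuse to make a credential for anything that is not a restricted, TPM-bound signing key."""
    attrs = parse_attributes(tpmt_public)
    return (attrs & AK_REQUIRED) == AK_REQUIRED and not (attrs & DECRYPT)


def verify_claimed_name(tpmt_public, claimed_name):
    """Option (b) made safe: never trust a host-supplied name, recompute it and compare."""
    return hmac.compare_digest(compute_name(tpmt_public), claimed_name)


# Constructed sample: a 256-byte modulus stand-in (not a real key) with typical AK attributes
SAMPLE_MODULUS = bytes(range(256))
SAMPLE_AK_ATTRS = 0x00050072  # fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|restricted|sign
SAMPLE_AK_PUBLIC = marshal_rsa_public(TPM_ALG_SHA256, SAMPLE_AK_ATTRS, SAMPLE_MODULUS)

if __name__ == "__main__":
    name = compute_name(SAMPLE_AK_PUBLIC)
    print("AK name:", name.hex())
    print("attributes acceptable for an AK:", is_acceptable_ak(SAMPLE_AK_PUBLIC))
```

The server never needs the host's own claim of the name: the public area is enough, and the same public area is what TPM2_MakeCredential's name argument must match, so a host that sends a name for a different key than the public area it presents is caught by the comparison.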
abrmd crashing - how to debug?
by Kenneth Goldman
Ubuntu focal with WSL, abrmd compiled from source
After about 5 minutes of sending commands, abrmd crashes. I originally
found it with keylime, but I can reproduce it with a simple bash loop on
pcrread.
abrmd exits, the tool output is:
** (process:21067): CRITICAL **: 17:25:10.862: failed to allocate dbus
proxy object: Could not connect: Connection refused
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for
function 0x7ff5f6dbbe10 failed with a0008
WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not
initialize TCTI named: tcti-abrmd
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not
initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed
to instantiate TCTI
ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
How would I debug?
I would expect that nothing that a single application does should crash
abrmd.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
1 month
Re-provision TPM
by Anthony Arrascue
Hello,
I am learning about the TSS and TPM technologies.
I have provisioned the TPM with the default settings, which means I am now using the ECC profile (P_ECCP256SHA256).
However, encryption was a requirement I needed to fulfill. I just didn't know that ECC encryption is currently not supported and now I realize RSA would be a better fit for me.
So here is my question:
* I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it seems this is not the way to proceed. I get the message that the TPM has been already provisioned. What is the correct way of "changing" profile? Is it even possible or do I need to reset the TPM?
Thank you for your help.
Anthony Arrascue
3 months
Research
by joshkalonn567@gmail.com
Good afternoon, I'm on this forum for the first time. I want to spread my story about myself. I'm still studying at university, a future philologist. At the moment I need to write a lot of essays using excel assignment https://writessay.org/excel-homework-help/. I'm very happy that there is such a service today, in which they will help and write an essay very quickly. Therefore, I advise all students who want to write an essay quickly and efficiently to use this service.
8 months, 3 weeks
Essay
by joshkalonn567@gmail.com
Good afternoon, I'm on this forum for the first time. I want to spread my story about myself. I'm still studying at university, a future philologist. At the moment I need to write a lot of essays and I [url=https://writessay.org/write-my-report-for-me/]write my report online[/url]. I'm very happy that there is such a service today, in which they will help and write an essay very quickly. Therefore, I advise all students who want to write an essay quickly and efficiently, to use this service.
8 months, 3 weeks
Re: Example with multifactor authentication available?
by Felix Rubio Dalmau
Hi William,
Sorry for answering so late after your last email. I had to jump to another subject, then holidays... yeah, life I guess! I have started again looking at this matter, and... I do not understand the part of the rescue password and how to use it. I see that using policysecret is the way to go, because it does not set any flag to require a password when the create is issued, but I still do not see how to use it to input a password. In the help of policysecret, it states:
"/TPM2_PolicySecret/ command requires you to pass in the name of the object whose /password/ is required to satisfy the policy"
Does this mean that I should create an object, password-protected, just for the sake of using it later with policysecret?? It sounds weird to me, but I am not skilled enough to properly assess it.
Regards!
Felix
On Monday, 14 June 2021 20:51:14 CEST Roberts, William C wrote:
> Two things, if you need different PCR values than what's on the system, the TPM only cares about the hash of all the banks, so you can just specify that expected hash of the PCR state as argument 3 to tpm2_policypcr as shown in the man page (since 5.0). If on early versions, you can create a binary file, that's a list of binary hashes in order of the PCR selection. Ie if you did sha256:1,2,3, the file would be 3 * 32 bytes in size and contain the hashes of PCR1, 2, 3 in that order. This is the binary format from tpm2_pcrread -o, so if you have a system in the expected state, you can use that to output it, or hand jam it.
>
> policy password just says, hey require a password for this object, and it will be found in the TPM header in the command.
>
> So, the better way would be to look at policysecret, which effectively does the same thing, but puts it in the session
> over the command header. Thus, you can have multiple secrets for an object.
>
> Typically, for a recovery password, folks couple it to the hierarchy the object belongs in via policyauthorize.
>
> ________________________________
> From: Felix Rubio Dalmau <felix(a)kngnt.org>
> Sent: Saturday, June 12, 2021 12:58 AM
> To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
> Subject: [tpm2] Example with multifactor authentication available?
>
>
> Hi everybody!
>
>
> I am still learning about tpm and tpm2-tools. Following the advice from William Roberts, I set the authentication policy up as AND(pcr, password) by doing the following:
>
>
> # create a policy that requires the pcr and the password
>
> tpm2_startauthsession -S session.dat
>
> tpm2_policypcr -S session.dat -l "sha1:0,1,2,3" -L policy.dat
>
> tpm2_policypassword -S session.dat -L policy.dat
>
> tpm2_flushcontext session.dat
>
>
> # and the sealing goes with
>
> echo mysecret | tpm2_create -C primary.ctx -u key.pub -r key.priv -i- -p password -L policy.dat
>
>
> William suggested I should set up a signed policy so that when UEFI gets updated I can regenerate the policy and not find myself locked out of the system, which I understand, but the problem is: to prevent further unlock attempts, after unsealing the secret protected by that policy, I will extend one of the PCR registers... so, if I generate the PCR policy with the live system, I will be using PCR values that have been altered.
>
>
> Now, I have thought of either forcing the EFI updates to happen during the system boot (I download the update, recreate an initramfs including it, and during the following boot, in the unlocking script, the UEFI gets updated and the policy gets created before unlocking), or of having a multi-factor authentication that allows me to get in with either the previous policy or with another policy composed of the previous password and a rescue password. In this case, AND(password1, OR(password2, pcr)), I have written the following statements:
>
>
> # session for auth based on pcr
> tpm2_startauthsession -S session.dat
> tpm2_policypcr -S session.dat -l "sha256:0,1" -L policy.pcr
> tpm2_flushcontext session.dat
> rm session.dat
>
> # session for auth based on rescue password
> tpm2_startauthsession -S session.dat
> tpm2_policypassword -S session.dat -L policy.rescue
> tpm2_flushcontext session.dat
>
> rm session.dat
>
> # compound both policies using OR and require always the password
> tpm2_startauthsession -S session.dat
> tpm2_policyor -S session.dat -L policy.dat sha256:policy.pcr,policy.rescue
> tpm2_policypassword -S session.dat -L policy.dat
> tpm2_flushcontext session.dat
>
> rm session.dat
>
>
>
> I think this is ok, but then... I do not see how to initialize the password policies. Is there any example similar to what I want to achieve?
>
>
> Thank you!
>
> Felix
>
8 months, 3 weeks
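The policy composition in the quoted transcript, worked offline as an added example (not code from the original thread or from tpm2-tools): each `tpm2_policy*` command extends the session's policy digest with a fixed command code and its arguments, so the digests in `policy.pcr`, `policy.rescue` and the final `policy.dat` can be recomputed on the host without a TPM and compared with what the trial sessions produced. The PCR values and the helper names are constructed here; the update rules are those of TPM 2.0 Part 3 (PolicyPCR, PolicyPassword/PolicyAuthValue, PolicyOR) for a SHA-256 session.

```python
import hashlib
import struct

# Command codes used in the policy digest updates (TPM 2.0 Part 2, TPM_CC constants)
TPM_CC_POLICYOR = 0x00000171
TPM_CC_POLICYPCR = 0x0000017F
TPM_CC_POLICYAUTHVALUE = 0x0000016B   # TPM2_PolicyPassword extends with this same code
TPM_ALG_SHA256 = 0x000B
DIGEST_LEN = 32
ZERO_POLICY = bytes(DIGEST_LEN)      # every fresh session starts from an all-zero digest


def marshal_pcr_selection(hash_alg, pcr_indices, select_size=3):
    """TPML_PCR_SELECTION with one entry: count || hashAlg || sizeofSelect || bitmap."""
    bitmap = bytearray(select_size)
    for i in pcr_indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, hash_alg, select_size) + bytes(bitmap)


def policy_pcr(prev, hash_alg, pcr_values):
    """TPM2_PolicyPCR: H(prev || CC || TPML_PCR_SELECTION || H(selected PCR values in index order))."""
    indices = sorted(pcr_values)
    selection = marshal_pcr_selection(hash_alg, indices)
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in indices)).digest()
    return hashlib.sha256(prev + struct.pack(">I", TPM_CC_POLICYPCR) + selection + pcr_digest).digest()


def policy_password(prev):
    """TPM2_PolicyPassword / TPM2_PolicyAuthValue: H(prev || TPM_CC_PolicyAuthValue)."""
    return hashlib.sha256(prev + struct.pack(">I", TPM_CC_POLICYAUTHVALUE)).digest()


def policy_or(branches):
    """TPM2_PolicyOR resets the digest to zeros first: H(0..0 || CC || branch1 || branch2 ...)."""
    if not 2 <= len(branches) <= 8:
        raise ValueError("PolicyOR takes 2 to 8 branch digests")
    return hashlib.sha256(ZERO_POLICY + struct.pack(">I", TPM_CC_POLICYOR) + b"".join(branches)).digest()


def policy_or_admits(session_digest, branches):
    """The TPM only accepts PolicyOR when the session's current digest equals one of the branches."""
    return any(session_digest == b for b in branches)


def compose_and_password_or_pcr_rescue(pcr_values):
    """AND(password, OR(pcr, rescue)) exactly as the three trial sessions in the transcript build it.

    Returns (policy.dat, policy.pcr, policy.rescue).
    """
    branch_pcr = policy_pcr(ZERO_POLICY, TPM_ALG_SHA256, pcr_values)  # tpm2_policypcr -L policy.pcr
    branch_rescue = policy_password(ZERO_POLICY)                       # tpm2_policypassword -L policy.rescue
    combined = policy_or([branch_pcr, branch_rescue])                  # tpm2_policyor sha256:policy.pcr,policy.rescue
    final = policy_password(combined)                                  # tpm2_policypassword -L policy.dat
    return final, branch_pcr, branch_rescue


# Constructed PCR values standing in for `tpm2_pcrread sha256:0,1` output (not real measurements)
SAMPLE_PCRS = {
    0: hashlib.sha256(b"constructed pcr0").digest(),
    1: hashlib.sha256(b"constructed pcr1").digest(),
}

if __name__ == "__main__":
    final, bpcr, brescue = compose_and_password_or_pcr_rescue(SAMPLE_PCRS)
    print("policy.pcr    :", bpcr.hex())
    print("policy.rescue :", brescue.hex())
    print("policy.dat    :", final.hex())
```

Two things the digest arithmetic makes visible. First, PolicyOR discards the running digest, which is why the transcript can build the two branches in throwaway sessions and only needs their output files. Second, both `tpm2_policypassword` calls extend with the same command code and are both satisfied by the sealed object's single authValue, so this construction does not yet introduce a separate rescue secret; that is the gap the earlier reply in the thread addresses with policysecret and policyauthorize.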
TctiLdr_Initialize
by huzaifa.hashim6@gmail.com
I have been trying to use the TCTI for my programs and have even tried compiling the example code given in documentation but cannot seem to get it to compile.
https://www.mankier.com/3/Tss2_TctiLdr_Initialize
This page has example code for the library, but it does not compile and warns about an undefined reference to the library.
Currently trying to compile a standalone file with this:
gcc testcheck.c -L=/usr/local/lib/ -ltss2-esys -ltss2-tcti-device -o testcheck
8 months, 3 weeks
TPM2 PKCS11 integration error for Openstack Barbican
by parimalanitesh@gmail.com
Hello Everyone,
This is Nitesh. I'm working on integrating TPM as a backend to store keys for Openstack Barbican project.
Existing PKCS11 Crypto Plugin procedure to generate the hmac and mkek is https://docs.openstack.org/barbican/stein/install/barbican-backend.html#p....
I'm trying to integrate TPM as backend with TPM2-PKCS11 package for Openstack Barbican. https://github.com/tpm2-software/tpm2-pkcs11
When I try to run "barbican-manage hsm gen_hmac --library-path /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 --passphrase stack --slot-id 1 --label my_hmac_label"
ERROR: cannot load library '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0': /usr/lib64/libtss2-fapi.so.1: undefined symbol: Esys_TRSess_GetAuthRequired. Additionally, ctypes.util.find_library() did not manage to locate a library called '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'
I don't know why I'm getting the error message.
Following are the packages which I've installed
libtss2-esys0-2.3.0-2.41.x86_64
libtss2-tctildr0-2.3.0-2.41.x86_64
libtss2-tcti-tabrmd0-2.0.2-12.18.x86_64
libtss2-fapi1-3.1.0-lp152.116.2.x86_64
libtss2-rc0-2.3.0-2.41.x86_64
tpm2-0-tss-2.3.0-2.41.x86_64
libtss2-mu0-2.3.0-2.41.x86_64
libtss2-tcti-device0-2.3.0-2.41.x86_64
tpm2-tss-engine-1.0.1-2.8.x86_64
libtss2-fapi0-2.4.5-1.11.x86_64
libtss2-sys0-2.3.0-2.41.x86_64
libtss2-tcti-mssim0-2.3.0-2.41.x86_64
libtss2-sys1-3.1.0-lp152.116.2.x86_64
tpm2-pkcs11-tool-1.6.0+git20210503.c2d53cc-lp152.6.1.noarch
tpm2.0-abrmd-2.0.2-12.18.x86_64
tpm2-pkcs11-1.6.0+git20210503.c2d53cc-lp152.6.1.x86_64
tpm2.0-tools-4.1-1.57.x86_64
tpm-tools-pkcs11-1.3.9.1-4.3.1.x86_64
tpm2-pkcs11-tool-1.6.0+git20210503.c2d53cc-lp152.6.1.noarch
openssl-ibmpkcs11-1.0.1-3.6.x86_64
libpkcs11-helper1-1.27.0+git20201117.9fa1503-lp152.38.1.x86_64
pkcs11-helper-1.27.0+git20201117.9fa1503-lp152.38.1.x86_64
Did I miss any package, or is any other configuration required?
I've debugged the error to some extent.
Actually "Esys_TRSess_SetAttributes" is the function which is giving the error at https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-fapi/fapi_...
But that function definition is actually present in "https://github.com/tpm2-software/tpm2-tss/blob/5c178b2b61a05e1873be30cfeb..." and "https://github.com/tpm2-software/tpm2-tss/blob/9288970a3e657cdee85d08d381..."
I see "tss2_esys.h" is not included as a header file in "https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-fapi/fapi_...."
Please let me know what I have to do to resolve this issue.
--
Regards
Nitesh
9 months, 1 week
Re: Is the tpm2_create command safe against sniffing attacks?
by Joseph Lee (ZeronsoftN)
Hi Dimi,
Thank you for your kind answer. Looking at the link you gave, I think I
can get more ideas.
I've been trying session encryption via tpm2-tools all weekend.
But I haven't found a way to create an encrypted session in tpm2-tools
yet. Maybe tpm2-tools doesn't support encrypted sessions?
If this is clear, I will implement parameter encryption through
tpm2-tools with referring to wolfTPM.
Thanks & Regards,
Joseph
------ Original Message ------
From: "Dimitar Tomov" <dimi(a)designfirst.ee>
To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>; "Joseph Lee
(ZeronsoftN)" <joseph(a)zeronsoftn.com>
Sent: 2021-08-02 4:33:02 AM
Subject: [tpm2] Re: Is the tpm2_create command safe against sniffing attacks?
>Hi Joseph,
>
>TPM 2.0 offers Parameter Encryption capability and HMAC sessions as
>measures against Man-in-the-middle attacks.
>
>Examples in wolfTPM demonstrate how to enable Parameter Encryption
>
>
>https://github.com/wolfSSL/wolfTPM/blob/b0a65e44b8a25be88b2f9ff4e35fbf083...
>
>There is also Keygen , Key import and Key loading examples with
>Parameter Encryption
>
>https://github.com/wolfSSL/wolfTPM/blob/b0a65e44b8a25be88b2f9ff4e35fbf083...
>
>Last week we discussed the Dolos Group story about a stolen laptop with
>TPM https://developers.tpm.dev/posts/15883726
>
>If Parameter Encryption and HMAC session have been used, this story
>would have developed differently.
>
>Hope this helps.
>
>Dimi
>--
>Founder of TPM.dev
>
>--------------------------------------------------------------------------------
>From: Joseph Lee (ZeronsoftN) <joseph(a)zeronsoftn.com>
>Sent: Saturday, July 31, 2021 2:09 AM
>To:tpm2@lists.01.org <tpm2(a)lists.01.org>
>Subject: [tpm2] Is the tpm2_create command safe against sniffing
>attacks?
>
>Hello,
>
>https://pulsesecurity.co.nz/articles/TPM-sniffing
>In this article, can see that communication with the TPM is vulnerable
>to sniffing if not careful.
>
>https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html
>Is the disk encryption described in tpm2-software's blog safe against
>these attacks?
>
>tpm2_createprimary -Q -C o -c prim.ctx
>dd if=/dev/urandom bs=1 count=32 status=none | tpm2_create -Q -g sha256
>-u seal.pub -r seal.priv -i- -C prim.ctx
>tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c
>seal.ctx
>tpm2_evictcontrol -C o -c seal.ctx 0x81010001
>
>My question is:
> 1. Is there a tool in linux that can sniff communication with the
>current system's TPM?
> 2. How to encrypt communications if the methods described above are
>not secure?
> It seems that encryption is possible through
>tpm2_startauthsession , but I do not know how to apply it to
>tpm2_create . (The -S option simply did not work.)
>
>Thank you.
>
>
>
>
9 months, 2 weeks
Fwd: Re: authentication error
by parimala nitesh
Hi Fuchs Andreas,
I'm also getting the same error. In my case it is linked against tpm-tss 2.3.
I’m getting the below error.
ERROR: cannot load library '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0':
/usr/lib64/libtss2-fapi.so.1: undefined symbol:
Esys_TRSess_GetAuthRequired. Additionally, ctypes.util.find_library() did
not manage to locate a library called
'/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'
Regards
Nitesh
--
Regards
Nitesh
-- Feel the Nature and get the utmost happiness.......
Live the moment....
9 months, 2 weeks