September 2021 - tpm2

by Benjamin Berg

Hi, I was wondering if someone has ideas about integrating the TPM with Fingerprint readers. Recently I started looking into supporting Secure Device Connection Protocol (SDCP, [1]) in libfprint. The general idea is to verify that the Fingerprint reader can be trusted, but I initially also imagined that further use-cases like unsealing data in a TPM may be possible (e.g. to retrieve disk encryption keys). However, looking into it more, my current conclusion is that there is little to no advantage to use the TPM. At least not unless one also has a trusted (userspace) program which is capable of signing TPM authorizations. One could easily offload the required parts into a small helper, but that may require ensuring it runs in a trusted execution environment. Microsoft seems to run relevant parts as trustlets that are walled off from the rest of the system. That seems sensible to me, but it also means requiring all the infrastructure for execution and signing and I doubt that is feasible currently. Right now I'll probably go the way of not using the TPM at all. But I am really not an expert for this. So should someone see scenarios where a TPM is actually helpful in this context, then I would like to hear about them. Benjamin PS: A quick summary of how SDCP works: * Device has a private ECC key that signs the firmware and ephemeral keys during boot (and is inaccessible afterwards) * A certificate proofs that this key was provisioned in factory * Device builds a shared secret with the host (s) * Device sends id, HMAC_SHA256(s, "identify" || nonce || id) when the finger "id" was presented. * The HMAC proofs knowledge of the shared secret and authorizes the print. [1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...

2 months, 2 weeks

5
7
0 / 0

Calculating name of created AK- server side

by kuba.michal.n＠gmail.com

Hello! I would like to know if it is possible to calculate name of AK generated by host on a remote server? I have read about remote attestation. To ensure the AK matches EK we have to make credential using name of the AK. To achieve this we have to either: a) calculate name of the AK on server b) receive name of the AK from host and believe it's a name for a proper AK Am I missing something? I have searched for explanation in docs posted on TCG's site, but I just can't find anything useful for nameAlg. I would be thankful for any help or advice :D

3 months, 1 week

4
8
2 / 0

abrmd crashing - how to debug?

by Kenneth Goldman

Ubuntu focal with WSL, abrmd compiled from source After about 5 minutes of sending commands, abrmd crashes. I originally found it with keylime, but I can reproduce it with a simple bash loop on pcrread. abrmd exits, the tool output is: ** (process:21067): CRITICAL **: 17:25:10.862: failed to allocate dbus proxy object: Could not connect: Connection refused WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for function 0x7ff5f6dbbe10 failed with a0008 WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not initialize TCTI named: tcti-abrmd ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd" How would I debug? I would expect that nothing that a single application does should crash abrmd. -- Ken Goldman kgoldman(a)us.ibm.com 914-945-2415 (862-2415)

5 months, 1 week

6
13
0 / 0

Re-provision TPM

by Anthony Arrascue

Hello, I am learning about the TSS and TPM techonologies. I have provisioned the TPM with the default settings, which means I am now using the ECC profile (P_ECCP256SHA256). However, encryption was a requirement I needed to fulfill. I just didn't know that ECC encryption is currently not supported and now I realize RSA would be a better fit for me. So here is my question: * I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it seems this is not the way to proceed. I get the message that the TPM has been already provisioned. What is the correct way of "changing" profile? Is it even possible or do I need to reset the TPM? Thank you for your help. Anthony Arrascue

7 months, 1 week

4
5
1 / 0

[Release Announcement] tpm2-openssl 1.0.0

by Petr Gotthard

Hello, I am pleased to announce the release of tpm2-openssl 1.0.0. This is a provider for integration of TPM 2.0 to OpenSSL 3.0, which makes the TPM 2.0 accessible via the standard OpenSSL API and command-line tools. See the README for more details: https://github.com/tpm2-software/tpm2-openssl The release is available here: https://github.com/tpm2-software/tpm2-openssl/releases/tag/1.0.0 Kind Regards, Petr

12 months

1
0
0 / 0

[Release Announcement] tpm2-tools v5.2

by Imran Desai

Hello all, Pleased to announce the release of tpm2-tools v5.2. Thank you to all the contributors. The release is available here: https://github.com/tpm2-software/tpm2-tools/releases/tag/5.2 Please reference the release notes for changes in this release. Thanks, and regards, Imran Desai

12 months

1
0
0 / 0

[RELEASE] tpm2-pkcs11 version 1.7.0

by Roberts, William C

Hello, I would like to announce tpm2-pkcs11 version 1.7.0 with the following changelog: 1.7.0 - 2021-09-27 * DB Schema Change from 5 to 7. - **Backup your DB before upgrading** * Fixed compilation issues with GCC11. * Fixed errors on releases due to newer compilers from failing by only adding `-Werror` for non-release builds. * Fixed error message when the DB is too new in tpm2\_ptool. * Added support for tpm2\_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0. * Changed default long level from error to warning. * Added better error message for FAPI backend errors along with [docs/FAPI.md](docs/FAPI.md) document. * Changed `tpm2_ptool` make `--algorithm` optional. * Fixed error message of wrong attribute name on expected attribute check to be false. * Added support for ECDSA 256, 384 and 512. * Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to CKA\_ALLOWED\_MECHANISMS. * Added tpm2\_ptool support for ECC key size 192. * Added support passwordless login for tokens, ie not setting CKF\_LOGIN\_REQUIRED. * Fixed Running integration tests when Java version has the `-ea`, like on Debian 11 and OpenJDK 17. * Added support for HMAC keys using tpm2\_ptool and the C\_Sign and C\_Verify interfaces. The following interfaces in ptool have support: - addkey: previous working versions of tpm2-tools will support this. - link: previous working versions of tpm2-tools will support this. - import: requires tpm2-tools 5.2+ for support. * Fixed leaking of temp file descriptors in tpm2\_ptool. * Fixed wrong free in tpm code, should use Esys\_Free. * Fixed a space formatting issue in tpm2\_ptool verify. * Fixed leaked file descriptor in tpm2\_ptool. * Fixed a few suspicious sizeof usages in str\_padded\_copy * Fixed a memory leak of the token list on a failure condition in initialization. The release can be found here: - https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.7.0 Thanks, Bill

12 months

1
0
0 / 0

tpm2-pkcs11 : import config from the deprecated tpm2-pk11 project

by Emmanuel Deloget

Hello y'all, I'm trying to import my PKCS11 configuration from the old, fully deprecated project tpm2-pk11. In this setup, the tpm2 holds persistent RSA keys and associate them with adequately named certificates located on the file system. I understand that this should have been done a lot earlier (but then, even a lot earlier would not have change much as the development and even the first distributed products predated the very first commit of tpm2-pkcs11) ; unfortunately days are limited and my todo list is way too long. Keys were generated using tpm2_create a long, long time ago. Since this is a really old setup, I no longer have the key.pub and key.priv files available (they were trashed, as they are no longer useful). I can get the public key through tpm2_readpublic but that won't help me much. Now, the "Interoperability with Existing TPM2 Objects" document proposes a way to init tpm2-pkcs11 using keys that were created with tpm2_create. Unfortunatly, it seems it also requires two things I cannot provide it: * pincodes, for /tpm2_ptool addtoken/ (this is an embedded platform; no pin codes; if I'm forced to add them they'll end up as environment vars anyway so there is no real interest for pincode in this situation) * the key files, for /tpm2_ptool link/ (key.pub and key.priv are no longer available) Is there any other way to import my configuration into tpm2-pkcs11 ? Not being able to do it means that some of our oldest customers will have a bricked hardware (one of the current token is used to identify the hardware and is set during production, so not being able to reload it essentially means that this hardware will not be able to identify itself to our services and will not work at all), and this is a hard sell... Best regards, -- Emmanuel Deloget

12 months

2
1
0 / 0

tpm.dev 2021 conference topic "Enhanced authorization and TPM2 mutable policies"

by Desai, Imran

Hello all, Want to know what TPM2-enhanced-authorization is and how you can have more than one policy for authorizing objects and operations on a TPM? Join me! I will be speaking at tpm.dev 2021 conference on the 22nd of September at 7:00 AM Pacific time. The conference is live September 21st and 22nd at https://hopin.com/events/tpm-dev-2021-conference Thanks, and regards, Imran Desai

1 year

1
0
0 / 0

[RELEASE CANDIDATE] tpm2-pkcs11 1.7.0-rc1

by Roberts, William C

Hello, I would like to announce the release of 1.7.0-rc1 with the following CHANGELOG: ### 1.7.0-rc1 - 2021-09-10 * DB Schema Change from 5 to 7. - **Backup your DB before upgrading** * Fixed compilation issues with GCC11. * Fixed errors on releases due to newer compilers from failing by only adding `-Werror` for non-release builds. * Fixed error message when the DB is too new in tpm2\_ptool. * Added support for tpm2\_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0. * Changed default long level from error to warning. * Added better error message for FAPI backend errors along with [docs/FAPI.md](docs/FAPI.md) document. * Changed `tpm2_ptool` make `--algorithm` optional. * Fixed error message of wrong attribute name on expected attribute check to be false. * Added support for ECDSA 256, 384 and 512. * Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to CKA\_ALLOWED\_MECHANISMS. * Added tpm2\_ptool support for ECC key size 192. * Added support passwordless login for tokens, ie not setting CKF\_LOGIN\_REQUIRED. * Fixed Running integration tests when Java version has the `-ea`, like on Debian 11 and OpenJDK 17. * Added support for HMAC keys using tpm2\_ptool and the C\_Sign and C\_Verify interfaces. The following interfaces in ptool have support: - addkey: previous working versions of tpm2-tools will support this. - link: previous working versions of tpm2-tools will support this. - import: requires tpm2-tools 5.2+ for support. * Fixed leaking of temp file descriptors in tpm2\_ptool. * Fixed wrong free in tpm code, should use Esys\_Free. * Fixed a space formatting issue in tpm2\_ptool verify. * Fixed leaked file descriptor in tpm2\_ptool. * Fixed a few suspicious sizeof usages in str\_padded\_copy * Fixed a memory leak of the token list on a failure condition in initialization. The release can be found at: https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.7.0-rc1 Thanks, Bill

1 year

1
0
0 / 0

2022

2021

2020

2019

2018

2017

tpm2 September 2021