Calculating name of created AK- server side
by kuba.michal.n@gmail.com
Hello!
I would like to know if it is possible to calculate name of AK generated by host on a remote server? I have read about remote attestation. To ensure the AK matches EK we have to make credential using name of the AK. To achieve this we have to either:
a) calculate name of the AK on server
b) receive name of the AK from host and believe it's a name for a proper AK
Am I missing something?
I have searched for explanation in docs posted on TCG's site, but I just can't find anything useful for nameAlg.
I would be thankful for any help or advice :D
1 day, 22 hours
abrmd crashing - how to debug?
by Kenneth Goldman
Ubuntu focal with WSL, abrmd compiled from source
After about 5 minutes of sending commands, abrmd crashes. I originally
found it with keylime, but I can reproduce it with a simple bash loop on
pcrread.
abrmd exits, the tool output is:
** (process:21067): CRITICAL **: 17:25:10.862: failed to allocate dbus
proxy object: Could not connect: Connection refused
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for
function 0x7ff5f6dbbe10 failed with a0008
WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not
initialize TCTI named: tcti-abrmd
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not
initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed
to instantiate TCTI
ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
How would I debug?
I would expect that nothing that a single application does should crash
abrmd.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
1 month
Re-provision TPM
by Anthony Arrascue
Hello,
I am learning about the TSS and TPM techonologies.
I have provisioned the TPM with the default settings, which means I am now using the ECC profile (P_ECCP256SHA256).
However, encryption was a requirement I needed to fulfill. I just didn't know that ECC encryption is currently not supported and now I realize RSA would be a better fit for me.
So here is my question:
* I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it seems this is not the way to proceed. I get the message that the TPM has been already provisioned. What is the correct way of "changing" profile? Is it even possible or do I need to reset the TPM?
Thank you for your help.
Anthony Arrascue
3 months
[RELEASE] tpm2-pkcs11 version 1.7.0
by Roberts, William C
Hello,
I would like to announce tpm2-pkcs11 version 1.7.0 with the following changelog:
1.7.0 - 2021-09-27
* DB Schema Change from 5 to 7.
- **Backup your DB before upgrading**
* Fixed compilation issues with GCC11.
* Fixed errors on releases due to newer compilers from failing by only adding `-Werror` for non-release builds.
* Fixed error message when the DB is too new in tpm2\_ptool.
* Added support for tpm2\_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0.
* Changed default long level from error to warning.
* Added better error message for FAPI backend errors along with [docs/FAPI.md](docs/FAPI.md) document.
* Changed `tpm2_ptool` make `--algorithm` optional.
* Fixed error message of wrong attribute name on expected attribute check to be false.
* Added support for ECDSA 256, 384 and 512.
* Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to
CKA\_ALLOWED\_MECHANISMS.
* Added tpm2\_ptool support for ECC key size 192.
* Added support passwordless login for tokens, ie not setting CKF\_LOGIN\_REQUIRED.
* Fixed Running integration tests when Java version has the `-ea`, like on Debian 11 and OpenJDK 17.
* Added support for HMAC keys using tpm2\_ptool and the C\_Sign and C\_Verify interfaces.
The following interfaces in ptool have support:
- addkey: previous working versions of tpm2-tools will support this.
- link: previous working versions of tpm2-tools will support this.
- import: requires tpm2-tools 5.2+ for support.
* Fixed leaking of temp file descriptors in tpm2\_ptool.
* Fixed wrong free in tpm code, should use Esys\_Free.
* Fixed a space formatting issue in tpm2\_ptool verify.
* Fixed leaked file descriptor in tpm2\_ptool.
* Fixed a few suspicious sizeof usages in str\_padded\_copy
* Fixed a memory leak of the token list on a failure condition in initialization.
The release can be found here:
- https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.7.0
Thanks,
Bill
7 months, 3 weeks
tpm2-pkcs11 : import config from the deprecated tpm2-pk11 project
by Emmanuel Deloget
Hello y'all,
I'm trying to import my PKCS11 configuration from the old, fully deprecated
project tpm2-pk11. In this setup, the tpm2 holds persistent RSA keys and
associate them with adequately named certificates located on the file
system. I understand that this should have been done a lot earlier (but
then, even a lot earlier would not have change much as the development and
even the first distributed products predated the very first commit of
tpm2-pkcs11) ; unfortunately days are limited and my todo list is way too
long.
Keys were generated using tpm2_create a long, long time ago.
Since this is a really old setup, I no longer have the key.pub and key.priv
files available (they were trashed, as they are no longer useful). I can
get the public key through tpm2_readpublic but that won't help me much.
Now, the "Interoperability with Existing TPM2 Objects" document proposes a
way to init tpm2-pkcs11 using keys that were created with tpm2_create.
Unfortunatly, it seems it also requires two things I cannot provide it:
* pincodes, for /tpm2_ptool addtoken/ (this is an embedded platform; no
pin codes; if I'm forced to add them they'll end up as environment vars
anyway so there is no real interest for pincode in this situation)
* the key files, for /tpm2_ptool link/ (key.pub and key.priv are no
longer available)
Is there any other way to import my configuration into tpm2-pkcs11 ? Not
being able to do it means that some of our oldest customers will have a
bricked hardware (one of the current token is used to identify the hardware
and is set during production, so not being able to reload it essentially
means that this hardware will not be able to identify itself to our
services and will not work at all), and this is a hard sell...
Best regards,
-- Emmanuel Deloget
7 months, 3 weeks
[RELEASE CANDIDATE] tpm2-pkcs11 1.7.0-rc1
by Roberts, William C
Hello,
I would like to announce the release of 1.7.0-rc1 with the following CHANGELOG:
### 1.7.0-rc1 - 2021-09-10
* DB Schema Change from 5 to 7.
- **Backup your DB before upgrading**
* Fixed compilation issues with GCC11.
* Fixed errors on releases due to newer compilers from failing by only adding `-Werror` for non-release builds.
* Fixed error message when the DB is too new in tpm2\_ptool.
* Added support for tpm2\_ptool import with ssh-keygen format keys. Note: Requires cryptography >= 3.0.
* Changed default long level from error to warning.
* Added better error message for FAPI backend errors along with [docs/FAPI.md](docs/FAPI.md) document.
* Changed `tpm2_ptool` make `--algorithm` optional.
* Fixed error message of wrong attribute name on expected attribute check to be false.
* Added support for ECDSA 256, 384 and 512.
* Fixed a bug in the Python code DB upgrade path from 4 to 5 where it didn't add AES mode CTR to
CKA\_ALLOWED\_MECHANISMS.
* Added tpm2\_ptool support for ECC key size 192.
* Added support passwordless login for tokens, ie not setting CKF\_LOGIN\_REQUIRED.
* Fixed Running integration tests when Java version has the `-ea`, like on Debian 11 and OpenJDK 17.
* Added support for HMAC keys using tpm2\_ptool and the C\_Sign and C\_Verify interfaces.
The following interfaces in ptool have support:
- addkey: previous working versions of tpm2-tools will support this.
- link: previous working versions of tpm2-tools will support this.
- import: requires tpm2-tools 5.2+ for support.
* Fixed leaking of temp file descriptors in tpm2\_ptool.
* Fixed wrong free in tpm code, should use Esys\_Free.
* Fixed a space formatting issue in tpm2\_ptool verify.
* Fixed leaked file descriptor in tpm2\_ptool.
* Fixed a few suspicious sizeof usages in str\_padded\_copy
* Fixed a memory leak of the token list on a failure condition in initialization.
The release can be found at:
https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.7.0-rc1
Thanks,
Bill
8 months, 1 week
CFLAGS and LIBS defines for tss versus other tpm2 projects
by Roberts, William C
So in all of the projects that need libcrypto, the configure.ac check using PKG_CHECK_MODULES
uses "CRYPTO" except tss project which uses LIBCRYPT. This means that when exporting variables
for building against a custom libcrypto, the variables will be LIBCRYPTO_CFLAGS and LIBCRYPTO_LIBS,
where as all the other projects are just CRYPTO_CFLAGS and CRYPTO_LIBS. While it's not difficult to
set both variables, I was wondering if we could unify this around CRYPTO (without the lib prefix) and
if we consider configure.ac to be stable, ie if we made this change would we make someones life miserable?
Thanks,
Bill
Configure.ac snippets below.
tpm2-openssl/configure.ac:PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 3.0.0],
tpm2-pkcs11/configure.ac:PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
tpm2-tools/configure.ac:PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
tpm2-tss/configure.ac: PKG_CHECK_MODULES([LIBCRYPTO],
tpm2-tss/configure.ac: [PKG_CHECK_MODULES([LIBCRYPTO],[libcrypto])])
tpm2-tss-engine/configure.ac:PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],
8 months, 1 week