Calculating name of created AK- server side
by kuba.michal.n@gmail.com
Hello!
I would like to know if it is possible to calculate the name of an AK generated by a host on a remote server. I have read about remote attestation. To ensure the AK matches the EK we have to make a credential using the name of the AK. To achieve this we have to either:
a) calculate the name of the AK on the server
b) receive the name of the AK from the host and believe it's the name of a proper AK
Am I missing something?
I have searched for an explanation in the docs posted on TCG's site, but I just can't find anything useful about nameAlg.
I would be thankful for any help or advice :D
1 day, 23 hours
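How a verifier can derive the AK name itself from the public area the host sends, as an added example that is not part of the original post: per the TPM 2.0 Library Specification, an object's Name is its nameAlg identifier followed by the nameAlg hash of the marshalled TPMT_PUBLIC, so the server never has to take the host's word for it. The TPM2B_PUBLIC input format (size prefix plus payload) and the constructed sample key below are assumptions of this example.

```python
import hashlib
import hmac
import struct

# TPM_ALG_ID values of the hash algorithms that may appear as nameAlg.
NAME_ALG_TO_HASH = {0x0004: "sha1", 0x000B: "sha256",
                    0x000C: "sha384", 0x000D: "sha512"}


def compute_name(tpm2b_public: bytes) -> bytes:
    """Name = nameAlg (2-byte big-endian TPM_ALG_ID) || H_nameAlg(TPMT_PUBLIC).

    Input is a marshalled TPM2B_PUBLIC: a 2-byte size followed by the
    TPMT_PUBLIC payload (the format tpm2-tools writes for the -u public file).
    """
    if len(tpm2b_public) < 6:
        raise ValueError("blob too short to be a TPM2B_PUBLIC")
    size = struct.unpack(">H", tpm2b_public[:2])[0]
    tpmt_public = tpm2b_public[2:2 + size]
    if len(tpmt_public) != size:
        raise ValueError("TPM2B_PUBLIC size prefix does not match payload")
    # TPMT_PUBLIC begins with type (2 bytes) then nameAlg (2 bytes).
    name_alg = struct.unpack(">H", tpmt_public[2:4])[0]
    if name_alg not in NAME_ALG_TO_HASH:
        raise ValueError(f"unsupported nameAlg 0x{name_alg:04x}")
    digest = hashlib.new(NAME_ALG_TO_HASH[name_alg], tpmt_public).digest()
    return tpmt_public[2:4] + digest


def name_matches(claimed_name: bytes, tpm2b_public: bytes) -> bool:
    """Constant-time check of a host-claimed name against the derived one."""
    return hmac.compare_digest(claimed_name, compute_name(tpm2b_public))


# Constructed sample: ECC P-256 / SHA-256 AK-style TPMT_PUBLIC with dummy
# point coordinates (not a real key), wrapped in a TPM2B_PUBLIC size prefix.
_TPMT = (
    b"\x00\x23"                            # type = TPM_ALG_ECC
    + b"\x00\x0b"                          # nameAlg = TPM_ALG_SHA256
    + b"\x00\x05\x00\x72"                  # objectAttributes: fixedTPM|fixedParent|
                                           #   sensitiveDataOrigin|userWithAuth|restricted|sign
    + b"\x00\x00"                          # authPolicy: empty TPM2B_DIGEST
    + b"\x00\x10"                          # parameters.symmetric = TPM_ALG_NULL
    + b"\x00\x18\x00\x0b"                  # parameters.scheme = ECDSA/SHA256
    + b"\x00\x03"                          # parameters.curveID = TPM_ECC_NIST_P256
    + b"\x00\x10"                          # parameters.kdf = TPM_ALG_NULL
    + b"\x00\x20" + bytes(range(32))       # unique.x, 32 constructed bytes
    + b"\x00\x20" + bytes(range(32, 64))   # unique.y, 32 constructed bytes
)
SAMPLE_TPM2B_PUBLIC = struct.pack(">H", len(_TPMT)) + _TPMT
```

The derived name is what goes into TPM2_MakeCredential on the server side; a host can only decrypt the resulting credential if the AK with exactly that name is loaded under the EK.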
abrmd crashing - how to debug?
by Kenneth Goldman
Ubuntu focal with WSL, abrmd compiled from source
After about 5 minutes of sending commands, abrmd crashes. I originally
found it with keylime, but I can reproduce it with a simple bash loop on
pcrread.
abrmd exits, the tool output is:
** (process:21067): CRITICAL **: 17:25:10.862: failed to allocate dbus
proxy object: Could not connect: Connection refused
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for
function 0x7ff5f6dbbe10 failed with a0008
WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not
initialize TCTI named: tcti-abrmd
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not
initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed
to instantiate TCTI
ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
How would I debug?
I would expect that nothing that a single application does should crash
abrmd.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
1 month
tpm2_flushcontext stuck
by Han
Hi,
I'm using tpm2-tools 5.0 in Debian 11 Bullseye based Raspberry Pi OS. I'm
trying to run tpm2_flushcontext but the command got stuck and it's not
showing anything. Is the data in TPM corrupted? How can I check?
$ sudo tpm2_flushcontext 0x80000000
< no output at all and stuck here >
(note: the handle 0x80000000 was obtained from previous command output when
I was running previous version tpm2-tools 3.1.3 on Debian 10 Buster based
OS:
$ sudo tpm2_createprimary -H o -g sha256 -G ecc -C context.out
ObjectAttribute: 0x00030072
CreatePrimary Succeed ! Handle: 0x80000000)
1 month, 3 weeks
Re-provision TPM
by Anthony Arrascue
Hello,
I am learning about the TSS and TPM technologies.
I have provisioned the TPM with the default settings, which means I am now using the ECC profile (P_ECCP256SHA256).
However, encryption was a requirement I needed to fulfill. I just didn't know that ECC encryption is currently not supported and now I realize RSA would be a better fit for me.
So here is my question:
* I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it seems this is not the way to proceed. I get the message that the TPM has been already provisioned. What is the correct way of "changing" profile? Is it even possible or do I need to reset the TPM?
Thank you for your help.
Anthony Arrascue
3 months
[RELEASE] tpm2-pytss version 1.0.0
by Roberts, William C
Hello,
I am pleased to announce the release of tpm2-pytss version 1.0.0 with the following changelog:
## [1.0.0] - 2022-01-24
### Added
- Bindings to the Enhanced System (ESAPI) API.
- Bindings to the Feature (FAPI) API.
- Bindings to Dynamic TCTI Loading (TCTILdr) API.
- Bindings to Marshalling and Unmarshalling (MU) API.
- Bindings to rc-decode.
- tpm2-tools context file loading support.
- TSS2 PEM format support. This file format is used in OpenSSL Engine and Provider projects.
- Utility routines for: TPM Less Make Credential, sensitive wrapping and unwrapping (import and duplication helpers).
The release can be found in pypi here:
- https://pypi.org/project/tpm2-pytss/1.0.0/
The documentation can be found on "read the docs" here:
- https://tpm2-pytss.readthedocs.io/en/1.0.0/
Thanks,
Bill
3 months, 3 weeks
[RELEASE CANDIDATE] tpm2-tss-engine 1.2.0-rc0
by Fuchs, Andreas
Hi everyone,
I just tagged tpm2-tss-engine 1.2.0-rc0 that can be found here: https://github.com/tpm2-software/tpm2-tss-engine/releases/tag/1.2.0-rc0
NOTE: I changed the tag-scheme from v1.1.0 to 1.2.0 (i.e. removed the leading v) in order to use "git describe" during configure.ac
If this breaks anything for you badly, please get in touch.
For convenience, here's the changelog:
### Changed or Fixed
- Updated minimal version of tpm2-tss to 2.4.x
- Fix encoding of emptyauth
- Fix some memory leaks
- Change parent handle to BIGNUM
### Added
- Use of restricted keys for signing
- StirRandom
- Run tests using swtpm
- The ability to import key blobs from things like the tpm2-tools project.
- Compatibility with openssl >=1.1.x
- Support for ECDH
- Fix QNX build issues.
- Only set -Werror for non-release builds.
- Additional checks on TPM responses
- CODE_OF_CONDUCT
Best regards,
Andreas
4 months, 1 week
Re: tpm2_nvdefine fails with inconsistent attributes...
by Kenneth Goldman
Correct. Unless you are the platform firmware, you don't typically have access to the platform hierarchy. It's reserved for use of the platform OEM.
Post-OS applications use either the storage or endorsement hierarchy.
From: Steven Clark <davolfman(a)gmail.com>
Sent: Monday, January 10, 2022 4:09 PM
To: Kenneth Goldman <kgoldman(a)us.ibm.com>
Cc: Sievert, James <james.sievert(a)bsci.com>; tpm2 <tpm2(a)lists.01.org>
Subject: [EXTERNAL] Re: [tpm2] Re: tpm2_nvdefine fails with inconsistent attributes...
It might also just be attempting to use platform authorization on real hardware while not being the system firmware. UEFI tends to lock out the platform on every boot because that's what it's supposed to do?
On Fri, Dec 3, 2021, 6:52 AM Kenneth Goldman <kgoldman(a)us.ibm.com> wrote:
My guess is that you do not set the TPMA_NVA_PLATFORMCREATE attribute.
The IBM utility sets it for you when the platform hierarchy authorizes the command, since it must be set.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
From: "Sievert, James" <james.sievert(a)bsci.com>
To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
Date: 12/03/2021 09:37 AM
Subject: [EXTERNAL] [tpm2] tpm2_nvdefine fails with inconsistent attributes...
________________________________
Hi,
I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following command which is returning an inconsistent attributes error:
bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:333:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x00000182)
ERROR: Failed to define NV area at index 0x1000025
ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine
and yes, I am attempting to define the index using the platform hierarchy. This does work using the IBM utilities.
Here are the current properties:
bsci@ip-10-132-42-225:~$ tpm2_getcap properties-variable
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x6
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x11
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xD
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
Any insight would be appreciated.
Thanks!
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
4 months, 1 week
[RELEASE CANDIDATES] tpm2-tss 3.2.0-rc0 3.1.1-rc0 3.0.5-rc0
by Fuchs, Andreas
Hi all,
I wanted to announce that I've just tagged versions 3.2.0-rc0 3.1.1-rc0 and 3.0.5-rc0 of the tpm2-tss project.
You can find the tags in git and here: https://github.com/tpm2-software/tpm2-tss/releases
For your convenience, here are the changelog-changes for the 3.2.0 minor release:
## [3.2.0-rc0] - 2022-01-13
### Fixed
- Fixed file descriptor leak when tcti initialization failed.
- 32 Bit builds of the integration tests.
- Primary key creation, in some cases the unique field was not cleared before calling create primary.
- Primary keys that were used for signing an object were cleared after loading, so access e.g. to the certificate did not work.
- Primary keys created with Fapi_Create with an auth value, the auth_value was not used in inSensitive to recreate the primary key. Now the auth value callback is used to initialize inSensitive.
- The not possible usage of policies for primary keys generated with Fapi_CreatePrimary has been fixed.
- An infinite loop when parsing erroneous JSON was fixed in FAPI.
- A buffer overflow in ESAPI xor parameter obfuscation was fixed.
- Certificates could be read only once in one application. Setting the init state of the state automaton for getting certificates was fixed.
- A double free when executing policy action was fixed.
- A leak in Fapi_Quote was fixed.
- The wrong file locking in FAPI IO was fixed.
- Enable creation of tss group and user on systems with busybox for fapi.
- One fapi integration test did change the auth value of the storage hierarchy.
- A leak in fapi crypto with ossl3 was fixed.
- Add initial Camellia support to FAPI
- Fix tests of fapi PCR
- Fix tests of ACT functionality if not supported by pTPM
- Fix compiler (unused) warning when building without debug logging
- Fix leaks in error cases of integration tests
- Fix memory leak after ifapi_init_primary_finish failed
- Fix double-close of stream in FAPI
- Fix segfault when ESYS_TR_NONE is passed to Esys_TR_GetName
- Fix the authorization of hierarchy objects used in policy secret.
- Fix check of qualifying data in Fapi_VerifyQuote.
- Fix some leaks in FAPI error cases.
- Make scripts compatible with non-posix shells where `test` does not know `-a` and `-o`.
- Fix usage of variable not initialized when fapi keystore is empty.
### Added
- Added support for SM2, SM3 and SM4.
- Added support for OpenSSL 3.0.0.
- Added authPolicy field to the TPMU_CAPABILITIES union.
- Added actData field to the TPMU_CAPABILITIES union.
- Added TPM2_CAP_AUTH_POLICIES
- Added TPM2_CAP_ACT constants.
- Added updates to the marshalling and unmarshalling of the TPMU_CAPABILITIES union.
- Added updates to the FAPI serializations and deserializations of the TPMU_CAPABILITIES union and associated types.
- Add CODE_OF_CONDUCT
- tcti-mssim and tcti-swtpm gained support for UDX communication
- Missing constant for TPM2_RH_PW
### Removed
- Removed support for OpenSSL < 1.1.0.
- Marked TPMS_ALGORITHM_DESCRIPTION and corresponding MU routines as deprecated.
Those were erroneous typedefs that are not used and not useful, so we will remove them with 3.3.
- Marked TPM2_RS_PW as deprecated. Use TPM2_RH_PW instead.
Best regards,
Andreas
4 months, 1 week
Re: tpm2_nvdefine fails with inconsistent attributes...
by Kenneth Goldman
My guess is that you do not set the TPMA_NVA_PLATFORMCREATE attribute.
The IBM utility sets it for you when the platform hierarchy authorizes the
command, since it must be set.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
From: "Sievert, James" <james.sievert(a)bsci.com>
To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
Date: 12/03/2021 09:37 AM
Subject: [EXTERNAL] [tpm2] tpm2_nvdefine fails with inconsistent
attributes...
Hi,
I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following
command which is returning an inconsistent attributes error:
bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:333:Esys_NV_DefineSpace_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace()
Esys Finish ErrorCode (0x00000182)
ERROR: Failed to define NV area at index 0x1000025
ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine
and yes, I am attempting to define the index using the platform hierarchy.
This does work using the IBM utilities.
Here are the current properties:
bsci@ip-10-132-42-225:~$ tpm2_getcap properties-variable
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x6
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x11
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xD
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
Any insight would be appreciated.
Thanks!
4 months, 1 week
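The rule Ken describes in the tpm2_nvdefine thread above (both copies of it), as an added example that is not from any of the thread's participants: a pre-flight check of the TPMA_NV attribute word against the authorizing hierarchy, plus a decoder for the format-1 return code 0x182 that tpm2_nvdefine reported. Bit positions and handle constants follow the TPM 2.0 Library Specification Part 2; the attribute names in the table are this example's own spellings.

```python
# TPMA_NV bit positions (TPM 2.0 Library Spec, Part 2, TPMA_NV).
TPMA_NV = {
    "ppwrite": 1 << 0,      "ownerwrite": 1 << 1,    "authwrite": 1 << 2,
    "policywrite": 1 << 3,  "policydelete": 1 << 10, "writelocked": 1 << 11,
    "writeall": 1 << 12,    "writedefine": 1 << 13,  "write_stclear": 1 << 14,
    "globallock": 1 << 15,  "ppread": 1 << 16,       "ownerread": 1 << 17,
    "authread": 1 << 18,    "policyread": 1 << 19,   "no_da": 1 << 25,
    "orderly": 1 << 26,     "clear_stclear": 1 << 27, "readlocked": 1 << 28,
    "written": 1 << 29,     "platformcreate": 1 << 30, "read_stclear": 1 << 31,
}
TPM_RH_OWNER, TPM_RH_PLATFORM = 0x40000001, 0x4000000C


def decode_nv_attrs(attrs: int) -> set:
    """Names of the TPMA_NV flags set in a 32-bit attribute word."""
    return {name for name, bit in TPMA_NV.items() if attrs & bit}


def check_define_space(auth_handle: int, attrs: int) -> list:
    """Mirror the TPM2_NV_DefineSpace consistency rules behind the
    TPM_RC_ATTRIBUTES (0x182) seen in the thread: PLATFORMCREATE must be
    SET when the platform hierarchy authorizes the define and CLEAR when
    the owner hierarchy does, and some write authorization must exist.
    Returns a list of human-readable problems (empty means consistent)."""
    problems = []
    pc = bool(attrs & TPMA_NV["platformcreate"])
    if auth_handle == TPM_RH_PLATFORM and not pc:
        problems.append("platform hierarchy requires TPMA_NV_PLATFORMCREATE")
    if auth_handle == TPM_RH_OWNER and pc:
        problems.append("owner hierarchy forbids TPMA_NV_PLATFORMCREATE")
    write_bits = (TPMA_NV["ppwrite"] | TPMA_NV["ownerwrite"]
                  | TPMA_NV["authwrite"] | TPMA_NV["policywrite"])
    if not attrs & write_bits:
        problems.append("no write authorization (pp/owner/auth/policywrite)")
    return problems


def decode_rc(rc: int) -> str:
    """Decode a format-1 TPM return code such as 0x182 into its parts:
    bit 7 = format 1, bits 0-5 = error, bit 6 = parameter (else handle,
    or session when bit 11 is set), bits 8-10/11 = handle/param number."""
    if not rc & 0x80:
        return f"format-0 code 0x{rc:x}"
    err = rc & 0x3F
    is_param = bool(rc & 0x40)
    kind = "parameter" if is_param else ("session" if rc & 0x800 else "handle")
    number = (rc >> 8) & (0xF if is_param else 0x7)
    names = {0x02: "TPM_RC_ATTRIBUTES (inconsistent attributes)"}
    return f"{kind}({number}): {names.get(err, f'error 0x{err:02x}')}"
```

Running check_define_space(TPM_RH_PLATFORM, attrs) on the attribute word tpm2_nvdefine would send reproduces the thread's failure whenever platformcreate is absent, which is the case Ken's reply points at.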