Possible TPM uses in fprintd/libfprint
by Benjamin Berg
Hi,
I was wondering if someone has ideas about integrating the TPM with
Fingerprint readers.
Recently I started looking into supporting Secure Device Connection
Protocol (SDCP, [1]) in libfprint. The general idea is to verify that
the Fingerprint reader can be trusted, but I initially also imagined
that further use-cases like unsealing data in a TPM may be possible
(e.g. to retrieve disk encryption keys).
However, looking into it more, my current conclusion is that there is
little to no advantage in using the TPM. At least not unless one also has
a trusted (userspace) program which is capable of signing TPM
authorizations. One could easily offload the required parts into a
small helper, but that may require ensuring it runs in a trusted
execution environment.
Microsoft seems to run relevant parts as trustlets that are walled off
from the rest of the system. That seems sensible to me, but it also
means requiring all the infrastructure for execution and signing and I
doubt that is feasible currently.
Right now I'll probably go the way of not using the TPM at all. But I
am really not an expert for this. So should someone see scenarios where
a TPM is actually helpful in this context, then I would like to hear
about them.
Benjamin
PS: A quick summary of how SDCP works:
* Device has a private ECC key that signs the firmware and ephemeral keys during boot (and is inaccessible afterwards)
* A certificate proves that this key was provisioned in the factory
* Device builds a shared secret with the host (s)
* Device sends id, HMAC_SHA256(s, "identify" || nonce || id) when the finger "id" was presented.
* The HMAC proves knowledge of the shared secret and authorizes the print.
[1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...
1 week, 5 days
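The host-side half of the identify step summarised in the post above, as an added example that is not code from libfprint or from Microsoft's SDCP implementation. It assumes the shared secret s has already been established (here it is a constructed random value), issues one fresh nonce per identify request, and checks `HMAC_SHA256(s, "identify" || nonce || id)` in constant time; `HostSession` and `identify_mac` are names chosen for this example. The `demo()` function walks through the genuine-device, replay, rogue-device and unsolicited-message cases so the point of the nonce is visible.

```python
import hashlib
import hmac
import os

# Added example (not code from libfprint or Microsoft's SDCP). It models only
# the host-side check of the identify message from the summary above:
#   HMAC_SHA256(s, "identify" || nonce || id)
# The shared secret s is a constructed random value here; in SDCP it comes
# from the key agreement with the device. HostSession is this example's name.


def identify_mac(shared_secret: bytes, nonce: bytes, finger_id: bytes) -> bytes:
    """What the device sends alongside id when finger `id` was presented."""
    msg = b"identify" + nonce + finger_id
    return hmac.new(shared_secret, msg, hashlib.sha256).digest()


class HostSession:
    """Host side: one outstanding nonce per identify request, consumed on use."""

    def __init__(self, shared_secret: bytes) -> None:
        self._s = shared_secret
        self._outstanding = None  # nonce issued for the current request, if any

    def new_nonce(self) -> bytes:
        self._outstanding = os.urandom(32)
        return self._outstanding

    def verify_identify(self, finger_id: bytes, mac: bytes) -> bool:
        """Accept the match only if the MAC covers the nonce this host issued."""
        nonce = self._outstanding
        if nonce is None:
            return False
        self._outstanding = None  # single use: the same MAC cannot be replayed
        expected = identify_mac(self._s, nonce, finger_id)
        return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Run the genuine, replayed, rogue-device and unsolicited cases."""
    s = os.urandom(32)  # constructed stand-in for the SDCP shared secret
    host = HostSession(s)

    # Genuine device: holds s and answers the host's fresh nonce.
    nonce = host.new_nonce()
    device_mac = identify_mac(s, nonce, b"finger-07")
    genuine = host.verify_identify(b"finger-07", device_mac)

    # Replay: the same MAC presented again for a new request.
    host.new_nonce()
    replay = host.verify_identify(b"finger-07", device_mac)

    # Rogue device: does not know s, so its MAC cannot match.
    nonce = host.new_nonce()
    rogue_mac = identify_mac(os.urandom(32), nonce, b"finger-07")
    rogue = host.verify_identify(b"finger-07", rogue_mac)

    # No request outstanding: any MAC is rejected.
    unsolicited = host.verify_identify(b"finger-07", device_mac)

    return {"genuine": genuine, "replay": replay, "rogue": rogue,
            "unsolicited": unsolicited}


if __name__ == "__main__":
    print(demo())
```

The nonce is what makes the MAC a proof of a live device rather than a reusable token; the single-use bookkeeping in `verify_identify` is the part an implementation must not skip.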
[RC] tpm2-pytss 1.0.0-rc1
by Roberts, William C
Hello,
I am pleased to announce the release of the tpm2-pytss (python bindings and utilities) version 1.0.0 RC 1 with the following CHANGELOG over RC0:
## [1.0.0-rc1] - 2022-01-10
### Fixed:
- Misspellings in Code on things like RuntimeError.
- Fix documentation of ESAPI methods and exceptions.
- Double ESAPI.Close call resulting in "Esys_Finalize() Finalizing NULL context."
- type hint for verify_signature was an int, should be a str.
- Parent cdata memory being freed when no parent reference. This causes sub-field references to parent cdata to be invalid.
- in util method unwrap, fix variable `encdupsens` does not exist, it is `decsens` instead.
### Changed:
- Renamed ESAPI.set_auth to ESAPI.tr_set_auth for consistency.
- Use None over 0 for default auth_handle.
### Added:
- Check for bad type enum type in ESAPI.load_blob.
- Support for deprecation of `TPM2_RH_PW` in tpm2-tss with proper TPM2_RS_PW attribute.
The release can be found here:
- https://pypi.org/project/tpm2-pytss/1.0.0rc1/
Sorry for the long delay on this RC period, we wanted to make sure we got as many bugs and broken things before the 1.0 release to help minimize breaking changes in the future.
Thanks,
Bill
1 week, 5 days
Calculating name of created AK- server side
by kuba.michal.n@gmail.com
Hello!
I would like to know if it is possible to calculate the name of an AK generated by the host on a remote server? I have read about remote attestation. To ensure the AK matches the EK, we have to make a credential using the name of the AK. To achieve this we have to either:
a) calculate the name of the AK on the server
b) receive the name of the AK from the host and believe it is the name of a proper AK
Am I missing something?
I have searched for explanation in docs posted on TCG's site, but I just can't find anything useful for nameAlg.
I would be thankful for any help or advice :D
2 weeks, 1 day
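An added example, not code from tpm2-tss or tpm2-pytss, showing what option a) involves. A TPM 2.0 object Name is the nameAlg identifier followed by the nameAlg hash of the marshaled TPMT_PUBLIC, so a server that receives the AK's TPM2B_PUBLIC can compute the Name itself and never has to trust a name the host reports. Because the Name commits to the object attributes, the server should also check those (restricted, sign, fixedTPM, ...) before using the Name in MakeCredential. The code is stdlib-only and runs without a TPM; the modulus is a constructed byte string rather than a real key, and all function names are this example's own.

```python
import hashlib
import hmac
import struct

# Added example, not code from tpm2-tss or tpm2-pytss. Stdlib-only so it runs
# without a TPM; the modulus is a constructed byte string, not a real key.

# TPM_ALG_ID values from the TCG Algorithm Registry.
TPM2_ALG_RSA = 0x0001
TPM2_ALG_SHA256 = 0x000B
TPM2_ALG_NULL = 0x0010
TPM2_ALG_RSASSA = 0x0014

# TPMA_OBJECT bits a server expects of an attestation key.
ATTR_FIXED_TPM = 0x00000002
ATTR_FIXED_PARENT = 0x00000010
ATTR_SENSITIVE_DATA_ORIGIN = 0x00000020
ATTR_RESTRICTED = 0x00010000
ATTR_SIGN = 0x00040000
AK_REQUIRED_ATTRS = (ATTR_FIXED_TPM | ATTR_FIXED_PARENT | ATTR_SENSITIVE_DATA_ORIGIN
                     | ATTR_RESTRICTED | ATTR_SIGN)

NAME_ALG_HASH = {TPM2_ALG_SHA256: hashlib.sha256}


def tpm2b(data: bytes) -> bytes:
    """TPM2B_* buffer: UINT16 big-endian size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def marshal_rsa_tpmt_public(name_alg: int, attributes: int, auth_policy: bytes,
                            key_bits: int, modulus: bytes) -> bytes:
    """Marshal a TPMT_PUBLIC for an RSA key with a NULL symmetric algorithm and
    an RSASSA/SHA-256 scheme, the usual shape of a restricted signing AK."""
    out = struct.pack(">HHI", TPM2_ALG_RSA, name_alg, attributes)
    out += tpm2b(auth_policy)                          # authPolicy (TPM2B_DIGEST)
    out += struct.pack(">H", TPM2_ALG_NULL)            # symmetric: NULL has no keyBits/mode
    out += struct.pack(">HH", TPM2_ALG_RSASSA, TPM2_ALG_SHA256)  # scheme + hashAlg
    out += struct.pack(">HI", key_bits, 0)             # keyBits, exponent 0 = default 2^16+1
    out += tpm2b(modulus)                              # unique (TPM2B_PUBLIC_KEY_RSA)
    return out


def tpm2_name(tpmt_public: bytes) -> bytes:
    """Name = nameAlg (UINT16 BE) || H_nameAlg(marshaled TPMT_PUBLIC)."""
    name_alg = struct.unpack(">H", tpmt_public[2:4])[0]
    digest = NAME_ALG_HASH[name_alg](tpmt_public).digest()
    return struct.pack(">H", name_alg) + digest


def server_check_ak(tpm2b_public: bytes, claimed_name: bytes) -> bool:
    """Server side: recompute the Name from the TPM2B_PUBLIC the host sent,
    compare it with the claimed name, then check the attributes the Name
    commits to, since MakeCredential binds the credential to this Name."""
    if len(tpm2b_public) < 2:
        return False
    size = struct.unpack(">H", tpm2b_public[:2])[0]
    body = tpm2b_public[2:2 + size]
    if len(body) != size or len(body) < 8:
        return False
    if not hmac.compare_digest(tpm2_name(body), claimed_name):
        return False
    attributes = struct.unpack(">I", body[4:8])[0]
    return attributes & AK_REQUIRED_ATTRS == AK_REQUIRED_ATTRS


# Constructed 2048-bit "modulus": top bit set, then a byte ramp. Not a real key.
FAKE_MODULUS = bytes([0xC0]) + bytes(i % 256 for i in range(255))
AK_ATTRS = 0x00050072  # fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|restricted|sign


def demo() -> dict:
    public = marshal_rsa_tpmt_public(TPM2_ALG_SHA256, AK_ATTRS, b"", 2048, FAKE_MODULUS)
    host_name = tpm2_name(public)   # what the host would report under option b)
    wire = tpm2b(public)            # TPM2B_PUBLIC as sent to the server
    honest = server_check_ak(wire, host_name)
    # Same key material with 'restricted' cleared: the Name changes, so the
    # name computed over the restricted template no longer matches.
    unrestricted = marshal_rsa_tpmt_public(TPM2_ALG_SHA256, AK_ATTRS & ~ATTR_RESTRICTED,
                                           b"", 2048, FAKE_MODULUS)
    mismatch = server_check_ak(tpm2b(unrestricted), host_name)
    # Consistent name, but attributes the server does not accept for an AK.
    weak = server_check_ak(tpm2b(unrestricted), tpm2_name(unrestricted))
    return {"tpmt_public_len": len(public), "name_len": len(host_name),
            "honest": honest, "mismatch": mismatch, "weak_attrs": weak}


if __name__ == "__main__":
    print(demo())
```

Only the RSA/RSASSA layout is marshaled here; an ECC AK has a different parameters and unique encoding, but the Name rule (nameAlg followed by the hash of the whole TPMT_PUBLIC) is the same for every object type.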
[RELEASE CANDIDATE] tpm2-pytss 1.1.0-rc0
by Roberts, William C
Hello,
I would like to announce the release of tpm2-pytss version 1.1.0-rc0 which can be found on pypi at:
- https://pypi.org/project/tpm2-pytss/1.1.0rc0/
With the following CHANGELOG:
## 1.1.0-rc0 - 2022-03-14
### Fixed
- Spelling of "Enhanced" in CHANGELOG for 1.0.0 release.
- Ensure that TPM2_GENERATED.VALUE is encoded the same way as other constants.
- Add support to unmarshal simple TPM2B types (such as TPM2B_ATTEST and TPM2B_NAME) directly using the unmarshal method
### Changed
- Drop pkgconfig from runtime dependencies, thus no longer need dev packages of built bindings at runtime.
- NOTE: Version information is cached, a change in the TSS libraries requires a rebuild of the bindings.
### Added
- Support session contexts from tpm2-tools as well as function to marshal context to tpm2-tools format.
- Support two new encoding/decoding classes to go to/from hex or json representation of objects.
- Support for creating EK from templates and optionally NV index based templates.
- Binding to `Esys_TR_GetTpmHandle` as `ESAPI` method `tr_get_tpm_handle`.
Thanks,
Bill
1 month
abrmd crashing - how to debug?
by Kenneth Goldman
Ubuntu focal with WSL, abrmd compiled from source
After about 5 minutes of sending commands, abrmd crashes. I originally
found it with keylime, but I can reproduce it with a simple bash loop on
pcrread.
abrmd exits, the tool output is:
** (process:21067): CRITICAL **: 17:25:10.862: failed to allocate dbus proxy object: Could not connect: Connection refused
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for function 0x7ff5f6dbbe10 failed with a0008
WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not initialize TCTI named: tcti-abrmd
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
How would I debug?
I would expect that nothing that a single application does should crash
abrmd.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
2 months, 2 weeks
Installing on FreeBSD?
by John Connett
Is there a simple, step-by-step guide for installing tpm2 on FreeBSD?
I started with a FreeBSD 13.0-RELEASE-p10 installation on x86_64 and
installed the following with "pkg install":
* tpm2-abrmd-2.4.0
* tpm2-tools-5.2
* tpm2-tss-3.1.0
then added tpm2_abrmd_enable="YES" and dbus_enable="YES" to
/etc/rc.conf. The user includes "_tss" in its groups.
Attempts to run tpm2_getrandom fail with "Could not initialize TCTI file".
It appears that I have missed some important steps!
The equivalent on Ubuntu just works.
Thanks
--
John
2 months, 3 weeks
tpm2_flushcontext stuck
by Han
Hi,
I'm using tpm2-tools 5.0 in Debian 11 Bullseye based Raspberry Pi OS. I'm
trying to run tpm2_flushcontext but the command got stuck and it's not
showing anything. Is the data in TPM corrupted? How can I check?
$ sudo tpm2_flushcontext 0x80000000
< no output at all and stuck here >
(note: the handle 0x80000000 was obtained from previous command output when
I was running previous version tpm2-tools 3.1.3 on Debian 10 Buster based
OS:
$ sudo tpm2_createprimary -H o -g sha256 -G ecc -C context.out
ObjectAttribute: 0x00030072
CreatePrimary Succeed ! Handle: 0x80000000)
3 months
TPM2 for PKCS#11 for SoftEther Client Smart Card
by duncan@touch-fire.com
Hi,
I have been searching for a way to use the TPM2 module already in my windows laptop, to use as a Smart Card for the SoftEther windows VPN client that I use to connect to work.
SoftEther states that it requires a PKCS#11 device driver, and when I google for this, every possible combination of TPM2 and PKCS#11 and windows points to the tpm2-pkcs11 github project.
However, I cannot see any module / dll download link and I only see a very occasional mention of windows in the github issue list.
I feel like this might be a dumb question, but could I ask if there is an easy way to achieve this?
If this project is only for application developers, then does anyone know of any projects or products that support this? Or even if it is already part of windows?
(I am assuming that I am misunderstanding something here, as this seems like there would be a huge demand for this with everyone working from home these days).
Thank you!
Duncan.
3 months
[RELEASE] tpm2-pytss version 1.1.0
by Roberts, William C
Hello,
I would like to announce the release of tpm2-pytss version 1.1.0 which can be found on PyPI:
- https://pypi.org/project/tpm2-pytss/1.1.0/
The release contains the following CHANGELOG:
## 1.1.0 - 2022-03-29
### Fixed
- Spelling of "Enhanced" in CHANGELOG for 1.0.0 release.
- Ensure that TPM2_GENERATED.VALUE is encoded the same way as other constants.
- Add support to unmarshal simple TPM2B types (such as TPM2B_ATTEST and TPM2B_NAME) directly using the unmarshal method
- utils: catch the ImportError as "e" enabling raising the exception later
- types: add check in TPMS_CONTEXT.to_tools for session handles
### Changed
- Drop pkgconfig from runtime dependencies, thus no longer need dev packages of built bindings at runtime.
- NOTE: Version information is cached, a change in the TSS libraries requires a rebuild of the bindings.
### Added
- Support session contexts from tpm2-tools as well as function to marshal context to tpm2-tools format.
- Support two new encoding/decoding classes to go to/from hex or json representation of objects.
- Support for creating EK from templates and optionally NV index based templates.
- Binding to `Esys_TR_GetTpmHandle` as `ESAPI` method `tr_get_tpm_handle`.
Thanks,
Bill
3 months
[RELEASE] tpm2-openssl 1.1.0
by Petr Gotthard
Hello,
I released the tpm2-openssl version 1.1.0 (same as 1.1.0-rc0):
### Fixed
- Fixed segmentation fault when a signature algorithm is being initialized
without a private key.
### Added
- Added support for the `TPM2OPENSSL_PARENT_AUTH` environment variable.
- Added the Code of Conduct and Contributing guidelines.
The release can be found here:
https://github.com/tpm2-software/tpm2-openssl/releases/tag/1.1.0
Regards,
Petr
3 months, 1 week