tpm2-tcti-uefi status and future direction
by Tricca, Philip B
Hello,
I've been working to clean up the tpm2-tcti-uefi build / repo (https://github.com/flihp/tpm2-tcti-uefi) now that we have better control over the compilation flags in the tpm2-tss build. The tpm2-tss submodule and all of the custom build logic has now been removed and I've got travis-ci building the example UEFI executables using libtss2-mu and libtss2-sys built using the appropriate autotools mechanisms (config.site: https://github.com/flihp/tpm2-tcti-uefi/blob/master/.travis.yml#L33). Currently I'm adding some details to the documentation and working on a set of instructions for testing the example UEFI application under qemu using the OVMF firmware.
While I'm finishing up the docs I wanted to get a message out to the list to solicit input from anyone interested in this work. If you have a few spare cycles I'd appreciate input on the repo as it stands now as well as any opinions on including this repo in the tpm2-software github org since this is my goal once the docs are done.
Thanks,
Philip
3 years, 4 months
tpm2-tools who uses transient handles in workflows?
by Roberts, William C
We're working on porting the tpm2-tools to use ESAPI so we can provide better session support and drive down session-related bugs.
With that said, ESAPI doesn't support using transient object handles. Internally the library keeps track of ESYS_TR handles, which are handles on steroids (meta data). Because there is no way to extract the transient object handle, as ESAPI considers that an implementation detail that shouldn't be exposed to regular users, we can (in order of sanity with 1 being most sane):
1. Require save/load context
2. Try and change ESAPI to expose this
   a. uses a serialized in memory ESYS_TR and find the handle via offset (sic)
3. serialize ESYS handles to disk
4. serialize ESYS handles and base64 output to stdout
I'm leaning towards 1; it would require additional TPM commands, but it works in RM and non-RM environments, which I think means fielding fewer questions about "where did my object go on exit when it said it was handle XXX". However, that breaks a possible workflow, and we want to get the 4.0 release right, so we can stop with backwards-incompatible changes.
Thoughts, opinions?
Bill
3 years, 5 months
Set unique in template of tpm2_createprimary from CLI
by Marco De Benedictis
Hi all,
Is it possible to include unique data in the TPM2B_PUBLIC template used by the tpm2_createprimary CLI tool (in tpm2-tools)? I would try to generate different primary keys in a given hierarchy that share the same algorithm/key size/type of key etc. (and the same primary seed, obviously).
Thanks,
Marco
--
MARCO DE BENEDICTIS
Department of Control and Computer Engineering
Politecnico di Torino
E-mail: marco.debenedictis(a)polito.it - Phone: +39 (011) 090 7192
3 years, 5 months
Esys_Create Error
by Sourajit Mukhopadhyay
Dear team,
I am working on a test code to check the unseal functionality for educational purposes. I am following the test module for ESAPI unseal, and the test code is working on one system perfectly with the IBM simulator, but failing on another system running the same version of the simulator with:
WARNING:esys:src/tss2-esys/api/Esys_Create.c:421:Esys_Create_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:164:Esys_Create() Esys Finish
ErrorCode (0x00000921)
Esys_Create fail
I am unable to detect the cause of this error, since the same code is running perfectly fine on a different system with the same version of the simulator. Any advice on the cause of this issue would be highly appreciated.
Regards,
Sourajit Mukhopadhyay
3 years, 5 months
TPM2_Sign odd behavior
by Nick Meyer
Good afternoon all,
I'm seeing some odd behavior when trying to use the TPM2_Sign command in an EFI application.
I'm guessing what I'm seeing is vendor-dependent, but I wanted to throw it out here too in case there are other avenues I can look down while I'm trying to contact the vendor.
What I'm seeing is, when trying to sign with a loaded key, I'm getting a TPM_RC_VALUE error (exact code 0x84). The specification indicates this would be received if "the value to sign is larger than allowed for the type of keyHandle". However, I have intercepted the marshaled command and inspected it, and this is not the case.
I have verified that the key has the Sign attribute; the key's signature scheme is TPM_ALG_NULL and this is defined to SHA256 in the TPM2_Sign command; and that the hash value being sent in the TPM2_Sign TPM2B_DIGEST value is in fact the 32 bytes expected for an SHA256 hash.
The command is being sent via the EFI EFI_TCG2_PROTOCOL Submit Command operation, and I've validated in the vendor BIOS this is the correct protocol; plus there are some cases on other machines where this sign operation DOES work.
Is there any other reason this error code might be returned from a TPM2_Sign command? I can't believe it would be, but is there some kind of format or value expected in the provided hash? (This is NOT a restricted signing key.)
For reference, here is an example marshaled command that fails:
| 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
------------------------------------------------------
0x00 | 80 02 00 00 00 49 00 00 01 5d 80 00 00 01 00 00
0x10 | 00 09 03 00 00 00 00 00 01 00 00 00 20 e8 d0 09
0x20 | 45 d9 65 bf 21 46 cd 48 1f 57 72 82 bb 38 a7 a6
0x30 | 70 c6 4d e3 a9 32 21 4f f3 7b 63 3f 8e 00 14 00
0x40 | 0b 80 24 40 00 00 07 00 00
Thanks for any insight.
--
*Nick Meyer*
*Oath:*
3 years, 6 months
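The hex dump in Nick's post is a complete TPM2_Sign command, and the checks he describes doing by hand (command size, digest length against the scheme hash, ticket format) can be done mechanically. The following is an added example, not code from the post: SIGN_CMD is his dump re-typed byte for byte, while the parser, the checker and all of their names are this example's own, with the field layout taken from the TPM 2.0 Library specification (Part 3, TPM2_Sign; Part 2 for the structures).

```python
"""Decode and sanity-check a marshaled TPM2_Sign command (TPM 2.0 Part 3, 20.2).

Added example, not code from the post. SIGN_CMD is Nick's failing command
re-typed from his hex dump; the parser, checker and their names are this
example's own. Field layout follows the TPM 2.0 Library specification.
"""
import struct

TPM_ST_SESSIONS = 0x8002
TPM_ST_HASHCHECK = 0x8024
TPM_CC_SIGN = 0x0000015D
TPM_ALG_NULL = 0x0010
ALG_NAMES = {0x0004: "SHA1", 0x000B: "SHA256", 0x000C: "SHA384", 0x0010: "NULL",
             0x0014: "RSASSA", 0x0016: "RSAPSS", 0x0018: "ECDSA"}
DIGEST_SIZES = {0x0004: 20, 0x000B: 32, 0x000C: 48}
# The handle type (TPM_HT) is the top byte of a handle.
SESSION_TYPES = {0x02: "hmac", 0x03: "policy", 0x40: "password"}
OBJECT_TYPES = {0x80: "transient", 0x81: "persistent"}

# Nick's failing command, copied byte for byte from the hex dump in the post.
SIGN_CMD = bytes.fromhex(
    "8002 00000049 0000015d 80000001"        # tag, commandSize, TPM_CC_Sign, keyHandle
    "00000009 03000000 0000 01 0000"         # authorizationSize, one TPMS_AUTH_COMMAND
    "0020 e8d00945d965bf2146cd481f577282bb"  # TPM2B_DIGEST: size 0x20 ...
    "38a7a670c64de3a932214ff37b633f8e"       # ... and its 32 bytes
    "0014 000b"                              # TPMT_SIG_SCHEME: RSASSA, hashAlg SHA256
    "8024 40000007 0000")                    # TPMT_TK_HASHCHECK: tag, TPM_RH_NULL, empty digest


class Reader:
    """Big-endian cursor over a TPM command buffer; refuses to read past the end."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, fmt):
        fmt = ">" + fmt
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.buf):
            raise ValueError("buffer truncated at offset %d" % self.pos)
        vals = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += size
        return vals if len(vals) > 1 else vals[0]

    def take_2b(self):
        """TPM2B_*: UINT16 size prefix followed by that many bytes."""
        n = self.take("H")
        if self.pos + n > len(self.buf):
            raise ValueError("TPM2B overruns buffer at offset %d" % self.pos)
        data = self.buf[self.pos:self.pos + n]
        self.pos += n
        return data


def parse_sign_command(buf):
    """Unmarshal a TPM2_Sign command into a dict of its fields."""
    r = Reader(buf)
    tag, size, cc = r.take("HII")
    if size != len(buf):
        raise ValueError("commandSize %d != buffer length %d" % (size, len(buf)))
    if cc != TPM_CC_SIGN:
        raise ValueError("not a TPM2_Sign command: 0x%08x" % cc)
    cmd = {"tag": tag, "key_handle": r.take("I"), "sessions": []}
    if tag == TPM_ST_SESSIONS:
        auth_size = r.take("I")
        end = r.pos + auth_size
        while r.pos < end:  # one TPMS_AUTH_COMMAND per session
            handle = r.take("I")
            nonce = r.take_2b()
            attributes = r.take("B")
            hmac = r.take_2b()
            cmd["sessions"].append({"handle": handle,
                                    "type": SESSION_TYPES.get(handle >> 24, "unknown"),
                                    "nonce": nonce, "attributes": attributes, "hmac": hmac})
        if r.pos != end:
            raise ValueError("authorizationSize does not match the sessions it contains")
    cmd["digest"] = r.take_2b()
    scheme = r.take("H")
    cmd["scheme"] = ALG_NAMES.get(scheme, "0x%04x" % scheme)
    cmd["scheme_hash"] = None if scheme == TPM_ALG_NULL else r.take("H")
    cmd["ticket"] = {"tag": r.take("H"), "hierarchy": r.take("I"), "digest": r.take_2b()}
    if r.pos != len(buf):
        raise ValueError("%d trailing bytes after the ticket" % (len(buf) - r.pos))
    return cmd


def check_sign_command(cmd):
    """Consistency checks on the parsed command; returns a list of findings (empty if none)."""
    findings = []
    if (cmd["key_handle"] >> 24) not in OBJECT_TYPES:
        findings.append("keyHandle 0x%08x is not a transient or persistent object" % cmd["key_handle"])
    if cmd["tag"] == TPM_ST_SESSIONS and not cmd["sessions"]:
        findings.append("TPM_ST_SESSIONS tag but the authorization area is empty")
    h = cmd["scheme_hash"]
    if h in DIGEST_SIZES and len(cmd["digest"]) != DIGEST_SIZES[h]:
        findings.append("digest is %d bytes but %s expects %d"
                        % (len(cmd["digest"]), ALG_NAMES[h], DIGEST_SIZES[h]))
    if cmd["ticket"]["tag"] != TPM_ST_HASHCHECK:
        findings.append("validation ticket tag 0x%04x is not TPM_ST_HASHCHECK" % cmd["ticket"]["tag"])
    return findings


if __name__ == "__main__":
    parsed = parse_sign_command(SIGN_CMD)
    for field, value in parsed.items():
        print("%-12s %s" % (field, value.hex() if isinstance(value, bytes) else value))
    print("findings:", check_sign_command(parsed) or "none")
```

Run against the posted bytes the checker reports nothing, which agrees with Nick's own inspection: a 32-byte digest under an RSASSA/SHA256 scheme and a well-formed null hash-check ticket. The decode also makes the authorization area visible, a single policy session (handle 0x03000000) with continueSession set, which is worth knowing when comparing the working and failing machines.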
Re: [tpm2] SPI TPM and SPI flash can not work at the same time
by Sherry Zhang(BJ-RD)
First of all, thank you!!!
Like:
tpm2_getcap -c properties-fixed
tpm2_getcap -c commands
These commands can not work well.
I do more experiments and find that the tpm driver can not work well, but I do not know the reason:
spi port0/1: flash; port2: TPM2.0
driver modules: tpm_tis.ko (tpm driver), spi-zx.ko (spi controller driver), m25p80.ko (flash driver)
(1) When I boot ubuntu16.04 with kernel 4.16.2, I find that the OS only modprobes tpm_tis.ko and spi-zx.ko, without m25p80.ko.
So I can see /dev/tpm0, but not /dev/mtd0 and /dev/mtd1.
(2) If I do not modprobe m25p80, then /dev/tpm0 works well.
(3) Then I modprobe m25p80 and test /dev/mtd1. It seems normal.
Then I rmmod the spi_zx and m25p80 drivers. It seems normal.
But when I rmmod tpm_tis, it shows:
Tpm tpm0: A TPM error (151) occurred stopping the TPM
(4) boot os
rmmod tpm_tis ----- normal
modprobe m25p80 ----- normal
./spi_flash /dev/mtd1 ----- normal
rmmod m25p80 ----- normal
modprobe tpm_tis ----- error
tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x101, rev-id 0)
tpm tpm0:A TPM error(151) occurred continue selftest
tpm tpm0: TPM self test failed
Best regards,
Sherry Zhang
>
> I wish I could help you more, but your TPM isn't returning a valid RC.
>
> Since bit 7 is set in 0x97, this indicates that it is a FMT 1 response code.
>
> Fmt 1 response codes have the handle encoded in bit positions 8-11
> inclusive.
> And is 1-based per
> https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-
> 2-Structures-01.38.pdf
> Section 6.6.
>
> It seems the error bits 0-5 inclusive are 0x17 which is TPM2_RC_TAG.
>
> Which is "a parameter that should be a structure tag has a value that is not
> supported by the TPM"
>
> I'm not sure why this is failing on your TPM, do any other tpm2_getcap
> commands work?
>
> Like:
> tpm2_getcap -c properties-fixed
> tpm2_getcap -c commands
>
> Bill
>
> > -----Original Message-----
> > From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Sherry
> > Zhang(BJ-
> > RD)
> > Sent: Monday, November 5, 2018 8:14 PM
> > To: tpm2(a)lists.01.org
> > Subject: [tpm2] SPI TPM and SPI flash can not work at the same time
> >
> > Hi All,
> >
> > Ubuntu16.04 with the kernel 4.16.2:
> >
> > I use a spi port2 with a FIFO TPM2.0 and two flash on the spi port 0/1.
> >
> > First, I unload drivers of spi controller and test the TPM2.0
> > (built-in tpm_tis.o)
> >
> > #tpm2_abrmd --tcti="device:/dev/tpm0" --allow-root &
> >
> > #tpm2_pcrlist
> >
> > #tpm2_nvlist
> >
> > And I can use tpm2-tools to test and it is normal .
> >
> >
> >
> > Then I load spi controller driver, and test /dev/mtd0 at spi port0
> > that can work well.
> >
> > But when I run the command "tpm2_nvlist", it shows an error.
> >
> > #tpm2_nvlist
> >
> > ERROR: Tss2_Sys_GetCapability(0x97) - tpm:handle(unk):incorrect
> > structure tag
> >
> > ERROR: Unable to run tpm2_nvlist
> >
> >
> >
> > PS:
> >
> > tpm2-tss 2.1.0
> >
> > Tpm2-abrmd 2.0.3_rc0
> >
> > Tpm2-tools 3.0.2
> >
> >
> >
> > Best regards,
> >
> > Sherry Zhang
> >
> >
3 years, 6 months
SPI TPM and SPI flash can not work at the same time
by Sherry Zhang(BJ-RD)
Hi All,
Ubuntu16.04 with the kernel 4.16.2:
I use spi port2 with a FIFO TPM2.0 and two flash devices on spi ports 0/1.
First, I unload the drivers of the spi controller and test the TPM2.0 (built-in tpm_tis.o)
#tpm2_abrmd --tcti="device:/dev/tpm0" --allow-root &
#tpm2_pcrlist
#tpm2_nvlist
And I can use tpm2-tools to test, and it is normal.
Then I load the spi controller driver and test /dev/mtd0 at spi port0, which works well.
But when I run the command "tpm2_nvlist", it shows an error.
#tpm2_nvlist
ERROR: Tss2_Sys_GetCapability(0x97) - tpm:handle(unk):incorrect structure tag
ERROR: Unable to run tpm2_nvlist
PS:
tpm2-tss 2.1.0
Tpm2-abrmd 2.0.3_rc0
Tpm2-tools 3.0.2
Best regards,
Sherry Zhang
3 years, 6 months
CertifyCreation and VerifySignature
by Davide Rutigliano
Hi all,
I want to verify the signature of creationHash produced by
TPM2_CertifyCreation command.
When I run the TPM2_VerifySignature on the same creationHash I get rc =
0x000002db (i.e. tpm:parameter(2):the signature is not valid).
Something goes wrong and I cannot understand what.
Should I do sign of HMAC( proof( TK | obj->name | creationHash) ) and then
verify the signature on it?
Thanks,
Davide.
3 years, 6 months
Generate restricted signing key under owner hierarchy
by Marco De Benedictis
Hi all,
I am using tpm2-tools on master (commit
a9fbf1879a8b008f89dc90f32b4ac701ac5ce2dd) and I am unable to generate a
restricted signing key under the owner hierarchy.
First, I have generated a primary key on the owner hierarchy:
tpm2_createprimary -a o -g sha256 -G ecc -o primary/context.ctx
and then I run:
tpm2_create -C primary/context.ctx \
  -g sha256 -G ecc \
  -u child.pub \
  -r child.priv \
  -A "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign"
I get an error:
"ERROR: Tss2_Sys_Create(0x2D2) - tpm:parameter(2):unsupported or incompatible scheme"
If I run the same command without the "restricted" object attribute, it
works. Any idea on this behavior? Does this comply with the specs?
Thanks,
Marco
--
MARCO DE BENEDICTIS
Department of Control and Computer Engineering
Politecnico di Torino
E-mail: marco.debenedictis(a)polito.it - Phone: +39 (011) 090 7192
3 years, 6 months
What is the difference between 0x1d5 and 0x3d5
by Terry An
[root@localhost tpm2-init]# tpm2_rc_decode 0x1d5
tpm:parameter(1):structure is the wrong size
[root@localhost tpm2-init]# tpm2_rc_decode 0x3d5
tpm:parameter(3):structure is the wrong size
I'm so confused about where my code is wrong.
3 years, 6 months
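Terry's 0x1d5 versus 0x3d5 and Bill's breakdown of 0x97 in the SPI thread are the same exercise: reading the bit fields of a TPM 2.0 response code as laid out in Part 2, section 6.6 (bit 7 selects the format; in a format-one code bits 0-5 are the error, bit 6 says whether the N field in bits 8-11 names a parameter, and when it does not, bit 11 distinguishes a session from a handle). The decoder below is an added example written for this page, not the source of tpm2_rc_decode; its names and its partial error tables are this example's own, and it also decodes the other codes quoted in these threads (0x84, 0x2db, 0x2d2, 0x921).

```python
"""Decode TPM 2.0 response codes by the layout in TPM 2.0 Part 2, section 6.6.

Added example for this list page; it is not the source of tpm2_rc_decode.
The tables hold the codes that appear in these threads plus a few common
neighbours; anything else is reported by number.
"""

RC_FMT1 = 0x080    # bit 7 set: format-one code (error number + N field)
RC_P = 0x040       # bit 6 (fmt1): N names a parameter; clear: a handle or session
RC_VER1 = 0x100    # bit 8 (fmt0): TPM 2.0 code; clear: TPM 1.2-compatible code
RC_VENDOR = 0x400  # bit 10 (fmt0): vendor-defined code
RC_WARN = 0x800    # bit 11 (fmt0): warning; (fmt1, P clear): N names a session

FMT1_ERRORS = {  # bits 0-5 of a format-one code
    0x04: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x0E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed and DA counter incremented"),
    0x12: ("TPM_RC_SCHEME", "unsupported or incompatible scheme"),
    0x15: ("TPM_RC_SIZE", "structure is the wrong size"),
    0x17: ("TPM_RC_TAG", "incorrect structure tag"),
    0x1B: ("TPM_RC_SIGNATURE", "the signature is not valid"),
    0x1D: ("TPM_RC_POLICY_FAIL", "a policy check failed"),
    0x22: ("TPM_RC_BAD_AUTH", "authorization failure without DA implications"),
}
FMT0_ERRORS = {  # bits 0-6 of a TPM 2.0 format-zero error
    0x01: ("TPM_RC_FAILURE", "commands not being accepted because of a TPM failure"),
    0x25: ("TPM_RC_AUTH_MISSING", "a handle that requires authorization has none"),
    0x43: ("TPM_RC_COMMAND_CODE", "command code not supported"),
    0x46: ("TPM_RC_NV_RANGE", "NV offset+size is out of range"),
}
FMT0_WARNINGS = {  # bits 0-6 of a TPM 2.0 format-zero warning
    0x01: ("TPM_RC_CONTEXT_GAP", "gap for context ID is too large"),
    0x09: ("TPM_RC_CANCELED", "the command was canceled"),
    0x21: ("TPM_RC_LOCKOUT", "authorizations for objects subject to DA protection are not "
                             "allowed at this time because the TPM is in DA lockout mode"),
    0x22: ("TPM_RC_RETRY", "the TPM was not able to start the command"),
}
TPM12_ERRORS = {0x1E: ("TPM_RC_BAD_TAG", "defined for compatibility with TPM 1.2")}


def decode_rc(rc):
    """Split rc into its fields; 'summary' mimics the tpm2_rc_decode one-liner."""
    if rc == 0:
        return {"format": "success", "kind": "success", "number": None,
                "name": "TPM_RC_SUCCESS", "text": "success", "summary": "tpm:success"}
    if rc & RC_FMT1:
        err = rc & 0x3F
        n = (rc >> 8) & 0xF
        name, text = FMT1_ERRORS.get(err, ("TPM_RC_FMT1+0x%02x" % err, "unknown format-one error"))
        if rc & RC_P:
            kind, number = "parameter", n
        elif n & 0x8:  # bit 11 overall (RC_WARN's position) marks a session number
            kind, number = "session", n & 0x7
        else:
            kind, number = "handle", n
        where = str(number) if number else "unk"  # N == 0: the TPM did not say which one
        return {"format": "fmt1", "kind": kind, "number": number, "name": name, "text": text,
                "summary": "tpm:%s(%s):%s" % (kind, where, text)}
    err = rc & 0x7F
    if not rc & RC_VER1:
        name, text = TPM12_ERRORS.get(err, ("TPM_RC_1.2+0x%02x" % err, "TPM 1.2-compatible error"))
        return {"format": "tpm1.2", "kind": "error", "number": None, "name": name, "text": text,
                "summary": "tpm:error(1.2):" + text}
    if rc & RC_VENDOR:
        return {"format": "vendor", "kind": "error", "number": None,
                "name": "TPM_RC_VENDOR+0x%02x" % err, "text": "vendor-defined code",
                "summary": "tpm:vendor:0x%02x" % err}
    kind, table = ("warn", FMT0_WARNINGS) if rc & RC_WARN else ("error", FMT0_ERRORS)
    name, text = table.get(err, ("TPM_RC_%s+0x%02x" % (kind.upper(), err), "unknown TPM 2.0 " + kind))
    return {"format": "fmt0", "kind": kind, "number": None, "name": name, "text": text,
            "summary": "tpm:%s(2.0):%s" % (kind, text)}


def compare_rc(a, b):
    """Name the fields in which two response codes differ (Terry's 0x1d5 vs 0x3d5)."""
    da, db = decode_rc(a), decode_rc(b)
    return [k for k in ("format", "kind", "number", "name") if da[k] != db[k]]


if __name__ == "__main__":
    for rc in (0x97, 0x84, 0x2DB, 0x2D2, 0x1D5, 0x3D5, 0x921):
        d = decode_rc(rc)
        print("0x%03x  %-20s %s" % (rc, d["name"], d["summary"]))
    print("0x1d5 vs 0x3d5 differ in:", compare_rc(0x1D5, 0x3D5))
```

For 0x1d5 and 0x3d5 the only field that differs is the parameter number (1 versus 3): the TPM is reporting the same TPM_RC_SIZE complaint about a different command parameter, counted in order from the first parameter after the handles. The decoder also shows why bit 7 must be tested before any N field is read: 0x921 from the Esys_Create thread has bit 7 clear, so it is a format-zero warning, TPM_RC_LOCKOUT, and carries no parameter number at all.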