tpm support on Intel NUCs
by Duncan.Palmer@data61.csiro.au
Apologies if this is slightly OT for this list...
We're running the tpm2 tools in Intel NUCs (a NUC5i7RYH to be exact), using Linux kernel 4.4.59 (shipped by Ubuntu as 4.4.0-77). The tpm drivers on this kernel don't work out of the box, and I had to put in a fairly nasty hack to make them work. The same driver now does not work on a newer NUC7i7 model. Are other people using NUCs, and if so, are you having similar issues?
Cheers,
Dunk
Duncan Palmer
Senior Software Engineer | Autonomous Systems
Data61 | CSIRO
E duncan.palmer(a)csiro.au
Queensland Centre for Advanced Technologies (QCAT),
1 Technology Court, Pullenvale QLD, 4069
www.data61.csiro.au
CSIRO's Digital Productivity business unit and NICTA have joined forces to create digital powerhouse Data61
Re: [tpm2] clevis with tpm-tools 2.1.0 (tpm2_create proper use for tpm2_unseal compatibility)
by Javier Martinez Canillas
[adding back the mailing list since I dropped it by mistake]
On 05/03/2018 04:50 PM, Peter Magnusson wrote:
> Thanks!
>
> Any particular tag that you would recommend building the tools from, or is
> master:head the way to go?
>
I would recommend the latest stable versions. So that would be the following:
tpm2-tools 3.0.4
tpm2-tss 1.4.0
tpm2-abrmd 1.3.1
The problem with master is that it's still a moving target. As mentioned in the
clevis issue, I'll propose a patch to make the tpm2 pin support tpm2-tools 4
as soon as this is released.
> //P
> On Thu, May 3, 2018 at 2:56 PM Javier Martinez Canillas <javierm(a)redhat.com>
> wrote:
>
>> Hi Peter,
>
>> On 05/03/2018 12:44 PM, Peter Magnusson wrote:
>>> Hi,
>>>
>>> I'm trying to get clevis 9 working with Ubuntu18 tpm-tools 2.1.0, but
>>> clevis decrypt (tpm2_unseal) fails. I suspect the obj_attr values fed
>
>> I don't think that's going to work. The reason why I started contributing
>> to this project was because the 2.X unseal support wasn't really working.
>
>> The problem is that some TPM2.0 commands require an authorization session
>> (if the tag is TPM_ST_SESSIONS), and this is the case for the TPM2_Unseal
>> command but support for this isn't supported in the 2.X release.
>
>> So you need at the very least the following commits that landed in 3.X:
>
>> 287eeb92555a tpm2_unseal: use build_policy() from tpm2 policy instead open coding it
>> 5435e1d79662 tpm2_unseal: add support to unseal an object using a PCR policy for auth
>> 141974c84508 tools: don't use relative path for tpm2_util.h header include
>> b8a442325361 tpm2_unseal: Adding support for session handle input for policy based authorization
>> 1b3efb759117 tpm2_unseal: don't copy optarg variable for context item file
>> 8aa7f644386d tpm2_unseal: allow to write unsealed data to the standard output
>> 2cd3feaff067 tpm2_unseal: don't copy the optarg variable for the output file option
>> df751ae5bea0 tpm2_unseal: fix unsealed data object serialization
>
>> More information is on the issue I opened at the time and the follow-up:
>
>> https://github.com/tpm2-software/tpm2-tools/issues/313
>> https://github.com/tpm2-software/tpm2-tools/issues/510
>
>>>
>>> tpm2_unseal -T device -d /dev/tpmrm0 -c ...load.context -o -
>>> ERROR: Sys_Unseal failed. Error Code: 0x12f
>>> Unsealing jwk from TPM failed!
>
>> $ tpm2_rc_decode 0x12f
>> tpm:error(2.0): authValue or authPolicy is not available for selected entity
>
>> You can see that's the issue I mentioned above about the missing
>> authorization session.
>
Best regards,
--
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat
clevis with tpm-tools 2.1.0 (tpm2_create proper use for tpm2_unseal compatibility)
by Peter Magnusson
Hi,
I'm trying to get clevis 9 working with Ubuntu18 tpm-tools 2.1.0, but
clevis decrypt (tpm2_unseal) fails. I suspect the obj_attr values fed
to tpm2_create in clevis-encrypt-tpm2 might be the root cause, but I
haven't succeeded in making sense of it.
A diff on clevis-encrypt-tpm2 is included at the end of this mail.
Any helpful pointers on what the appropriate change to clevis-encrypt
would be are appreciated.
echo hi | clevis encrypt tpm2 '{}' | clevis decrypt
tpm2_createprimary -A o --halg 0xB --kalg 0x23 -C ...primary.context -T device -d /dev/tpmrm0
nameAlg = 0x000b
type = 0x0023
contextFile = ...primary.context
CreatePrimary Succeed ! Handle: 0x80ffffff
tpm2_load -T device -d /dev/tpmrm0 -c ...primary.context -u ...jwk.pub -r ...jwk.priv -C ...load.context -n ...name.structure
contextParentFile = ...primary.context
contextFile = ...load.context
Load succ.
LoadedHandle: 0x80fffffe
tpm2_unseal -T device -d /dev/tpmrm0 -c ...load.context -o -
ERROR: Sys_Unseal failed. Error Code: 0x12f
Unsealing jwk from TPM failed!
diff ~/gits/clevis/src/clevis-encrypt-tpm2 /usr/local/bin/clevis-encrypt-tpm2
25c25,30
< alg_create_key="keyedhash"
---
>
> #*****************************************************
> #alg_create_key="keyedhash"
> alg_create_key=0x8
> #*****************************************************
>
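Review bot: `alg_create_key=0x8` replaces the symbolic `keyedhash` with a bare number and no comment; unlike the `sha256 -> 0xB` and `ecc -> 0x23` tables later in this diff, nothing here records which algorithm ID 0x8 stands for, so add that mapping as a comment or convert the name with the same `case` approach used for `$hash` and `$key`.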
27c32,56
< obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
---
>
> #*****************************************************
> #obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
> #obj_attr=0x4B2 #0x00000002 + 0x00000010 + 0x00000020 + 0x00000400 + 0x00000080 -- error 0x2d2: incompatible scheme
> #obj_attr=0x4A2 #0x00000002 + 0x00000020 + 0x00000400 + 0x00000080 -- error 0x2c2: inconsistent attributes
> #obj_attr=0x492 #0x00000002 + 0x00000010 + 0x00000020 + 0x00000400 + 0x00000080 -- error 0x1c2: inconsistent attributes
> #obj_attr=0x432 #0x00000002 + 0x00000010 + 0x00000020 + 0x00000400 -- error 0x2d2
> obj_attr=0x404B2
> #define TPMA_OBJECT_RESERVED1_MASK 0x00000001 /* shall be zero */
> #define TPMA_OBJECT_FIXEDTPM 0x00000002 /* SET 1 The hierarchy of the object as indicated by its Qualified Name may not change. CLEAR 0 The hierarchy of the object may change as a result of this object or an ancestor key being duplicated for use in another hierarchy. */
> #define TPMA_OBJECT_STCLEAR 0x00000004 /* SET 1 Previously saved contexts of this object may not be loaded after StartupCLEAR. CLEAR 0 Saved contexts of this object may be used after a ShutdownSTATE and subsequent Startup. */
> #define TPMA_OBJECT_RESERVED2_MASK 0x00000008 /* shall be zero */
> #define TPMA_OBJECT_FIXEDPARENT 0x00000010 /* SET 1 The parent of the object may not change. CLEAR 0 The parent of the object may change as the result of a TPM2_Duplicate of the object. */
> #define TPMA_OBJECT_SENSITIVEDATAORIGIN 0x00000020 /* SET 1 Indicates that when the object was created with TPM2_Create or TPM2_CreatePrimary the TPM generated all of the sensitive data other than the authValue. CLEAR 0 A portion of the sensitive data other than the authValue was provided by the caller. */
> #define TPMA_OBJECT_USERWITHAUTH 0x00000040 /* SET 1 Approval of USER role actions with this object may be with an HMAC session or with a password using the authValue of the object or a policy session. CLEAR 0 Approval of USER role actions with this object may only be done with a policy session. */
> #define TPMA_OBJECT_ADMINWITHPOLICY 0x00000080 /* SET 1 Approval of ADMIN role actions with this object may only be done with a policy session. CLEAR 0 Approval of ADMIN role actions with this object may be with an HMAC session or with a password using the authValue of the object or a policy session. */
> #define TPMA_OBJECT_RESERVED3_MASK 0x00000300 /* shall be zero */
> #define TPMA_OBJECT_NODA 0x00000400 /* SET 1 The object is not subject to dictionary attack protections. CLEAR 0 The object is subject to dictionary attack protections. */
> #define TPMA_OBJECT_ENCRYPTEDDUPLICATION 0x00000800 /* SET 1 If the object is duplicated then symmetricAlg shall not be TPM2_ALG_NULL and newParentHandle shall not be TPM2_RH_NULL. CLEAR 0 The object may be duplicated without an inner wrapper on the private portion of the object and the new parent may be TPM2_RH_NULL. */
> #define TPMA_OBJECT_RESERVED4_MASK 0x0000F000 /* shall be zero */
> #define TPMA_OBJECT_RESTRICTED 0x00010000 /* SET 1 Key usage is restricted to manipulate structures of known format the parent of this key shall have restricted SET. CLEAR 0 Key usage is not restricted to use on special formats. */
> #define TPMA_OBJECT_DECRYPT 0x00020000 /* SET 1 The private portion of the key may be used to decrypt. CLEAR 0 The private portion of the key may not be used to decrypt. */
> #define TPMA_OBJECT_SIGN_ENCRYPT 0x00040000 /* SET 1 For a symmetric cipher object the private portion of the key may be used to encrypt. For other objects the private portion of the key may be used to sign. CLEAR 0 The private portion of the key may not be used to sign or encrypt. */
> #define TPMA_OBJECT_RESERVED5_MASK 0xFFF80000 /* shall be zero */
> #*****************************************************
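Review bot: `obj_attr=0x404B2` keeps TPMA_OBJECT_SENSITIVEDATAORIGIN (0x20) set although the `tpm2_create` line later in this diff still supplies the JWK itself via `<<< "$jwk"`; by the pasted definition that bit means the TPM generated all of the sensitive data, so an object whose sensitive data the caller provides should have it CLEAR. The sum comments beside the rejected candidates also disagree with the values: `0x492` is 0x2+0x10+0x80+0x400 (no 0x20), yet the comment lists the 0x4B2 sum for it. Finally, 0x404B2 adds TPMA_OBJECT_SIGN_ENCRYPT (0x40000), which the symbolic string it replaces never requested; that deserves a one-line justification, and the long #define paste would read better as a reference to the header it was copied from.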
102c131,161
< if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C
$TMP/primary.context; then
---
> #if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then
> #************************************************************
> case $hash in
> sha1)
> __hash='0x4'
> ;;
> sha256)
> __hash='0xB'
> ;;
> sha384)
> __hash='0xC'
> ;;
> *)
> echo "*** hash converter failed...****" >&2
> exit 1;
> esac
> case $key in
> rsa)
> __key='0x1'
> ;;
> ecc)
> __key='0x23'
> ;;
> *)
> echo "*** key converter failed...****" >&2
> exit 1;
> esac
>
> #echo tpm2_createprimary -A "$auth" --halg "$__hash" --kalg "$__key" -C $TMP/primary.context -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE
> if ! tpm2_createprimary -A "$auth" --halg "$__hash" --kalg "$__key" -C $TMP/primary.context -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE >/dev/null; then
> #************************************************************
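Review bot: `$TPM2TOOLS_TCTI_NAME` and `$TPM2TOOLS_DEVICE_FILE` are passed unquoted and are not set anywhere in this diff; if either is empty the unquoted expansion vanishes and `-T` or `-d` consumes the next token as its value, so give them defaults (the transcript above uses `device` and `/dev/tpmrm0`) and quote them like `"$auth"`. The two `case` tables correctly fail closed for unmapped names, but the error messages should echo the rejected `$hash`/`$key` value, and `$TMP/primary.context` should be quoted as well.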
128,129c187,191
< if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c
$TMP/primary.context -u $TMP/jwk.pub \
< -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
---
> #if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
> # -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
> #echo tpm2_create -A "$obj_attr" -g "$__hash" -G "$alg_create_key" -c $TMP/primary.context --opu $TMP/jwk.pub --opr $TMP/jwk.priv $policy_options -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE >&2
> if ! tpm2_create -A "$obj_attr" -g "$__hash" -G "$alg_create_key" -c $TMP/primary.context --opu $TMP/jwk.pub --opr $TMP/jwk.priv $policy_options -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE <<< "$jwk" >/dev/null; then
> #if ! tpm2_create -A "$obj_attr" -g "$__hash" -G "$alg_create_key" -c $TMP/primary.context --opu $TMP/jwk.pub --opr $TMP/jwk.priv $policy_options -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE <<< "$jwk"; then
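Review bot: the new `tpm2_create` invocation drops the `-I-` option but keeps `<<< "$jwk"`, so the JWK is written to a stdin that nothing on the command line asks the tool to read; verify whether tpm2_create 2.1.0 takes sensitive data from stdin without `-I`, and if it does not, pass the JWK through `-I` (a temporary file under `$TMP` if `-` is not accepted), because otherwise the sealed object never contains the key and the unseal shown in the transcript cannot return it even once the authorization problem is solved.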
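As an added illustration (not code from the thread, from clevis or from tpm2-tools): the unseal error Javier decodes in his reply and the obj_attr candidates Peter tries in his diff are both plain bit fields, and the Python below decodes them using the TPMA_OBJECT table pasted in the diff and the TPM 2.0 response-code layout. Attribute names follow the spelling tpm2-tools 3.x accepts in -A strings, and the error-name tables only cover codes relevant to object creation and authorization.

```python
# Added example, not code from the thread, from clevis or from tpm2-tools:
# decode the TPMA_OBJECT masks and the TPM_RC codes quoted in the mails above.
# Bit values follow the TPMA_OBJECT table pasted in the diff; the names are
# the ones tpm2-tools accepts in -A strings ("sign" is TPMA_OBJECT_SIGN_ENCRYPT).
TPMA_OBJECT = {
    0x00000002: "fixedtpm", 0x00000004: "stclear", 0x00000010: "fixedparent",
    0x00000020: "sensitivedataorigin", 0x00000040: "userwithauth",
    0x00000080: "adminwithpolicy", 0x00000400: "noda",
    0x00000800: "encryptedduplication", 0x00010000: "restricted",
    0x00020000: "decrypt", 0x00040000: "sign",
}
NAME_TO_BIT = {name: bit for bit, name in TPMA_OBJECT.items()}

def attrs_to_mask(spec):
    """Encode a clevis-style 'a|b|c' attribute string as a TPMA_OBJECT value."""
    return sum(NAME_TO_BIT[n.strip().lower()] for n in spec.split("|") if n.strip())

def mask_to_attrs(mask):
    """List the attributes set in a TPMA_OBJECT value, lowest bit first; unnamed bits are flagged."""
    return [TPMA_OBJECT.get(1 << i, "reserved:0x%x" % (1 << i))
            for i in range(32) if mask & (1 << i)]

# TPM_RC layout (TPM 2.0 Library Part 2): format 1 has bit 7 set, the error in
# bits 0-5, P (bit 6) selecting parameter vs. handle/session and the index in
# bits 8-11; format 0 with V (bit 8) set is a plain TPM 2.0 code in bits 0-6,
# with bit 11 marking a warning. Only codes relevant to this thread are named.
FMT0_ERRORS = {0x025: "TPM_RC_AUTH_MISSING", 0x026: "TPM_RC_POLICY",
               0x027: "TPM_RC_PCR", 0x02F: "TPM_RC_AUTH_UNAVAILABLE"}
FMT1_ERRORS = {0x002: "TPM_RC_ATTRIBUTES", 0x00E: "TPM_RC_AUTH_FAIL",
               0x012: "TPM_RC_SCHEME", 0x01D: "TPM_RC_POLICY_FAIL",
               0x022: "TPM_RC_BAD_AUTH"}

def decode_rc(rc):
    """Name a TPM_RC value; for format-1 codes also say which handle/session/parameter it blames."""
    if rc & 0x080:
        err = FMT1_ERRORS.get(rc & 0x3F, "TPM_RC_FMT1+0x%03x" % (rc & 0x3F))
        n = (rc >> 8) & 0xF
        if rc & 0x040:
            where = "parameter %d" % n
        elif n & 0x8:
            where = "session %d" % (n & 0x7)
        else:
            where = "handle %d" % n
        return "%s (%s)" % (err, where)
    if rc & 0x100:
        err = FMT0_ERRORS.get(rc & 0x7F, "TPM_RC_VER1+0x%03x" % (rc & 0x7F))
        return err + (" (warning)" if rc & 0x800 else "")
    return "TPM 1.2-compatible code 0x%03x" % rc
```

Running `decode_rc(0x12f)` gives TPM_RC_AUTH_UNAVAILABLE, the code tpm2_rc_decode reports above, while 0x2d2 and 0x2c2 from the diff's comments decode to TPM_RC_SCHEME and TPM_RC_ATTRIBUTES on parameter 2, the inPublic argument of TPM2_Create.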
[ANNOUNCE] Brace yourself: API & ABI incompatible changes incoming!
by Philip Tricca
Hello,
We're getting pretty close to an RC0 for the next major release of the
TSS2 libraries. Before we can make RC0 though there are a number of
changes that still need to be made to the header files to bring them
in line with the latest TPM2 and TSS2 specifications. We've just
started rolling these out and during this time, due to the nature of
the changes, we'll be breaking backward compatibility (API and ABI
both).
If you're following along at home you've probably seen changes to the
TCTI headers and implementation happening in rapid succession over the
last few days (when our CI isn't down). Expect similar changes to
happen in the rest of the public headers over the course of this week.
These changes will likely cause some issues for downstream projects but
feel free to get on the list and we'll help sort things out.
Regards,
Philip