tpm2-tss question
by Yasuhiro Hosoda
My name is Yasuhiro Hosoda.
I am developing a program using TSS 1.0 (Nov 1, 2016).
I encountered a problem with a PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as a base of development.
The situation is as follows:
1 Create TPM Keys like this.
EK
|--------
| |
MK AK
|
SK
2 Execute PolicySecret twice using an HMAC session. At first, it ends
without error. Then it ends with 0x98e.
For clarification, I print out the values of the Virtual Handle and Real Handle.
The values of the Virtual/Real Handles differ at the 2nd execution of the command.
(See NO 25/26 below)
I understand that the resource manager assigns the Virtual Handle and my
program calculates the HMAC using those handles.
On the other hand, the TPM may calculate the HMAC using the Real Handle.
That is my hypothesis.
Any suggestion about the usage of the Session Handle?
NO Command Virtual/Real Handle LOC
1. CreatePrimary(EK) real=80000000, virtual=80000000 8381
2. HierarchyChangeAuth1 8421
3. HierarchyChangeAuth2 8431
4. StartAuthSession(Policy) real=3000000, virtual=3000000 8480
5. PolicySecret(ENDORSEMENT) 8494
6. Create(MK) 8515
7. PolicySecret(ENDORSEMENT) 8529
8. Load(MK) real=80000001, virtual=80000001 8542
9. Evict(MK) 8552
10. Create(SK) 8590
11. Load(SK) real=80000001, virtual=80000002 8598
12. PolicySecret(ENDORSEMENT) 8609
13. Create(AK) 8635
14. PolicySecret(ENDORSEMENT) 8645
15. Load(AK) real=80000001, virtual=80000003 8655
16. FlushContext(POLICY) 8664
17. StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
18. StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
19. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
20. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
21. PolicySecret(SK) 8711
22. FlushContext(HMAC) 8717
23. FlushContext(POLICY) 8724
24. CertifyCreation(SK) 8738
25. StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
26. StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
27. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
28. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
29. PolicySecret(SK) 8789
The whole source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
Kind regards,
--
Yasuhiro Hosoda
NTT Electronics Corporation (NEL)
Security Support Project
2 years, 4 months
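The authorization HMAC that the post above is comparing across virtual and real handles is specified in TPM 2.0 Library Part 1: cpHash is computed over the command code, the Names of the entities in the handle area and the parameters, and the HMAC over cpHash, the two nonces and the session attributes. The Python below is an added illustration of that computation; it is not part of tpmtest.cpp or tpm2-tss, the constants are transcribed from Part 2, and the public area and PolicySecret parameters are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constants from TPM 2.0 Library Part 2 (transcribed here, not from tpmtest.cpp).
TPM_ALG_SHA256 = 0x000B
TPM_CC_PolicySecret = 0x00000151
TPM_RH_ENDORSEMENT = 0x4000000B
TPMA_SESSION_CONTINUE = 0x01  # continueSession bit of TPMA_SESSION

def entity_name(handle, public_area=None):
    """Name of a handle-area entity as it enters cpHash (Part 1, Names).
    Transient (0x80) and persistent (0x81) objects: nameAlg || H_nameAlg(publicArea),
    so the numeric handle itself is not hashed. Permanent handles, PCRs and
    sessions: the 32-bit handle value. NV indices are out of scope here."""
    handle_type = handle >> 24
    if handle_type in (0x80, 0x81):
        if public_area is None:
            raise ValueError("object Names need the marshalled TPMT_PUBLIC")
        return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()
    if handle_type == 0x01:
        raise NotImplementedError("NV index Name = nameAlg || H(TPMS_NV_PUBLIC)")
    return struct.pack(">I", handle)

def cp_hash(command_code, names, parameters):
    """cpHash = H(commandCode || Name1 || Name2 || ... || parameters)."""
    h = hashlib.sha256(struct.pack(">I", command_code))
    for name in names:
        h.update(name)
    h.update(parameters)
    return h.digest()

def auth_hmac(session_key, auth_value, cphash, nonce_caller, nonce_tpm, attrs):
    """Command authHMAC = HMAC(sessionKey || authValue,
    cpHash || nonceNewer || nonceOlder || sessionAttributes); for a command
    nonceNewer is nonceCaller and nonceOlder is the last nonceTPM. An unbound,
    unsalted HMAC session has an empty sessionKey."""
    msg = cphash + nonce_caller + nonce_tpm + bytes([attrs])
    return hmac.new(session_key + auth_value, msg, hashlib.sha256).digest()

# Constructed sample inputs (not real TPM data): a stand-in public area and
# PolicySecret parameters with empty nonceTPM, cpHashA, policyRef, expiration=0.
SAMPLE_PUBLIC = b"constructed-TPMT_PUBLIC-bytes"
SAMPLE_PARAMS = b"\x00\x00" * 3 + struct.pack(">i", 0)

def policy_secret_cphash(auth_handle, policy_session, public_area=None):
    """cpHash of TPM2_PolicySecret: handle area is authHandle, policySession."""
    names = [entity_name(auth_handle, public_area), entity_name(policy_session)]
    return cp_hash(TPM_CC_PolicySecret, names, SAMPLE_PARAMS)
```

Run against two object handles that carry the same public area, cpHash is identical; change the session handle in the handle area and it is not, because a session's Name is its handle value.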
TPM2TSS engine for OpenSSL
by Fuchs, Andreas
Hi all,
I just wanted to announce that we pushed a new crypto engine for OpenSSL using the tpm2-tss software stack.
It is licensed under the BSD 3-clause license.
It currently includes RSA sign, RSA decrypt and ECDSA with TPM generated keys.
It uses ESAPI/ESYS (so it's a good usage example) and thus relies on the 2.0 series of tpm2-tss.
I'd like to see some testing and bug reports if you don't mind.
You can find the project here: https://github.com/tpm2-software/tpm2-tss-engine
Big thanks to Infineon for sponsoring this work !
Best regards,
Andreas Fuchs
2 years, 6 months
Regarding storing simple data into nv memory of slb9670(tpm 2.0)
by Abbaraju Manojsai
We interfaced the SLB 9670 (TPM 2.0) with an MSP430 16-bit controller through
SPI, which does not support the Linux kernel.
Our main task is to store a few bytes of data in NV memory in a simple way
into the SLB 9670 (TPM 2.0).
Now we are able to access the SPI communication of the SLB 9670 with the controller;
we tested reading sample registers of the SLB 9670 like the DIDVID register,
the version ID of the SLB 9670 and the status register, and writing values into
registers through SPI communication.
So SPI read and SPI write communication is working with the chip by
accessing these registers.
Our main task is to store a few bytes of data into the NV memory of the SLB
9670. Please help me.
I am not able to properly understand the TCG stack documents of TPM 2.0,
so kindly help me: what are the required steps I should follow?
Regards,
Manoj ,
+91-9063249308.
2 years, 7 months
tpm2-tss and buildroot compilation error
by Tomasz Przybysz
Hi,
There is a problem during tpm2-tss compilation under buildroot.
tpm2-tss 2.0.0
Compilation under buildroot:
>>> tpm2-tss 2.0.0 Installing to staging directory
PATH="/home/tomaszpr/zynq_fresh/buildroot/output/host/bin:/home/tomaszpr/zynq_fresh/buildroot/output/host/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
/usr/bin/make -j9
DESTDIR=/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot
install -C /home/tomaszpr/zynq_fresh/buildroot/output/build/tpm2-tss-2.0.0/
/bin/mkdir -p
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib'
/bin/mkdir -p
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/man/man3'
/bin/bash ./libtool --mode=install /usr/bin/install -c
src/tss2-mu/libtss2-mu.la src/tss2-tcti/libtss2-tcti-device.la
src/tss2-tcti/libtss2-tcti-mssim.la src/tss2-sys/libtss2-sys.la
src/tss2-esys/libtss2-esys.la
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib'
/bin/mkdir -p
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/man/man7'
/bin/mkdir -p
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig'
/bin/mkdir -p
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include/tss2'
/bin/mkdir -p
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/udev/rules.d'
/usr/bin/install -c -m 644 lib/tss2-mu.pc lib/tss2-tcti-device.pc
lib/tss2-tcti-mssim.pc lib/tss2-sys.pc lib/tss2-esys.pc
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig'
/usr/bin/install -c -m 644 dist/tpm-udev.rules
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/udev/rules.d'
/usr/bin/install -c -m 644 man/man7/tss2-tcti-device.7
man/man7/tss2-tcti-mssim.7
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/man/man7'
/usr/bin/install -c -m 644 man/man3/Tss2_Tcti_Device_Init.3
man/man3/Tss2_Tcti_Mssim_Init.3
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/man/man3'
/usr/bin/install -c -m 644 ./include/tss2/tss2_common.h
./include/tss2/tss2_tcti.h ./include/tss2/tss2_tpm2_types.h
./include/tss2/tss2_mu.h ./include/tss2/tss2_tcti_device.h
./include/tss2/tss2_tcti_mssim.h ./include/tss2/tss2_sys.h
./include/tss2/tss2_esys.h
'/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include/tss2'
/usr/bin/make install-data-hook
make[4]: Nie ma nic do zrobienia w 'install-data-hook'.
libtool: install: /usr/bin/install -c
src/tss2-mu/.libs/libtss2-mu.so.0.0.0
/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libtss2-mu.so.0.0.0
libtool: install: (cd
/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib
&& { ln -s -f libtss2-mu.so.0.0.0 libtss2-mu.so.0 || { rm -f
libtss2-mu.so.0 && ln -s libtss2-mu.so.0.0.0 libtss2-mu.so.0; }; })
libtool: install: (cd
/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib
&& { ln -s -f libtss2-mu.so.0.0.0 libtss2-mu.so || { rm -f libtss2-mu.so
&& ln -s libtss2-mu.so.0.0.0 libtss2-mu.so; }; })
libtool: install: /usr/bin/install -c src/tss2-mu/.libs/libtss2-mu.lai
/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libtss2-mu.la
libtool: warning: relinking 'src/tss2-tcti/libtss2-tcti-device.la'
libtool: install: (cd
/home/tomaszpr/zynq_fresh/buildroot/output/build/tpm2-tss-2.0.0;
/bin/bash
"/home/tomaszpr/zynq_fresh/buildroot/output/build/tpm2-tss-2.0.0/libtool"
--tag CC --mode=relink
/home/tomaszpr/zynq_fresh/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-gcc
-I./src -I./include/tss2 -std=c99 -Wall -Wextra -Wformat-security
-Werror -fstack-protector-all -fpic -fPIC -D_DEFAULT_SOURCE
-D_BSD_SOURCE -D_POSIX_SOURCE -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -g
-O2 -Wno-missing-braces -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-D_FILE_OFFSET_BITS=64 -Os
-Wl,--version-script=./lib/tss2-tcti-device.map -o
src/tss2-tcti/libtss2-tcti-device.la -rpath /usr/lib
src/tss2-tcti/src_tss2_tcti_libtss2_tcti_device_la-tcti-common.lo
src/tss2-tcti/src_tss2_tcti_libtss2_tcti_device_la-tcti-device.lo
src/tss2-mu/libtss2-mu.la libutil.la -lgcrypt -inst-prefix-dir
/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot)
libtool: relink:
/home/tomaszpr/zynq_fresh/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-gcc
-shared -fPIC -DPIC
src/tss2-tcti/.libs/src_tss2_tcti_libtss2_tcti_device_la-tcti-common.o
src/tss2-tcti/.libs/src_tss2_tcti_libtss2_tcti_device_la-tcti-device.o
-Wl,--whole-archive ./.libs/libutil.a -Wl,--no-whole-archive
-L/home/tomaszpr/zynq_fresh/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib
-L/usr/lib -ltss2-mu -lgcrypt -fstack-protector-all -g -O2 -Os
-Wl,--version-script=./lib/tss2-tcti-device.map -Wl,-soname
-Wl,libtss2-tcti-device.so.0 -o
src/tss2-tcti/.libs/libtss2-tcti-device.so.0.0.0
arm-buildroot-linux-gnueabihf-gcc: ERROR: unsafe header/library path
used in cross-compilation: '-L/usr/lib'
libtool: error: error: relink 'src/tss2-tcti/libtss2-tcti-device.la'
with the above command before installing it
Makefile:4607: recipe for target 'install-libLTLIBRARIES' failed
make[3]: *** [install-libLTLIBRARIES] Error 1
Makefile:12965: recipe for target 'install-am' failed
make[2]: *** [install-am] Error 2
package/pkg-generic.mk:262: recipe for target
'/home/tomaszpr/zynq_fresh/buildroot/output/build/tpm2-tss-2.0.0/.stamp_staging_installed'
failed
make[1]: ***
[/home/tomaszpr/zynq_fresh/buildroot/output/build/tpm2-tss-2.0.0/.stamp_staging_installed]
Error 2
Makefile:79: recipe for target '_all' failed
make: *** [_all] Error 2
When I disable buildroot option:
make menuconfig
Build options ---> Advanced
[ ] paranoid check of library/header paths
compilation finishes correctly, but the default option for buildroot is
paranoid check of library/header paths enabled.
In my opinion it's not a good idea to disable it.
Best regards,
--
*Tomasz Przybysz*
Software Engineer
B.R.Sp.P.M.S.A. Mikronika
2 years, 7 months
tpm2_getpubek EvictControl fails with 0x1c4 (TPM_RC_VALUE)
by Peter Magnusson
Hi,
I've run into tpm2_getpubek (3.0.4;
https://github.com/tpm2-software/tpm2-tools/blob/3.0.4/tools/tpm2_getpubek.c)
failing unexpectedly with Tss2_Sys_EvictControl emitting TPM_RC_VALUE.
Target system is an Intel NUC with a discrete infineon TPM.
Does the error make sense to anyone?
sudo -u tss TSS2_LOG=all+TRACE tpm2_getpubek -V --tcti
device:/dev/tpmrm0 -H 0x80000000 -g 0x0023 -f ek_ecc.pub
INFO on line: "217" in file: "tools/tpm2_getpubek.c": EK create
success. Got handle: 0x80ffffff
ERROR on line: "225" in file: "tools/tpm2_getpubek.c": EvictControl
failed. Could not make EK persistent.TPM Error:0x1c4
Makefile:8: recipe for target 'ek_ecc.bin' failed
tpm2_rc_decode 0x1c4
error layer
hex: 0x0
identifier: TSS2_TPM_ERROR_LEVEL
description: Error produced by the TPM
format 1 error code
hex: 0x04
identifier: TPM_RC_VALUE
description: value is out of range or is not correct for the context
parameter
hex: 0x100
identifier: TPM_RC_1
description: (null)
2 years, 7 months
Question
by Joshua Muscara
I don't know where to post a question. About the tpm2 software posted on
GitHub, it directed me to this list. I was wondering how to set it up with my
openSUSE Linux PC. It has an Intel TPM 2.0 and I keep getting an error
saying "** (proccess:5542): warning **: failed to create connection with
service GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: the name
com.intel.tss2.Tabrmd was not provided by any .Service files Error failed
to initialize TABRMD TCTI context: 0xa0008" whenever I try to take
ownership of my TPM.
2 years, 7 months
tpm2-abrmd 2.0.1-rc0
by Philip Tricca
Good morning,
We've just tagged the first release candidate for 2.0.1. This is a
bugfix release and all issues addressed are in the CHANGELOG.md. The RC
window for this release will likely be short given the nature of the
bugs fixed (one is a pretty nasty resource leak) and the fact that we
already have some features in the queue for 2.1.0. Expect the release
to happen early next week.
Philip
2 years, 7 months
tpm2-tools tpm2_takeownership w/ Intel NUC
by Agerstam, Mats G
Hi,
I'm pretty new to the TPM toolset, but have been struggling a bit getting some of the fundamental pieces working. The issue I'm running into is when trying to take ownership of the TPM which results in an error:
ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2
Even though I have not been successful in previously trying to take ownership, tried to run with the -c option, which resulted in
ERROR: Clearing Failed! TPM error code: 0x921. Looking at the meaning of the result code it indicated TPM_RC_LOCKOUT.
Other basic commands, like getting random numbers through tpm_getrandom [x] works fine.
I have a NUC 7i7BNH, BIOS version 56 (from Oct 2017), Ubuntu 16.04 Kernel version 4.13.0-45. I'm currently running tpm2-tools 2.1.0, tpm2-tss-2.0.0 and tpm2-abrmd 1.1.1.
I have additionally tried to take out the BIOS security jumper, resetting/clearing the TPM and retrying, without any success. Any guidance or tips on what could be causing this?
Thanks,
Mats
2 years, 7 months
getting segfaults with tss-2.0.0, abrmd-2.0.0, tools-3.1.0
by Scheie, Peter M
The good news is that with help from Wind River, I've been able to get tpm2-tss 2.0.0, tpm2-abrmd 2.0.0, and tpm2-tools 3.1.0 to build in our WR Linux 8 environment. We had been on versions 1.4.0, 1.2.0, and 3.0.3 respectively, which are working fine, but I wanted to get onto current releases. Had to add a couple patches and a bunch of package declarations into our bbappend files (we're using @flihp's OE recipes which were written for the earlier versions), but now they all build without error.
The bad news is that now on the target I'm getting segfaults with the tools and I can't really use the TPM. As the system boots up, I see some abrmd errors in the log, but I think that's just abrmd trying to talk to the TPM before the TPM is ready; eventually systemd restarts abrmd and it does start without errors. Here's the log in case it's helpful:
Jun 27 22:27:14 localhost kernel: ACPI: TPM2 0x000000009CBF9000 000034 (v03 INSYDE HSW-LPT 00000000 ACPI 00040000)
Jun 27 22:27:15 localhost systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Jun 27 22:27:15 localhost systemd[1]: tpm2-abrmd.service: Main process exited, code=exited, status=1/FAILURE
Jun 27 22:27:15 localhost systemd[1]: Failed to start TPM2 Access Broker and Resource Management Daemon.
Jun 27 22:27:15 localhost systemd[1]: tpm2-abrmd.service: Unit entered failed state.
Jun 27 22:27:15 localhost systemd[1]: tpm2-abrmd.service: Failed with result 'exit-code'.
Jun 27 22:27:15 localhost kernel[363]: ACPI: TPM2 0x000000009CBF9000 000034 (v03 INSYDE HSW-LPT 00000000 ACPI 00040000)
Jun 27 22:27:15 localhost tpm2-abrmd[366]: ERROR:tcti:/localhome/pscheie/workspace-mdsu-scheie/projects/mdsu/bitbake_build/tmp/work/broadwell-64-wrs-linux/tpm2-tss/2.0.0-r0/tpm2-tss-2.0.0/src/tss2-tcti/tcti-device.c:281:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
Jun 27 22:27:15 localhost tpm2-abrmd[366]: ** (tpm2-abrmd:366): WARNING **: failed to initialize device TCTI context: 0xa000a
Jun 27 22:27:15 localhost tpm2-abrmd[366]: ** (tpm2-abrmd:366): CRITICAL **: TCTI initialization failed: 0xa000a
Jun 27 22:27:20 localhost systemd[1]: tpm2-abrmd.service: Service hold-off time over, scheduling restart.
Jun 27 22:27:20 localhost systemd[1]: Stopped TPM2 Access Broker and Resource Management Daemon.
Jun 27 22:27:20 localhost systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
Jun 27 22:27:20 localhost systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
By the way, does abrmd default to trying to connect to /dev/tpm0? When working with the emulator on my laptop, I have to start abrmd with '--tcti=libtss2-tcti-mssim.so' but I assume that's just for when there is no TPM device, right?
So, with tpm2-abrmd running, if I call, say, tpm2_pcrlist or tpm2_nvlist, to just query the TPM, it will display the PCRs or the NV indexes but then follow that with a "Segmentation fault", and syslog shows things like this:
Jun 27 22:32:42 localhost audit[1432]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=1 pid=1432 comm="gdbus" exe="/usr/bin/tpm2_pcrlist" sig=11
Jun 27 22:32:42 localhost kernel: gdbus[1432]: segfault at 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in libtss2-mu.so.0.0.0[7f8328284000+3f000]
Jun 27 22:32:42 localhost kernel[363]: gdbus[1432]: segfault at 7f8327acc750 ip 00007f8327acc750 sp 00007f8326ab2c38 error 14 in libtss2-mu.so.0.0.0[7f8328284000+3f000]
Trying to write to the TPM, e.g., take ownership, doesn't work at all:
localhost:~$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
ERROR: Could not change hierarchy for Owner. TPM Error:0x9a2
ERROR: Unable to run tpm2_takeownership
Segmentation fault
and syslog shows
Jun 27 23:08:03 localhost audit[1539]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=1 pid=1539 comm="gdbus" exe="/usr/bin/tpm2_takeownership" sig=11
Jun 27 23:08:03 localhost kernel: gdbus[1539]: segfault at 7ff2fe95c750 ip 00007ff2fe95c750 sp 00007ff2fd942c38 error 14 in libtss2-mu.so.0.0.0[7ff2ff114000+3f000]
Jun 27 23:08:03 localhost kernel[363]: gdbus[1539]: segfault at 7ff2fe95c750 ip 00007ff2fe95c750 sp 00007ff2fd942c38 error 14 in libtss2-mu.so.0.0.0[7ff2ff114000+3f000]
Any suggestions?
2 years, 7 months
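The return codes quoted across these posts (0x98e in the PolicySecret thread, 0x1c4 in the tpm2_getpubek thread, 0x9a2 and 0x921 in the takeownership threads, 0xa000a and 0xa0008 from the TCTI layer) all follow the TPM_RC bit layout from TPM 2.0 Library Part 2 plus the TSS2_RC layer byte from tss2_common.h. The decoder below is an added example written for this digest, not tpm2_rc_decode; the bit layout and the few code names it tables are transcribed from those two sources.

```python
# TPM_RC layout from TPM 2.0 Library Part 2 and the TSS2_RC layer field from
# tss2_common.h, transcribed here; only the names this page's posts hit are tabled.
RC_VER1 = 0x100   # format 0, TPM 2.0 code
RC_FMT1 = 0x080   # format 1: code carries a handle/parameter/session number
RC_WARN = 0x900   # format 0 warning

FMT1_NAMES = {
    0x004: "TPM_RC_VALUE", 0x00B: "TPM_RC_HANDLE", 0x00E: "TPM_RC_AUTH_FAIL",
    0x00F: "TPM_RC_NONCE", 0x022: "TPM_RC_BAD_AUTH",
}
WARN_NAMES = {0x021: "TPM_RC_LOCKOUT"}
LAYERS = {0: "TPM", 8: "SYS", 9: "MU", 10: "TCTI", 11: "RESMGR"}
TSS2_BASE_NAMES = {0x8: "TSS2_BASE_RC_NO_CONNECTION", 0xA: "TSS2_BASE_RC_IO_ERROR"}

def decode_rc(rc):
    """Split a TSS2_RC into layer and code; decode TPM-layer codes by format."""
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    out = {"layer": LAYERS.get(layer, "layer 0x%02x" % layer)}
    if layer != 0:                            # TSS-side error, not from the TPM
        out["name"] = TSS2_BASE_NAMES.get(code, "base 0x%04x" % code)
        return out
    if code == 0:
        out["name"] = "TPM_RC_SUCCESS"
        return out
    if code & RC_FMT1:                        # format 1: error number in bits 0-5
        err = code & 0x3F
        out["name"] = FMT1_NAMES.get(err, "RC_FMT1+0x%03x" % err)
        if code & 0x40:                       # P bit: parameter number in bits 8-11
            out["parameter"] = (code >> 8) & 0xF
        elif code & 0x800:                    # S bit: session number in bits 8-10
            out["session"] = (code >> 8) & 0x7
        else:
            out["handle"] = (code >> 8) & 0x7  # 0 means the TPM gave no number
        return out
    if not code & RC_VER1:
        out["name"] = "TPM 1.2 style code 0x%03x" % code
        return out
    err = code & 0x7F                         # format 0: error number in bits 0-6
    if code & 0x400:
        out["name"] = "vendor-specific 0x%03x" % err
    elif code & 0x800:
        out["name"] = WARN_NAMES.get(err, "RC_WARN+0x%03x" % err)
    else:
        out["name"] = "RC_VER1+0x%03x" % err
    return out
```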