December 2019 - tpm2 - Ml01.01.Org

Made an ZFS root pool auto-unlock, please give review of method

by Garrett Fields

Back in the end of July, I wrote a message on this discussion list titled "PCR Policy enforcement when using nvram". In that, I asked for a way to have both a PCR check AND a password lock an nvram range (not an OR). I really appreciated everyone's help, especially William Roberts, who gave some sample code of using a session to accomplish this goal. Now that Ubuntu has updated its repositories for the upcoming 20.04 LTS release and included TPM-tools v4.x, I figured it was time to take another look. My goal is to provide a method to auto-unlock a ZFS encrypted root filesystem. Currently, ZFS allows for unlocking via a prompt or file containing a raw, hex, or passphrase values. The mechanisms are already inplace to prompt on startup. So far I have just done a proof of concept. It probably loads of bad code and tons of polish needed: https://github.com/ghfields/zfs/compare/master...ghfields:tpm2-autounlock I forked the zfs project, expanded the its initramfs hooks to include the required tpm2-tools binaries, and added another stanza to init script's decrypting section. I also created a pair of scripts that configures the system and tests readback. The nvram index and the PCRs used are stored/read from the zfs filesystem properties. I used the filesytem's GUID as the required password as another check to verify the NVRAM range was intended for that filesystem. I also intend to issue an nvreadlock to prevent snooping once the key is used. I'd be interested in a critique of the method overall I expect there ways to make this more secure. With enough effort, one could issue a break=premount on the kernel line and manually extract the password from the TPM. Any way to tighten that up? I'm a total novice at TPM in general, but am completely open to advise and guidance. Thanks, Garrett Fields

3 months

4
5
0 / 0

[RC] tpm2-pkcs11: 1.0.1-RC0

by Roberts, William C

Hello, A new release candidate is available for the tpm2-pkcs11 project: https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.0.1-RC0 CHANGELOG: 1.0.1-RC0 - 2019-12-30 * stop linking against libdl * add missing test integration scripts to dist tarball. --- Bill

5 months, 1 week

1
0
0 / 0

[RELEASE] tpm2-pkcs11: v1.0

by Roberts, William C

tpm2-pkcs11 is released v1.0. https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.0 Thank you for all that participated in the release process and development of the library. There is still a long way to go, but many of the core features are in place. Bill

5 months, 1 week

1
0
0 / 0

tpm2-totp v0.2.1_rc0

by Jonas Witschel

Hi, I just tagged a release candidate for tpm2-totp, see https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.2.1_rc0 It includes two small fixes regarding the installation of the dracut module and building with musl. Best, Jonas

5 months, 1 week

1
2
0 / 0

tpm2-abrmd 2.3.1-rc0

by Philip Tricca

The first release candidate for tpm2-abrmd version 2.3.1 has been tagged: https://github.com/tpm2-software/tpm2-abrmd/releases/tag/2.3.1-rc0. The changelog will materialize as a PR during the RC window. Regards, Philip

5 months, 1 week

1
1
0 / 0

Question about how to get session handle when create policy

by Zhao, Shirley

Hello, I want to get the session handle when creating policy, how to do it? For example, # tpm2_createpolicy --policy-pcr --pcr-list sha256:7 --policy pcr.policy --policy-session 2781c435e602b97eef2a95333b72d085a393907cf32b9f825febe37b1af54820 I use tpm2_createpolicy to create the policy, and start a policy session of type TPM_SE_POLICY. The policy digest is returned, but I can't get the session handle. So how to get the session handle? Thanks. * Shirley

5 months, 2 weeks

2
3
0 / 0

[RC] tpm2-tools: 4.1.1-RC0

by Roberts, William C

Hello, I'd like to announce that tpm2-tools release 4.1.1-RC0 is now available: https://github.com/tpm2-software/tpm2-tools/releases/tag/4.1.1-RC0 The changes are below: * tpm2_certify: Fix output of attestation data including size field. Now outputs just bytes. * tpm2_certifycreation: Fix tool to match manpage where the code had the -C and -c options reversed. * tpm2_gettime: Fix output of attestation data including size field. Now outputs just bytes. * tpm2_nvcertify: Fix output of attestation data including size field. Now outputs just bytes. * tpm2_nvreadpublic: add name hash output. * tpm2_import: Support object policies when importing raw key material. * Fix overflow in pcrs.h where sizeof() was used instead of ARRAY_LEN(). * build: - Fix compilation inssue: lib/tpm2_hash.c:17:19: note: 'left' was declared here. * man: - Fix manpage examples that have "sha" instead of "sha1" - tpm2_shutdown manpage was missing, add it to build. I'd like to point out these 3 changes: * tpm2_certify: Fix output of attestation data including size field. Now outputs just bytes. * tpm2_gettime: Fix output of attestation data including size field. Now outputs just bytes. * tpm2_nvcertify: Fix output of attestation data including size field. Now outputs just bytes. We had a bug where we outputting the structure rather than just the signature bytes, *so there is a format change on this*. We considered this a bug, and since the on-disk format is likely not long lived (like a key blob would be), we didn't do a major or minor version bump, just a patch level bump. Please let me know if this is a problem for you. Bill

5 months, 2 weeks

1
0
0 / 0

[RC] tpm2-pkcs11: 1.0-RC1 is now available

by Roberts, William C

Hello, 1.0-RC1 of the tpm2-pkcs11 project is now available. This fixes the dist packaging to now include tpm2_ptool as well is issue #264 where command createloaded was used, and some TPM's do not support that command. It will now fall back to the individual create/load commands. https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.0-RC1

5 months, 2 weeks

1
0
0 / 0

tpm2_create signature verification fails due to "RSA_padding_check_PKCS_type1:invalid padding"

by Niklas Andersson

openssl can not verify plain signature (256 bytes) from tpm2_certify due to bad padding. *This should work (verification of signature from tpm2_certifycreation works fine):* openssl dgst -verify ../AIKOpaque.der -keyform der -sha1 -signature Signature KeyAttest.bin Verification Failure *....examine:* openssl rsautl -verify -inkey ../AIKOpaque.der -in Signature -pubin -keyform der -pkcs > decrypted.bin RSA operation error 140654247387584:error:0407008A:rsa routines:R*SA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:67:* 140654247387584:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:582: *..Same operation on a plain signature from tpm2_certifycreation works:* openssl rsautl -verify -inkey ../AIKOpaque.der -in ../IdBinding.EXTRACTED_TPMT_SIGNATURE -pubin -keyform der > decrypted.bin dumpasn1 decrypted.bin 0 33: SEQUENCE { 2 9: SEQUENCE { 4 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 11 0: NULL : } 13 20: OCTET STRING 2D A1 D1 30 3A D2 FD 68 A1 5A 2F 9B 8B C1 1E DB 36 A7 7C D4 : } So. It looks like a bug in tpm2_certify. tool="tpm2_certify" version="4.1" tctis="libtss2-tctildr" tcti-default=tcti-device tpm2-tss 2.3.2-rc0 Regards, Niklas

5 months, 3 weeks

3
10
0 / 0

tpm2-pcs11: Release 1.0-RC0

by Roberts, William C

Hello, I'd like to announce the first release candidate for tpm2-pkcs11: https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.0-RC0 Well there is still a lot of features to add and bugs to address, this provides a great base to work from and stabilizes the database. Having the database finally stable means that objects generated will continue to work as we advance forward with development. During the RC process we will only address bugs critical to the release, other issues, like needed features will be worked on in subsequent releases. Thanks, Bill

5 months, 3 weeks

1
0
0 / 0

2020

2019

2018

2017

tpm2 December 2019