Re: [tpm2] tpm2 Digest, Vol 21, Issue 16
by Desai, Imran
@songwu you can see the example for policycommandcode here https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_policyco...
________________________________________
From: tpm2 [tpm2-bounces(a)lists.01.org] on behalf of tpm2-request(a)lists.01.org [tpm2-request(a)lists.01.org]
Sent: Friday, March 29, 2019 12:28 AM
To: tpm2(a)lists.01.org
Subject: tpm2 Digest, Vol 21, Issue 16
Message: 1
Date: Fri, 29 Mar 2019 07:27:59 +0000
From: "Shen, Songwu" <songwu.shen(a)intel.com>
To: "Struk, Tadeusz" <tadeusz.struk(a)intel.com>, "tpm2(a)lists.01.org"
<tpm2(a)lists.01.org>, "Tricca, Philip B" <philip.b.tricca(a)intel.com>
Subject: Re: [tpm2] Get error 0x99D in function Tss2_Sys_AC_Send()
when sending data from TPM to AC
Hi Tadeusz,
Maybe before calling Tss2_Sys_AC_Send(), we should call Tss2_Sys_PolicyCommandCode() to set policySession->commandCode to TPM2_CC_AC_Send, according to the spec.
But I still don't know how to program it. Could you provide a sample for Tss2_Sys_PolicyCommandCode() and Tss2_Sys_AC_Send()?
Thanks
Songwu
From: Shen, Songwu
Sent: Friday, March 29, 2019 10:24 AM
To: Struk, Tadeusz <tadeusz.struk(a)intel.com>; tpm2(a)lists.01.org; Tricca, Philip B <philip.b.tricca(a)intel.com>
Subject: RE: Get error 0x99D in function Tss2_Sys_AC_Send() when sending data from TPM to AC
Hi Tadeusz,
Thank you for the correction :)
I looked into the spec. I'm sending the TPM2_AC_SEND command,
and it mentions that policySession->commandCode of the policy session context is required to be TPM_CC_AC_SEND, otherwise it will report TPM_RC_POLICY_FAIL.
But I can't find the definition of policySession, or of commandCode, in TPM spec part 2:
[inline image omitted]
Could you help?
Thanks
Songwu
-----Original Message-----
From: Struk, Tadeusz
Sent: Friday, March 29, 2019 6:37 AM
To: Shen, Songwu <songwu.shen(a)intel.com>; tpm2(a)lists.01.org; Tricca, Philip B <philip.b.tricca(a)intel.com>
Subject: Re: Get error 0x99D in function Tss2_Sys_AC_Send() when sending data from TPM to AC
Hello,
On 3/28/19 1:06 AM, Shen, Songwu wrote:
> Under Windows, I get an error 0x99D response from the TPM when calling the function Tss2_Sys_AC_Send() to send data from the TPM to the Attached Component.
>
> Searching the TPM spec, it looks like this is the error:
As far as I can see, 0x99D is a policy check failure.
The spec says that for TPM2_AC_Send the authorization for sendObject is required to be a policy session.
Make sure that you set up your authorization correctly.
Thanks,
--
Tadeusz
Get error 0x99D in function Tss2_Sys_AC_Send() when sending data from TPM to AC
by Shen, Songwu
Dear sir,
Under Windows, I get an error 0x99D response from the TPM when calling the function Tss2_Sys_AC_Send() to send data from the TPM to the Attached Component.
Searching the TPM spec, it looks like this is the error:
[inline image omitted]
But I don't understand which one is the 6th authorization session handle for the function:
TSS2_RC Tss2_Sys_AC_Send(
    TSS2_SYS_CONTEXT *sysContext,
    TPMI_DH_OBJECT sendObject,
    TPMI_RH_NV_AUTH authHandle,
    TPMI_RH_AC ac,
    TSS2L_SYS_AUTH_COMMAND const *cmdAuthsArray,
    TPM2B_MAX_BUFFER *acDataIn,
    TPMS_AC_OUTPUT *acDataOut,
    TSS2L_SYS_AUTH_RESPONSE *rspAuthsArray)
Could anybody help me out here? There is no sample code showing how to use this function, so I'm stuck on this issue.
Thanks in advance!
Songwu Shen
Shanghai, China
Tel: 86-18702108195
Email: songwu.shen(a)intel.com
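As an added worked example (not code from this thread or from tpm2-tss), for Songwu's question about the 0x99D response and Tadeusz's reading of it as a policy check failure: the Python below decodes a format-one TPM 2.0 response code into its error, kind and index, which for 0x99D gives TPM_RC_POLICY_FAIL on session 1, the session that authorizes sendObject, and it computes, following the spec's TPM2_PolicyCommandCode formula, the authPolicy a sendObject must carry for a policy session extended only with PolicyCommandCode(TPM2_CC_AC_Send) to satisfy it. The decoder is general (it also handles parameter and handle errors), the constants are the TPM 2.0 values as named in tpm2-tss, and no TPM is needed to run it.

```python
import hashlib

# TPM 2.0 response-code bit layout and command codes, as defined in the TPM 2.0
# Library spec (Part 2) and named in tpm2-tss's tss2_tpm2_types.h.
TPM2_RC_FMT1 = 0x080      # format-one error codes carry a handle/session/param index
TPM2_RC_P = 0x040         # set: the index names a parameter
TPM2_RC_S = 0x800         # with P clear: 1 = session, 0 = handle
TPM2_RC_N_MASK = 0x700    # the 1-based index itself
FMT1_NAMES = {TPM2_RC_FMT1 + 0x004: "TPM_RC_VALUE",
              TPM2_RC_FMT1 + 0x01D: "TPM_RC_POLICY_FAIL"}
TPM2_CC_PolicyCommandCode = 0x0000016C
TPM2_CC_AC_Send = 0x00000195

def decode_fmt1(rc):
    """Split a format-one response code into (error name, kind, index)."""
    if not rc & TPM2_RC_FMT1:
        raise ValueError("0x%X is not a format-one response code" % rc)
    base = TPM2_RC_FMT1 | (rc & 0x03F)
    index = (rc & TPM2_RC_N_MASK) >> 8
    if rc & TPM2_RC_P:
        kind = "parameter"
    elif rc & TPM2_RC_S:
        kind = "session"
    else:
        kind = "handle"
    return FMT1_NAMES.get(base, "0x%03X" % base), kind, index

def policy_command_code(policy_digest, command_code, hash_alg="sha256"):
    """TPM2_PolicyCommandCode extends the session digest as
    H(policyDigest_old || TPM_CC_PolicyCommandCode || code)."""
    h = hashlib.new(hash_alg)
    h.update(policy_digest)
    h.update(TPM2_CC_PolicyCommandCode.to_bytes(4, "big"))
    h.update(command_code.to_bytes(4, "big"))
    return h.digest()

def ac_send_auth_policy(hash_alg="sha256"):
    """authPolicy a sendObject needs when its policy is only
    PolicyCommandCode(TPM2_CC_AC_Send): a fresh policy session starts at an
    all-zero digest, and after that one assertion its digest must equal this
    value, otherwise AC_Send answers TPM_RC_POLICY_FAIL."""
    empty = bytes(hashlib.new(hash_alg).digest_size)
    return policy_command_code(empty, TPM2_CC_AC_Send, hash_alg)

if __name__ == "__main__":
    name, kind, idx = decode_fmt1(0x99D)
    # session 1 of TPM2_AC_Send authorizes sendObject, its first handle
    print("0x99D = %s on %s %d" % (name, kind, idx))
    print("sendObject authPolicy (sha256):", ac_send_auth_policy().hex())
```

If the object was created with a different authPolicy, the session digest cannot match and AC_Send fails the same way, so comparing this value against the key's authPolicy is the first check before debugging the session setup.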
Re: [tpm2] [openssl-tpm2-engine] Support for EAP-TLS with openssl TPM2 engine
by David Woodhouse
On Thu, 2019-03-14 at 10:50 -0700, James Bottomley wrote:
> On Thu, 2019-03-14 at 09:57 -0700, David Woodhouse wrote:
> > On Thu, 2019-03-14 at 09:27 -0700, James Bottomley wrote:
> > > On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote:
> > > > On Wed, Mar 13, 2019 at 04:56:17PM -0700, David Woodhouse wrote:
> > > > > Here's a quick hack to make it work by abusing the OpenSC
> > > > > engine config, as a proof of concept. Making it work cleanly so
> > > > > that it can be merged is left as an exercise for the reader, or
> > > > > perhaps an interested party in one of the mailing lists I've
> > > > > added to Cc.
> > >
> > > Well, you can't have the engine name hard coded ... that really
> > > needs to be some type of parameter, which is going to be 99% of the
> > > hassle making a proper patch ...
> >
> > And of course, it shouldn't have to be specified at all. If given a
> > PEM file which happens to look like a TPM2 engine key, then the
> > appropriate engine should be invoked automatically.
>
> Hey don't beat me on the sore spot ...
:)
This isn't really that hard to do in applications. For those using
OpenSSL it's just a case of making them recognise the appropriate
-----BEGIN string and invoke the engine appropriately.
Once my support gets merged into GnuTLS, it really can be automatic
with the application not having to do anything at all. OpenSSL might
get there too, once we have STORE support working in applications.
> > Although if you just wanted to use those keys with GnuTLS, you could
> > have done that directly. I already ported it all except the new
> > "importable" keys support.
> >
> > http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/gnutls_tp...
>
> Well, you know, using engines with gnutls does mean we don't have to
> write the same code twice over ...
I'm not convinced that an OpenSSL ENGINE is the right form for
implementing this kind of thing in the general case. PKCS#11 is much
better as an existing portable standard, although it doesn't fit the
TPMv2 usage model very well.
Even OpenSSL is moving away from ENGINEs to a different plugin
mechanism.
Re: [tpm2] [openssl-tpm2-engine] Support for EAP-TLS with openssl TPM2 engine
by David Woodhouse
On Thu, 2019-03-14 at 09:27 -0700, James Bottomley wrote:
> On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote:
> > On Wed, Mar 13, 2019 at 04:56:17PM -0700, David Woodhouse wrote:
> > > Here's a quick hack to make it work by abusing the OpenSC engine
> > > config, as a proof of concept. Making it work cleanly so that it
> > > can be merged is left as an exercise for the reader, or perhaps an
> > > interested party in one of the mailing lists I've added to Cc.
>
> Well, you can't have the engine name hard coded ... that really needs
> to be some type of parameter, which is going to be 99% of the hassle
> making a proper patch ...
And of course, it shouldn't have to be specified at all. If given a PEM
file which happens to look like a TPM2 engine key, then the appropriate
engine should be invoked automatically.
> Just on this particular part: I recently got annoyed with the inability
> to use TPM keys on firefox. I did look at the tpm pkcs11 projects but
> they all looked deficient to say the least, so I put together this
>
> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl-pkcs11-expor...
>
> It's a generic engine key to pkcs11 exporter (will work for any openssl
> engine) driven by a simple ini like config file. The big advantage it
> has is that now I can use openssl engines with gnutls.
Nice. I like the fact that it interoperates with the key storage format
we agreed upon for the ENGINEs.
Although if you just wanted to use those keys with GnuTLS, you could
have done that directly. I already ported it all except the new
"importable" keys support.
http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/gnutls_tp...
> Going the pkcs11 route is definitely the Heath Robinson approach, so
> the direct engine route is definitely much better.
:)