March 2019 - tpm2 - Ml01.01.Org

Re: [tpm2] tpm2 Digest, Vol 21, Issue 16

by Desai, Imran

@songwu you can see the example for policycommandcode here https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_policyco... ________________________________________ From: tpm2 [tpm2-bounces(a)lists.01.org] on behalf of tpm2-request(a)lists.01.org [tpm2-request(a)lists.01.org] Sent: Friday, March 29, 2019 12:28 AM To: tpm2(a)lists.01.org Subject: tpm2 Digest, Vol 21, Issue 16 Send tpm2 mailing list submissions to tpm2(a)lists.01.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.01.org/mailman/listinfo/tpm2 or, via email, send a message with subject or body 'help' to tpm2-request(a)lists.01.org You can reach the person managing the list at tpm2-owner(a)lists.01.org When replying, please edit your Subject line so it is more specific than "Re: Contents of tpm2 digest..." Today's Topics: 1. Re: Get error 0x99D in function Tss2_Sys_AC_Send() when sending data from TPM to AC (Shen, Songwu) ---------------------------------------------------------------------- Message: 1 Date: Fri, 29 Mar 2019 07:27:59 +0000 From: "Shen, Songwu" <songwu.shen(a)intel.com> To: "Struk, Tadeusz" <tadeusz.struk(a)intel.com>, "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>, "Tricca, Philip B" <philip.b.tricca(a)intel.com> Subject: Re: [tpm2] Get error 0x99D in function Tss2_Sys_AC_Send() when sending data from TPM to AC Message-ID: <14BD9F96BC6E0B4F8E42994AF8E306D4CAE1C9(a)shsmsx102.ccr.corp.intel.com> Content-Type: text/plain; charset="us-ascii" Hi Tadeusz, Maybe before calling TSS2_Sys_AC_SEND(), we should call Tss2_Sys_PolicyCommandCode() to set policySession->commandCode to TPM2_CC_AC_Send according to the spec. But I still don't know how to program it, could you provide any sample for Tss2_Sys_PolicyCommandCode() and Tss2_Sys_AC_SEND()? Thanks Songwu From: Shen, Songwu Sent: Friday, March 29, 2019 10:24 AM To: Struk, Tadeusz <tadeusz.struk(a)intel.com>; tpm2(a)lists.01.org; Tricca, Philip B <philip.b.tricca(a)intel.com> Subject: RE: Get error 0x99D in function Tss2_Sys_AC_Send() when sending data from TPM to AC Hi Tadeusz, Thank you for correction:) I look into the spec and I'm sending TPM2_AC_SEND command, it mentioned that policySession->commandCode of policy session context is required to be TPM_CC_AC_SEND, otherwise it will report TPM_RC_POLICY_FAIL. But I can't find the definition of policySession in TPM spec part2, and commandCode: [cid:image001.png@01D4E619.3AC002A0] Could you help? Thanks Songwu -----Original Message----- From: Struk, Tadeusz Sent: Friday, March 29, 2019 6:37 AM To: Shen, Songwu <songwu.shen(a)intel.com<mailto:songwu.shen@intel.com>>; tpm2(a)lists.01.org<mailto:tpm2@lists.01.org>; Tricca, Philip B <philip.b.tricca(a)intel.com<mailto:philip.b.tricca@intel.com>> Subject: Re: Get error 0x99D in function Tss2_Sys_AC_Send() when sending data from TPM to AC Hello, On 3/28/19 1:06 AM, Shen, Songwu wrote: > Under Windows, I encounter an error 0x99D response from the TPM when calling function Tss2_Sys_AC_Send() to send data from TPM to Attached Component. > > And searching in the TPM spec, looks like this is the error: As far as I can see the 0x99D is a policy check failed. The spec says that for TPM2_AC_Send the authorization for sendObject is required to be a policy session. Make sure that you setup your authorization correctly. Thanks, -- Tadeusz

2 years

1
0
0 / 0

Get error 0x99D in function Tss2_Sys_AC_Send() when sending data from TPM to AC

by Shen, Songwu

Dear sir, Under Windows, I encounter an error 0x99D response from the TPM when calling function Tss2_Sys_AC_Send() to send data from TPM to Attached Component. And searching in the TPM spec, looks like this is the error: [cid:image001.jpg@01D4E580.3C4ED180] But I don't understand which one is the 6th authorization session handle for the function: TSS2_RC Tss2_Sys_AC_Send( TSS2_SYS_CONTEXT *sysContext, TPMI_DH_OBJECT sendObject, TPMI_RH_NV_AUTH authHandle, TPMI_RH_AC ac, TSS2L_SYS_AUTH_COMMAND const *cmdAuthsArray, TPM2B_MAX_BUFFER *acDataIn, TPMS_AC_OUTPUT *acDataOut, TSS2L_SYS_AUTH_RESPONSE *rspAuthsArray) Could anybody help me out here? And there is no sample code to show how to use this function, so I'm stuck by this issue. Thanks in advance! Songwu Shen Shanghai, China Tel: 86-18702108195 Email: songwu.shen(a)intel.com<mailto:songwu.shen@intel.com>

2 years

2
3
0 / 0

tpm2-tss 2.2.2

by Tadeusz Struk

Hello, I'm happy to announce that the tpm2-tss v2.2.2 is out. It can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.2.2 All changes and fixed issues are listed in the CHANGELOG.md file. Thanks, -- Tadeusz

2 years

1
0
0 / 0

tpm2-tss-engine (for OpenSSL) v1.0.0-rc3

by Fuchs, Andreas

Hello all, a new rc for the first stable version of the tpm2-tss-engine 1.0.0-rc3 is out: https://github.com/tpm2-software/tpm2-tss-engine/releases/tag/v1.0.0-rc3 This updates the version of tpm2-tss to 2.2.2 in INSTALL.md. So no changed to the engine itself. We might even shorten the rc window to the end of this week, if tpm2-tss 2.2.2 releases until then. Thanks a lot, Andreas _______________________________________________ tpm2 mailing list tpm2(a)lists.01.org https://lists.01.org/mailman/listinfo/tpm2

2 years

1
0
0 / 0

tpm2-totp v0.1.1-rc0

by Fuchs, Andreas

Hello all, an updated bug-fix (right after stable) is out: https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.1.1-rc0 Increases compatibility with TPMs. Thanks, Andreas ________________________________________ From: tpm2 [tpm2-bounces(a)lists.01.org] on behalf of Fuchs, Andreas [andreas.fuchs(a)sit.fraunhofer.de] Sent: Monday, March 25, 2019 14:24 To: tpm2(a)lists.01.org Subject: [tpm2] tpm2-totp v0.1.0 Hello all, the first release for tpm2-totp 0.1.0 is out: https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.1.0 Thanks a lot, Andreas _______________________________________________ tpm2 mailing list tpm2(a)lists.01.org https://lists.01.org/mailman/listinfo/tpm2

2 years

1
0
0 / 0

tpm2-totp v0.1.0

by Fuchs, Andreas

Hello all, the first release for tpm2-totp 0.1.0 is out: https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.1.0 Thanks a lot, Andreas

2 years

1
0
0 / 0

tpm2-tss-engine (for OpenSSL) v1.0.0-rc2

by Fuchs, Andreas

Hello all, a new rc for the first stable version of the tpm2-tss-engine 1.0.0-rc2 is out: https://github.com/tpm2-software/tpm2-tss-engine/releases/tag/v1.0.0-rc2 This time we only bump the required version of tpm2-tss to 2.2.2. So no changed to the engine itself. This is expected to be the last rc. We might even shorten the rc window to the end of this week, if tpm2-tss releases until then. Thanks a lot, Andreas

2 years

1
0
0 / 0

tpm2-tss 2.2.2-rc0

by Tadeusz Struk

Hello, A new release candidate for tpm2-tss 2.2.2 is out. It can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.2.2_rc0 All changes and fixed issues are listed in the CHANGELOG.md file. Please give it some testing. Any feedback is appreciated. Thanks, -- Tadeusz

2 years

1
0
0 / 0

Re: [tpm2] [openssl-tpm2-engine] Support for EAP-TLS with openssl TPM2 engine

by David Woodhouse

On Thu, 2019-03-14 at 10:50 -0700, James Bottomley wrote: > On Thu, 2019-03-14 at 09:57 -0700, David Woodhouse wrote: > > On Thu, 2019-03-14 at 09:27 -0700, James Bottomley wrote: > > > On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote: > > > > On Wed, Mar 13, 2019 at 04:56:17PM -0700, David Woodhouse wrote: > > > > > Here's a quick hack to make it work by abusing the OpenSC > > > > > engine config, as a proof of concept. Making it work cleanly so > > > > > that it can be merged is left as an exercise for the reader, or > > > > > perhaps an interested party in one of the mailing lists I've > > > > > added to Cc. > > > > > > Well, you can't have the engine name hard coded ... that really > > > needs to be some type of parameter, which is going to be 99% of the > > > hassle making a proper patch ... > > > > And of course, it shouldn't have to be specified at all. If given a > > PEM file which happens to look like a TPM2 engine key, then the > > appropriate engine should be invoked automatically. > > Hey don't beat me on the sore spot ... :) This isn't really that hard to do in applications. For those using OpenSSL it's just a case of making them recognise the appropriate -----BEGIN string and invoke the engine appropriately. Once my support gets merged into GnuTLS, it really can be automatic with the application not having to do anything at all. OpenSSL might get there too, once we have STORE support working in applications. > > Although if you just wanted to use those keys with GnuTLS, you could > > have done that directly. I already ported it all except the new > > "importable" keys support. > > > > http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/gnutls_tp... > > Well, you know, using engines with gnutls does mean we don't have to > write the same code twice over ... I'm not convinced that an OpenSSL ENGINE is the right form for implementing this kind of thing in the general case. PKCS#11 is much better as an existing portable standard, although it doesn't fit the TPMv2 usage model very well. Even OpenSSL is moving away from ENGINEs to a different plugin mechanism.

2 years, 1 month

1
0
0 / 0

Re: [tpm2] [openssl-tpm2-engine] Support for EAP-TLS with openssl TPM2 engine

by David Woodhouse

On Thu, 2019-03-14 at 09:27 -0700, James Bottomley wrote: > On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote: > > On Wed, Mar 13, 2019 at 04:56:17PM -0700, David Woodhouse wrote: > > > Here's a quick hack to make it work by abusing the OpenSC engine > > > config, as a proof of concept. Making it work cleanly so that it > > > can be merged is left as an exercise for the reader, or perhaps an > > > interested party in one of the mailing lists I've added to Cc. > > Well, you can't have the engine name hard coded ... that really needs > to be some type of parameter, which is going to be 99% of the hassle > making a proper patch ... And of course, it shouldn't have to be specified at all. If given a PEM file which happens to look like a TPM2 engine key, then the appropriate engine should be invoked automatically. > Just on this particular part: I recently got annoyed with the inability > to use TPM keys on firefox. I did look at the tpm pkcs11 projects but > they all looked deficient to say the least, so I put together this > > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl-pkcs11-expor... > > It's a generic engine key to pkcs11 exporter (will work for any openssl > engine) driven by a simple ini like config file. The big advantage it > has is that now I can use openssl engines with gnutls. Nice. I like the fact that it interoperates with the key storage format we agreed upon for the ENGINEs. Although if you just wanted to use those keys with GnuTLS, you could have done that directly. I already ported it all except the new "importable" keys support. http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/gnutls_tp... > Going the pkcs11 route is definitely the heath robinson approach, so > the direct engine route is definitely much better. :)

2 years, 1 month

1
0
0 / 0

2021

2020

2019

2018

2017

tpm2 March 2019