June 2019 - tpm2 - Ml01.01.Org

by Roberts, William C

Release 3.2.0 is available: https://github.com/tpm2-software/tpm2-tools/releases/tag/3.2.0 Fixes: fix configure bug for linking against libmu. tpm2_changeauth: Support changing platform hierarchy auth. tpm2_flushcontext: Introduce new tool for flushing handles from the TPM. tpm2_checkquote: Introduce new tool for checking validity of quotes. tpm2_quote: Add ability to output PCR values for quotes. tpm2_makecredential: add support for executing tool off-TPM. tpm2_pcrreset: introduce new tool for resetting PCRs. tpm2_quote: Fix AK auth password not being used.

1 year, 10 months

1
0
0 / 0

How to implement key distribution using tpm2_import and tpm2_load？

by Caiqishen

In the book, "A Practical Guide to TPM 2.0", there's a process describing key distribution which is as the following: 1. The central IT system creates an HMAC key using TPM2_GetRandom. 2. The central IT system encrypts the HMAC key with the public portion of the target client’s storage key. 3. The central IT system signs the encrypted HMAC key with its private signing key. This is done so the local platform knows that what is being sent is authorized by IT. 4. The encrypted HMAC key is sent to the client along with a signature that proves it came from the central IT system. 5. The client verifies the signature on the encrypted key by loading the central server’s public key. (This can be done with the TPM using TPM2_Load and then using TPM2_VerifySignature, if you like.) 6. The client imports the verified, encrypted HMAC key into its system using TPM2_Import, getting out a loadable, encrypted blob containing the HMAC key. 7. The client loads the HMAC key when the user wishes to use it, using TPM2_Load, and uses it as normal. At this point, the local platform has received an HMAC key from the IT central 8. system that has never been decrypted in the local system’s memory. I wonder how to encrypts the HMAC key and how to import it using TPM2_Import? How to import a symmetric key encrypted by a rsa public key? Appreciate for any replies, thanks!

1 year, 10 months

2
1
1 / 0

tpm2-tools: 3.2.0-rc1

by Roberts, William C

New 3.2.0 RC1 of tools is available: CHANGES since 3.1.4 (all): RC1: - fix configure bug for linking against libmu. RC0: - tpm2_changeauth: Support changing platform hierarchy auth. - tpm2_flushcontext: Introduce new tool for flushing handles from the TPM. - tpm2_checkquote: Introduce new tool for checking validity of quotes. - tpm2_quote: Add ability to output PCR values for quotes. - tpm2_makecredential: add support for executing tool off-TPM. - tpm2_pcrreset: introduce new tool for resetting PCRs. - tpm2_quote: Fix AK auth password not being used. https://github.com/tpm2-software/tpm2-tools/releases/tag/3.2.0-rc1 ---- Bill

1 year, 10 months

1
0
0 / 0

PKCS#11 3.0 spec up for 30 day public review

by Tricca, Philip B

Given the interest in tpm2-pkcs11 work I thought some folks on the list would find this interesting: https://www.oasis-open.org/news/announcements/invitation-to-comment-on-fo...

1 year, 10 months

1
0
0 / 0

TPM Object Duplication questions

by Jordan Hand

Hello, I am wondering, is it possible to have the TPM duplicate a key without adding a policy digest with “Esys_PolicyCommandCode(TPM2_CC_DUPLICATION)” to the object's authPolicy. Here is why I ask: I have some data that I want to (1) seal to the PCR state on a TPM with EK, duplicate, (2) import/load on the same TPM as a child of the EK, and (3) unseal. I do this to test unsealing data that was sealed remotely. For background on why I need to do this: The remote service whose behavior I am emulating doesn't use a TPM to do the sealing, it implements the same functionality outside the TPM and uses the EK pub it gets from the client. But I am not able to run this code in my tests. The flow I use is: * Create and start a trial session * call Esys_PolicyCommandCode(TPM2_CC_DUPLICATION) on the session * call Esys_PolicyPcr on the session * Get the digest of the session * Set session digest as inPub.publicArea.authPolicy * Esys_CreateObject * Esys_Load(createdObject) * Start policy session * call same Esys_PolicyCommandCode and Esys_PolicyPcr * Esys_Duplicate This works fine. Now the problem is that the created object requires a policy that has Esys_PolicyCommandCode and Esys_PolicyPcr set. But the caller to Esys_Unseal should be able to unseal with just the PolicyPcr session. I need to set PolicyCommandCode to duplicate the object but then I don’t want to enforce that policy during Unseal. It seems like the policy digest from authPolicy needs to match exactly the session digest I use when calling Esys_Unseal. The other option is to create the object outside the TPM and just implement all the object creation/sealing myself. But I would rather have the TPM do the heavy lifting. Please let me know if I can clarify anything here. Thanks, Jordan

1 year, 10 months

2
1
0 / 0

tpm2-tools: 3.2.0-rc0

by Roberts, William C

New RC0 of tools is available: CHANGES since 3.1.4: - tpm2_changeauth: Support changing platform hierarchy auth. - tpm2_flushcontext: Introduce new tool for flushing handles from the TPM. - tpm2_checkquote: Introduce new tool for checking validity of quotes. - tpm2_quote: Add ability to output PCR values for quotes. - tpm2_makecredential: add support for executing tool off-TPM. - tpm2_pcrreset: introduce new tool for resetting PCRs. - tpm2_quote: Fix AK auth password not being used. https://github.com/tpm2-software/tpm2-tools/releases/tag/3.2.0-rc0 ---- Bill

1 year, 10 months

1
0
0 / 0

2021

2020

2019

2018

2017

tpm2 June 2019