[RELEASE] tpm2-tools: release 3.2.0
by Roberts, William C
Release 3.2.0 is available:
https://github.com/tpm2-software/tpm2-tools/releases/tag/3.2.0
Fixes:
fix configure bug for linking against libmu.
tpm2_changeauth: Support changing platform hierarchy auth.
tpm2_flushcontext: Introduce new tool for flushing handles from the TPM.
tpm2_checkquote: Introduce new tool for checking validity of quotes.
tpm2_quote: Add ability to output PCR values for quotes.
tpm2_makecredential: add support for executing tool off-TPM.
tpm2_pcrreset: introduce new tool for resetting PCRs.
tpm2_quote: Fix AK auth password not being used.
1 year, 10 months
How to implement key distribution using tpm2_import and tpm2_load?
by Caiqishen
In the book "A Practical Guide to TPM 2.0", there's a process describing key distribution, which is as follows:
1. The central IT system creates an HMAC key using TPM2_GetRandom.
2. The central IT system encrypts the HMAC key with the public portion of the target client’s storage key.
3. The central IT system signs the encrypted HMAC key with its private signing key. This is done so the local platform knows that what is being sent is authorized by IT.
4. The encrypted HMAC key is sent to the client along with a signature that proves it came from the central IT system.
5. The client verifies the signature on the encrypted key by loading the central server’s public key. (This can be done with the TPM using TPM2_Load and then using TPM2_VerifySignature, if you like.)
6. The client imports the verified, encrypted HMAC key into its system using TPM2_Import, getting out a loadable, encrypted blob containing the HMAC key.
7. The client loads the HMAC key when the user wishes to use it, using TPM2_Load, and uses it as normal.
At this point, the local platform has received an HMAC key from the IT central system that has never been decrypted in the local system’s memory.
I wonder how to encrypt the HMAC key and how to import it using TPM2_Import. How do I import a symmetric key encrypted by an RSA public key? I appreciate any replies, thanks!
1 year, 10 months
tpm2-tools: 3.2.0-rc1
by Roberts, William C
New 3.2.0 RC1 of tools is available:
CHANGES since 3.1.4 (all):
RC1:
- fix configure bug for linking against libmu.
RC0:
- tpm2_changeauth: Support changing platform hierarchy auth.
- tpm2_flushcontext: Introduce new tool for flushing handles from the TPM.
- tpm2_checkquote: Introduce new tool for checking validity of quotes.
- tpm2_quote: Add ability to output PCR values for quotes.
- tpm2_makecredential: add support for executing tool off-TPM.
- tpm2_pcrreset: introduce new tool for resetting PCRs.
- tpm2_quote: Fix AK auth password not being used.
https://github.com/tpm2-software/tpm2-tools/releases/tag/3.2.0-rc1
----
Bill
1 year, 10 months
TPM Object Duplication questions
by Jordan Hand
Hello,
I am wondering, is it possible to have the TPM duplicate a key without
adding a policy digest with
“Esys_PolicyCommandCode(TPM2_CC_DUPLICATION)” to the object's
authPolicy?
Here is why I ask:
I have some data that I want to (1) seal to the PCR state on a TPM
with EK, duplicate, (2) import/load on the same TPM as a child of the
EK, and (3) unseal. I do this to test unsealing data that was sealed
remotely.
For background on why I need to do this: The remote service whose
behavior I am emulating doesn't use a TPM to do the sealing, it
implements the same functionality outside the TPM and uses the EK pub
it gets from the client. But I am not able to run this code in my
tests.
The flow I use is:
* Create and start a trial session
* call Esys_PolicyCommandCode(TPM2_CC_DUPLICATION) on the session
* call Esys_PolicyPcr on the session
* Get the digest of the session
* Set session digest as inPub.publicArea.authPolicy
* Esys_CreateObject
* Esys_Load(createdObject)
* Start policy session
* call same Esys_PolicyCommandCode and Esys_PolicyPcr
* Esys_Duplicate
This works fine. Now the problem is that the created object requires a
policy that has Esys_PolicyCommandCode and Esys_PolicyPcr set. But the
caller to Esys_Unseal should be able to unseal with just the PolicyPcr
session. I need to set PolicyCommandCode to duplicate the object but
then I don’t want to enforce that policy during Unseal. It seems like
the policy digest from authPolicy needs to match exactly the session
digest I use when calling Esys_Unseal.
The other option is to create the object outside the TPM and just
implement all the object creation/sealing myself. But I would rather
have the TPM do the heavy lifting.
Please let me know if I can clarify anything here.
Thanks,
Jordan
1 year, 10 months
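The digest comparison behind the question in the message above, as an added example that is not part of the original post or of tpm2-tss: it recomputes in software the policyDigest a trial session would produce for the posted flow and for a PolicyPCR-only session. Assumptions: a SHA-256 session, PCRs 0 and 7 with constructed values, command codes taken from the TCG TPM 2.0 Structures specification, and hypothetical function names.

```python
import hashlib
import struct

# Command codes and algorithm ID from the TCG TPM 2.0 "Structures" specification
TPM_CC_DUPLICATE = 0x0000014B
TPM_CC_POLICY_COMMAND_CODE = 0x0000016C
TPM_CC_POLICY_PCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
ZERO = bytes(32)  # policyDigest of a freshly started SHA-256 session

def extend(digest, *parts):
    """policyDigest_new = H(policyDigest_old || parts...)"""
    return hashlib.sha256(digest + b"".join(parts)).digest()

def policy_command_code(digest, command_code):
    return extend(digest, struct.pack(">II", TPM_CC_POLICY_COMMAND_CODE, command_code))

def pcr_selection(pcrs, bank=TPM_ALG_SHA256):
    """Marshal a one-bank TPML_PCR_SELECTION with a 3-byte select bitmap."""
    bitmap = bytearray(3)
    for index in pcrs:
        bitmap[index // 8] |= 1 << (index % 8)
    return struct.pack(">IHB", 1, bank, 3) + bytes(bitmap)

def policy_pcr(digest, pcrs, pcr_values):
    # digestTPM is the hash over the selected PCR values in index order
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in sorted(pcrs))).digest()
    return extend(digest, struct.pack(">I", TPM_CC_POLICY_PCR),
                  pcr_selection(pcrs), pcr_digest)

# Constructed PCR values, for illustration only
PCRS = {0: bytes(32), 7: hashlib.sha256(b"constructed PCR 7").digest()}

def auth_policy_as_posted():
    """PolicyCommandCode(Duplicate) then PolicyPCR, as in the posted flow."""
    return policy_pcr(policy_command_code(ZERO, TPM_CC_DUPLICATE), [0, 7], PCRS)

def pcr_only_session_digest():
    """What a session holds after PolicyPCR alone."""
    return policy_pcr(ZERO, [0, 7], PCRS)

def reversed_order_digest():
    """Same two assertions in the other order: the digest is order-sensitive."""
    return policy_command_code(policy_pcr(ZERO, [0, 7], PCRS), TPM_CC_DUPLICATE)

def session_satisfies(auth_policy, session_digest):
    # A policy session authorizes use only if its digest equals authPolicy
    return auth_policy == session_digest

if __name__ == "__main__":
    print("authPolicy (posted flow):", auth_policy_as_posted().hex())
    print("PolicyPCR-only session  :", pcr_only_session_digest().hex())
    print("match:", session_satisfies(auth_policy_as_posted(), pcr_only_session_digest()))
```

Each policy command folds its own command code and parameters into the running hash, so a session that skips or reorders a step can never reach the digest stored in authPolicy.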
tpm2-tools: 3.2.0-rc0
by Roberts, William C
New RC0 of tools is available:
CHANGES since 3.1.4:
- tpm2_changeauth: Support changing platform hierarchy auth.
- tpm2_flushcontext: Introduce new tool for flushing handles from the TPM.
- tpm2_checkquote: Introduce new tool for checking validity of quotes.
- tpm2_quote: Add ability to output PCR values for quotes.
- tpm2_makecredential: add support for executing tool off-TPM.
- tpm2_pcrreset: introduce new tool for resetting PCRs.
- tpm2_quote: Fix AK auth password not being used.
https://github.com/tpm2-software/tpm2-tools/releases/tag/3.2.0-rc0
----
Bill
1 year, 10 months