October 2020 - tpm2 - Ml01.01.Org

by Fuchs, Andreas

Hi all, I just wanted to announce the availability of a policy editor for tpm2-tss libtss2-fapi.so and the tpm2-tools tss2_* tools on our community page: https://tpm2-software.github.io/fapipolicies/ This is based on an effort by Peter Huewe and Jürgen Repp. It's still _very_ beta, so be careful when using. Cheers, Andreas

1 year, 3 months

1
0
0 / 0

[Release Candidate] tpm2-tools 5.0-rc0

by Imran Desai

I am pleased to announce the pre-release of tpm2-tools version 5.0 available here: https://github.com/tpm2-software/tpm2-tools/releases/tag/5.0-rc0 Thank you to all the contributors for participating in this release. Your feedback for this major release is much appreciated. Some highlights: Update tpm2-tss dependency version to 3.0.1 and tpm2-abrmd dependency version to 2.3.3 tpm2_tools and tss2_tools are now a busybox style commandlet. Ie tpm2_getrandom becomes tpm2 getrandom. make install will install symlinks to the old tool names. Important enhancements and bug fixes to the FAPI tools. New tools that support TPM2 commands: TPM2_CC_CertifyX509, TPM2_CC_GetSessionAuditDigest, TPM2_CC_GetCommandAuditDigest, TPM2_CC_SetCommandCodeAuditStatus, TPM2_CC_ECC_Parameters, TPM2_CC_EC_Ephemeral, TPM2_CC_Commit, TPM2_CC_ECDH_KeyGen, TPM2_CC_ECDH_ZGen, TPM2_CC_ZGen_2Phase. Numerous bug fixes and enhancements. Please see the full release note for all the details. Thanks and Regards, Imran Desai

1 year, 3 months

2
1
0 / 0

CFP: TPM.DEV Miniconference Oct 21/22

by Ian Oliver

Call For Participation: First TPM.DEV Miniconference 2020 https://hopin.to/events/tpm-dev-2020-miniconf Agenda: Day 1 - Wednesday 21st of October 7 am PDT / 17:00 EEST Making Remote Attestation a mass practice Dimitar Tomov, Founder of TPM.dev 8 am PDT / 18:00 EEST Device ID considerations: PKI and Trust Anchors Michael Richardson 9 am PDT / 19:00 EEST Trustworthy 2020 Platforms: Mighty Mini AMD for Digital Work, Play, and Currencies Piotr Król, 3mdeb 10 am PDT / 20:00 EEST Real-life examples of wolfTPM and wolfBoot David Garske, wolfSSL Day 2 - Thursday 22nd of October 7 am PDT / 17:00 EEST Attestation meets Safety-Critical Systems Ian Oliver, Nokia Bell Labs 8 am PDT / 18:00 EEST Remote Attestation at Enterprise Scale Mathew Garret, Google 9 am PDT / 19:00 EEST An introduction to Keylime’s Remote Attestation Michael Peters, RedHat 10 am PDT / 20:00 EEST The Secure Enclaves and Attestation Ilhan Gurel, Ericsson We lower the barrier to using hardware-based security. Cloud application or IoT device, a modern connected system is at risk without a way to verify the integrity of the systems in the network. Join our mini-conference to learn how to use hardware-based security to protect your software and infrastructure. We want to remove the knowledge barrier that limits the adoption of this state-of-the-art security. Who are we? See http://tpm.dev We are a group of developers who want to make our applications and systems trusted using hardware-based security. So, the Users can verify the (cloud) servers that are used to run their applications. We want our IoT devices to existing in an Ecosystem of Trust thanks to a hardware root of trust and remote attestation. To do this we are sharing experience, we meet online every Wednesday and collaborate openly at TPM.dev Welcome to the TPM.dev 2020 Mini Conference! Please note that the Conference is open & free to attend.

1 year, 3 months

1
0
0 / 0

Re: QUEMU and TPM2 device emulation

by Roberts, William C

> -----Original Message----- > From: Serge E. Hallyn <serge(a)hallyn.com> > Sent: Wednesday, October 14, 2020 10:58 AM > To: Roberts, William C <william.c.roberts(a)intel.com> > Cc: tpm2(a)lists.01.org; ryaharpe(a)cisco.com; scmoser(a)cisco.com; linux- > integrity(a)vger.kernel.org > Subject: Re: QUEMU and TPM2 device emulation > > On Wed, Oct 14, 2020 at 03:27:53PM +0000, Roberts, William C wrote: > > Has anyone ever setup a QUEMU instance with a virtualized TPM? I need > > to try and replicate an issue with the in-kernel Resource manager. My goal is to > use the integrated QUEMU support To bring up an emulated TPM device and it's > associated RM node @ /dev/tpmrm0. > > > > I am looking at: > > https://android.googlesource.com/platform/external/qemu/+/emu-master-d > > ev/docs/specs/tpm.txt > > > > Which shows this command: > > > > qemu-system-x86_64 -display sdl -enable-kvm \ > > -m 1024 -boot d -bios bios-256k.bin -boot menu=on \ > > -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ > > -tpmdev emulator,id=tpm0,chardev=chrtpm \ > > -device tpm-tis,tpmdev=tpm0 test.img > > > > <snip> > > #> dmesg | grep -i tpm > > [ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1) > > > > I have a few questions around this that I cannot seem to dig up any > documentation on: > > 1. How to specify TPM2.0 device? The project > https://github.com/stefanberger/swtpm/wiki seems to indicate it would be > supported. > > > > 2. Does anyone know the minimum QUEMU version for this support? I > > looked in the CHANGELOG here, https://wiki.qemu.org/ChangeLog from > version 2.8 to 5.2 and never saw anything Call out TPM 2.0 specifically. > > 2.11 should suffice. > > > 3. Does anyone have or know of better documentation to set this up? If their > isn't better documentation, should we (read I) create it? This seems like a pretty > handy feature. > > I'm not sure how relevant this is any more, but I did this about two years ago and > documented it at https://s3hh.wordpress.com/2018/06/03/tpm-2-0-in-qemu/ Thanks, yeah I stumbled into this, it was super helpful. I got it working and posted back With my commands.

1 year, 3 months

2
4
0 / 0

Question: standardized development environment for TPM2 testing, regressions, etc.

by matthew＠giassa.net

Good day, Are there any "standardized" setups for TPM2 development, automated regression testing, etc.? I ask because I've replicated an existing setup where a QEMU-based VM exposes a virtualized TPM2 device that's actually just offloading to an SWTPM simulator (i.e. https://www.qemu.org/docs/master/specs/tpm.html). I created a top-level Docker-in-Docker (aka "DIND") setup where a top-level container instantiates the QEMU VM (plus some customizations, custom kernel, etc.) in one sub-container, and the simulator in another sub-container, then "wires" the two together. All 3x containers expose an SSH server instance, so it's pretty easy to access them all directly, run automated regression tests against them, etc.; without requiring a real physical TPM2 device. It's mainly intended for use as an easy-to-recreate tool for training and automated regression tests. I'm wondering if other people have created such setups, and if there's any merit in releasing the Dockerfile + build scripts for this setup (once I've resolved an issue with sysfs in another post: https://lists.01.org/hyperkitty/list/tpm2@lists.01.org/thread/FMBZO6V6QO5...). Also, I'm trying to determine where it would be be stored (i.e. which repo) if there's perceived value to it. Cheers!

1 year, 3 months

3
4
0 / 0

tpm2_clear command misbehaving?

by Petr Gotthard

Hello, I am trying to become acquainted with a TPM2.0 (an actual chip from ST) and I found an unexplainable behaviour of the tpm2_clear command. (I suspect the fault is on my side though.) As written on the man page, I did expect the tpm2_clear "Clears lockout, endorsement and owner hierarchy authorization values." (1) The -c parameter takes a hierarchy, it works on platform hierarchy, but does not work on owner. I tried: tpm2_clear -c owner which fails with "Unexpected handle - TPM2_RH_OWNER", probably because the owner hierarchy is not expected there https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_clear.... Is there a reason for that, please? (2) I did expect the authorization to be cleared. So, after I set a password "p1" for the platform hierarchy with tpm2_changeauth -c p p1 I thought it will be cleared after calling tpm2_clear -c p p1 so a subsequent tpm2_clear or tpm2_changeauth will not need any password anymore, but it does as if nothing was cleared actually. I need to call tpm2_changeauth -c p p1 p2 to change the password again, despite I called tpm2_clear before. What does the tpm2_clear actually clear, please? Am I doing a mistake somewhere, please? Kind Regards, Petr

1 year, 3 months

1
0
0 / 0

Question: missing "tpm0" in securityfs/sysfs, trying to parse TPM2 event log.

by matthew＠giassa.net

Good day, I have a setup with Ubuntu 20.04 "focal" x86_64 running in a QEMU based VM. I've upgraded the default kernel to 5.8.15, mainly to leverage the patch noted below (bottom of message). My understanding (please correct me if I'm off) is that it would allow a userspace application (i.e. "tpm2_eventlog") to access the TPM2 event log once the OS has fully booted. The QEMU instance itself connects to a Unix domain socket that's owned by a TPM2 simulator running in a Docker container (i.e. https://www.qemu.org/docs/master/specs/tpm.html). I can run various "tpm2_*" binaries in my QEMU VM, and view the low-level logs in the simulator, so this setup appears to be working. However, there are no "/sys/kernel/security/tpm0" objects, or anything I can find in "sysfs" and/or "securityfs" to get a handle to the TPM2 event logs. My ultimate goal is to be able to acquire these logs, and have a service of mine parse them, and validate each message against the TPM (i.e. verify it it's legitimate TPM_GENERATED content). To my questions: 1. How would I go about getting access to the TPM2 event logs on a running system (i.e. are certain kernel build-time parameters needed, or does QEMU require specific flags in order to run, or does the simulator need to be executed in a certain manner). 2. Is my appraisal of the features provided by the kernel patch (below) correct? 3. In general, is a UEFI-enabled BIOS required to get access to the TPM2 event log (i.e. for BIOS' other than SeaBios, for example)? commit 85467f63a05c43364ba0b90d0c05bb89191543fa Author: Stefan Berger <stefanb(a)linux.ibm.com> Date: Mon Jul 6 19:58:07 2020 -0400 tpm: Add support for event log pointer found in TPM2 ACPI table In case a TPM2 is attached, search for a TPM2 ACPI table when trying to get the event log from ACPI. If one is found, use it to get the start and length of the log area. This allows non-UEFI systems, such as SeaBIOS, to pass an event log when using a TPM2. Cc: Peter Huewe <peterhuewe(a)gmx.de> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com> Reviewed-by: Jerry Snitselaar <jsnitsel(a)redhat.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>

1 year, 3 months

2
1
0 / 0

Re: QUEMU and TPM2 device emulation

by Roberts, William C

> -----Original Message----- > From: James Bottomley <James.Bottomley(a)HansenPartnership.com> > Sent: Wednesday, October 14, 2020 11:32 AM > To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org; linux- > integrity(a)vger.kernel.org > Subject: Re: QUEMU and TPM2 device emulation > > On Wed, 2020-10-14 at 15:27 +0000, Roberts, William C wrote: > > Has anyone ever setup a QUEMU instance with a virtualized TPM? I need > > to try and replicate an issue with the in-kernel Resource manager. My > > goal is to use the integrated QUEMU support To bring up an emulated > > TPM device and it's associated RM node @ /dev/tpmrm0. > > > > I am looking at: > > https://android.googlesource.com/platform/external/qemu/+/emu-master-d > > ev/docs/specs/tpm.txt > > > > Which shows this command: > > > > qemu-system-x86_64 -display sdl -enable-kvm \ > > -m 1024 -boot d -bios bios-256k.bin -boot menu=on \ > > -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ > > -tpmdev emulator,id=tpm0,chardev=chrtpm \ > > -device tpm-tis,tpmdev=tpm0 test.img > > > > <snip> > > #> dmesg | grep -i tpm > > [ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1) > > > > I have a few questions around this that I cannot seem to dig up any > > documentation on: > > 1. How to specify TPM2.0 device? The project > > https://github.com/stefanberger/swtpm/wiki seems to indicate it would > > be supported. > > All QEMU is doing is passing through a socket to something as a TPM. > Either TPM 1.2 or 2.0 could be on the end of that socket, so what really matters is > what's at the other end of /tmp/mytpm1/swtpm-sock. > If you change that to be TPM 2.0 then QEMU will see it. Thanks James, once I started fiddling with it, it started to make sense. You need to start the swtpm component with the option --tpm2, then pass through everything else in qemu the same way, as you point out. Ill post my commands for anyone else who may stumble into this on their quest: ## Start TPM Emulator Note that one needs the --tpm2 option to start a TPM2.0 emulator. mkdir /tmp/mytpm1 swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock --log level=20 --tpm2 ## Boot the VM qemu-system-x86_64 -hda ~/qemu-images/ubuntu-20.04-amd64.img -boot d -m 2048 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0

1 year, 3 months

1
0
0 / 0

QUEMU and TPM2 device emulation

by Roberts, William C

Has anyone ever setup a QUEMU instance with a virtualized TPM? I need to try and replicate an issue with the in-kernel Resource manager. My goal is to use the integrated QUEMU support To bring up an emulated TPM device and it's associated RM node @ /dev/tpmrm0. I am looking at: https://android.googlesource.com/platform/external/qemu/+/emu-master-dev/... Which shows this command: qemu-system-x86_64 -display sdl -enable-kvm \ -m 1024 -boot d -bios bios-256k.bin -boot menu=on \ -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ -tpmdev emulator,id=tpm0,chardev=chrtpm \ -device tpm-tis,tpmdev=tpm0 test.img <snip> #> dmesg | grep -i tpm [ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1) I have a few questions around this that I cannot seem to dig up any documentation on: 1. How to specify TPM2.0 device? The project https://github.com/stefanberger/swtpm/wiki seems to indicate it would be supported. 2. Does anyone know the minimum QUEMU version for this support? I looked in the CHANGELOG here, https://wiki.qemu.org/ChangeLog from version 2.8 to 5.2 and never saw anything Call out TPM 2.0 specifically. 3. Does anyone have or know of better documentation to set this up? If their isn't better documentation, should we (read I) create it? This seems like a pretty handy feature. Thanks, Bill

1 year, 3 months

2
1
0 / 0

authentication error

by FIXED-TERM Schick Felix (CR/APA3)

Hello everyone, I am currently struggling with the usage of tpm2-tss and co. on an Raspberry Pi 3. I've been using the Stack on a Software TPM for a while now and never had any big issues, but after I started working with an Infineon Hardware TPM on an Raspberry Pi 3 I ran into some problems. I have not run into errors while compiling and installing the stack but I kept getting the linker error: undefined symbol: Esys_TRSess_GetAuthRequired for libtss2-fapi.so. I was able to work around this error by just disabling the FAPI before compiling, but now I get the following error on every command call: ERROR:esys:src/tss2-esys/api/Esys_ReadClock.c:170:Esys_ReadClock_Async() SAPI error on SetCmdAuths ErrorCode (0x00080010) ERROR:esys:src/tss2-esys/api/Esys_ReadClock.c:68:Esys_ReadClock() Error in async function ErrorCode (0x00080010) ERROR: Esys_ReadClock(0x80010) - sys:If size of a parameter is incorrect ERROR: Unable to run tpm2_readclock I guess both have something to do with the Authentication. I would be very grateful if someone could help me with this issue. Thank you very much and Best regards Felix Schick

1 year, 3 months

2
1
0 / 0

2022

2021

2020

2019

2018

2017

tpm2 October 2020