I'm trying to define a TPM non-volatile index under the platform
hierarchy with this command
tpm2_nvdefine -Q 1 -C p -s 128 -P 123456 -a "ppread|ppwrite"
but it gives the following errors...
Received TPM Error
Esys Finish ErrorCode (0x00000182)
ERROR: Failed to define NV area at index 0x1000001
ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine
Any idea what attributes are inconsistent and what values to provide?
I'm happy to announce a new tpm2-tss 2.4.1 bugfix release.
The release includes a number of fixes as follows:
- Fixed systemd-sysusers/-tmpfiles creation without systemd
- Removed expired coverity token from travis.yaml
- Fixed uninitialized context of FAPI command Fapi_ChangeAuth issue
- Fixed handling of tcti pointer in Esys_Initialize
- Fixed usages of EC routines deprecated in OSSL 1.2 and greater
- Fixed FAPI handling of TPMs without stored certificates
When running ./configure for tpm2-tss (2.4.x branch),
pkg-config complains about not finding "json-c".
What is it looking for?
I do have a /usr/lib64/libjson-c.so.4.0.0.
What is it supposed to be finding?
Ted H. Kim, PhD
I would like to announce the 4.2.1
The changelog is:
- Fix missing handle maps for ESY3 handle breaks. See #1994.
- Fix error: 'for' loop initial declarations are only allowed in C99 mode
Note that I forgot the "Fix error: 'for' loop initial declarations are only allowed in C99 mode" in the doc/CHANGELOG.md file. I will roll a changelog
update with RC1 if we get feedback, or include it in the actual release changelog.
Any pointers on the below request?
The problem that I was discussing with you in another thread was related to
The below one is a different one.
On Mon, May 4, 2020, 8:35 PM Muthukumar S <muthu.smk(a)gmail.com> wrote:
> Hi William Roberts,
> Thanks for your guidance. Sorry for writing such a long email.
> I tried finding the below two solutions, which I feel will resolve my purpose.
> Request you to have a look and let me know your thoughts.
> Below is the main function, which will create a private key using
> tpm2tss_rsa_genkey() and a random key using the esys_getrandom API, and send these
> as input to the openssl function to encrypt and decrypt back and get the original
> RSA key generated by the tpm2tss_rsa_genkey() API.
> RSA *rsa = NULL;
> rsa = RSA_new();
> TPM2_DATA *tpm2Data ;
> tpm2Data = calloc(1, sizeof(*tpm2Data));
> memcpy(tpm2Data, RSA_get_app_data(rsa), sizeof(*tpm2Data));
> if (!tpm2tss_tpm2data_write(tpm2Data, outputfile)) /* cat of this "
> outputfile" will have key starting with
> /* I could able to print the "rsa" key generated using above
> tpm2tss_rsa_genkey() API */
> PEM_write_RSA_PUBKEY(stdout, rsa);
> /* calling below openssl encrypt and decrypt function to encrypt the
> "rsa" key along with "random num" generated using Esys_GetRandom */
> /*created a function to perform openssl enc/dec for the "private key"
> created using above mentioned tpm2tss_rsa_genkey() API*/
> /*used a "random number" buffer as well, as input key to openssl along
> with "private key" and generated the encrypted key as shown below*/
> unsigned char * openssl_encrypt_decrypt(RSA *rsa, struct optn opt) /* here "rsa" is the key output generated by tpm2tss_rsa_genkey
> & opt will have random buffer */
> *Expected output:*
> During *encryption*, the below openssl API will take the "RANDOM NUMBER" and "RSA
> KEY" generated by the TPM and generate an output encrypted file
> /* input args : size - size of get_random buffer, from - random number
> buffer , rsa - rsa key generated using tpm , No padding)
> RSA_private_encrypt(size, from, encrypt, rsa,
> *Result*: If I do cat on the "encrypt file" I can see the encrypted
> content. Not sure whether the proper encryption is happening over here by
> using this "priv key" + "rand number".
> During *decryption*, the below openssl API will take the "ENCRYPTED OUTPUT
> buffer" as input along with the "RSA KEY" generated by the TPM
> /* input args : size of (rsa) , output buffer generated by
> RSA_private_encrypt (API) , decrypt - input buffer to store the decrypted
> content ,)
> RSA_public_decrypt(size, encrypt, decrypt, rsa,
> *Result*: Ideally the output buffer of the above openssl decrypt API should
> have the data of the original encrypted "RSA" key generated by the TPM. But I am getting
> some other encrypted content. Not sure what I am missing here.
> I am looking for a *symmetric kind of encryption*, so I tried the below
> combinations of openssl APIs. Not sure whether I am missing something over
> here; do I need to set the PADDING stuff? Or am I trying the wrong APIs?
> Tried with RSA_private_encrypt() - RSA_private_decrypt()
> RSA_private_encrypt() - RSA_public_decrypt()
> RSA_public_encrypt() - RSA_public_decrypt()
> RSA_public_encrypt() - RSA_private_decrypt()
> Will the below APIs (reference
> <https://github.com/llubu/mpro/blob/master/crypt/src/aes2.c>) solve
> my purpose?
> EVP_EncryptInit_ex ()
> FYI: Below are the two command line APIs that I am currently using for the
> above purpose. I am trying to achieve the above openssl API(s) as a library
> function inside my application:
> # openssl enc -aes-256-cbc -salt -in rsa_key_genby_tpm -out enc_key -k
> # openssl enc -aes-256-cbc -d -in enc_key -out final decrypted_key -k
> *One more query: while giving the input private key to openssl, do I
> need to give the output file of the below API (tpm2tss_tpm2data_write()) or
> the "RSA" key generated as output using tpm2tss_rsa_genkey()? Since both
> key outputs look different, that is why I had this doubt. Shared the
> below two keys for your reference.*
> *outputfile*: tpm2tss_tpm2data_write() API output file:
> -----BEGIN TSS2 PRIVATE KEY-----
> -----END TSS2 PRIVATE KEY-----
> RSA public key file: the below key is the output of the
> PEM_write_RSA_PUBKEY(stdout, rsa) API; here the input "rsa" key is the
> output of tpm2tss-rsa-genkey();
> -----BEGIN PUBLIC KEY-----
> -----END PUBLIC KEY-----
> *NOTE*: I haven't tried PKCS11 yet:
> https://github.com/OpenSC/libp11/blob/master/examples/auth.c . Will try
> this out and let you know.
> On Tue, Apr 28, 2020 at 10:27 PM Roberts, William C <william.c.roberts(a)intel.com> wrote:
>> > -----Original Message-----
>> > From: Muthukumar S [mailto:email@example.com]
>> > Sent: Tuesday, April 28, 2020 11:38 AM
>> > To: Roberts, William C <william.c.roberts(a)intel.com>
>> > Cc: tpm2(a)lists.01.org
>> > Subject: Re: [tpm2] Re: Usage of openssl command line API as library
>> > Hi Robert,
>> > Thanks for your quick response.
>> > As you said, I am exactly looking for an openssl symmetric key operation.
>> > As said in my initial thread, below is the implementation that I have
>> > done so far in my application.
>> > 1) created an RSA "priv_key" using tpm2tss-rsa-genkey using the TPM
>> > 2) created a random key (and saved it as input_random_key) using
>> > Esys_GetRandom() using the TPM and kept it as is.
>> > 3) By using the below openssl s/w APIs, just want to encrypt the "private
>> > key" along with the "random key" and save the encrypted file.
>> > openssl enc -aes-256-cbc -salt -in priv_key -out output_enc_key -k
>> > input_random_key
>> > 4) do decrypt with the below openssl command with the input "random key" and get
>> > back the "private key"
>> > openssl enc -aes-256-cbc -d -in output_enc_key -out
>> > decrypted_output_key -k
>> > input_random_rum
>> > Here comes my query: how to use the above two openssl command line APIs
>> > as library functions inside "C" code.
>> Learn to fish:
>> 1. Google things
>> 2. Look at the openssl commandlets, it's open source, trace what they are
>> 3. pkcs11 does some of this as well, look there.
>> Good luck.
>> > On Tue, Apr 28, 2020, 8:12 PM Roberts, William C
>> > <mailto:firstname.lastname@example.org> wrote:
>> > After you generate the keypair, can't you call:
>> > openssl rsa -in key.pem -pubout -out pubkey.pem
>> > specifying the inkey and the engine; there are examples in the
>> > test scripts. Then from there you have a normal public key PEM
>> > you can pass to openssl like normal without engine stuff, so it
>> > use the engine and just do software.
>> > If you want a random key, again just generate it and use the symmetric
>> > key operations. So if you wanted to do something like encrypt a file and
>> > share the decryption key, the steps would be
>> > 1. generate aes key
>> > 2. encrypt the file data
>> > 3. encrypt the key with the public key
>> > 4. decrypt the key with the private key
>> > 5. decrypt the file with the obtained decrypted aes key
>> > > -----Original Message-----
>> > > From: muthu.smk(a)gmail.com <mailto:email@example.com>
>> > > [mailto:firstname.lastname@example.org <mailto:email@example.com> ]
>> > > Sent: Tuesday, April 28, 2020 7:33 AM
>> > > To: tpm2(a)lists.01.org <mailto:firstname.lastname@example.org>
>> > > Subject: [tpm2] Re: Usage of openssl command line API as library
>> > > function along with tpm-tss engine
>> > >
>> > > It seems these iesys_crypto_sym_aes_encrypt() and iesys_crypto_pk_encrypt()
>> > > APIs use the TPM for encryption and decryption. What I want is a pure openssl
>> > > API (s/w based encryption) with the input of the TPM-generated priv key
>> > > and random key, and to encrypt & decrypt it as explained in the thread.
>> > > _______________________________________________
>> > > tpm2 mailing list -- tpm2(a)lists.01.org
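The five steps in William's reply (generate an AES key, encrypt the data, wrap the AES key with the RSA public key, unwrap it with the private key, decrypt the data) are envelope encryption, which is what the thread's "encrypt a key with a key" goal actually needs. The RSA_private_encrypt/RSA_public_decrypt pair tried above is the raw signature primitive: anyone holding the public key can reverse it, so it provides no confidentiality and cannot replace a symmetric cipher. The following is an added example, not code from the thread or from tpm2-tss-engine, written with Go's standard library instead of the OpenSSL C API so it runs without an engine. It assumes a software RSA key generated with rsa.GenerateKey as a stand-in for the TPM-resident key (with the tpm2tss engine, the unwrap step is the one the TPM would perform), and uses AES-256-GCM rather than the thread's AES-256-CBC so that tampering with the ciphertext is detected rather than silently decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Envelope is what travels to the recipient: the wrapped AES key plus the
// AES-GCM nonce and ciphertext. The RSA private key never leaves its holder.
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP (step 3)
	Nonce      []byte // AES-GCM nonce, unique per encryption
	Ciphertext []byte // AES-GCM output, authentication tag appended
}

// Seal performs steps 1-3: generate a fresh AES-256 key, encrypt the data with
// it, then wrap the key with the recipient's RSA public key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// Step 1: 256-bit key from the OS CSPRNG (Esys_GetRandom would be the TPM equivalent).
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Step 2: authenticated encryption of the data.
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Step 3: wrap the AES key with RSA-OAEP, the padding that makes RSA
	// safe for encrypting a short secret (raw "no padding" RSA is not).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open performs steps 4-5: unwrap the AES key with the RSA private key, then
// decrypt and verify the data. GCM rejects any modified ciphertext or tag.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip seals and opens plaintext with a freshly generated software RSA
// key (stand-in for the TPM-held key), then flips one ciphertext bit to show
// that the authenticated cipher refuses to decrypt tampered data.
func RoundTrip(plaintext []byte) (recovered bool, tamperDetected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	env, err := Seal(&priv.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	out, err := Open(priv, env)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(out, plaintext)

	bad := *env
	bad.Ciphertext = append([]byte(nil), env.Ciphertext...)
	bad.Ciphertext[0] ^= 0x01
	_, err = Open(priv, &bad)
	tamperDetected = err != nil
	return recovered, tamperDetected, nil
}

func main() {
	// Constructed sample standing in for the priv_key file from the thread.
	sample := []byte("constructed sample: contents of priv_key to protect")
	ok, tampered, err := RoundTrip(sample)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("recovered=%v tamperDetected=%v\n", ok, tampered)
}
```

Seal corresponds to what `openssl enc` plus an RSA wrap of the key would do on the sending side, and Open to the receiving side; the only private-key operation is the single OAEP unwrap, which is the part that can be delegated to a TPM-resident key.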
I have the below openssl command with the tpm engine, which generates a CSR using the private key generated using tpm2tss-genkey.
/* Generating a private key using the below tpm2tss-genkey command */
tpm2tss-genkey -a rsa -s 2048 tpm2tss_rsa_genkey_2048
/* using the below openssl API, creating a CSR with the input key (private key generated by tpm2tss), via the engine tpm2tss */
openssl req -new -engine tpm2tss -keyform engine -out openssl_created_mod_rsa_key.csr -key tpm2tss_rsa_genkey_2048
While creating a similar application to what the above tpm2tss-genkey creation and openssl do, using the tpm2/tpm2-tss API, I am getting my app crashing in the below signing API. I tried checking the tpm2-tss-engine code, which works for openssl to perform tpm2-tss tasks, but I could not get any clue regarding where this "sign" is happening. Since this "sign" is part of CSR generation, I am not sure how the above openssl command line API works. Can anyone give me some inputs on this?
Hi, I am a complete newbie to TPM, so please excuse me if my question is silly. I wanted to know: if anyone uses the tpm2_clear command, is all the data and keys lost? So what if a disgruntled employee takes access and clears the TPM, how can we recover from this?