How to use a salted HMAC session with Esys_TR_FromTPMPublic?
by Diego Santa Cruz
Hi there,
I am using Esys_TR_FromTPMPublic() in an application to get an Esys TR handle for an NV-index. It works well when I use no sessions, but the ESYS spec recommends using a salted HMAC session when reading an NV-index with this command.
But when I use a salted HMAC session I get an "attribute mismatch" error on the session from the TPM. Looking through the library specification I understand that the NV_ReadPublic command, which is used by Esys_TR_FromTPMPublic(), only accepts audit and encrypting sessions, but not simple salted HMAC sessions.
So how should I go about using Esys_TR_FromTPMPublic() with salted HMAC sessions? Or how should I go about ensuring the data I get from the TPM (e.g., name) for the NV-index can be trusted?
BTW, the tpm2-tss version installed on my test system is 2.3.2
Thanks,
Diego
--
Diego Santa Cruz, PhD
Technology Architect
spinetix.com
5 months, 1 week
Configure tss2_esys libs and header file locations?
by Millsap, Michael G
Hello,
I'm building TPM2 TSS & Tools in a container, similar to building it to create a package, and Tools is failing because it can't find the esys libs and header file. Is there a './configure' option to point to the location where I have them? The TSS install doc documents many configure options, but the tools install doc doesn't.
Thanks,
Mike
5 months, 1 week
tpm2-totp v0.3.0_rc0
by Jonas Witschel
Hi everyone,
I have published a release candidate for tpm2-totp 0.3.0:
https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.3.0_rc0
This release features the following changes:
- New option --label to specify the label to use in the TOTP authenticator app.
- User-friendly error messages for common error conditions.
- Support for running the integration tests with the swtpm simulator.
Any testing and feedback is very welcome.
Cheers,
Jonas
5 months, 2 weeks
Building tpm2-tss-3.0.1-rc0 on OmniOS?
by John Connett
I'm attempting to build tpm2-tss-3.0.1-rc0 on the latest version of
OmniOS (https://omniosce.org/).
$ cat /etc/os-release
NAME="OmniOS"
PRETTY_NAME="OmniOS Community Edition v11 r151034r"
CPE_NAME="cpe:/o:omniosce:omnios:11:151034:18"
ID=omnios
VERSION=r151034r
VERSION_ID=r151034r
BUILD_ID=151034.18.2020.08.29
HOME_URL="https://omniosce.org/"
SUPPORT_URL="https://omniosce.org/"
BUG_REPORT_URL="https://github.com/omniosorg/omnios-build/issues/new"
$
I think I have the prerequisites installed either from the release or
from pkgsrc (https://pkgsrc.joyent.com/). I have also set the following
environment variables:
export PATH=/opt/local/sbin:/opt/local/bin:$PATH
export MANPATH=/opt/local/man:/usr/share/man
export PKG_CONFIG_PATH=/opt/local/lib/pkgconfig
export MAKE=gmake
I have made the following modification to recognise the OS:
$ diff -u configure.ac.orig configure.ac
--- configure.ac.orig Wed Sep 9 08:01:43 2020
+++ configure.ac Thu Sep 10 10:53:18 2020
@@ -44,6 +44,11 @@
HOSTOS='BSD'
LIBSOCKET_LDFLAGS=""
;;
+ *solaris*)
+ HOSTOS='SOLARIS'
+ ADD_COMPILER_FLAG([-D__EXTENSIONS__])
+ LIBSOCKET_LDFLAGS="-lsocket -lnsl"
+ ;;
*)
#Assume linux
HOSTOS='Linux'
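Review bot: the ADD_COMPILER_FLAG([-D__EXTENSIONS__]) line in the new *solaris*) branch has no comment saying which declarations need it, so a later cleanup cannot tell whether it is still required; a one-line comment in the style of the "#Assume linux" line below it would cover that, and likewise for why both -lsocket and -lnsl are linked. The branch also introduces a new HOSTOS value, 'SOLARIS', so every place that tests HOSTOS should be checked for a default that assumes Linux or BSD. Note that this hunk sits at line 44 of configure.ac, while the bootstrap errors quoted further down point at lines 21, 68, 101 and 130, so it is worth running bootstrap against configure.ac.orig too.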
$
This is what I see when I run bootstrap:
$ ./bootstrap
Generating file lists: src_vars.mk
aclocal: installing 'm4/libtool.m4' from '/usr/share/aclocal/libtool.m4'
aclocal: installing 'm4/ltdl.m4' from '/usr/share/aclocal/ltdl.m4'
aclocal: installing 'm4/ltoptions.m4' from '/usr/share/aclocal/ltoptions.m4'
aclocal: installing 'm4/ltsugar.m4' from '/usr/share/aclocal/ltsugar.m4'
aclocal: installing 'm4/ltversion.m4' from '/usr/share/aclocal/ltversion.m4'
aclocal: installing 'm4/lt~obsolete.m4' from
'/usr/share/aclocal/lt~obsolete.m4'
aclocal: installing 'm4/pkg.m4' from '/usr/share/aclocal/pkg.m4'
libtoolize: putting auxiliary files in '.'.
libtoolize: linking file './ltmain.sh'
configure.ac:21: error: possibly undefined macro: AC_SUBST
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:68: error: possibly undefined macro: AS_IF
configure.ac:101: error: possibly undefined macro: AC_MSG_ERROR
configure.ac:130: error: possibly undefined macro: AC_MSG_WARN
autoreconf: /usr/bin/autoconf failed with exit status: 1
$
I don't have much experience with autotools. Can anyone spot if I have
made an obvious mistake? The first error reported is for this line:
AC_SUBST([DISTCHECK_CONFIGURE_FLAGS],[$ac_configure_args])
I am aware of other issues with OmniOS: make => gmake; tar => gtar;
doesn't have _DIRENT_HAVE_D_TYPE defined; requires explicit use of
"#include <stdarg.h>" on more files. However, there seems a good chance
it could be made to work with the simulators (OmniOS doesn't yet have a
TPM2 device driver).
Has anyone else tried building on other flavours of Illumos/Solaris?
--
John
5 months, 2 weeks
unable to take ownership of TPM2.0 device
by Chenxi Z
Hi,
I am encountering an issue where the TPM2 device is in DA lockout mode, and I am unable to take ownership or unlock it.
Could anyone help me resolve it?
TPM2 tools version:
[root@myhost ~]# rpm -qa | grep tpm2
tpm2-tss-1.0.
tpm2-abrmd-1.0
tpm2-tools-1.1
[root@myhost ~]# tpm2_dump_capability -c properties-variable
TPM_PT_PERSISTENT:
ownerAuthSet: clear
endorsementAuthSet: clear
lockoutAuthSet: clear
reserved1: clear
disableClear: clear
inLockout: clear
tpmGeneratedEPS: clear
reserved2: clear
TPM_PT_STARTUP_CLEAR:
phEnable: set
shEnable: set
ehEnable: set
phEnableNV: set
reserved1: clear
orderly: clear
TPM_PT_HR_NV_INDEX: 0x00000008
TPM_PT_HR_LOADED: 0x00000000
TPM_PT_HR_LOADED_AVAIL: 0x00000004
TPM_PT_HR_ACTIVE: 0x00000000
TPM_PT_HR_ACTIVE_AVAIL: 0x00000040
TPM_PT_HR_TRANSIENT_AVAIL: 0x00000005
TPM_PT_HR_PERSISTENT: 0x00000001
TPM_PT_HR_PERSISTENT_AVAIL: 0x00000007
TPM_PT_NV_COUNTERS: 0x00000000
TPM_PT_NV_COUNTERS_AVAIL: 0x00000008
TPM_PT_ALGORITHM_SET: 0x00000000
TPM_PT_LOADED_CURVES: 0x00000003
TPM_PT_LOCKOUT_COUNTER: 0x00000000
TPM_PT_MAX_AUTH_FAIL: 0x00000020
TPM_PT_LOCKOUT_INTERVAL: 0x00001c20
TPM_PT_LOCKOUT_RECOVERY: 0x00015180
TPM_PT_NV_WRITE_RECOVERY: 0x00000000
TPM_PT_AUDIT_COUNTER_0: 0x00000000
TPM_PT_AUDIT_COUNTER_1: 0x00000000
Here is the issue:
[root@myhost ~]# tpm2_takeownership -c -L <PWD> -O <PWD> -E <PWD>
ERROR: Clearing Failed! TPM error code: 0x921
[root@myhost ~]# tpm2_dictionarylockout -c --lockout-passwd <PWD>
ERROR: 0x921 Error clearing dictionary lockout.
5 months, 2 weeks
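The 0x921 code and the dictionary-attack properties in the post above can be read by hand. This added example (not part of the original post and not code from tpm2-tools) splits a TPM 2.0 response code into its bit fields and converts the reported lockout timers. The function names are made up for the illustration; the bit layout and code values are those of the TPM 2.0 library specification, Part 2.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit fields of a TPM 2.0 response code (TPM 2.0 library spec, Part 2, TPM_RC). */
typedef struct {
    int format_one;   /* bit 7: error is tied to a handle, parameter or session */
    int warning;      /* bit 11, format zero only: code is in the RC_WARN range */
    unsigned number;  /* error number: bits 6:0 (format zero) or 5:0 (format one) */
} tpm_rc_fields;

tpm_rc_fields decode_tpm_rc(uint32_t rc) {
    tpm_rc_fields f = {0, 0, 0};
    f.format_one = (rc >> 7) & 1;
    if (f.format_one) {
        f.number = rc & 0x3f;
    } else {
        f.warning = (rc >> 11) & 1;
        f.number = rc & 0x7f;
    }
    return f;
}

/* Name the authorization-related codes; anything else is left unnamed. */
const char *auth_rc_name(uint32_t rc) {
    tpm_rc_fields f = decode_tpm_rc(rc);
    if (!f.format_one && f.warning && f.number == 0x21)
        return "TPM_RC_LOCKOUT";    /* RC_WARN + 0x021 */
    if (f.format_one && f.number == 0x0e)
        return "TPM_RC_AUTH_FAIL";  /* RC_FMT1 + 0x00E, increments the DA counter */
    if (f.format_one && f.number == 0x22)
        return "TPM_RC_BAD_AUTH";   /* RC_FMT1 + 0x022, no DA implications */
    return "(not an authorization code)";
}

/* TPM_PT_LOCKOUT_INTERVAL is the time for the failure counter to drop by one. */
uint64_t full_decay_seconds(uint32_t max_auth_fail, uint32_t lockout_interval) {
    return (uint64_t)max_auth_fail * lockout_interval;
}

int main(void) {
    /* Values copied from the post above. */
    uint32_t rc = 0x921, max_fail = 0x20, interval = 0x1c20, recovery = 0x15180;
    printf("0x%03x = %s\n", (unsigned)rc, auth_rc_name(rc));
    printf("max failures %u, counter drops by one every %u s, full decay %llu h\n",
           (unsigned)max_fail, (unsigned)interval,
           (unsigned long long)(full_decay_seconds(max_fail, interval) / 3600));
    printf("wait after a failed lockoutAuth: %u h\n", (unsigned)(recovery / 3600));
    return 0;
}
```

TPM_PT_LOCKOUT_RECOVERY is the delay after a failed lockoutAuth before lockoutAuth may be tried again, and both failing commands in the post supply the lockout password.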