September 2020 - tpm2

by John Connett

Is there an Ubuntu 3rd party repository for tpm2 binary packages? They can be very useful. For example, Visual Studio Code is available from the official Microsoft Apt repositories (https://code.visualstudio.com/docs/setup/linux).

1 year

1
0
0 / 0

[RELEASE / SECURITY] tpm2-tss 2.4.3 & 3.0.1

by Fuchs, Andreas

Hi all, releases tpm2-tss 2.4.3 and 3.0.1 are now available: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.3 https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.1 They include a fix for CVE-2020-24455. That bug concerns the PolicyPCR elements in FAPI that sometimes just ommited PCR tests if currentPCRs or currentPCRandBanks was used. ALL of these objects (keys and NV indices an hierarchyPolicies) need to be recreated. This will be a very short RC and I will push the final release tomorrow. Thanks, Andreas

1 year

1
0
0 / 0

[RC / SECURITY] tpm2-tss 2.4.3-rc2 & 3.0.1-rc2

by Fuchs, Andreas

Hi all, tpm2-tss 2.4.3-rc2 and 3.0.1-rc2 are now available: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.3-rc2 https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.1-rc2 Please not that these rcs include a fix for CVE-2020-24455. That bug concerns the PolicyPCR elements in FAPI that sometimes just ommited PCR tests if currentPCRs or currentPCRandBanks was used. ALL of these objects (keys and NV indices an hierarchyPolicies) need to be recreated. This will be a very short RC and I will push the final release tomorrow. Thanks, Andreas

1 year

1
0
0 / 0

How to use a salted HMAC session with Esys_TR_FromTPMPublic ?

by Diego Santa Cruz

Hi there, I am using Esys_TR_FromTPMPublic() in an application to get a Esys TR handle for an NV-index, it works well when I use no sessions but the ESYS spec recommends to use a salted HMAC session when reading NV-index with this command. But when I use a salted HMAC session I get an "attribute mismatch" error on the session from the TPM. Looking through the library specification I understand that the NV_ReadPublic command, which is used by Esys_TR_FromTPMPublic(), only accepts audit and encrypting sessions, but not simple salted HMAC sessions. So how should I go about using Esys_TR_FromTPMPublic() with salted HMAC sessions? Or how should I go about ensuring the data I get from the TPM (e.g., name) for the NV-index can be trusted? BTW, the tpm2-tss version installed on my test system is 2.3.2 Thanks, Diego -- Diego Santa Cruz, PhD Technology Architect spinetix.com

1 year

1
0
0 / 0

Re: Configure tss2_esys libs and header file locations?

by Millsap, Michael G

Disregard, I realized I needed to run './configure --help' to obtain the config settings. -Mike

1 year

1
0
0 / 0

Configure tss2_esys libs and header file locations?

by Millsap, Michael G

Hello, I'm building TPM2 TSS & Tools in a container, similar to building it to create a package, and Tools is failing because it can't find the esys libs and header file. Is there a './configure' option to point to the location where I have them? The TSS install doc documents many configure options, but the tools install doc doesn't. Thanks, Mike

1 year

1
0
0 / 0

tpm2-totp v0.3.0_rc0

by Jonas Witschel

Hi everyone, I have published a release candidate for tpm2-totp 0.3.0: https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.3.0_rc0 This release features the following changes: - New option --label to specify the label to use in the TOTP authenticator app. - User-friendly error messages for common error conditions. - Support for running the integration tests with the swtpm simulator. Any testing and feedback is very welcome. Cheers, Jonas

1 year, 1 month

1
1
0 / 0

[RELEASE CANDIDATE] tpm2-tss 2.4.3-rc1 3.0.1-rc1

by Fuchs, Andreas

Hi all, I announce the rc1 for the stable branches of tpm2-tss 2.4.x and 3.0.x. They can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.3-rc1 https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.1-rc1 Changes include: Fix for FAPI NV creation with custom index values Happy testing, Andreas

1 year, 1 month

1
0
0 / 0

Building tpm2-tss-3.0.1-rc0 on OmniOS?

by John Connett

I'm attempting to build tpm2-tss-3.0.1-rc0 on the latest version of OmniOS (https://omniosce.org/). $ cat /etc/os-release NAME="OmniOS" PRETTY_NAME="OmniOS Community Edition v11 r151034r" CPE_NAME="cpe:/o:omniosce:omnios:11:151034:18" ID=omnios VERSION=r151034r VERSION_ID=r151034r BUILD_ID=151034.18.2020.08.29 HOME_URL="https://omniosce.org/" SUPPORT_URL="https://omniosce.org/" BUG_REPORT_URL="https://github.com/omniosorg/omnios-build/issues/new" $ I think I have the prerequisites installed either from the release or from pkgsrc (https://pkgsrc.joyent.com/). I have also set the following environment variables: export PATH=/opt/local/sbin:/opt/local/bin:$PATH export MANPATH=/opt/local/man:/usr/share/man export PKG_CONFIG_PATH=/opt/local/lib/pkgconfig export MAKE=gmake I have made the following modification to recognise the OS: $ diff -u configure.ac.orig configure.ac --- configure.ac.orig Wed Sep 9 08:01:43 2020 +++ configure.ac Thu Sep 10 10:53:18 2020 @@ -44,6 +44,11 @@ HOSTOS='BSD' LIBSOCKET_LDFLAGS="" ;; + *solaris*) + HOSTOS='SOLARIS' + ADD_COMPILER_FLAG([-D__EXTENSIONS__]) + LIBSOCKET_LDFLAGS="-lsocket -lnsl" + ;; *) #Assume linux HOSTOS='Linux' $ This is what I see when I run bootstrap: $ ./bootstrap Generating file lists: src_vars.mk aclocal: installing 'm4/libtool.m4' from '/usr/share/aclocal/libtool.m4' aclocal: installing 'm4/ltdl.m4' from '/usr/share/aclocal/ltdl.m4' aclocal: installing 'm4/ltoptions.m4' from '/usr/share/aclocal/ltoptions.m4' aclocal: installing 'm4/ltsugar.m4' from '/usr/share/aclocal/ltsugar.m4' aclocal: installing 'm4/ltversion.m4' from '/usr/share/aclocal/ltversion.m4' aclocal: installing 'm4/lt~obsolete.m4' from '/usr/share/aclocal/lt~obsolete.m4' aclocal: installing 'm4/pkg.m4' from '/usr/share/aclocal/pkg.m4' libtoolize: putting auxiliary files in '.'. libtoolize: linking file './ltmain.sh' configure.ac:21: error: possibly undefined macro: AC_SUBST If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. configure.ac:68: error: possibly undefined macro: AS_IF configure.ac:101: error: possibly undefined macro: AC_MSG_ERROR configure.ac:130: error: possibly undefined macro: AC_MSG_WARN autoreconf: /usr/bin/autoconf failed with exit status: 1 $ I don't have much experience with autotools. Can anyone spot if I have made an obvious mistake. The first error reported is for this line: AC_SUBST([DISTCHECK_CONFIGURE_FLAGS],[$ac_configure_args]) I am aware of other issues with OmniOS: make => gmake; tar => gtar; doesn't have _DIRENT_HAVE_D_TYPE defined; requires explicit use of "#include <stdarg.h>" on more files. However, there seems a good chance it could be made to work with the simulators (OmniOS doesn't yet have a TPM2 device driver). Has anyone else tried building on other flavours of Illumos/Solaris? -- John

1 year, 1 month

1
0
0 / 0

unable to take ownership of TPM2.0 device

by Chenxi Z

Hi, I am encountering an issue that TPM2 device in DA lockout mode, and I am unable to take ownership or unlock it. Could anyone help me how to resolve it? TPM2 tools version: [root@myhost ~]# rpm -qa | grep tpm2 tpm2-tss-1.0. tpm2-abrmd-1.0 tpm2-tools-1.1 [root@myhost ~]# tpm2_dump_capability -c properties-variable TPM_PT_PERSISTENT: ownerAuthSet: clear endorsementAuthSet: clear lockoutAuthSet: clear reserved1: clear disableClear: clear inLockout: clear tpmGeneratedEPS: clear reserved2: clear TPM_PT_STARTUP_CLEAR: phEnable: set shEnable: set ehEnable: set phEnableNV: set reserved1: clear orderly: clear TPM_PT_HR_NV_INDEX: 0x00000008 TPM_PT_HR_LOADED: 0x00000000 TPM_PT_HR_LOADED_AVAIL: 0x00000004 TPM_PT_HR_ACTIVE: 0x00000000 TPM_PT_HR_ACTIVE_AVAIL: 0x00000040 TPM_PT_HR_TRANSIENT_AVAIL: 0x00000005 TPM_PT_HR_PERSISTENT: 0x00000001 TPM_PT_HR_PERSISTENT_AVAIL: 0x00000007 TPM_PT_NV_COUNTERS: 0x00000000 TPM_PT_NV_COUNTERS_AVAIL: 0x00000008 TPM_PT_ALGORITHM_SET: 0x00000000 TPM_PT_LOADED_CURVES: 0x00000003 TPM_PT_LOCKOUT_COUNTER: 0x00000000 TPM_PT_MAX_AUTH_FAIL: 0x00000020 TPM_PT_LOCKOUT_INTERVAL: 0x00001c20 TPM_PT_LOCKOUT_RECOVERY: 0x00015180 TPM_PT_NV_WRITE_RECOVERY: 0x00000000 TPM_PT_AUDIT_COUNTER_0: 0x00000000 TPM_PT_AUDIT_COUNTER_1: 0x00000000 Here is the issue: [root@myhost ~]# tpm2_takeownership -c -L <PWD> -O <PWD> -E <PWD> ERROR: Clearing Failed! TPM error code: 0x921 [root@myhost ~]# tpm2_dictionarylockout -c --lockout-passwd <PWD> ERROR: 0x921 Error clearing dictionary lockout.

1 year, 1 month

3
3
0 / 0

2021

2020

2019

2018

2017

tpm2 September 2020