December 2021 - tpm2 - Ml01.01.Org

Re: tpm2_nvdefine fails with inconsistent attributes...

by Kenneth Goldman

My guess is that you do not set the TPMA_NVA_PLATFORMCREATE attribute. The IBM utility sets it for you when the platform hierarchy authorizes the command, since it must be set. -- Ken Goldman kgoldman(a)us.ibm.com 914-945-2415 (862-2415) From: "Sievert, James" <james.sievert(a)bsci.com> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org> Date: 12/03/2021 09:37 AM Subject: [EXTERNAL] [tpm2] tpm2_nvdefine fails with inconsistent attributes... Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following command which is returning an inconsistent attributes error: bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1 ‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍ Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following command which is returning an inconsistent attributes error: bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1 WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:333:Esys_NV_DefineSpace_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x00000182) ERROR: Failed to define NV area at index 0x1000025 ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes ERROR: Unable to run tpm2_nvdefine and yes, I am attempting to define the index using the platform hierarchy. ? This does work using the IBM utilities. Here are the current properties: bsci@ip-10-132-42-225:~$ tpm2_getcap properties-variable TPM2_PT_PERSISTENT: ownerAuthSet: 0 endorsementAuthSet: 0 lockoutAuthSet: 0 reserved1: 0 disableClear: 0 inLockout: 0 tpmGeneratedEPS: 0 reserved2: 0 TPM2_PT_STARTUP_CLEAR: phEnable: 1 shEnable: 1 ehEnable: 1 phEnableNV: 1 reserved1: 0 orderly: 0 TPM2_PT_HR_NV_INDEX: 0x6 TPM2_PT_HR_LOADED: 0x0 TPM2_PT_HR_LOADED_AVAIL: 0x3 TPM2_PT_HR_ACTIVE: 0x0 TPM2_PT_HR_ACTIVE_AVAIL: 0x40 TPM2_PT_HR_TRANSIENT_AVAIL: 0x3 TPM2_PT_HR_PERSISTENT: 0x0 TPM2_PT_HR_PERSISTENT_AVAIL: 0x11 TPM2_PT_NV_COUNTERS: 0x0 TPM2_PT_NV_COUNTERS_AVAIL: 0xD TPM2_PT_ALGORITHM_SET: 0x0 TPM2_PT_LOADED_CURVES: 0x2 TPM2_PT_LOCKOUT_COUNTER: 0x0 TPM2_PT_MAX_AUTH_FAIL: 0x20 TPM2_PT_LOCKOUT_INTERVAL: 0x1C20 TPM2_PT_LOCKOUT_RECOVERY: 0x15180 TPM2_PT_AUDIT_COUNTER_0: 0x0 TPM2_PT_AUDIT_COUNTER_1: 0x0 Any insight would be appreciated. Thanks!_______________________________________________ tpm2 mailing list -- tpm2(a)lists.01.org To unsubscribe send an email to tpm2-leave(a)lists.01.org %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

2 weeks, 1 day

3
2
0 / 0

tpm2_create sealing object without user data

by luc.riedhauser＠bluewin.ch

Hi, My goal is to verify the integrity of a file (its hash is 962f4b6aeb8b2d74dc595257cb4384fc266283816acc4940622f29ad748bcb6e) with a pcr policy. But I do not need to include a secret user data. So here is what I've done so far: - tpm2_pcrreset 16 - tpm2_pcrextend 16:sha256=962f4b6aeb8b2d74dc595257cb4384fc266283816acc4940622f29ad748bcb6e - `tpm2_createprimary -C o -G rsa2048 -c primary` - `tpm2_startauthsession -S session` - `tpm2_policypcr -S session -l sha256:16 -L pcr16_policy` - `tpm2_flushcontext session` - `tpm2_create -C primary -g sha256 -u pcr16.pub -r pcr16.priv -L pcr16_policy` => here I do NOT include any user data - `tpm2_load -C primary -u pcr16.pub -r pcr16.priv -c pcr16` - `tpm2_evictcontrol -c pcr16 0x81010000 -C o` Until now I've created a sealing object that I stored on the NV-RAM. Now I want to verify the file against the policy I've just created. So I reset PCR16, hash my file again and extend PCR16 with the new hash. - And now start a policy session with `tpm2_startauthsession --policy-session -S session` - `tpm2_policypcr -S session -l sha256:16` to include the PCR value into the session Now comes the problem - tpm2_unseal -p session:session -c 0x81010000 returns an ERROR: WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x0000018a) ERROR: Esys_Unseal(0x18A) - tpm:handle(1):the type of the value is not appropriate for the use ERROR: Unable to run tpm2_unseal I'm pretty sure that this comes from the fact that I did not include any user data when creating the sealing object. So my question: If I just want to verify the integrity of a file, is unseal still the right command?

1 month

1
0
0 / 0

tpm2_flushcontext stuck

by Han

Hi, I'm using tpm2-tools 5.0 in Debian 11 Bullseye based Raspberry Pi OS. I'm trying to run tpm2_flushcontext but the command got stuck and it's not showing anything. Is the data in TPM corrupted? How can I check? $ sudo tpm2_flushcontext 0x80000000 < no output at all and stuck here > (note: the handle 0x80000000 was obtained from previous command output when I was running previous version tpm2-tools 3.1.3 on Debian 10 Buster based OS: $ sudo tpm2_createprimary -H o -g sha256 -G ecc -C context.out ObjectAttribute: 0x00030072 CreatePrimary Succeed ! Handle: 0x80000000)

1 month

5
15
0 / 0

How to remove contexts using tpm2-tools v3.1.3?

by Han

Hi, I'm new to tpm2-tools and am using tpm2-tools version 3.1.3 on Raspberry Pi CM4. It turns out it doesn't have tpm2_flushcontext which was added in v4.0. Is there any other tools in tpm2-tools 3.1.3 that can remove contexts? My goal is to free up some memory in TPM as it returned the following error: $ tpm2_rc_decode 0x902 error layer hex: 0x0 identifier: TSS2_TPM_RC_LAYER description: Error produced by the TPM format 0 warning code hex: 0x02 name: TPM2_RC_OBJECT_MEMORY description: out of memory for object contexts -- Thanks Han

1 month, 1 week

2
3
0 / 0

tpm2-tools: renaming directory doc to docs

by Roberts, William C

Github will pick up certain files, like README.md or CODE_OF_CONDUCT.md if they are in a directory called docs. The GH feature does not seem to support directory doc, as currently set up. Does anyone object to the move of directory docs to docs, ie git mv doc docs?

1 month, 1 week

1
0
0 / 0

[RC] tpm2-pytss 1.0.0-rc0

by Roberts, William C

Hello, I am pleased to announce the release of the tpm2-pytss (python bindings and utilities) version 1.0.0 RC 0 with the following CHANGELOG: ## [1.0.0-rc0] - 2021-12-13 ### Added - Bindings to the Enanced System (ESAPI) API. - Bindings to the Feature (FAPI) API . - Bindings to Dynamic TCTI Loading (TCTILdr) API . - Bindings to Marshalling and Unmarshalling (MU) API. - Bindings to rc-decode. - tpm2-tools context file loading support. - TSS2 PEM format support. This file format is used in OpenSSL Engine and Provider projects. - Utility routines for: TPM Less Make Credential, sensitive wrapping and unwrapping (import and duplication helpers). The release can be found here: - https://pypi.org/project/tpm2-pytss/1.0.0rc0/

1 month, 1 week

1
0
0 / 0

Re: {External} Re: tpm2_nvdefine fails with inconsistent attributes...

by Roberts, William C

No reason sounds like an easy enough feature to add. Do you want to send a patch up? ________________________________ From: Sievert, James <james.sievert(a)bsci.com> Sent: Friday, December 3, 2021 9:10 AM To: Kenneth Goldman <kgoldman(a)us.ibm.com> Cc: tpm2(a)lists.01.org <tpm2(a)lists.01.org> Subject: [tpm2] Re: {External} Re: tpm2_nvdefine fails with inconsistent attributes... That was it. Thanks, Ken. According to the documentation for tpm2_nvdefine, the defaults for the platform hierarchy are PPREAD and PPWRITE. Strangely, PLATFORMCREATE is not included. The following is sufficient: tpm2_nvdefine 0x01000025 -C p -s 1 -a "ppwrite|ppread|platformcreate" Is there some reason the defaults for the platform hierarchy don’t include PLATFORMCREATE? From: Kenneth Goldman <kgoldman(a)us.ibm.com> Sent: Friday, December 3, 2021 9:52 AM To: Sievert, James <james.sievert(a)bsci.com> Cc: tpm2(a)lists.01.org Subject: {External} [tpm2] Re: tpm2_nvdefine fails with inconsistent attributes... My guess is that you do not set the TPMA_NVA_PLATFORMCREATE attribute. The IBM utility sets it for you when the platform hierarchy authorizes the command, since it must be set. -- Ken Goldman kgoldman(a)us.ibm.com<mailto:kgoldman@us.ibm.com> 914-945-2415 (862-2415) [Inactive hide details for "Sievert, James" ---12/03/2021 09:37:25 AM---Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m i]"Sievert, James" ---12/03/2021 09:37:25 AM---Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following command which is returnin From: "Sievert, James" <james.sievert(a)bsci.com<mailto:james.sievert@bsci.com>> To: "tpm2(a)lists.01.org<mailto:tpm2@lists.01.org>" <tpm2(a)lists.01.org<mailto:tpm2@lists.01.org>> Date: 12/03/2021 09:37 AM Subject: [EXTERNAL] [tpm2] tpm2_nvdefine fails with inconsistent attributes... ________________________________ Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following command which is returning an inconsistent attributes error: bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1 ‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍ Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following command which is returning an inconsistent attributes error: bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1 WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:333:Esys_NV_DefineSpace_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x00000182) ERROR: Failed to define NV area at index 0x1000025 ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes ERROR: Unable to run tpm2_nvdefine and yes, I am attempting to define the index using the platform hierarchy. ? This does work using the IBM utilities. Here are the current properties: bsci@ip-10-132-42-225:~$ tpm2_getcap properties-variable TPM2_PT_PERSISTENT: ownerAuthSet: 0 endorsementAuthSet: 0 lockoutAuthSet: 0 reserved1: 0 disableClear: 0 inLockout: 0 tpmGeneratedEPS: 0 reserved2: 0 TPM2_PT_STARTUP_CLEAR: phEnable: 1 shEnable: 1 ehEnable: 1 phEnableNV: 1 reserved1: 0 orderly: 0 TPM2_PT_HR_NV_INDEX: 0x6 TPM2_PT_HR_LOADED: 0x0 TPM2_PT_HR_LOADED_AVAIL: 0x3 TPM2_PT_HR_ACTIVE: 0x0 TPM2_PT_HR_ACTIVE_AVAIL: 0x40 TPM2_PT_HR_TRANSIENT_AVAIL: 0x3 TPM2_PT_HR_PERSISTENT: 0x0 TPM2_PT_HR_PERSISTENT_AVAIL: 0x11 TPM2_PT_NV_COUNTERS: 0x0 TPM2_PT_NV_COUNTERS_AVAIL: 0xD TPM2_PT_ALGORITHM_SET: 0x0 TPM2_PT_LOADED_CURVES: 0x2 TPM2_PT_LOCKOUT_COUNTER: 0x0 TPM2_PT_MAX_AUTH_FAIL: 0x20 TPM2_PT_LOCKOUT_INTERVAL: 0x1C20 TPM2_PT_LOCKOUT_RECOVERY: 0x15180 TPM2_PT_AUDIT_COUNTER_0: 0x0 TPM2_PT_AUDIT_COUNTER_1: 0x0 Any insight would be appreciated. Thanks!_______________________________________________ tpm2 mailing list -- tpm2(a)lists.01.org<mailto:tpm2@lists.01.org> To unsubscribe send an email to tpm2-leave(a)lists.01.org<mailto:tpm2-leave@lists.01.org> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

1 month, 3 weeks

1
0
0 / 0

"tpm2_import" Integrity Check issue on a Big Endian 32 Bit Platform

by Rajkumar K Sivasamy

Hello Team I am trying to use tpm2_import on a Big Endian 32 Bit platform and running into following error: -------------------------------------------------------------------------------------------------------------------------------- *Command: * 1. openssl genrsa -out private.pem 2048 2. tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv *Error:* ERROR:esys:src/tss2-esys/api/Esys_Import.c:110:Esys_Import() Esys Finish ErrorCode (0x000003df) ERROR: Esys_HMAC(0x3DF) - tpm:parameter(3):integrity check failed ERROR: Unable to run tpm2_import -------------------------------------------------------------------------------------------------------------------------------- Need pointers to debug this issue. Have any of you come across this error with tpm2_import on Big Endian 32 Bit Platform? Do we have a fix Or can you provide inputs on the source where I can look at for further debugging? Thanks Raj

1 month, 3 weeks

3
6
0 / 0

tpm2_nvdefine fails with inconsistent attributes...

by Sievert, James

Hi, I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following command which is returning an inconsistent attributes error: bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1 WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:333:Esys_NV_DefineSpace_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x00000182) ERROR: Failed to define NV area at index 0x1000025 ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes ERROR: Unable to run tpm2_nvdefine and yes, I am attempting to define the index using the platform hierarchy. 😊 This does work using the IBM utilities. Here are the current properties: bsci@ip-10-132-42-225:~$ tpm2_getcap properties-variable TPM2_PT_PERSISTENT: ownerAuthSet: 0 endorsementAuthSet: 0 lockoutAuthSet: 0 reserved1: 0 disableClear: 0 inLockout: 0 tpmGeneratedEPS: 0 reserved2: 0 TPM2_PT_STARTUP_CLEAR: phEnable: 1 shEnable: 1 ehEnable: 1 phEnableNV: 1 reserved1: 0 orderly: 0 TPM2_PT_HR_NV_INDEX: 0x6 TPM2_PT_HR_LOADED: 0x0 TPM2_PT_HR_LOADED_AVAIL: 0x3 TPM2_PT_HR_ACTIVE: 0x0 TPM2_PT_HR_ACTIVE_AVAIL: 0x40 TPM2_PT_HR_TRANSIENT_AVAIL: 0x3 TPM2_PT_HR_PERSISTENT: 0x0 TPM2_PT_HR_PERSISTENT_AVAIL: 0x11 TPM2_PT_NV_COUNTERS: 0x0 TPM2_PT_NV_COUNTERS_AVAIL: 0xD TPM2_PT_ALGORITHM_SET: 0x0 TPM2_PT_LOADED_CURVES: 0x2 TPM2_PT_LOCKOUT_COUNTER: 0x0 TPM2_PT_MAX_AUTH_FAIL: 0x20 TPM2_PT_LOCKOUT_INTERVAL: 0x1C20 TPM2_PT_LOCKOUT_RECOVERY: 0x15180 TPM2_PT_AUDIT_COUNTER_0: 0x0 TPM2_PT_AUDIT_COUNTER_1: 0x0 Any insight would be appreciated. Thanks!

1 month, 3 weeks

1
0
0 / 0

2022

2021

2020

2019

2018

2017

tpm2 December 2021