Possible TPM uses in fprintd/libfprint
by Benjamin Berg
Hi,
I was wondering if someone has ideas about integrating the TPM with
Fingerprint readers.
Recently I started looking into supporting Secure Device Connection
Protocol (SDCP, [1]) in libfprint. The general idea is to verify that
the Fingerprint reader can be trusted, but I initially also imagined
that further use-cases like unsealing data in a TPM may be possible
(e.g. to retrieve disk encryption keys).
However, looking into it more, my current conclusion is that there is
little to no advantage in using the TPM. At least not unless one also has
a trusted (userspace) program which is capable of signing TPM
authorizations. One could easily offload the required parts into a
small helper, but that may require ensuring it runs in a trusted
execution environment.
Microsoft seems to run relevant parts as trustlets that are walled off
from the rest of the system. That seems sensible to me, but it also
means requiring all the infrastructure for execution and signing and I
doubt that is feasible currently.
Right now I'll probably go the way of not using the TPM at all. But I
am really not an expert on this. So should someone see scenarios where
a TPM is actually helpful in this context, then I would like to hear
about them.
Benjamin
PS: A quick summary of how SDCP works:
* Device has a private ECC key that signs the firmware and ephemeral
keys during boot (and is inaccessible afterwards)
* A certificate proves that this key was provisioned in factory
* Device builds a shared secret with the host (s)
* Device sends id, HMAC_SHA256(s, "identify" || nonce || id)
when the finger "id" was presented.
* The HMAC proves knowledge of the shared secret and authorizes the
print.
[1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...
1 week, 3 days
Calculating name of created AK- server side
by kuba.michal.n@gmail.com
Hello!
I would like to know if it is possible to calculate name of AK generated by host on a remote server? I have read about remote attestation. To ensure the AK matches EK we have to make credential using name of the AK. To achieve this we have to either:
a) calculate name of the AK on server
b) receive name of the AK from host and believe it's a name for a proper AK
Am I missing something?
I have searched for explanation in docs posted on TCG's site, but I just can't find anything useful for nameAlg.
I would be thankful for any help or advice :D
2 weeks
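An added example (not a reply from the list) of option (a) above: the server computes the AK Name itself from the TPMT_PUBLIC the host sends (the public area TPM2_ReadPublic / tpm2_readpublic returns) rather than trusting a host-supplied Name. Per the TPM 2.0 Library spec, Part 1 "Names", an object's Name is nameAlg (UINT16, big-endian) followed by H_nameAlg over the marshalled TPMT_PUBLIC. Only the public-area layouts of a typical RSA or ECC signing AK are marshalled here; the modulus and point coordinates are constructed placeholders, not keys from a real TPM.

```python
# Added example, not from the thread: derive an AK Name on the server from
# the TPMT_PUBLIC the host sends. Name = nameAlg || H_nameAlg(TPMT_PUBLIC)
# (TPM 2.0 Library Part 1, "Names"). Only RSA/ECC signing-key layouts are
# marshalled; the key material below is a constructed placeholder.
import hashlib
import struct

TPM_ALG_RSA = 0x0001
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
TPM_ALG_SHA384 = 0x000C
TPM_ALG_NULL = 0x0010
TPM_ALG_RSASSA = 0x0014
TPM_ALG_ECDSA = 0x0018
TPM_ALG_ECC = 0x0023
TPM_ECC_NIST_P256 = 0x0003
HASH_NAMES = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256", TPM_ALG_SHA384: "sha384"}

# TPMA_OBJECT of a typical AK: fixedTPM|fixedParent|sensitiveDataOrigin|
# userWithAuth|restricted|sign
AK_ATTRIBUTES = 0x00050072


def tpm2b(data: bytes) -> bytes:
    """TPM2B_*: UINT16 size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def marshal_rsa_public(name_alg, attributes, auth_policy, modulus,
                       key_bits=2048, exponent=0,
                       scheme=TPM_ALG_RSASSA, scheme_hash=TPM_ALG_SHA256):
    """TPMT_PUBLIC for an RSA signing key (symmetric = TPM_ALG_NULL)."""
    out = struct.pack(">HHI", TPM_ALG_RSA, name_alg, attributes)
    out += tpm2b(auth_policy)                      # authPolicy (TPM2B_DIGEST)
    out += struct.pack(">H", TPM_ALG_NULL)         # parameters.symmetric.algorithm
    out += struct.pack(">H", scheme)               # parameters.scheme.scheme
    if scheme != TPM_ALG_NULL:
        out += struct.pack(">H", scheme_hash)      # parameters.scheme.details.hashAlg
    out += struct.pack(">HI", key_bits, exponent)  # keyBits, exponent (0 = 2^16+1)
    out += tpm2b(modulus)                          # unique.rsa (TPM2B_PUBLIC_KEY_RSA)
    return out


def marshal_ecc_public(name_alg, attributes, auth_policy, x, y,
                       curve=TPM_ECC_NIST_P256,
                       scheme=TPM_ALG_ECDSA, scheme_hash=TPM_ALG_SHA256):
    """TPMT_PUBLIC for an ECC signing key (symmetric = NULL, kdf = NULL)."""
    out = struct.pack(">HHI", TPM_ALG_ECC, name_alg, attributes)
    out += tpm2b(auth_policy)
    out += struct.pack(">H", TPM_ALG_NULL)         # parameters.symmetric.algorithm
    out += struct.pack(">H", scheme)               # parameters.scheme.scheme
    if scheme != TPM_ALG_NULL:
        out += struct.pack(">H", scheme_hash)
    out += struct.pack(">H", curve)                # parameters.curveID
    out += struct.pack(">H", TPM_ALG_NULL)         # parameters.kdf.scheme
    out += tpm2b(x) + tpm2b(y)                     # unique.ecc (TPMS_ECC_POINT)
    return out


def object_name(public: bytes) -> bytes:
    """Name = nameAlg || H_nameAlg(TPMT_PUBLIC); nameAlg is the second UINT16."""
    name_alg = struct.unpack(">H", public[2:4])[0]
    digest = hashlib.new(HASH_NAMES[name_alg], public).digest()
    return struct.pack(">H", name_alg) + digest


def accept_host_name(public: bytes, claimed_name: bytes) -> bool:
    """Server-side check: feed only the Name computed here into MakeCredential;
    a host-supplied Name is at most something to compare against."""
    return object_name(public) == claimed_name


# Constructed placeholder public areas (not real keys).
EXAMPLE_RSA_AK = marshal_rsa_public(TPM_ALG_SHA256, AK_ATTRIBUTES, b"", b"\x01" * 256)
EXAMPLE_ECC_AK = marshal_ecc_public(TPM_ALG_SHA256, AK_ATTRIBUTES, b"",
                                    b"\x02" * 32, b"\x03" * 32)

if __name__ == "__main__":
    print("RSA AK name:", object_name(EXAMPLE_RSA_AK).hex())
    print("ECC AK name:", object_name(EXAMPLE_ECC_AK).hex())
```

Because the Name covers the whole public area, including objectAttributes, a host cannot present a key with weaker attributes (say, without restricted or sign) and still obtain a credential made for the AK the server believes it is talking to; the server only has to check the attributes it requires in the public area it was sent, and compute the Name from that same blob.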
abrmd crashing - how to debug?
by Kenneth Goldman
Ubuntu focal with WSL, abrmd compiled from source
After about 5 minutes of sending commands, abrmd crashes. I originally
found it with keylime, but I can reproduce it with a simple bash loop on
pcrread.
abrmd exits, the tool output is:
** (process:21067): CRITICAL **: 17:25:10.862: failed to allocate dbus
proxy object: Could not connect: Connection refused
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for
function 0x7ff5f6dbbe10 failed with a0008
WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not
initialize TCTI named: tcti-abrmd
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not
initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed
to instantiate TCTI
ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
How would I debug?
I would expect that nothing that a single application does should crash
abrmd.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
2 months, 2 weeks
tpm2_flushcontext stuck
by Han
Hi,
I'm using tpm2-tools 5.0 in Debian 11 Bullseye based Raspberry Pi OS. I'm
trying to run tpm2_flushcontext but the command got stuck and it's not
showing anything. Is the data in TPM corrupted? How can I check?
$ sudo tpm2_flushcontext 0x80000000
< no output at all and stuck here >
(note: the handle 0x80000000 was obtained from previous command output when
I was running previous version tpm2-tools 3.1.3 on Debian 10 Buster based
OS:
$ sudo tpm2_createprimary -H o -g sha256 -G ecc -C context.out
ObjectAttribute: 0x00030072
CreatePrimary Succeed ! Handle: 0x80000000)
3 months
Re-provision TPM
by Anthony Arrascue
Hello,
I am learning about the TSS and TPM technologies.
I have provisioned the TPM with the default settings, which means I am now using the ECC profile (P_ECCP256SHA256).
However, encryption was a requirement I needed to fulfill. I just didn't know that ECC encryption is currently not supported and now I realize RSA would be a better fit for me.
So here is my question:
* I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it seems this is not the way to proceed. I get the message that the TPM has been already provisioned. What is the correct way of "changing" profile? Is it even possible or do I need to reset the TPM?
Thank you for your help.
Anthony Arrascue
4 months, 2 weeks
Re: tpm2_nvdefine fails with inconsistent attributes...
by Kenneth Goldman
My guess is that you do not set the TPMA_NVA_PLATFORMCREATE attribute.
The IBM utility sets it for you when the platform hierarchy authorizes the
command, since it must be set.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
From: "Sievert, James" <james.sievert(a)bsci.com>
To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
Date: 12/03/2021 09:37 AM
Subject: [EXTERNAL] [tpm2] tpm2_nvdefine fails with inconsistent
attributes...
Hi,
I’m using tpm2-tools 4.1.1 on Ubuntu 20.04. I’m issuing the following
command which is returning an inconsistent attributes error:
bsci@ip-10-132-42-225:~$ tpm2_nvdefine 0x1000025 -C p -s 1
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:333:Esys_NV_DefineSpace_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace()
Esys Finish ErrorCode (0x00000182)
ERROR: Failed to define NV area at index 0x1000025
ERROR: Esys_NV_DefineSpace(0x182) - tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine
and yes, I am attempting to define the index using the platform hierarchy.
? This does work using the IBM utilities.
Here are the current properties:
bsci@ip-10-132-42-225:~$ tpm2_getcap properties-variable
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 0
reserved1: 0
disableClear: 0
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x6
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x11
TPM2_PT_NV_COUNTERS: 0x0
TPM2_PT_NV_COUNTERS_AVAIL: 0xD
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
Any insight would be appreciated.
Thanks!
5 months, 3 weeks
tpm2_create sealing object without user data
by luc.riedhauser@bluewin.ch
Hi,
My goal is to verify the integrity of a file (its hash is 962f4b6aeb8b2d74dc595257cb4384fc266283816acc4940622f29ad748bcb6e) with a PCR policy. But I do not need to include any secret user data. So here is what I've done so far:
- tpm2_pcrreset 16
- tpm2_pcrextend 16:sha256=962f4b6aeb8b2d74dc595257cb4384fc266283816acc4940622f29ad748bcb6e
- `tpm2_createprimary -C o -G rsa2048 -c primary`
- `tpm2_startauthsession -S session`
- `tpm2_policypcr -S session -l sha256:16 -L pcr16_policy`
- `tpm2_flushcontext session`
- `tpm2_create -C primary -g sha256 -u pcr16.pub -r pcr16.priv -L pcr16_policy` => here I do NOT include any user data
- `tpm2_load -C primary -u pcr16.pub -r pcr16.priv -c pcr16`
- `tpm2_evictcontrol -c pcr16 0x81010000 -C o`
Until now I've created a sealing object that I stored on the NV-RAM. Now I want to verify the file against the policy I've just created. So I reset PCR16, hash my file again and extend PCR16 with the new hash.
- And now start a policy session with `tpm2_startauthsession --policy-session -S session`
- `tpm2_policypcr -S session -l sha256:16` to include the PCR value into the session
Now comes the problem
- tpm2_unseal -p session:session -c 0x81010000
returns an ERROR:
WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x0000018a)
ERROR: Esys_Unseal(0x18A) - tpm:handle(1):the type of the value is not appropriate for the use
ERROR: Unable to run tpm2_unseal
I'm pretty sure that this comes from the fact that I did not include any user data when creating the sealing object.
So my question: If I just want to verify the integrity of a file, is unseal still the right command?
6 months, 1 week
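An added example (not from the post, and not a reply) that reproduces offline what the tpm2_pcrreset, tpm2_pcrextend and tpm2_policypcr steps above compute, so the expected PCR 16 value and the PCR policy digest can be checked on the host without any sealed data at all. The formulas are the ones in the TPM 2.0 Library spec: extend is PCR := H(PCR || data) from an all-zero PCR after reset; TPM2_PolicyPCR sets policyDigest := H(policyDigest || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || pcrDigest), with pcrDigest = H(selected PCR values concatenated), starting from a zero digest in a fresh session. The file hash is the one quoted in the post; the sample file contents used for the negative check are constructed here.

```python
# Added example, not from the post: compute the PCR 16 value and the
# TPM2_PolicyPCR digest the post's command sequence yields. Formulas per the
# TPM 2.0 Library spec (Part 3, TPM2_PCR_Extend and TPM2_PolicyPCR).
# FILE_HASH is the digest quoted in the post; sample file data is constructed.
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B
TPM_CC_PolicyPCR = 0x0000017F
PCR_SIZE = 32
FILE_HASH = bytes.fromhex(
    "962f4b6aeb8b2d74dc595257cb4384fc266283816acc4940622f29ad748bcb6e")


def pcr_reset() -> bytes:
    return bytes(PCR_SIZE)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """tpm2_pcrextend N:sha256=<digest> feeds the digest itself into the extend."""
    return hashlib.sha256(pcr + digest).digest()


def pcr_selection(alg: int, pcrs, size_of_select: int = 3) -> bytes:
    """Marshalled TPML_PCR_SELECTION with one TPMS_PCR_SELECTION (count = 1)."""
    select = bytearray(size_of_select)
    for p in pcrs:
        select[p // 8] |= 1 << (p % 8)
    return struct.pack(">IHB", 1, alg, size_of_select) + bytes(select)


def policy_pcr(policy_digest: bytes, selection: bytes, pcr_values) -> bytes:
    pcr_digest = hashlib.sha256(b"".join(pcr_values)).digest()
    return hashlib.sha256(policy_digest + struct.pack(">I", TPM_CC_PolicyPCR)
                          + selection + pcr_digest).digest()


def expected_state(file_digest: bytes, pcr: int = 16):
    """(PCR value, policy digest) the post's sequence yields for one file digest."""
    value = pcr_extend(pcr_reset(), file_digest)
    policy = policy_pcr(bytes(PCR_SIZE), pcr_selection(TPM_ALG_SHA256, [pcr]), [value])
    return value, policy


def file_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def file_matches_policy(data: bytes, policy_digest: bytes, pcr: int = 16) -> bool:
    """Host-side equivalent of the check: reset + extend with the file's hash,
    then compare the resulting policy against the digest the object was created with."""
    return expected_state(file_digest(data), pcr)[1] == policy_digest


EXPECTED_PCR16, EXPECTED_POLICY = expected_state(FILE_HASH)

if __name__ == "__main__":
    print("PCR16 after reset+extend:", EXPECTED_PCR16.hex())
    print("policy digest (-L pcr16_policy):", EXPECTED_POLICY.hex())
```

EXPECTED_POLICY should equal the contents of the pcr16_policy file from the trial session, and EXPECTED_PCR16 the value tpm2_pcrread shows after the reset and extend. Note that a host-side comparison like this proves nothing the host could not compute itself; the TPM only adds value when the policy gates something the host cannot produce without the TPM, which is why the sealed-object route needs a keyedhash object with data to unseal.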
How to remove contexts using tpm2-tools v3.1.3?
by Han
Hi,
I'm new to tpm2-tools and am using tpm2-tools version 3.1.3 on Raspberry Pi
CM4. It turns out it doesn't have tpm2_flushcontext which was added in
v4.0. Are there any other tools in tpm2-tools 3.1.3 that can remove
contexts? My goal is to free up some memory in TPM as it returned the
following error:
$ tpm2_rc_decode 0x902
error layer
hex: 0x0
identifier: TSS2_TPM_RC_LAYER
description: Error produced by the TPM
format 0 warning code
hex: 0x02
name: TPM2_RC_OBJECT_MEMORY
description: out of memory for object contexts
--
Thanks
Han
6 months, 2 weeks
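An added example (not from the list) that decodes the TPM response codes quoted in the threads above, 0x182 from tpm2_nvdefine, 0x18A from tpm2_unseal and 0x902 from tpm2_rc_decode, using the TPM_RC bit layout in the TPM 2.0 Library spec, Part 2, and checks the TPM2_NV_DefineSpace rule behind 0x182 that Ken's reply points at: an index defined with the platform hierarchy as authHandle must have TPMA_NV_PLATFORMCREATE set, and one defined with the owner hierarchy must have it clear. The code tables are limited to the codes needed here; tpm2_rc_decode knows the full set.

```python
# Added example, not from the list: decode TSS2_RC / TPM_RC values (layout
# from TPM 2.0 Library Part 2, section on TPM_RC) and check the
# TPM2_NV_DefineSpace attribute rule that yields TPM_RC_ATTRIBUTES on
# handle 1. Tables cover only the codes used in the threads above.
TSS2_RC_LAYER_SHIFT = 16     # upper byte = TSS layer (0 = the TPM itself)
RC_FMT1 = 0x080              # bit 7: format-1 code (carries handle/param/session number)
RC_VER1 = 0x100              # bit 8: TPM 2.0 format-0 code
RC_WARN = 0x900              # bits 8 and 11: format-0 warning

FMT1_ERRORS = {
    0x02: ("TPM_RC_ATTRIBUTES", "inconsistent attributes"),
    0x04: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x05: ("TPM_RC_HIERARCHY", "hierarchy is not enabled or is not correct for the use"),
    0x0A: ("TPM_RC_TYPE", "the type of the value is not appropriate for the use"),
    0x0B: ("TPM_RC_HANDLE", "the handle is not correct for the use"),
    0x0E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed"),
    0x1D: ("TPM_RC_POLICY_FAIL", "a policy check failed"),
}
FMT0_WARNINGS = {
    0x01: ("TPM_RC_CONTEXT_GAP", "gap for context ID is too large"),
    0x02: ("TPM_RC_OBJECT_MEMORY", "out of memory for object contexts"),
    0x03: ("TPM_RC_SESSION_MEMORY", "out of memory for session contexts"),
    0x04: ("TPM_RC_MEMORY", "out of shared object/session memory"),
    0x21: ("TPM_RC_LOCKOUT", "authorizations for objects subject to DA protection are not allowed"),
    0x22: ("TPM_RC_RETRY", "the TPM was not able to start the command"),
}


def decode_rc(rc: int) -> dict:
    """Split a TSS2_RC into its layer and, for the TPM layer, the TPM_RC fields."""
    layer = rc >> TSS2_RC_LAYER_SHIFT
    code = rc & 0xFFFF
    if layer != 0:
        return {"layer": layer, "kind": "tss", "error": code, "where": None,
                "name": "TSS2_RC", "text": "non-TPM layer (ESYS/SYS/MU/TCTI/FAPI)"}
    if code & RC_FMT1:
        number = code & 0x3F                 # bits 0-5: error number
        n = (code >> 8) & 0xF                # bits 8-11: N
        if code & 0x40:                      # P bit: N is a parameter number
            where = ("parameter", n)
        elif n & 0x8:                        # bit 11 of the code: N is a session
            where = ("session", n & 0x7)
        else:
            where = ("handle", n)
        name, text = FMT1_ERRORS.get(number, ("TPM_RC", "format-1 error 0x%02x" % number))
        return {"layer": 0, "kind": "error", "error": number, "where": where,
                "name": name, "text": text}
    number = code & 0x7F                     # bits 0-6 for format 0
    if (code & RC_WARN) == RC_WARN:
        name, text = FMT0_WARNINGS.get(number, ("TPM_RC", "warning 0x%02x" % number))
        return {"layer": 0, "kind": "warning", "error": number, "where": None,
                "name": name, "text": text}
    kind = "error" if code & RC_VER1 else "tpm1.2"
    return {"layer": 0, "kind": kind, "error": number, "where": None,
            "name": "TPM_RC", "text": "format-0 %s 0x%02x" % (kind, number)}


def format_rc(rc: int) -> str:
    """tpm2_rc_decode-style one-liner, e.g. tpm:handle(1):inconsistent attributes."""
    d = decode_rc(rc)
    if d["where"]:
        return "tpm:%s(%d):%s" % (d["where"][0], d["where"][1], d["text"])
    if d["layer"]:
        return "layer(%d):0x%x" % (d["layer"], d["error"])
    return "tpm:%s:%s" % (d["kind"], d["text"])


TPM_RH_OWNER = 0x40000001
TPM_RH_PLATFORM = 0x4000000C
TPMA_NV_PLATFORMCREATE = 1 << 30


def nv_define_attributes_consistent(auth_handle: int, attributes: int) -> bool:
    """TPM2_NV_DefineSpace returns TPM_RC_ATTRIBUTES for handle 1 (authHandle)
    when PLATFORMCREATE disagrees with the hierarchy authorizing the command."""
    platform_create = bool(attributes & TPMA_NV_PLATFORMCREATE)
    if auth_handle == TPM_RH_PLATFORM:
        return platform_create
    if auth_handle == TPM_RH_OWNER:
        return not platform_create
    return False  # only the owner and platform hierarchies may define indices


if __name__ == "__main__":
    for rc in (0x182, 0x18A, 0x902):
        print(hex(rc), format_rc(rc))
    print("platform, no PLATFORMCREATE:",
          nv_define_attributes_consistent(TPM_RH_PLATFORM, 0))
```

The "handle(1)" in the tpm2_nvdefine error is the first handle of the command, the authHandle, which is what points at the hierarchy/attribute mismatch rather than at the index itself. With tpm2-tools the attribute list is passed with -a, and the name it uses for this bit is platformcreate. The 0x902 warning from Han's post is format 0 with the S bit set, i.e. a resource warning rather than an error, which is why freeing transient objects (or a TPM reset, which clears them) rather than a fix to the command is the remedy.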
tpm2-tools: renaming directory doc to docs
by Roberts, William C
Github will pick up certain files, like README.md or CODE_OF_CONDUCT.md if they are in a directory called docs. The GH feature does not seem to support
directory doc, as currently set up. Does anyone object to the move of directory doc to docs, i.e. git mv doc docs?
6 months, 2 weeks
[RC] tpm2-pytss 1.0.0-rc0
by Roberts, William C
Hello,
I am pleased to announce the release of the tpm2-pytss (python bindings and utilities) version 1.0.0 RC 0 with the following CHANGELOG:
## [1.0.0-rc0] - 2021-12-13
### Added
- Bindings to the Enhanced System (ESAPI) API.
- Bindings to the Feature (FAPI) API.
- Bindings to Dynamic TCTI Loading (TCTILdr) API.
- Bindings to Marshalling and Unmarshalling (MU) API.
- Bindings to rc-decode.
- tpm2-tools context file loading support.
- TSS2 PEM format support. This file format is used in OpenSSL Engine and Provider projects.
- Utility routines for: TPM Less Make Credential, sensitive wrapping and unwrapping (import and duplication helpers).
The release can be found here:
- https://pypi.org/project/tpm2-pytss/1.0.0rc0/
6 months, 2 weeks