February 2021 - tpm2 - Ml01.01.Org

[RFC] OpenSSL 3.0 Integration (tpm2-openssl) for Review

by Petr Gotthard

Hello, As you probably already know, a new OpenSSL 3.0 is under development, which will heavily change the API for integrating external cipher providers, such as the TPM2. "Engines" will be replaced by "Providers". To pioneer this change I refactored the tpm2-tss-engine into a Provider, which is now available as a new project: https://github.com/tpm2-software/tpm2-openssl It works with the latest OpenSSL master branch (to be openssl-3.0.0-alpha13) only. The TPM2 Provider retains most functions of the TPM2 Engine (ECC is yet to be implemented) and preserves the 'TSS2 PRIVATE KEY' file format. In addition to that, the new API enabled some cool features, such as signatures using a restricted signing key or a direct usage of handles to persistent keys. A full list of currently available features is in the project README.md file. Are there any other TPM2 features that should be available via the OpenSSL 3.0? Right now the OpenSSL 3.0 is in an "alfa" phase, which allows API changes. This is an ongoing opportunity for us to make sure the OpenSSL API has all the functions the TPM2 needs, because the integration is not always straightforward. Once a "beta" phase is reached only bug fixes will be allowed and new features or breaking changes will have to wait. Thus, we should integrate and test as much as we can before the OpenSSL feature freeze. Please, review the README.md and/or test the Provider (project tpm2-openssl) and create a new GitHub Issue if you are missing something or if something does not work as expected. Of course, other feedback is welcome too. Kind Regards, Petr

7 months, 3 weeks

1
0
0 / 0

Error on service tpm2-abrmd start

by Kenneth Goldman

Two questions actually, trying to run the Intel TSS with a SW TPM 1 Instructions for a project say to run service tpm2-abrmd start When I do that, I get * Starting TPM2 Access Broker and Resource Management Daemon tpm2-abrmd ** (process:19039): WARNING **: 18:06:45.480: tcti_conf before: "device:/dev/tpm0" ** (tpm2-abrmd:19039): WARNING **: 18:06:45.488: tcti_conf after: "device:/dev/tpm0" Refusing to run as root. Pass --allow-root if you know what you are doing. This probably fails because I don't have /dev/tpm0,ight? 2 Later instructions says to sudo -u tss /usr/local/sbin/tpm2-abrmd --tcti=mssim & which fails because I don't have tpm2-abrmd. I did install the packages - Ubuntu 20. 3 Finally, if I'm using the SW TPM, can I simply skip the abrmd complexity and somehow point the Intel TSS to the SW TPM socket. -- Ken Goldman kgoldman(a)us.ibm.com 914-945-2415 (862-2415)

8 months

5
11
0 / 0

building tpm tools - only built one tool?

by Kenneth Goldman

https://github.com/tpm2-software/tpm2-tools/blob/master/doc/INSTALL.md says in part ./tools/tpm2_getrandom 4 The tools directory has .c and .o files, but apparently only one executable, called 'tpm2'. Does tpm2 now wrap the tools? Did something go wrong in the build? Will something change when I install? -- Ken Goldman kgoldman(a)us.ibm.com 914-945-2415 (862-2415)

8 months

3
2
0 / 0

policies in conjunctive normal form

by narcis2004＠yahoo.com

Question: is it possible to structure a policy using tpm2-tools in the following form? policy = (a OR b) AND (c OR d) - where a, b, c, d are simple pcr policies. I tried this, and apparently creating an *AND* of policy *OR* did not work as i thought. "and.policy" will contain the hash of the second tpm2_policyor instead of generating a new hash tpm2_startauthsession --session session.ctx tpm2_policyor --session session.ctx sha256:a.policy,b.policy tpm2_policyor --session session.ctx sha256:c.policy,d.policy --policy and.policy tpm2_flushcontext session.ctx Plan B would be to structure the policy in the equivalent disjunctive normal form, which works but is less scalable. i.e.: policy = (a AND c) OR (a AND d) OR (b AND c) OR (b AND d) Thanks, Narcis

8 months, 1 week

2
1
1 / 0

[RELEASE] tpm2-abrmd 2.4.0

by Roberts, William C

Hello, I would like to announce the release of tpm2-abrmd version 2.4.0 with the following changelog: 2.4.0 - 2021-02-08 Added - configure option --enable-asan which will cause the build to produce ASAN enabled binaries. - CI runs with clang enable asan for tests. - Service start depends on systemd device unit: dev-tpm0.device. - Testing support with swtpm. Fixed - Numerous memory leaks. - udev settle service deprecation warnings. - StandardOutput=syslog deprecation warnings. Changed - StandardOutput=syslog removed from systemd service file as syslog is deprecated since systemd version 246. - Requires tpm2-tss version 2.4.0 or greater for udev TAG=systemd rules. Removed - valgrind configure options. - usage of udev settle service. The release can be found here: https://github.com/tpm2-software/tpm2-abrmd/releases/tag/2.4.0 Thanks, Bill

8 months, 2 weeks

1
0
0 / 0

Calculating name of created AK- server side

by kuba.michal.n＠gmail.com

Hello! I would like to know if it is possible to calculate name of AK generated by host on a remote server? I have read about remote attestation. To ensure the AK matches EK we have to make credential using name of the AK. To achieve this we have to either: a) calculate name of the AK on server b) receive name of the AK from host and believe it's a name for a proper AK Am I missing something? I have searched for explanation in docs posted on TCG's site, but I just can't find anything useful for nameAlg. I would be thankful for any help or advice :D

8 months, 3 weeks

2
4
2 / 0

2021

2020

2019

2018

2017

tpm2 February 2021