Lost/blocked when trying to setup a symmetric decryption/encryption scheme using the tpm...
by Felix Rubio
Hi everybody!
I am giving a try in setting up an encryption system for one of my
computers, by making use of the TPM 2.0. I am completely stuck for two
days now, and... maybe somebody can give me a hand?
My first experiment was to seal the disk encryption key, using a PCR
policy. This worked:
a) To seal the key
tpm2_takeownership -c
tpm2_pcrlist -L sha1:0,1,7 -o pcr_state.bin
tpm2_createpolicy -P -L sha1:0,1,7 -F pcr_state.bin -f policy.bin
tpm2_createprimary -H e -g sha1 -G rsa
tpm2_create -g sha256 -G keyedhash -u key.pub -r key.priv -H
0x80000000 -L policy.bin -A "fixedtpm|fixedparent|noda|adminwithpolicy"
-I /dev/shm/key.bin
tpm2_load -H 0x80000000 -u key.pub -r key.priv
tpm2_evictcontrol -A o -H 0x80000001 -S 0x81010002
b) to unseal it:
tpm2_unseal -H 0x81010002 -L sha1:0,1,7 > key.bin
However, in case the TPM has an issue (or I need to restore a backup,
use a rescue disk, etc.), I want to give it another twist: to use the
TPM to encrypt/decrypt a regular ascii string... still tying it to the
pcr registers. And... I do not manage to get it right. I have been
looking for two days around on the internet, and I do not get to find an
example doing something similar to what I need (I am running tpm2-tools
3.1 on debian stable). I know I can just seal an ascii passphrase and
use my previous approach... but I'd really like to understand how it
should be done.
Regards!
Felix
2 weeks, 4 days
tpm2-tools, tpm2-pkcs11, and OpenSSL 3.0
by Jerry Snitselaar
Both tpm2-tools and tpm2-pkcs11 make use of some functions that are
being deprecated in openssl 3.0. Are there plans to move away from using
those deprecated functions? Currently tpm2-tools will build with
-Wno-error=deprecated-declarations, but tpm2-pkcs11 trips over
EVP_PKEY_get0_EC_KEY now returning a const EC_KEY *, and ECDSA_do_verify
taking a non const parameter. Someone suggested doing something like:
EVP_PKEY_CTX *pctx = NULL;
if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
goto fail;
}
if (EVP_PKEY_verify_init(pctx) != 1 ||
EVP_PKEY_verify(pctx, sigbuf, siglen,
dgstbuf, dgstlen) != 1) {
goto fail;
}
fail:
EVP_PKEY_CTX_free(pctx);
but I imagine the ASN.1 framing stuff mentioned in do_sig_verify_ec()
would still be an issue, yes? I don't know openssl, so I don't know
if you could get away with casting the pointer to EC_KEY *.
There is work going on to support openssl 3.0 in RHEL9, so this came up.
Regards,
Jerry
3 weeks, 3 days
Re: tpm2-tools, tpm2-pkcs11, and OpenSSL 3.0
by Petr Gotthard
I spent some time with OpenSSL 3.0 so I could help.
In generall, all EC_KEY and RSA_KEY functions are deprecated for public use as this is a low-level API. There is no easy fix though-- the low-level functions need to be replaced by the high-level EVP API and there is no simple 1:1 mapping. The affected functions need to be rewritten almost completely, but in case of tpm2-tools and tpm2-pkcs11 the impact is not so high.
The good thing is that the EVP API is not(!) new. It has been there since OpenSSL 1.1.0, so one could write an implementation that works with both OpenSSL 1.1.x and OpenSSL 3.0. In fact, the OpenSSL 3.0 aims to have a very limited impact on "well-behaved" applications that refrain from using the (now deprecated) low-level APIs. An app that uses the EVP API from 1.1.x shall work with the 3.0 too.
The crucial question is: is it acceptable to require the OpenSSL 1.1.1 as the minimum version for tpm2-tools and tpm2-pkcs11?
The OpenSSL release strategy indicates the OpenSSL 1.1.1 is now the _only_ supported version! The 1.0.2 is no longer supported and also the 1.1.0 is no longer supported.
https://www.openssl.org/policies/releasestrat.html
Maintaining the support for the EOL OpenSSL (prior 1.1.1) would make the support for OpenSSL 3.0 more complicated, harder to review and maintain.
Even the tpm2-tools RELEASE.md says that "supporting an EOL crypto library is not a good idea".
https://github.com/tpm2-software/tpm2-tools/blob/master/doc/RELEASE.md#op...
So, my recommendation would be to set OpenSSL 1.1.1 as the minimum version and then simply rewrite the affected functions using the EVP API from 1.1.1, which works also in 3.0. What do you think?
Regards,
Petr
______________________________________________________________
> Od: "Roberts, William C" <william.c.roberts(a)intel.com>
> Komu: "Jerry Snitselaar" <jsnitsel(a)redhat.com>, "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
> Datum: 25.05.2021 01:41
> Předmět: [tpm2] Re: tpm2-tools, tpm2-pkcs11, and OpenSSL 3.0
>
I can look at compiling with OpenSSL 3.0, I haven't even tried yet. But I would imagineit's all fixable. I don't see anything in the do_sig_verify that requires a non-const key. I would imagineit's just as simple as updating the call sites to match the signatures.I filed bugs: - https://github.com/tpm2-software/tpm2-pkcs11/issues/686 <https://github.com/tpm2-software/tpm2-pkcs11/issues/686> - https://github.com/tpm2-software/tpm2-tools/issues/2737 <https://github.com/tpm2-software/tpm2-tools/issues/2737>We'll try to get to these soon, as I would imagine distros are eager to start the process of transitioning over.BillFrom: Jerry Snitselaar <jsnitsel(a)redhat.com>
Sent: Monday, May 24, 2021 4:34 PM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] tpm2-tools, tpm2-pkcs11, and OpenSSL 3.0
Both tpm2-tools and tpm2-pkcs11 make use of some functions that are
being deprecated in openssl 3.0. Are there plans to move away from using
those deprecated functions? Currently tpm2-tools will build with
-Wno-error=deprecated-declarations, but tpm2-pkcs11 trips over
EVP_PKEY_get0_EC_KEY now returning a const EC_KEY *, and ECDSA_do_verify
taking a non const parameter. Someone suggested doing something like:
EVP_PKEY_CTX *pctx = NULL;
if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
goto fail;
}
if (EVP_PKEY_verify_init(pctx) != 1 ||
EVP_PKEY_verify(pctx, sigbuf, siglen,
dgstbuf, dgstlen) != 1) {
goto fail;
}
fail:
EVP_PKEY_CTX_free(pctx);
but I imagine the ASN.1 framing stuff mentioned in do_sig_verify_ec()
would still be an issue, yes? I don't know openssl, so I don't know
if you could get away with casting the pointer to EC_KEY *.
There is work going on to support openssl 3.0 in RHEL9, so this came up.
Regards,
Jerry
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
----------
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
3 weeks, 4 days
[Release] tpm2-tools v5.1
by Imran Desai
Hello all,
Pleased to announce the release of tpm2-tools v5.1
You can find the release here https://github.com/tpm2-software/tpm2-tools/releases/tag/5.1
Hightlights from the release:
Build
Dependency-update: Minimum tpm2-tss version dependency bumped to 3.1.0
Dependency-update: Minimum tpm2-abrmd version dependency bumped to 2.4.0
tpm2_eventlog: Fix build errors on 64 bit arm systems.
tpm2_checkquote: Fix build on 32b little-endian platforms.
Fixes builds on CentOS 7 which notably has an ancient version of
GCC: 4.8.5 and an older version of OSSL, 1.0.2
Configure handles searching for python executable more gracefully, thus
just having python3, will work.
Moved to GitHub Actions for CI testing.
Added fedora-32 to CI testing configurations and related fixes.
FreeBSD testing is bumped up to version 12.2
Fix compiler and packaging warnings for OpenSuse builds.
configure: make build gnu99.
configure: make -Wbool-compare non fatal.
configure: only use -Werror for non-release builds
tss2:
Support in tools for PolicyRef inclusion in policy search per latest TSS.
Support to use TPM objects protected by a policy with PolicySigned.
Enable backward compatibility to old Fapi callback API.
Fix PCR selection for tss2 quote.
Support policy signed policies by implementing Fapi_SetSignCB.
Command/ response parameter support for auditing and pHash policies:
lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash
Add support to calculate rphash for tpm2_create, tpm2_activatecredential,
tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps,
tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal
Add support to calculate cphash for tpm2_changeeps, tpm2_changepps.
Session-support:
tpm2_sessionconfig: Add tool to display and configure session attributes.
tpm2_getrandom: Fix— session input was hardcoded for audit-only
tpm2_startauthsession: Add option to specify the bind object and its
authorization value.
tpm2_startauthsession: support for bounded-only session.
tpm2_startauthsession: support for salted-only session.
tpm2_startauthsession: add option to specify an hmac session type.
Add support for specifying non-authorization sessions for audit and
parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend,
tpm2_nvdefine, tpm2_unseal, tpm2_activatecredential, tpm2_certify,
tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps.
tpm2_eventlog:
Support for event type: EV_IPL extensively used by the Shim and Grub.
Support for event type: EV_EFI_GPT_EVENT to parse.
UEFI_PARTITION_TABLE_HEADER and UEFI_PARTITION_ENTRY.
Support for event type: EFI_SIGNATURE_LIST, which contains one or more
EFI_SIGNATURE_DATA.
Support for event type EV_EFI_VARIABLE_AUTHORITY.
Parse UEFI_PLATFORM_FIRMWARE_BLOB structure that the CRTM MUST put into
the Event Log entry TCG_PCR_EVENT2.event field for event types
EV_POST_CODE, EV_S_CRTM_CONTENTS, and EV_EFI_PLATFORM_FIRMWARE_BLOB.
Parse secureboot variable to indicate enable as 'Yes'.
Parse BootOrder variable to a more readable format.
Parse Boot variables per EFI_LOAD_OPTION described in more details in
UEFI Spec Section 3.1.3
Parse Device-path in a readable format using the efivar library.
Support for logs longer than 64 kilobytes.
Perform verification for event types where digest can be verified from
their event payload.
Better support for multiline strings.
Fix handling of event log EV_POST_CODE data where field is empty and len
is specified.
scripts/utils: Add a utility to read the cert chain of embedded CA.
tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP 404.
tpm2_nvdefine: allow setting hash algorithm by command line parameter for NV
indices set in extend mode.
tpm2_duplicate, tpm2_import: support duplicating non-TPM keys to a remote TPM
without first requiring them to be loaded to a local TPM.
tpm2_dictionarylockout: Fix issue where setting value for one parameter caused
to reset the others.
tpm2_getpolicydigest: Add new tool to enable TPM2_CC_PolicyGetDigest.
Fix segfault where optind > argc.
tools/tpm2_checkquote: fix missing initializer
tpm2_convert: fix EVP_EncodeUpdate usage for OSSL < 1.1.0
openssl: fix EVP_ENCODE_CTX_(new|free)
test: Add support for swTPM simulator to the testing framework and make it the
default if mssim isn't available.
tpm2_unseal:
Added option --rphash=FILE to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
tpm2_nvextend:
Added option --rphash=FILE to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
tpm2_nvdefine:
Added option --rphash=FILE to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
tpm2_changepps:
Added option --cphash=FILE to specify ile path to record the hash
of the command parameters. This is commonly termed as cpHash.
Added option --rphash=FILE to specify ile path to record the hash
Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
tpm2_changeeps:
Added option --cphash=FILE to specify ile path to record the hash
of the command parameters. This is commonly termed as cpHash.
Added option --rphash=FILE to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
tpm2_changeauth:
Added option --rphash=FILE to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
tpm2_certifycreation:
Added option --rphash=FILE to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
tpm2_certify:
Added option --rphash=FILE to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
tpm2_activatecredential:
Added option --rphash=FILE to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
tpm2_create:
Added option --rphash=FILE to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
tpm2_unseal:
Added option -S, --session to specify auxiliary sessions for
audit and encryption.
tpm2_nvdefine:
Added option -S, --session to specify auxiliary sessions for
audit and encryption.
tpm2_nvextend:
Added option -S, --session to specify auxilary sessions for
audit and encryption.
3 weeks, 4 days
[Release] tpm2-tools v4.3.1
by Imran Desai
Hello all,
Pleased to announce the release of tpm2-tools version 4.3.1.
You can find it here: https://github.com/tpm2-software/tpm2-tools/releases/tag/4.3.1
1. tpm2_dictionarylockout: Fix issue where setting value reset other parameters.
2. tpm2_create.c: Fix an issue where userwithauth attr cleared if policy specified.
3. tss2_quote: Tool now correctly supports to quote against a list of passed PCR registers.
4. Fix fapi-branch-select integration test to correctly use the PolicyRef parameter (triggered by recent bug-fix in tpm2-tss).
5. Fix an outdated parameter in the fapi-provision integration test. 6. tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP 404. We'd appreciate your feedback.
Thanks and regards,
Imran Desai
1 month
Best CBD Oils For Dogs With Arthritis
by craigpetrus420@gmail.com
Feline Arthritis (FAA) affects millions of canines worldwide. In cats, it manifests as stiffness and decreased appetite, while in dogs it results in inflammation of the joints. This condition is generally mild, and responds well to dietary management and relatively low doses of NSAIDs (non-steroidal anti-inflammatory drugs). However, for more severe cases of arthritis, including the arthritic condition that affects doggies, CBD pet oils may be an appropriate choice, as it contains a high level of plant sterols.
Visit: https://dailycbd.com/en/best-cbd/oil-for-dogs/arthritis/
1 month
[RELEASE] tpm2-tss v3.1.0
by Roberts, William C
Hello,
I would like to announce the release of tpm2-tss version 3.1.0. Their were no changes over rc2.
The release can be found here:
- https://github.com/tpm2-software/tpm2-tss/releases/tag/3.1.0
Thanks,
Bill
1 month
[RELEASE] tpm2-tss v3.0.4
by Roberts, William C
Hello,
I would like to announce the release of tpm2-tss version 3.0.4. There were no changes over rc2.
The release can be found here:
- https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.4
Thanks,
Bill
1 month
[RELEASE] tpm2-tss v2.4.6
by Roberts, William C
Hello,
I would like to announce the release of tpm2-tss version 2.4.6. There were no changes over rc2.
The release can be found here:
- https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.6
Thanks,
Bill
1 month
tpm2_quote - unexpected TPM commands - from where?
by Kenneth Goldman
The application is running a quote with this (python wrapped) command:
['tpm2_quote', '-c', '/var/lib/keylime/secure/tmpptoera_c', '-l',
'sha256:15,16,22', '-q', '645442426a4c3456786a4b767465424432357659', '-m',
'/tmp/tmprc17whih', '-s', '/tmp/tmp9vlpv1k2', '-o', '/tmp/tmpd3tl0nxn',
'-g', 'sha256', '-p', 'T5dKvXj1wGIFbp5brLUz']
Even with the implicit HMAC session, I would expect
startauthsession 02000000
loadcontext 80000000 (the quote key)
quote with session 02000000 and key 80000000
flushcontext 80000000
flushcontext 02000000
I see this. Is there something wrong with the call, is there a lot more
implicit in the quote tool, or is abrmd doing a lot of extra calls?
1 - It keeps loading and flushing the key and the session.
2 - It contextsave the key a few times, but it was already context saved
before the command started
3 - There's an unexpected getcapability, and a really unexpected readpublic
4 - A PCR read at the end
StartAuthSession: 02000000 OK
ContextSave: 02000000 ???
ContextLoad: 80000000 OK
ContextSave: 80000000 ???
FlushContext: 80000000 really unexpected
GetCapability: 00000005 unexpected
ContextLoad: 80000000 ??? because of the flushcontext
ReadPublic: objectHandle 80000000 really unexpected
ContextSave: 80000000 ???
FlushContext: 80000000 really unexpected
ContextLoad: 80000000 ??? because of the flushcontext
ContextLoad: 02000000 ??? because of the save
Quote with Session 0 handle 02000000 OK
signHandle 80000000
ContextSave: 02000000 ???
ContextSave: 80000000 ???
FlushContext: 80000000 OK
PCR_Read: unexpected
FlushContext: 02000000 OK
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
1 month
