Re: Re-provision TPM
by Steven Clark
On Linux one of the absolute worst-case options to nuke a TPM and start
over is to use the sysfs PPI interface to the TPM:
Issue a clear request like:
echo 5 > /sys/class/tpm/tpm0/ppi/request
and reboot. You then confirm that you really do want the BIOS to wipe the
TPM and it's done. If something has set auths and you don't know what it
is, this a pretty decent last resort if you've got the support.
3 months, 3 weeks
Re-provision TPM
by Anthony Arrascue
Hello,
I am learning about the TSS and TPM techonologies.
I have provisioned the TPM with the default settings, which means I am now using the ECC profile (P_ECCP256SHA256).
However, encryption was a requirement I needed to fulfill. I just didn't know that ECC encryption is currently not supported and now I realize RSA would be a better fit for me.
So here is my question:
* I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it seems this is not the way to proceed. I get the message that the TPM has been already provisioned. What is the correct way of "changing" profile? Is it even possible or do I need to reset the TPM?
Thank you for your help.
Anthony Arrascue
3 months, 3 weeks
Fapi_Decrypt using auth value
by Anthony Arrascue
Hello,
I am learning about encryption / decryption using Fapi.
For that purpose, I create a key using tss2_createkey and use tss2_encrypt / tss2_decrypt (and their Fapi equivalents).
tss2_ createkey has the argument -a, --authValue to set up a decryption password.
With tss2_encrypt I generate the cipher text.
The problem is with the decryption process. When I decrypt with tss2_decrypt I got asked for that authValue. If it is given correctly it decrypts the cipher text. However, Fapi_Decrypt will fail throwing an authorization error.
I was wondering how to programmatically enter the authValue? Fapi_Decrypt has no arguments to pass it. Maybe through the FAPI_CONTEXT?
Using TPM2-TSS v. 2.4.x
TPM2-TOOLS v. 4.X
Thank you for any possible help.
Best,
Anthony Arrascue
--------------------------------------
neuroloop GmbH
Breisacher Str. 86, 79110 Freiburg, Germany
aarrascue(a)neuroloop.de<mailto:aarrascue@neuroloop.de>
neuroloop.de
3 months, 3 weeks
tpm2-tss fapi tests failing with new openssl
by Petr Gotthard
Hello,
I have troubles debugging the FAPI tests. I am seeing error messages "Could not open file or uri for loading certificate", but I have no idea where these are coming from. For example, in "tpm2-tss/test/integration/fapi-data-crypt-rsa.log" I see
Could not open file or uri for loading certificate from /home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekcert.crt
C05DA65E427F0000:error:80000002:system library:file_open:No such file or directory::0:calling stat(/home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekcert.crt)
Unable to load certificate
Could not open file or uri for loading certificate from /home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekecccert.crt
C08D22FEE77F0000:error:80000002:system library:file_open:No such file or directory::0:calling stat(/home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekecccert.crt)
Unable to load certificate
cat: /home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekcert.crt: No such file or directory
WARNING:test:test/helper/tpm_writeekcert.c:92:main() Cert input size is 0
WARNING:test:test/helper/tpm_writeekcert.c:95:main() Define NV cert with nv index: 1c00002
cat: /home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekecccert.crt: No such file or directory
WARNING:test:test/helper/tpm_writeekcert.c:92:main() Cert input size is 0
WARNING:test:test/helper/tpm_writeekcert.c:95:main() Define NV cert with nv index: 1c0000a
Execute the test script
The "tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ca.log" indicates(?) these files should(?) have been created:
Creating ekcert for /home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekpub.pem => /home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekcert.crt
Creating ekcert for /home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekeccpub.pem => /home/petr/projects/tpm2-tss/test/integration/fapi-data-crypt-rsa.fint_ekecccert.crt
But the certificates are not there. The PEM keys yes, the CRT files no.
I tried to find which openssl(?) command does this certificate creation, but it is somewhere well hidden.
This is not a bug in the tpm2-tss. I am using the new OpenSSL 3.0 and my heavily modified tpm2-tss code. The bug is in one of these two-- I have just serious troubles finding it.
Could you please give me some hint where should I look? Where is the command generating these certificates, please?
Kind Regards,
Petr
3 months, 3 weeks
Sample applications
by @rubynerd
Hi all,
I'm looking to build an application which creates a key on a TPM & uses the
TPM to decrypt some application initialisation secrets delivered to the
application via a control-plane, which verifies the key the TPM will use is
on a TPM.
I'm struggling to find any sample applications/explanations/cookbooks for
tmp2-tools to prototype out how this would work — in fact, I can't find an
explainer of how to convert a key from "tss" format to PEM format. Is there
something I've missed, or is there a sample TPM application or something
kicking about I can refer to? I'm aware there are specification PDF's, but
these are unapproachable to someone with attention-span disabilities.
Thanks,
Luke
4 months
Essay Writing Help
by kasperkos04@gmail.com
I recently read a book of 50 Shades of Raw and asked us that we should write a report on the book. Since I will be doing it for the first time and do not know how to do it. I turned for help to a professional writing platform that leaves their work here https://cheap-essay-writing.com/book-report.html
4 months, 1 week
Example with multifactor authentication available?
by Felix Rubio Dalmau
Hi everybody!
I am still learning about tpm and tpm2-tools. Following the advice from William Roberts, I set the authentication policy up as AND(pcr, password) by doing the following:
# create a policy that requires the pcr and the password
tpm2_startauthsession -S session.dat
tpm2_policypcr -S session.dat -l "sha1:0,1,2,3" -L policy.dat
tpm2_policypassword -S session.dat -L policy.dat
tpm2_flushcontext session.dat
# and the sealing goes with
echo mysecret | tpm2_create -C primary.ctx -u key.pub -r key.priv -i- -p password -L policy.dat
William suggested I should set up a signed policy so that when UEFI gets updated I can regenerate the policy and not find myself lock out off the system, which I understand, but the problem is: to prevent from further unlock attemps, after unsealing the secret protected by that policy, I will extend one of the pcr registers... so, if I generate the pcr policy with the live system, I will be using pcr values that have been altered.
Now, I have thought in either forcing the EFI updates to happen during the system boot (I download the update, recreate a initramfs including it, and during the following boot, in the unlocking script, the UEFI gets updated and the policy gets created before unlocking), or in having a multi factor authentication that allows me to get in with either the previous policy or with another policy composed by the previous password and a rescue password. In this case, AND(password1, OR(password2, pcr)), I have written the following statements:
# session for auth based on pcr
tpm2_startauthsession -S session.dat
tpm2_policypcr -S session.dat -l "sha256:0,1" -L policy.pcr
tpm2_flushcontext session.dat
rm session.dat
# session for auth based on rescue password
tpm2_startauthsession -S session.dat
tpm2_policypassword -S session.dat -L policy.rescue
tpm2_flushcontext session.dat
rm session.dat
# compound both policies using OR and require always the password
tpm2_startauthsession -S session.dat
tpm2_policyor -S session.dat -L policy.dat sha256:policy.pcr,policy.rescue
tpm2_policypassword -S session.dat -L policy.dat
tpm2_flushcontext session.dat
rm session.dat
I think this is ok, but then.. I do not see how to initialize the password policies. Is there any example similar to what I want to achieve?
Thank you!
Felix
4 months, 1 week
Java support for TPM2 ?
by Ted Kim
Folks,
Does anyone know of any current projects to support Java with TPM2 ?
I saw TSS.Java over at Microsoft TSS.MSR (last commit 7 months ago).
But aside from that I only saw projects which look really old (several
years since last update).
Any leads ?
Thanks,
-ted
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
4 months, 2 weeks
All is conected poster-presentation-guidelines
by zoett25@gmail.com
Hello and nice to meet you))
I prepare a new kind of studying work. And during understanding this theme I realize that all is conected poster-presentation-guidelines. But at first when you prepare this have understood and do everything separately. But only then combine everything in one. You also can find more information about it here https://prime-essay.net/poster-presentation-guidelines I hope that it can be useful for some of you))
4 months, 2 weeks
Dropping OSSL 1.0.2 support
by Roberts, William C
With OpenSSL 3.0 in alpha releases and soon to be beta releases, we have undergone looking at the work it will take to port to openssl 3.0. 3.0 essentially forces our hands away from the lower level APIs and into the EVP api's, AFAIK. Because of this, supporting openssl 1.0.2 will be more difficult. OSSL 1.0.2 is EOL, and most distros I am aware of that have 1.0.2 are EOL as well.
So the question is, if we kill OSSL < 1.1.0 support, how many folks will be disrupted by that?
Thanks,
Bill
4 months, 2 weeks
