March 2018 - tpm2 - Ml01.01.Org

by Yasuhiro Hosoda

MY name is Yasuhiro Hosoda. I am developing a program using TSS1.0(Nov１．2016). I encountered a problem with PolicySecret error 0x98e and need help. My program uses tpmtest.cpp as a base of development. The situation is as follows: 1 Create TPM Keys like this. EK ｜-------- ｜ | MK AK ｜ SK 2 Execute PolicySecret twice using HMAC session. At first, it ends without error. Then it ends with 0x98e For clarification, I print out the values of Virtual Handle and Real Handle. The value of Virtual/Real Handles differ at 2nd excution of the command. (See NO 25/26 Below) I understand that the resource manager assigns Virtual Handle and my program calculates HMAC using that handles. On the other hand, TPM may calculate HMAC using Real Handle. That is my hypothesis. Any suggestion about the usage of Session Handle? NO Command Virtual/Real Handle LOC 1. CreatePrimary(EK) real=80000000, virtual=80000000 8381 2. HierarchyChangeAuth1 8421 3. HierarchyChangeAuth2 8431 4. StartAuthSession(Policy) real=3000000, virtual=3000000 8480 5. PolicySecret(ENDORSEMENT) 8494 6. Create(MK) 8515 7. PolicySecret(ENDORSEMENT) 8529 8. Load(MK) real=80000001, virtual=80000001 8542 9. Evict(MK) 8552 10. Create(SK) 8590 11. Load(SK) real=80000001, virtual=80000002 8598 12. PolicySecret(ENDORSEMENT) 8609 13. Create(AK) 8635 14. PolicySecret(ENDORSEMENT) 8645 15. Load(AK) real=80000001, virtual=80000003 8655 16. FlushContext(POLICY) 8664 17. StartAuthSession(POLICY) real=3000000, virtual=3000000 8668 18. StartAuthSession(HMAC) real=2000001, virtual=2000001 8678 19. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706 20. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706 21. PolicySecret(SK) 8711 22. FlushContext(HMAC) 8717 23. FlushContext(POLICY) 8724 24. CertifyCreation(SK) 8738 25. StartAuthSession(POLICY) real=3000000, virtual=3000001 8745 26. StartAuthSession(HMAC) real=2000001, virtual=2000000 8754 27. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782 28. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782 29. PolicySecret(SK) 8789 The whole source program can be found here. https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt Kind regards, -- Yasuhiro Hosoda NTT Electronics Corporation （NEL) Security Support Project

1 year, 8 months

3
16
0 / 0

[ANNOUNCE] Brace yourself: API & ABI incompatible changes in coming!

by Philip Tricca

Hello, We're getting pretty close to an RC0 for the next major release of the TSS2 libraries. Before we can make RCo though there are a number of changes that still need to be made to the header files to bring them in line with the latest TPM2 and TSS2 specifications. We've just started rolling these out and during this time, due to the nature of the changes, we'll be breaking backward compatibility (API and ABI both). If you're following along at home you've probably seen changes to the TCTI headers and implemnetation happening in rapid succession over the last few days (when our CI isn't down). Expect similar changes to happen in the rest of the public headers over the course of this week. These changes will likely cause some issues for downstream projects but feel free to get on the list and we'll help sort things out. Regards, Philip

2 years, 2 months

1
2
0 / 0

noDA

by Al Munyandy, MunessparanX

Hi, I'm looking for command to check "noDA" status and also command to set "noDA" to clear. May I know where I could get the list of command to use for TPM2 tools. Thanks! Regards, munes

2 years, 3 months

2
1
0 / 0

tpm2-abrmd configure syntax error near expected token AX_VALGRIND_DFLT

by Anderson, Daniel

If you get this error building tpm2-abrmd during ./configure: ./configure: line 13634: syntax error near unexpected token sgcheck,' ./configure: line 13634:AX_VALGRIND_DFLT(sgcheck, off)' The problem is your version of Linux does not have the latest and greatest autoconf-archive package. In my case the current Ubuntu 16.04.4 ("xenial") LTS package autoconf-archive is too old (version 20150925-1). But the future Ubuntu 17.10 LTS ("artful") has a newer version that works OK: 20170928-2. Here's a workaround until the new Ubuntu LTS version is released (or you can switch to Ubuntu development releases). It grabs a newer version of ax_valgrind_check.m4 with m4 macro AX_VALGRIND_DFLT defined. Details in https://github.com/tpm2-software/tpm2-abrmd/issues/404 Dan cd /usr/share/aclocal cp -p ax_valgrind_check.m4 ax_valgrind_check.m4.ori mkdir tmp cd tmp wget http://mirrors.kernel.org/ubuntu/pool/universe/a/autoconf-archive/autocon... dpkg-deb -R autoconf-archive_20170321-1_all.deb tmp cp tmp/usr/share/aclocal/ax_valgrind_check.m4 .. ls -l /usr/share/aclocal/ax_valgrind_check.m4* cd .. rm -rf tmp

2 years, 3 months

1
0
0 / 0

Initialization fails with error 0xb000b

by Moneeb Azhar

Hey, I am getting the following error on execution: ubuntu:~/Desktop$ sudo tpm2-abrmd --allow-root --tcti=libtcti-socket.so ** (tpm2-abrmd:36554): WARNING **: failed to dlopen library: libtcti-socket.so ** (tpm2-abrmd:36554): CRITICAL **: TCTI initialization failed: 0xb000b Same error if i execute as tss: $ sudo -u tss tpm2-abrmd --tcti=libtcti-socket.so [sudo] password for wisn: ** (tpm2-abrmd:38290): WARNING **: failed to dlopen library: libtcti-socket.so ** (tpm2-abrmd:38290): CRITICAL **: TCTI initialization failed: 0xb000b I did ldconfig after installation with no effect. I created a gist of the installation steps I took, in case this helps: https://gist.github.com/moneeb777/ceabfad71462d4ffc3e0c25a9da2b2ff Can someone guide me with this? Regards, Moneeb

2 years, 3 months

2
2
0 / 0

Problem with Infineon Iridium SLB 9670 TPM2.0

by madprops＠gmx.net

2 years, 3 months

5
10
0 / 0

How to protect and encrypt communication between host and TPM

by Tomasz Przybysz

Hi, we are working on TPM2.0 integration with our devices. We use Infineon TPM 2.0 chip and It works as expect. We are using tpm2-tss 1.4.0 library. We want to use transient RSA key generated inside device. Key is of course protected by its parent password, but we want to protect i2c communication between host and tpm chip. We want communication be encrypted, we don't want to send parent's password or key's password in clear text. We have found good example tpmclient.int.cpp, but there is an example how to encrypt access to the NV Index. There is no anything about RSA keys. How to call Tss2_Sys_Create for creating RSA key and then set password to use with session protected by TPM2_SE_HMAC and password. In the example there is StartAuthSessionWithParams and StartAuthSession. There is KDFa function called but we need something shared password to create session key. Which shared keys ? Is this parent's key password or keys password ? Thanks in advance, Tom

2 years, 3 months

3
6
0 / 0

Patch to the Microsoft/IBM TPM 2.0 Simulator on SourceForge

by Anderson, Daniel

Here is a patch I wrote to the Microsoft/IBM TPM 2.0 Simulator on SourceForge: https://gist.github.com/dantpm/a15fa70e94b28dee96a77c9d1bb70387 It makes the simulator "dual stack"-it listens to both IPv4 and IPv6 connection requests and tries to connect to a series of IP addresses (instead of the common method of only trying the first address returned in a hostname lookup). I also submitted this patch as issue #6 to the TPM 2.0 Simulator SourceForge project: https://sourceforge.net/p/ibmswtpm2/tickets/6/ The patch may look weird because the original source uses a mixture of spaces and 4-character tabs (which may expand to 8 characters, depending on how you view it). The source also has a mixture of coding styles. Dan

2 years, 3 months

1
0
0 / 0

[ANNOUNCE] tpm2-abrmd version 1.3.1

by Philip Tricca

Hello, The recent 1.3.0 release of the tpm2-abrmd had a packaging error that slipped through the cracks. Many thanks to Javier for the fix. Now that this is resolved I've created a 1.3.1_rc0 tag in the git repo to mark the beginning of the review process for the 1.3.1 bugfix release: https://github.com/tpm2-software/tpm2-abrmd/releases/tag/1.3.1_rc0 Regards, Philip

2 years, 3 months

2
1
0 / 0

tpm2_quote and "safe"

by Ian Oliver

Hi, other than various clock errors what causes the safe flag to be set to 1 as written into the output of tpm2_quote ? We're seeing some odd behaviour from some machines where safe is always set to 1 (Lenovo laptop) and on other servers occasionally safe is set to 1 and then returning to 0 on subsequent quotes. For example, we might take a number of quotes over time, eg: 5 minutes apart. One of those quotes will have safe set to 1, the others are all 0. During this time the machine will *not* have experienced a reboot/reset nor - as far as we can tell - any form of powersave or shutdown. We've also noticed that safe gets set to 1 only on some quotes, eg: when quoting sha256:16,17,18 for the DRTM measurements. The machines are all Xeon-E5 based servers, TPM2.0, tpm2_tools 1.3-rc2 installed, Ubuntu 17.04 with 4.13 kernel Any information appreciated here, thanks Ian -- *Dr. Ian Oliver* =============================== Privacy Engineering: via Amazon <http://www.amazon.co.uk/dp/1497569710> *Twitter: @i_j_oliver*

2 years, 4 months

2
4
0 / 0

2020

2019

2018

2017

tpm2 March 2018