MY name is Yasuhiro Hosoda.
I am developing a program using TSS1.0(Nov1.2016).
I encountered a problem with PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as a base of development.
The situation is as follows:
1 Create TPM Keys like this.
EK
|--------
| |
MK AK
|
SK
2 Execute PolicySecret twice using HMAC session. At first, it ends
without error. Then it ends with 0x98e
For clarification, I print out the values of Virtual Handle and Real Handle.
The value of Virtual/Real Handles differ at 2nd excution of the command.
(See NO 25/26 Below)
I understand that the resource manager assigns Virtual Handle and my
program calculates HMAC using that handles.
On the other hand, TPM may calculate HMAC using Real Handle.
That is my hypothesis.
Any suggestion about the usage of Session Handle?
NO Command Virtual/Real Handle LOC
1. CreatePrimary(EK) real=80000000, virtual=80000000 8381
2. HierarchyChangeAuth1 8421
3. HierarchyChangeAuth2 8431
4. StartAuthSession(Policy) real=3000000, virtual=3000000 8480
5. PolicySecret(ENDORSEMENT) 8494
6. Create(MK) 8515
7. PolicySecret(ENDORSEMENT) 8529
8. Load(MK) real=80000001, virtual=80000001 8542
9. Evict(MK) 8552
10. Create(SK) 8590
11. Load(SK) real=80000001, virtual=80000002 8598
12. PolicySecret(ENDORSEMENT) 8609
13. Create(AK) 8635
14. PolicySecret(ENDORSEMENT) 8645
15. Load(AK) real=80000001, virtual=80000003 8655
16. FlushContext(POLICY) 8664
17. StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
18. StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
19. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
20. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
21. PolicySecret(SK) 8711
22. FlushContext(HMAC) 8717
23. FlushContext(POLICY) 8724
24. CertifyCreation(SK) 8738
25. StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
26. StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
27. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
28. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
29. PolicySecret(SK) 8789
The whole source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
Kind regards,
--
Yasuhiro Hosoda
NTT Electronics Corporation (NEL)
Security Support Project
Hello,
We're getting pretty close to an RC0 for the next major release of the
TSS2 libraries. Before we can make RCo though there are a number of
changes that still need to be made to the header files to bring them
in line with the latest TPM2 and TSS2 specifications. We've just
started rolling these out and during this time, due to the nature of
the changes, we'll be breaking backward compatibility (API and ABI
both).
If you're following along at home you've probably seen changes to the
TCTI headers and implemnetation happening in rapid succession over the
last few days (when our CI isn't down). Expect similar changes to
happen in the rest of the public headers over the course of this week.
These changes will likely cause some issues for downstream projects but
feel free to get on the list and we'll help sort things out.
Regards,
Philip
Hi,
I'm looking for command to check "noDA" status and also command to set "noDA" to clear.
May I know where I could get the list of command to use for TPM2 tools.
Thanks!
Regards,
munes
If you get this error building tpm2-abrmd during ./configure:
./configure: line 13634: syntax error near unexpected token sgcheck,' ./configure: line 13634:AX_VALGRIND_DFLT(sgcheck, off)'
The problem is your version of Linux does not have the latest and greatest autoconf-archive package. In my case the current Ubuntu 16.04.4 ("xenial") LTS package autoconf-archive is too old (version 20150925-1).
But the future Ubuntu 17.10 LTS ("artful") has a newer version that works OK: 20170928-2.
Here's a workaround until the new Ubuntu LTS version is released (or you can switch to Ubuntu development releases). It grabs a newer version of ax_valgrind_check.m4 with m4 macro AX_VALGRIND_DFLT defined.
Details in https://github.com/tpm2-software/tpm2-abrmd/issues/404
Dan
cd /usr/share/aclocal
cp -p ax_valgrind_check.m4 ax_valgrind_check.m4.ori
mkdir tmp
cd tmp
wget http://mirrors.kernel.org/ubuntu/pool/universe/a/autoconf-archive/autocon...
dpkg-deb -R autoconf-archive_20170321-1_all.deb tmp
cp tmp/usr/share/aclocal/ax_valgrind_check.m4 ..
ls -l /usr/share/aclocal/ax_valgrind_check.m4*
cd ..
rm -rf tmp
Hey,
I am getting the following error on execution:
ubuntu:~/Desktop$ sudo tpm2-abrmd --allow-root --tcti=libtcti-socket.so
** (tpm2-abrmd:36554): WARNING **: failed to dlopen library: libtcti-socket.so
** (tpm2-abrmd:36554): CRITICAL **: TCTI initialization failed: 0xb000b
Same error if i execute as tss:
$ sudo -u tss tpm2-abrmd --tcti=libtcti-socket.so
[sudo] password for wisn:
** (tpm2-abrmd:38290): WARNING **: failed to dlopen library: libtcti-socket.so
** (tpm2-abrmd:38290): CRITICAL **: TCTI initialization failed: 0xb000b
I did ldconfig after installation with no effect. I created a gist of the installation steps I took, in case this helps: https://gist.github.com/moneeb777/ceabfad71462d4ffc3e0c25a9da2b2ff
Can someone guide me with this?
Regards,
Moneeb
Hi, we are working on TPM2.0 integration with our devices.
We use Infineon TPM 2.0 chip and It works as expect.
We are using tpm2-tss 1.4.0 library.
We want to use transient RSA key generated inside device. Key is of
course protected by its parent password,
but we want to protect i2c communication between host and tpm chip. We
want communication be encrypted, we don't want to send
parent's password or key's password in clear text.
We have found good example tpmclient.int.cpp, but there is an example
how to encrypt access to the NV Index. There is no anything about RSA keys.
How to call Tss2_Sys_Create for creating RSA key and then set password
to use with session protected by TPM2_SE_HMAC and password.
In the example there is StartAuthSessionWithParams and StartAuthSession.
There is KDFa function called but we need something shared password to
create session key.
Which shared keys ? Is this parent's key password or keys password ?
Thanks in advance,
Tom
Here is a patch I wrote to the Microsoft/IBM TPM 2.0 Simulator on SourceForge:
https://gist.github.com/dantpm/a15fa70e94b28dee96a77c9d1bb70387
It makes the simulator "dual stack"-it listens to both IPv4 and IPv6 connection requests and tries to connect to a series of IP addresses (instead of the common method of only trying the first address returned in a hostname lookup).
I also submitted this patch as issue #6 to the TPM 2.0 Simulator SourceForge project:
https://sourceforge.net/p/ibmswtpm2/tickets/6/
The patch may look weird because the original source uses a mixture of spaces and 4-character tabs (which may expand to 8 characters, depending on how you view it). The source also has a mixture of coding styles.
Dan
Hello,
The recent 1.3.0 release of the tpm2-abrmd had a packaging error that
slipped through the cracks. Many thanks to Javier for the fix. Now that
this is resolved I've created a 1.3.1_rc0 tag in the git repo to mark
the beginning of the review process for the 1.3.1 bugfix release:
https://github.com/tpm2-software/tpm2-abrmd/releases/tag/1.3.1_rc0
Regards,
Philip
Hi,
other than various clock errors what causes the safe flag to be set to 1 as
written into the output of tpm2_quote ?
We're seeing some odd behaviour from some machines where safe is always set
to 1 (Lenovo laptop) and on other servers occasionally safe is set to 1 and
then returning to 0 on subsequent quotes.
For example, we might take a number of quotes over time, eg: 5 minutes
apart. One of those quotes will have safe set to 1, the others are all 0.
During this time the machine will *not* have experienced a reboot/reset nor
- as far as we can tell - any form of powersave or shutdown. We've also
noticed that safe gets set to 1 only on some quotes, eg: when quoting
sha256:16,17,18 for the DRTM measurements.
The machines are all Xeon-E5 based servers, TPM2.0, tpm2_tools 1.3-rc2
installed, Ubuntu 17.04 with 4.13 kernel
Any information appreciated here,
thanks
Ian
--
*Dr. Ian Oliver*
===============================
Privacy Engineering: via Amazon <http://www.amazon.co.uk/dp/1497569710>
*Twitter: @i_j_oliver*