tpm2-tss question
by Yasuhiro Hosoda
My name is Yasuhiro Hosoda.
I am developing a program using TSS1.0(Nov1.2016).
I encountered a problem with PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as a base of development.
The situation is as follows:
1 Create TPM Keys like this.
   EK
   |--------
   |       |
   MK      AK
   |
   SK
2 Execute PolicySecret twice using HMAC session. At first, it ends
without error. Then it ends with 0x98e.
For clarification, I print out the values of Virtual Handle and Real Handle.
The values of Virtual/Real Handles differ at the 2nd execution of the command.
(See NO 25/26 Below)
I understand that the resource manager assigns Virtual Handle and my
program calculates HMAC using those handles.
On the other hand, TPM may calculate HMAC using Real Handle.
That is my hypothesis.
Any suggestion about the usage of Session Handle?
NO  Command                           Virtual/Real Handle              LOC
1.  CreatePrimary(EK)                 real=80000000, virtual=80000000  8381
2.  HierarchyChangeAuth1                                               8421
3.  HierarchyChangeAuth2                                               8431
4.  StartAuthSession(Policy)          real=3000000, virtual=3000000    8480
5.  PolicySecret(ENDORSEMENT)                                          8494
6.  Create(MK)                                                         8515
7.  PolicySecret(ENDORSEMENT)                                          8529
8.  Load(MK)                          real=80000001, virtual=80000001  8542
9.  Evict(MK)                                                          8552
10. Create(SK)                                                         8590
11. Load(SK)                          real=80000001, virtual=80000002  8598
12. PolicySecret(ENDORSEMENT)                                          8609
13. Create(AK)                                                         8635
14. PolicySecret(ENDORSEMENT)                                          8645
15. Load(AK)                          real=80000001, virtual=80000003  8655
16. FlushContext(POLICY)                                               8664
17. StartAuthSession(POLICY)          real=3000000, virtual=3000000    8668
18. StartAuthSession(HMAC)            real=2000001, virtual=2000001    8678
19. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004  3706
20. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005  3706
21. PolicySecret(SK)                                                   8711
22. FlushContext(HMAC)                                                 8717
23. FlushContext(POLICY)                                               8724
24. CertifyCreation(SK)                                                8738
25. StartAuthSession(POLICY)          real=3000000, virtual=3000001    8745
26. StartAuthSession(HMAC)            real=2000001, virtual=2000000    8754
27. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005  8782
28. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004  8782
29. PolicySecret(SK)                                                   8789
The whole source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
Kind regards,
--
Yasuhiro Hosoda
NTT Electronics Corporation (NEL)
Security Support Project
3 years, 8 months
ESAPI StartAuthSession
by Davide Rutigliano
Hello everyone,
I'm having trouble with Esys_StartAuthSession because I continuously receive
this error and I cannot understand why:
"""
ERROR:esys_iutil:esapi/esapi_util/esys_iutil.c:879:esys_GetResourceObject()
Error: Esys handle does not exist (70018).
ERROR:esys:esapi/esapi/Esys_StartAuthSession.c:124:Esys_StartAuthSession()
Error in async function ErrorCode (0x00070018)
TPM2_StartAuthSession failed with 0x70018
"""
I suppose I'm doing something wrong with session handles but I don't know
what.
Could someone help me please?
Thanks in advance,
Davide Rutigliano.
4 years
tpm support on Intel NUCs
by Duncan.Palmer@data61.csiro.au
Apologies if this is slightly OT for this list...
We're running the tpm2 tools in Intel NUCs (a NUC5i7RYH to be exact), using Linux kernel 4.4.59 (shipped by Ubuntu as 4.4.0-77). The tpm drivers on this kernel don't work out of the box, and I had to put in a fairly nasty hack to make them work. The same driver now does not work on a newer NUC7i7 model. Are other people using NUCs, and if so, are you having similar issues?
Cheers,
Dunk
Duncan Palmer
Senior Software Engineer | Autonomous Systems
Data61 | CSIRO
E duncan.palmer(a)csiro.au
Queensland Centre for Advanced Technologies (QCAT),
1 Technology Court, Pullenvale QLD, 4069
www.data61.csiro.au<http://my.csiro.au/Business-Units/Operations/Communication/CSIRO-Branding...>
CSIRO's Digital Productivity business unit and NICTA have joined forces to create digital powerhouse Data61
4 years, 1 month
[ANNOUNCE] Brace yourself: API & ABI incompatible changes in coming!
by Philip Tricca
Hello,
We're getting pretty close to an RC0 for the next major release of the
TSS2 libraries. Before we can make RC0 though there are a number of
changes that still need to be made to the header files to bring them
in line with the latest TPM2 and TSS2 specifications. We've just
started rolling these out and during this time, due to the nature of
the changes, we'll be breaking backward compatibility (API and ABI
both).
If you're following along at home you've probably seen changes to the
TCTI headers and implementation happening in rapid succession over the
last few days (when our CI isn't down). Expect similar changes to
happen in the rest of the public headers over the course of this week.
These changes will likely cause some issues for downstream projects but
feel free to get on the list and we'll help sort things out.
Regards,
Philip
4 years, 2 months
NVRAM_write, BUFFER_SIZE is 0
by Ian Oliver
Hi,
we're having problems writing to NV_RAM with tpm2_nvwrite. We can define
areas but not write.
*$ tpm2_nvlist*
0x1800005:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ownerwrite|policywrite|ownerread|written
    value: 0xA000220
  size: 32
*$ echo -n "hello" | tpm2_nvwrite -x 0x1800005 -a 0x40000001 -V*
INFO on line: "135" in file: "tools/tpm2_nvwrite.c": The data(size=0) to be
written:
INFO on line: "149" in file: "tools/tpm2_nvwrite.c": Success to write NV
area at index 0x1800005 (25165829) offset 0x0.
INFO on line: "135" in file: "tools/tpm2_nvwrite.c": The data(size=0) to be
written:
INFO on line: "149" in file: "tools/tpm2_nvwrite.c": Success to write NV
area at index 0x1800005 (25165829) offset 0x0.
INFO on line: "135" in file: "tools/tpm2_nvwrite.c": The data(size=0) to be
written:
INFO on line: "149" in file: "tools/tpm2_nvwrite.c": Success to write NV
area at index 0x1800005 (25165829) offset 0x0.
INFO on line: "135" in file: "tools/tpm2_nvwrite.c": The data(size=0) to be
written:
INFO on line: "149" in file: "tools/tpm2_nvwrite.c": Success to write NV
area at index 0x1800005 (25165829) offset 0x0.
INFO on line: "135" in file: "tools/tpm2_nvwrite.c": The data(size=0) to be
written:
INFO on line: "149" in file: "tools/tpm2_nvwrite.c": Success to write NV
area at index 0x1800005 (25165829) offset 0x0.
…
Which loops infinitely.
Relevant parts of the tpm2-tools and tpm2-tss code:
*file: tpm2_nvwrite.c*
113 res = tpm2_util_nv_max_buffer_size(sapi_context, &max_data_size);
The call to tpm2_nv_read_public should get the *TPM_PT_NV_BUFFER_MAX*
capability and store it to *max_data_size*.
In that part of the code max_data_size gets set to 0 and that causes the
loop above.
The TPM_PT_NV_BUFFER_MAX seems not to be defined in the capabilities for
this device: Infineon TPM 2.0 9665 as reported by tpm2_cap.
Ian
--
*Dr. Ian Oliver*
===============================
Privacy Engineering: via Amazon <http://www.amazon.co.uk/dp/1497569710>
*Twitter: @i_j_oliver*
4 years, 2 months
[RELEASE] tpm2-tools 3.0.4 available
by Javier Martinez Canillas
Release 3.0.4 of tpm2-tools is now available at:
https://github.com/tpm2-software/tpm2-tools/releases/tag/3.0.4
Changelog:
3.0.4 - 2018-04-30
* Fix save and load for TPM2B_PRIVATE object.
* Use a default buffer size for tpm2_nv{read,write} if the TPM reports a 0 size.
* Fix --verbose and --version options crossover.
* Generate man pages from markdown and include them in the distribution tarball.
* Print usage summary if tools are executed with no options or man page can't be displayed.
4 years, 2 months
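The NV write loop reported in the "NVRAM_write, BUFFER_SIZE is 0" post and the 3.0.4 changelog entry about a default buffer size can be reproduced offline. The following is an added example, not code from tpm2-tools or from either post: `fake_nv_write`, `nv_write_chunked`, the 512-byte fallback and the round limit are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NV_AREA_SIZE 32        /* "size: 32" from the listing in the report */
#define FALLBACK_NV_BUFFER 512 /* assumed default, not taken from tpm2-tools */
#define MAX_ROUNDS 64          /* demo guard so the stalled loop returns */

static uint8_t nv_area[NV_AREA_SIZE]; /* stand-in for the NV index */

/* Stand-in for one NV write command: copy len bytes to offset. */
static int fake_nv_write(const uint8_t *data, size_t len, size_t offset)
{
    if (offset > NV_AREA_SIZE || len > NV_AREA_SIZE - offset)
        return -1;
    memcpy(nv_area + offset, data, len);
    return 0;
}

/* Chunked write driven by the TPM-reported maximum buffer size.
 * Returns the number of write calls made, or -1 on error or no progress.
 * use_fallback == 0 reproduces the reported behaviour. */
static int nv_write_chunked(const uint8_t *data, size_t size,
                            uint32_t reported_max, int use_fallback)
{
    size_t max_chunk = reported_max, offset = 0;
    int rounds = 0;
    if (max_chunk == 0 && use_fallback)
        max_chunk = FALLBACK_NV_BUFFER; /* never trust a 0 from the device */
    while (offset < size) {
        size_t left = size - offset;
        size_t chunk = left < max_chunk ? left : max_chunk;
        if (rounds++ >= MAX_ROUNDS)
            return -1; /* zero-length writes "succeed" but never advance */
        if (fake_nv_write(data + offset, chunk, offset) != 0)
            return -1;
        offset += chunk;
    }
    return rounds;
}

int main(void)
{
    const uint8_t msg[] = "hello";
    printf("reported 0, no fallback: %d\n", nv_write_chunked(msg, 5, 0, 0));
    printf("reported 0, fallback:    %d\n", nv_write_chunked(msg, 5, 0, 1));
    return 0;
}
```

Any loop whose step size comes from a device-reported capability needs the same check, because a zero step turns every iteration into a successful no-op.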
tpm2_pcrlist fails: Failed to intialize tcti context: 0x1
by Scheie, Peter M
When I run tpm2_pcrlist, I get "ERROR: Failed to initialize tcti context: 0x1". tpm2-abrmd is running (which is necessary, right?). This is with an actual tpm, not the simulator. Measured boot via tboot.gz is working successfully. What am I missing or doing wrong?
Thanks.
Peter
4 years, 2 months
tpm2-tools not working on SWTPM + QEMU + OVMF
by Stênio Araújo
Hi,
I have setup an environment with SWTPM, QEMU and OVMF to have TPM capabilities on my Guest VMs.
I have swtpm with tpm2 enabled, as I have OVMF.
My Guest VM is running Ubuntu 16.04. I installed the libraries and tools within https://github.com/tpm2-software .
I was able to start tpm2-abrmd successfully, but when I run tpm2_pcrlist (or any other tpm2_* command) I get the following error:
** (process:2430): WARNING **: Failed to create connection with service: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.17" (uid=0 pid=2430 comm="tpm2_pcrlist ") interface="com.intel.tss2.TctiTabrmd" member="CreateConnection" error name="(unset)" requested_reply="0" destination=":1.18" (uid=999 pid=2433 comm="/usr/local/sbin/tpm2-abrmd ")
ERROR: tcti init allocation routine failed for library: "tabrmd" options: "(null)"
ERROR: Could not load tcti, got: "tabrmd"
Would that probably be an issue with the tpm2 tools I am installing on the Guest? Or would it be something else?
Thank you,
4 years, 2 months
Re: [tpm2] uriparser dependency
by Anderson, Daniel
Please don't try and parse the host part or restrict the host to IPv4 addresses. This will allow hostnames and IPv6.
In other words, just pass everything after the host= part. Also consider making port optional with a default (12345?).
This would allow things such as:
host=10.11.12.13
host=foo.bar.com,port=12345
host=2001:470:7b:5e7::2,port=12345
Dan
4 years, 2 months
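One way to implement the configuration format proposed in the message above, as an added example that is not code from the TSS project or from the message: the host value is treated as opaque text and only the port is validated. `struct tcti_conf` and `parse_conf` are hypothetical names, and 12345 is the default the message suggests tentatively.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_PORT 12345 /* the default floated in the message */
struct tcti_conf { char host[256]; uint16_t port; }; /* hypothetical type */

/* Parse "host=<opaque>[,port=<n>]". The host value is copied verbatim so
 * names, IPv4 and IPv6 literals all reach the resolver untouched.
 * Returns 0 on success, -1 on malformed input. */
static int parse_conf(const char *s, struct tcti_conf *out)
{
    char buf[320], *kv = buf;
    if (strlen(s) >= sizeof buf)
        return -1;
    strcpy(buf, s);
    out->host[0] = '\0';
    out->port = DEFAULT_PORT;
    while (kv) {
        char *next = strchr(kv, ','), *eq, *end;
        if (next)
            *next++ = '\0';
        if ((eq = strchr(kv, '=')) == NULL)
            return -1;
        *eq++ = '\0';
        if (strcmp(kv, "host") == 0 && *eq && strlen(eq) < sizeof out->host) {
            strcpy(out->host, eq);
        } else if (strcmp(kv, "port") == 0 && *eq >= '0' && *eq <= '9') {
            unsigned long p;
            errno = 0;
            p = strtoul(eq, &end, 10);
            if (errno || *end != '\0' || p == 0 || p > 65535)
                return -1; /* trailing junk or out-of-range port */
            out->port = (uint16_t)p;
        } else {
            return -1; /* unknown key, empty host, or non-numeric port */
        }
        kv = next;
    }
    return out->host[0] ? 0 : -1;
}

int main(void)
{
    struct tcti_conf c;
    if (parse_conf("host=2001:470:7b:5e7::2,port=12345", &c) == 0)
        printf("%s %u\n", c.host, (unsigned)c.port);
    return 0;
}
```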