November 2019 - tpm2 - Ml01.01.Org

[tpm2][tpm2-abrmd]tpm2-abrmd.service may run before udev rule.

by Steven Clark

I've created a situation where systemd starts with most of the root filesystem in disk cache already (as a side effect) and discovered that tpm2-abrmd.service has no After or Requires directives. Systemd was running tpm2-abrmd,service before the udev rule had chowned the tpm device and as a result it was hanging until the 5-second restart countdown finished. The following patch fixed it for me, by forcing the resource manager to wait until udev settled. Patch is against 2.2.0 but should be easy to port. --- dist/tpm2-abrmd.service.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dist/tpm2-abrmd.service.in b/dist/tpm2-abrmd.service.in index 00aa031..4300cb3 100644 --- a/dist/tpm2-abrmd.service.in +++ b/dist/tpm2-abrmd.service.in @@ -1,5 +1,7 @@ [Unit] Description=TPM2 Access Broker and Resource Management Daemon +After=systemd-udev-settle.service +Requires=systemd-udev-settle.service [Service] Type=dbus

7 months

3
7
0 / 0

wpa_supplicant fails to use tpm2_pkcs11 key

by Ignacio Jaureguiberry

I'm trying to use pkcs11 to authenticate a Wifi client using wpa_supplicant against a radius server (EAP-TLS auth using server and client certificates, no password) using a tpm2 private key. I've installed tpm2-tss 2.3.x branch, tpm2-tools master and tpm2-pkcs11 master. System is ubuntu server 18.04. I'm using p11tools and opensc to add pkcs11 support to wpa. All software except tpm2-* are from official ubuntu repositories. I ran the pkcs11 store initialization as specified in the docs: ``` tpm2_ptool init tpm2_ptool addtoken --pid=1 --sopin=mysopin --userpin=myuserpin --label=label tpm2_ptool addkey --algorithm rsa2048 --label label --userpin myuserpin ``` I've created a CSR using the tpm2 key: ``` openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:model=Intel;manufacturer=Intel;serial=0000000000000000;token=label;id=%37%61%61%37%62%33%33%33%35%62%37%64%62%37%37%30;object=3;type=secret-key;pin-value=myuserpin" -out client5.csr ``` Then moved the CSR to the radius server to create the certificate. The result of some steps is a client_tpm.pem file. Finally I'm running wpa_supplicant with this wpa.conf config file: ``` # Configure OpenSSL to load the PKCS#11 engine and tpm2-pkcs11 module pkcs11_engine_path=/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so pkcs11_module_path=/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so network={ ssid="TPMAP" key_mgmt=WPA-EAP eap=TLS identity="testing" # use OpenSSL PKCS#11 engine for this network engine=1 engine_id="pkcs11" pin="myuserpin" # select the private key on ID (output from p11tool above) key_id="62356461333863313935373361313763" # CA certificate and client signed certificate paths ca_cert="/root/wpa_supplicant/ca.pem" client_cert="/root/wpa_supplicant/client_tpm.pem" } ``` ``` TPM2_PKCS11_LOG_LEVEL=2 wpa_supplicant -c wpa.conf -i wlp1s0 ``` This doesn't work, output (truncated to relevant section only) is: ``` wlp1s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0 wlp1s0: CTRL-EVENT-EAP-STARTED EAP authentication started wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 INFO on line: "390" in file: "src/pkcs11.c": enter "C_GetFunctionList" INFO on line: "390" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0 INFO on line: "378" in file: "src/pkcs11.c": enter "C_Initialize" INFO on line: "1737" in file: "src/lib/db.c": Using sqlite3 DB: "/root/.tpm2_pkcs11/tpm2_pkcs11.sqlite3" INFO on line: "337" in file: "src/lib/tpm.c": tcti=(null) INFO on line: "378" in file: "src/pkcs11.c": return "C_Initialize" value: 0 INFO on line: "386" in file: "src/pkcs11.c": enter "C_GetInfo" WARNING on line: "56" in file: "src/lib/general.c": Could not strtoul(6c80e77): Success INFO on line: "386" in file: "src/pkcs11.c": return "C_GetInfo" value: 0 INFO on line: "394" in file: "src/pkcs11.c": enter "C_GetSlotList" INFO on line: "394" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0 INFO on line: "394" in file: "src/pkcs11.c": enter "C_GetSlotList" INFO on line: "394" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0 INFO on line: "398" in file: "src/pkcs11.c": enter "C_GetSlotInfo" INFO on line: "398" in file: "src/pkcs11.c": return "C_GetSlotInfo" value: 0 INFO on line: "402" in file: "src/pkcs11.c": enter "C_GetTokenInfo" INFO on line: "402" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0 INFO on line: "430" in file: "src/pkcs11.c": enter "C_OpenSession" INFO on line: "430" in file: "src/pkcs11.c": return "C_OpenSession" value: 0 INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit" INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0 INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects" INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0 INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal" INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0 INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit" INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0 INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects" INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0 INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal" INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0 INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit" INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0 INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects" INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0 INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal" INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0 INFO on line: "442" in file: "src/pkcs11.c": enter "C_GetSessionInfo" INFO on line: "442" in file: "src/pkcs11.c": return "C_GetSessionInfo" value: 0 INFO on line: "454" in file: "src/pkcs11.c": enter "C_Login" INFO on line: "454" in file: "src/pkcs11.c": return "C_Login" value: 0 INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit" INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0 INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects" INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects" INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects" INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0 INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal" INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue" INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0 wlp1s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected wlp1s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin(a)example.org/CN=Example Certificate Authority' hash=4953d5815718f3e6c082969bd950d84c1b8dbba87cb45c4b15335387b34abdb8 wlp1s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin(a)example.org' hash=677cee54ddad924c818909397a5b3d1a8ff64d45ab8796648d47aa5fdc2d3f8f INFO on line: "550" in file: "src/pkcs11.c": enter "C_SignInit" INFO on line: "550" in file: "src/pkcs11.c": return "C_SignInit" value: 112 SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error OpenSSL: openssl_handshake - SSL_connect error:8207A070:PKCS#11 module:pkcs11_private_encrypt:Mechanism invalid OpenSSL: pending error: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib ^Cnl80211: deinit ifname=p2p-dev-wlp1s0 disabled_11b_rates=0 p2p-dev-wlp1s0: CTRL-EVENT-TERMINATING wlp1s0: CTRL-EVENT-DISCONNECTED bssid=58:6d:8f:9d:2f:9e reason=3 locally_generated=1 nl80211: deinit ifname=wlp1s0 disabled_11b_rates=0 wlp1s0: CTRL-EVENT-TERMINATING INFO on line: "438" in file: "src/pkcs11.c": enter "C_CloseAllSessions" INFO on line: "438" in file: "src/pkcs11.c": return "C_CloseAllSessions" value: 0 ``` I've found some related issues, but I'm not sure it's the same problem: https://bugzilla.redhat.com/show_bug.cgi?id=1685470 https://forums.openvpn.net/viewtopic.php?f=6&t=28181 http://openssl.6102.n7.nabble.com/Issue-with-smartcard-authentication-for... They mention that OpenSSL is expecting a raw signature and pkcs11 is returning something else, but I'm not certain if this is actually the case and if so, how can I fix it. Can anyone give me pointer on what else to try? Is this an OpenSSL bug or can be solved from the tpm2-pkcs11 side?

7 months, 2 weeks

5
15
0 / 0

RSA encryption - tpm2_getpubak

by Frederick Gotham

I'm using the latest version of 'tmp2-tools' and I'm trying to follow an example I found online of doing RSA encryption/decryption inside the TPM2 chip. The example uses "tpm2_getpubek" and "tpm2_getpubak". As these tools no longer exist, what has replaced them?

7 months, 2 weeks

2
1
0 / 0

Is there a way to get the name for an NV index in tpm2_tools?

by Steven Clark

I can't seem to find a way to to get the name for an NV index using any of the tpm2_tools, at least in 4.x . Does one of these commands let me see it the way tpm2_readpublic does for persistent objects and context blobs? Or is there a way to get a name out of the initial write to the handle like tpm2_load?

7 months, 2 weeks

2
7
0 / 0

TPM 2.0 over TCP/IP

by pneumiller＠directstream.com

The IBM TPM 2.0 simulator uses TCP/IP to carry the TPM 2.0 commands. Where is this protocol specified? I noticed wireshark decodes it. Is there an IETF RFC or some other standard? Thanks, Phil

7 months, 3 weeks

2
1
0 / 0

[RELEASE] tpm2-tools v4.1

by Imran Desai

Hello, I am happy to announce the release of tpm2-tools v4.1 Some highlights of this release are as follows. * New tools added to support commands: TPM2_CertifyCreation, TPM2_ChangeEPS, TPM2_ChangePPS, TPM2_ClockRateAdjust, TPM2_GetTime, TPM2_NV_Certify, TPM2_NV_Extend, TPM2_NV_Setbits, TPM2_NV_UndefineSpaceSpecial, TPM2_NV_Writelock, TPM2_PolicyAuthorizeNV, TPM2_PolicyAuthValue, TPM2_PolicyCounterTimer, TPM2_PolicyNameHash, TPM2_PolicyNV, TPM2_NV_Written, TPM2_PolicySigned, TPM2_PolicyTemplate, TPM2_PolicyTicket, TPM2_ReadClock, TPM2_ClockSet, TPM2_SetPrimaryPolicy, TPM2_Shutdown. * Resource manager dependency updated: tpm2-abrmd v2.3.0 * Bug fixes and additional options to existing tools. 1. tpm2_checkquote: Fix YAML bug 2. tpm2_policysecret: Add options to specify expiration, ticket, timeout, qualification data. 3. tpm2_create/ tpm2_createprimary: Add options to specify creation-data, creation-ticket, creation-hash, outside-info, pcr-list 4. Skip/notify of action that man pages will not install if pandoc is missing. 5. Support "tpmt" as public key output format that saves the TPMT structure. 6. Add support for specifying NV index type when specifying NV attributes. 7. Fixed routine files_load_bytes_from_buffer_or_file_or_stdin where it can read one short of a UINT16 and overflow when buffer isn't a UINT16. 8. Fix precedence issue with bitwise operator order int tpm2_getcap 9. tpm2_util.c: Fix an issue int variable size was checked against uint 10. pcr.c: Fix buffer length issue to support all defined hash algorithm Please see the changelog for additional details of this release.

7 months, 3 weeks

1
0
0 / 0

Approaching 100 hours of troubleshooting

by Frederick Gotham

Hi I'm trying to get the TPM2 working in embedded Linux, and I've been troubleshooting for nearly two weeks now. I thought it would be a good idea to get the latest releases of the following packages: tpm2-tss tpm2-tools tpm2-tss-engine And also the latest commit of: tpm2-pkcs11 All I have succeeded in doing so far is getting random numbers from the TPM2 chip. I haven't be able to store (or retrieve) keys, nor have I been able to encrypt or decrypt data. The first problem I'm having is that the command line options for the tools (and also scripts) have been changed several times. Every time I try to follow an example I find on the web, I get "unrecognised option -C". In order to try follow examples I find online, I have repeatedly upgraded and downgraded my versions of the packages, sometimes even mixing old tools with new tools (sometimes even rewinding to an historical commit in Github between official releases). Can someone please suggest what are the best stable versions of these packages for working with embedded Linux? Another thing: When my device boots up, I can go into the BIOS where I see a lot of options for Trusted Platform. I'm not exactly sure what these options actually do. Can someone advise me which settings in particular to watch out for? I see one about fTPM but I'm not sure what it does.

7 months, 3 weeks

4
9
0 / 0

Importing AES key protected by PolicyAuthorize

by Andrey Larionov

Hello. First of all i would like to thank all the contributors of project for such tremendous work of creating really pleasant experience for such complicated topic. Previously asked this question via github issue. So just closed it and crsossposting to mailing list. I'm trying to permanently import AES key into TPM. And use sequence of commands for this tpm2_import -C -G aes -i -r -u tpm2_load -C -u -r -n -c tpm2_evictcontrol -c And this works fine. But whet i try to import key protected by a policy, generated with tpm2_policyauthorize, via -L argument in tpm2_import i got this error message, which i think irrelevant, because i don't import duplicated key. ERROR: Expected SymSeed to be specified via "-s", missing option. Did i misunderstand something? Is it achievable? Also, i think this CLI parameter, -L, in tpm2_import could have better documentation. It's unclear what policy should be specified, and how it would be used. I'll try to clarify my needs: I would like to provision many TPM2 devices with same, externaly generated, AES key in Platform Hierarchy (but only AES key should be same, primary objects and parent objects should differs). I need this key to be persisted inside TPM. I would like to have this AES key protected by flexible policy (TPM2_PolicyAuthorize), to be accessed in target system with obtainable policy. So i expect to use this sequence (briefly, without session management commands): tpm2_createprimary tpm2_loadexternal tpm2_policyauthorize tpm2_import tpm2_load tpm2_evictcontrol What am i missing here?

7 months, 3 weeks

2
3
0 / 0

Available as a newsgroup? (gmane)

by Frederick Gotham

Hi Is this mailing list available as a newsgroup? I would like to browse it and post to it from my favourite news reader, Xnews. If it's not available as a newsgroup, I think you should see about getting it added to news.gmane.org, as this server has 10's of 1000's of mailing list made available as newsgroups (e.g. linux kernel, boost, openssl). Frederick

7 months, 3 weeks

2
1
0 / 0

raspi tpm in lockdown

by Dennis Knorr

Hi, i tried to play with an tpm from letstrust.de. i played around a bit, but now it seems to be in lockdown: https://pastebin.com/S59y4tQk but i am SURE that i have the correct password. Any Idea what i did wrong? anything i can do? i could remove the tpm chip from the raspberry? would that help i hope you can help me. Dennis

7 months, 3 weeks

4
4
0 / 0

2020

2019

2018

2017

tpm2 November 2019