[tpm2][tpm2-abrmd]tpm2-abrmd.service may run before udev rule.
by Steven Clark
I've created a situation where systemd starts with most of the root
filesystem in disk cache already (as a side effect) and discovered
that tpm2-abrmd.service has no After or Requires directives. Systemd
was running tpm2-abrmd.service before the udev rule had chowned the
tpm device and as a result it was hanging until the 5-second restart
countdown finished. The following patch fixed it for me, by forcing
the resource manager to wait until udev settled. Patch is against
2.2.0 but should be easy to port.
---
dist/tpm2-abrmd.service.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/dist/tpm2-abrmd.service.in b/dist/tpm2-abrmd.service.in
index 00aa031..4300cb3 100644
--- a/dist/tpm2-abrmd.service.in
+++ b/dist/tpm2-abrmd.service.in
@@ -1,5 +1,7 @@
[Unit]
Description=TPM2 Access Broker and Resource Management Daemon
+After=systemd-udev-settle.service
+Requires=systemd-udev-settle.service
[Service]
Type=dbus
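Review bot: Requires=systemd-udev-settle.service (second added line of the hunk) turns any failure or timeout of the settle unit into a failed start of tpm2-abrmd, which is stronger coupling than the ordering problem described needs; `Wants=systemd-udev-settle.service` together with the `After=` keeps the ordering without propagating that failure. More to the point, the dependency the report actually describes is on udev having run its rule for the TPM device node, and systemd-udev-settle instead waits for the entire device tree; a device unit for that node (for /dev/tpm0, `After=dev-tpm0.device` and `Requires=dev-tpm0.device`, with the udev rule carrying `TAG+="systemd"` if the unit does not already exist) becomes active only once udev has finished processing that node, rules included, so it ties the start to exactly that event and nothing else. Either way, a one-line comment above the two directives saying why they are there would help whoever next touches the unit.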
2 years, 6 months
wpa_supplicant fails to use tpm2_pkcs11 key
by Ignacio Jaureguiberry
I'm trying to use pkcs11 to authenticate a Wifi client using wpa_supplicant against a radius server (EAP-TLS auth using server and client certificates, no password) using a tpm2 private key.
I've installed the tpm2-tss 2.3.x branch, tpm2-tools master and tpm2-pkcs11 master. The system is Ubuntu Server 18.04. I'm using p11tool and OpenSC to add PKCS#11 support to wpa_supplicant. All software except tpm2-* is from the official Ubuntu repositories.
I ran the pkcs11 store initialization as specified in the docs:
```
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin=mysopin --userpin=myuserpin --label=label
tpm2_ptool addkey --algorithm rsa2048 --label label --userpin myuserpin
```
I've created a CSR using the tpm2 key:
```
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:model=Intel;manufacturer=Intel;serial=0000000000000000;token=label;id=%37%61%61%37%62%33%33%33%35%62%37%64%62%37%37%30;object=3;type=secret-key;pin-value=myuserpin" -out client5.csr
```
Then moved the CSR to the radius server to create the certificate. The result of some steps is a client_tpm.pem file.
Finally I'm running wpa_supplicant with this wpa.conf config file:
```
# Configure OpenSSL to load the PKCS#11 engine and tpm2-pkcs11 module
pkcs11_engine_path=/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
pkcs11_module_path=/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so

network={
    ssid="TPMAP"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="testing"
    # use OpenSSL PKCS#11 engine for this network
    engine=1
    engine_id="pkcs11"
    pin="myuserpin"
    # select the private key on ID (output from p11tool above)
    key_id="62356461333863313935373361313763"
    # CA certificate and client signed certificate paths
    ca_cert="/root/wpa_supplicant/ca.pem"
    client_cert="/root/wpa_supplicant/client_tpm.pem"
}
```
```
TPM2_PKCS11_LOG_LEVEL=2 wpa_supplicant -c wpa.conf -i wlp1s0
```
This doesn't work; the output (truncated to the relevant section only) is:
```
wlp1s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp1s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
INFO on line: "390" in file: "src/pkcs11.c": enter "C_GetFunctionList"
INFO on line: "390" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0
INFO on line: "378" in file: "src/pkcs11.c": enter "C_Initialize"
INFO on line: "1737" in file: "src/lib/db.c": Using sqlite3 DB: "/root/.tpm2_pkcs11/tpm2_pkcs11.sqlite3"
INFO on line: "337" in file: "src/lib/tpm.c": tcti=(null)
INFO on line: "378" in file: "src/pkcs11.c": return "C_Initialize" value: 0
INFO on line: "386" in file: "src/pkcs11.c": enter "C_GetInfo"
WARNING on line: "56" in file: "src/lib/general.c": Could not strtoul(6c80e77): Success
INFO on line: "386" in file: "src/pkcs11.c": return "C_GetInfo" value: 0
INFO on line: "394" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "394" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "394" in file: "src/pkcs11.c": enter "C_GetSlotList"
INFO on line: "394" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0
INFO on line: "398" in file: "src/pkcs11.c": enter "C_GetSlotInfo"
INFO on line: "398" in file: "src/pkcs11.c": return "C_GetSlotInfo" value: 0
INFO on line: "402" in file: "src/pkcs11.c": enter "C_GetTokenInfo"
INFO on line: "402" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0
INFO on line: "430" in file: "src/pkcs11.c": enter "C_OpenSession"
INFO on line: "430" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "442" in file: "src/pkcs11.c": enter "C_GetSessionInfo"
INFO on line: "442" in file: "src/pkcs11.c": return "C_GetSessionInfo" value: 0
INFO on line: "454" in file: "src/pkcs11.c": enter "C_Login"
INFO on line: "454" in file: "src/pkcs11.c": return "C_Login" value: 0
INFO on line: "486" in file: "src/pkcs11.c": enter "C_FindObjectsInit"
INFO on line: "486" in file: "src/pkcs11.c": return "C_FindObjectsInit" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "490" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "490" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjectsFinal"
INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjectsFinal" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
INFO on line: "478" in file: "src/pkcs11.c": enter "C_GetAttributeValue"
INFO on line: "478" in file: "src/pkcs11.c": return "C_GetAttributeValue" value: 0
wlp1s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlp1s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin(a)example.org/CN=Example Certificate Authority' hash=4953d5815718f3e6c082969bd950d84c1b8dbba87cb45c4b15335387b34abdb8
wlp1s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin(a)example.org' hash=677cee54ddad924c818909397a5b3d1a8ff64d45ab8796648d47aa5fdc2d3f8f
INFO on line: "550" in file: "src/pkcs11.c": enter "C_SignInit"
INFO on line: "550" in file: "src/pkcs11.c": return "C_SignInit" value: 112
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
OpenSSL: openssl_handshake - SSL_connect error:8207A070:PKCS#11 module:pkcs11_private_encrypt:Mechanism invalid
OpenSSL: pending error: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
^Cnl80211: deinit ifname=p2p-dev-wlp1s0 disabled_11b_rates=0
p2p-dev-wlp1s0: CTRL-EVENT-TERMINATING
wlp1s0: CTRL-EVENT-DISCONNECTED bssid=58:6d:8f:9d:2f:9e reason=3 locally_generated=1
nl80211: deinit ifname=wlp1s0 disabled_11b_rates=0
wlp1s0: CTRL-EVENT-TERMINATING
INFO on line: "438" in file: "src/pkcs11.c": enter "C_CloseAllSessions"
INFO on line: "438" in file: "src/pkcs11.c": return "C_CloseAllSessions" value: 0
```
I've found some related issues, but I'm not sure it's the same problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1685470
https://forums.openvpn.net/viewtopic.php?f=6&t=28181
http://openssl.6102.n7.nabble.com/Issue-with-smartcard-authentication-for...
They mention that OpenSSL is expecting a raw signature and PKCS#11 is returning something else, but I'm not certain whether this is actually the case and, if so, how I can fix it.
Can anyone give me a pointer on what else to try? Is this an OpenSSL bug, or can it be solved from the tpm2-pkcs11 side?
2 years, 6 months
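The log above ends with C_SignInit returning 112 (0x70, CKR_MECHANISM_INVALID) from inside libp11's pkcs11_private_encrypt. The following is an added illustration by the editor, not code from the post, from tpm2-pkcs11 or from OpenSSL: it models what the OpenSSL engine path asks a token to do for an RSA TLS 1.2 CertificateVerify (OpenSSL hashes the transcript, wraps the digest in a DigestInfo and requests raw CKM_RSA_PKCS on that blob) and shows that a token advertising only CKM_SHA256_RSA_PKCS fails at exactly that step, while one that also accepts CKM_RSA_PKCS produces the identical signature. A tiny pure-Python RSA with a freshly generated 1024-bit demo key is an assumption standing in for the TPM-resident key so the script runs offline; the mechanism and return-code constants are the standard PKCS#11 values.

```python
# Added illustration (editor's code, not from the post nor the tpm2-pkcs11 project):
# what OpenSSL's pkcs11 engine asks a token to do for an RSA TLS 1.2
# CertificateVerify, and why a token offering only hash-and-sign mechanisms answers
# C_SignInit with CKR_MECHANISM_INVALID (0x70, printed as 112 in the log above).
# Assumption: a tiny pure-Python RSA with a fresh 1024-bit demo key stands in for the
# TPM-resident key so this runs offline (demo only: random.* is not a CSPRNG).
import hashlib
import random

CKR_OK = 0
CKR_MECHANISM_INVALID = 0x70        # == 112
CKM_RSA_PKCS = 0x01                 # raw PKCS#1 v1.5; the caller supplies the DigestInfo
CKM_SHA256_RSA_PKCS = 0x40          # token hashes with SHA-256 itself, then pads and signs
# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, sufficient for a demo key (n is always an odd 512-bit candidate)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa(bits=1024):
    """Returns (n, e, d); size chosen for speed, not as a recommendation."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


def emsa_pkcs1_v15(digest_info, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, exactly k bytes."""
    if k < len(digest_info) + 11:
        raise ValueError("key too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info


class Token:
    """Minimal PKCS#11-style signer: one RSA private key, a fixed mechanism list."""
    def __init__(self, key, mechanisms):
        self.n, self.e, self.d = key
        self.k = (self.n.bit_length() + 7) // 8
        self.mechanisms = frozenset(mechanisms)

    def c_sign(self, mechanism, data):
        """C_SignInit + C_Sign collapsed into one call; returns (rv, signature)."""
        if mechanism not in self.mechanisms:
            return CKR_MECHANISM_INVALID, None
        if mechanism == CKM_RSA_PKCS:
            digest_info = data               # already hashed and DER-wrapped by the caller
        else:                                # CKM_SHA256_RSA_PKCS (only these two are modelled)
            digest_info = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(data).digest()
        em = int.from_bytes(emsa_pkcs1_v15(digest_info, self.k), "big")
        return CKR_OK, pow(em, self.d, self.n).to_bytes(self.k, "big")


def engine_certificate_verify(token, transcript):
    """OpenSSL's RSA_sign() with an engine-backed key: OpenSSL hashes the handshake
    transcript, builds the DigestInfo and calls the engine's rsa_priv_enc (libp11:
    pkcs11_private_encrypt) with PKCS#1 v1.5 padding, i.e. raw CKM_RSA_PKCS."""
    digest_info = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(transcript).digest()
    return token.c_sign(CKM_RSA_PKCS, digest_info)


def verify_sha256_pkcs1_v15(n, e, message, signature):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    expected = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    return em == emsa_pkcs1_v15(expected, k)


def demo_certificate_verify():
    key = generate_rsa()
    transcript = b"constructed TLS 1.2 handshake transcript"   # constructed sample input
    hash_only = Token(key, {CKM_SHA256_RSA_PKCS})              # the failing token's mechanism list
    raw_too = Token(key, {CKM_SHA256_RSA_PKCS, CKM_RSA_PKCS})
    rv_fail, _ = engine_certificate_verify(hash_only, transcript)
    rv_ok, sig_raw = engine_certificate_verify(raw_too, transcript)
    _, sig_hashed = raw_too.c_sign(CKM_SHA256_RSA_PKCS, transcript)
    # Both mechanisms yield the identical signature: to satisfy the TLS client-auth path a
    # token only has to accept a caller-built DigestInfo under CKM_RSA_PKCS.
    same = sig_raw == sig_hashed and verify_sha256_pkcs1_v15(key[0], key[1], transcript, sig_raw)
    return rv_fail, rv_ok, same
```

The practical check this suggests is whether the module advertises CKM_RSA_PKCS at all (pkcs11-tool --module .../libtpm2_pkcs11.so --list-mechanisms); if it does not, no change on the OpenSSL or wpa_supplicant side can make the CertificateVerify succeed.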
RSA encryption - tpm2_getpubak
by Frederick Gotham
I'm using the latest version of 'tpm2-tools' and I'm trying to follow
an example I found online of doing RSA encryption/decryption inside
the TPM2 chip.
The example uses "tpm2_getpubek" and "tpm2_getpubak".
As these tools no longer exist, what has replaced them?
2 years, 7 months
Is there a way to get the name for an NV index in tpm2_tools?
by Steven Clark
I can't seem to find a way to get the name for an NV index using
any of the tpm2_tools, at least in 4.x . Does one of these commands
let me see it the way tpm2_readpublic does for persistent objects and
context blobs? Or is there a way to get a name out of the initial
write to the handle like tpm2_load?
2 years, 7 months
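Whatever the tools print, the Name of an NV index is a deterministic function of its public area, so it can be computed from the fields tpm2_nvreadpublic shows. The following is an added example by the editor, not tpm2-tools code: per the TPM 2.0 Library specification (Part 1, "Names"; Part 2, TPMS_NV_PUBLIC) the Name is nameAlg || H_nameAlg(marshalled TPMS_NV_PUBLIC). The handle, attributes and data size below are constructed sample values, and the demo shows the caveat that matters in practice: TPMA_NV_WRITTEN is part of the hashed public area, so the Name changes after the first write.

```python
# Added example (editor's code, not from tpm2-tools): computing the Name of an NV
# index from the public area that tpm2_nvreadpublic shows. Per the TPM 2.0 Library
# spec (Part 1, "Names"; Part 2, TPMS_NV_PUBLIC) the Name of an NV index is
# nameAlg || H_nameAlg(marshalled TPMS_NV_PUBLIC). The handle and attributes below
# are constructed sample values.
import hashlib
import struct

TPM2_ALG_SHA1, TPM2_ALG_SHA256 = 0x0004, 0x000B
_HASH = {TPM2_ALG_SHA1: hashlib.sha1, TPM2_ALG_SHA256: hashlib.sha256}

# A few TPMA_NV bits (TPM 2.0 Part 2, TPMA_NV); WRITTEN is set by the TPM on first write
TPMA_NV_PPWRITE = 1 << 0
TPMA_NV_OWNERWRITE = 1 << 1
TPMA_NV_AUTHWRITE = 1 << 2
TPMA_NV_POLICYWRITE = 1 << 3
TPMA_NV_OWNERREAD = 1 << 17
TPMA_NV_AUTHREAD = 1 << 18
TPMA_NV_WRITTEN = 1 << 29


def marshal_nv_public(nv_index, name_alg, attributes, auth_policy=b"", data_size=0):
    """TPMS_NV_PUBLIC, big-endian: UINT32 nvIndex, UINT16 nameAlg, UINT32 attributes,
    TPM2B_DIGEST authPolicy (UINT16 size + bytes), UINT16 dataSize."""
    if name_alg not in _HASH:
        raise ValueError("unsupported nameAlg 0x%04x" % name_alg)
    if auth_policy and len(auth_policy) != _HASH[name_alg]().digest_size:
        raise ValueError("authPolicy must be empty or a nameAlg-sized digest")
    return (struct.pack(">IHI", nv_index, name_alg, attributes)
            + struct.pack(">H", len(auth_policy)) + auth_policy
            + struct.pack(">H", data_size))


def nv_name(nv_index, name_alg, attributes, auth_policy=b"", data_size=0):
    """Name = nameAlg (UINT16) || H_nameAlg(marshalled public area)."""
    public = marshal_nv_public(nv_index, name_alg, attributes, auth_policy, data_size)
    return struct.pack(">H", name_alg) + _HASH[name_alg](public).digest()


def demo_nv_name():
    """Same index before and after its first write: the Name differs because
    TPMA_NV_WRITTEN is part of the public area that gets hashed."""
    index = 0x01500016                                   # constructed handle in the NV range
    attrs = TPMA_NV_OWNERWRITE | TPMA_NV_OWNERREAD | TPMA_NV_AUTHREAD
    before = nv_name(index, TPM2_ALG_SHA256, attrs, data_size=32)
    after = nv_name(index, TPM2_ALG_SHA256, attrs | TPMA_NV_WRITTEN, data_size=32)
    return before, after
```

The consequence for policy work: anything that binds to the Name of an NV index (TPM2_PolicyNV, TPM2_PolicyAuthorizeNV, TPM2_PolicyNameHash) has to be computed against the Name the index will have when the policy is evaluated, which for a freshly defined index means after its first write.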
TPM 2.0 over TCP/IP
by pneumiller@directstream.com
The IBM TPM 2.0 simulator uses TCP/IP to carry the TPM 2.0 commands. Where is this protocol specified? I noticed wireshark decodes it. Is there an IETF RFC or some other standard?
Thanks,
Phil
2 years, 7 months
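For reference, the framing the simulator uses on its command and platform ports, as an added example by the editor (not code from the IBM simulator or from tpm2-tss). There is no RFC: the protocol is defined by the simulator sources (TpmTcpProtocol.h in the Microsoft reference implementation that IBM's simulator derives from), and it is what the tpm2-tss "mssim" TCTI speaks. The constants and byte layout below are as the editor understands that header and should be checked against the simulator version in use; the "simulator" in the script is a constructed stand-in that only answers TPM2_Startup, so the exchange runs offline.

```python
# Added example (editor's code, not from the IBM simulator or tpm2-tss): the framing
# the simulator speaks on its command port, as the tpm2-tss "mssim" TCTI implements
# it. There is no RFC; the protocol is defined by the simulator sources
# (TpmTcpProtocol.h). Constants and layout below are as the editor understands that
# header; verify them against your simulator version. The "simulator" here is a
# constructed stand-in that only answers TPM2_Startup.
import struct

# Platform-port signals and command-port request types (TpmTcpProtocol.h values)
TPM_SIGNAL_POWER_ON = 1
TPM_SIGNAL_POWER_OFF = 2
TPM_SEND_COMMAND = 8
TPM_SESSION_END = 20

# TPM 2.0 command-stream constants (TPM 2.0 Library spec, Part 2)
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_Startup = 0x00000144
TPM_SU_CLEAR = 0x0000
TPM_RC_SUCCESS = 0x000
TPM_RC_COMMAND_CODE = 0x143


def frame_platform_signal(signal):
    """Platform port (a second TCP socket): the bare UINT32 signal; the reply is UINT32 0."""
    return struct.pack(">I", signal)


def frame_command(command, locality=0):
    """Command port request: UINT32 TPM_SEND_COMMAND, BYTE locality, UINT32 length, bytes."""
    return struct.pack(">IBI", TPM_SEND_COMMAND, locality, len(command)) + command


def frame_response(response):
    """Command port reply: UINT32 length, bytes, UINT32 acknowledgement (0)."""
    return struct.pack(">I", len(response)) + response + struct.pack(">I", 0)


def parse_request(stream):
    """Server side. Returns (locality, command, remaining bytes); rejects short frames."""
    if len(stream) < 9:
        raise ValueError("short frame header")
    tag, locality, size = struct.unpack_from(">IBI", stream)
    if tag != TPM_SEND_COMMAND:
        raise ValueError("unexpected request type %d" % tag)
    if len(stream) < 9 + size:
        raise ValueError("truncated command body")
    return locality, stream[9:9 + size], stream[9 + size:]


def parse_response(stream):
    """Client side. Returns (response, remaining bytes); checks both lengths and the ack."""
    if len(stream) < 4:
        raise ValueError("short response header")
    size, = struct.unpack_from(">I", stream)
    if len(stream) < 8 + size:
        raise ValueError("truncated response")
    ack, = struct.unpack_from(">I", stream, 4 + size)
    if ack != 0:
        raise ValueError("simulator reported error %d" % ack)
    return stream[4:4 + size], stream[8 + size:]


def tpm_command(tag, command_code, params=b""):
    """TPM command header: UINT16 tag, UINT32 commandSize (header included), UINT32 commandCode."""
    return struct.pack(">HII", tag, 10 + len(params), command_code) + params


def tpm_response_code(response):
    """Returns responseCode after checking the header's own size field against what arrived."""
    _tag, size, rc = struct.unpack_from(">HII", response)
    if size != len(response):
        raise ValueError("responseSize %d does not match %d bytes received" % (size, len(response)))
    return rc


def fake_simulator(request):
    """Constructed stand-in for the simulator's command-port handler."""
    _locality, command, _rest = parse_request(request)
    _tag, _size, command_code = struct.unpack_from(">HII", command)
    rc = TPM_RC_SUCCESS if command_code == TPM_CC_Startup else TPM_RC_COMMAND_CODE
    return frame_response(struct.pack(">HII", TPM_ST_NO_SESSIONS, 10, rc))


def demo_mssim_exchange():
    """TPM2_Startup(TPM_SU_CLEAR) over the command port, both directions."""
    wire_request = frame_command(tpm_command(TPM_ST_NO_SESSIONS, TPM_CC_Startup,
                                             struct.pack(">H", TPM_SU_CLEAR)))
    wire_reply = fake_simulator(wire_request)
    response, leftover = parse_response(wire_reply)
    return wire_request.hex(), wire_reply.hex(), tpm_response_code(response), leftover
```

Note that the framing carries no authentication or confidentiality: whoever can reach the two TCP ports owns the simulated TPM, which is fine on localhost and the reason the simulator should never be exposed on a network interface.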
[RELEASE] tpm2-tools v4.1
by Imran Desai
Hello,
I am happy to announce the release of tpm2-tools v4.1
Some highlights of this release are as follows.
* New tools added to support commands:
TPM2_CertifyCreation, TPM2_ChangeEPS, TPM2_ChangePPS, TPM2_ClockRateAdjust,
TPM2_GetTime, TPM2_NV_Certify, TPM2_NV_Extend, TPM2_NV_Setbits,
TPM2_NV_UndefineSpaceSpecial, TPM2_NV_Writelock, TPM2_PolicyAuthorizeNV,
TPM2_PolicyAuthValue, TPM2_PolicyCounterTimer, TPM2_PolicyNameHash,
TPM2_PolicyNV, TPM2_NV_Written, TPM2_PolicySigned, TPM2_PolicyTemplate,
TPM2_PolicyTicket, TPM2_ReadClock, TPM2_ClockSet, TPM2_SetPrimaryPolicy,
TPM2_Shutdown.
* Resource manager dependency updated: tpm2-abrmd v2.3.0
* Bug fixes and additional options to existing tools.
1. tpm2_checkquote: Fix YAML bug
2. tpm2_policysecret: Add options to specify expiration, ticket, timeout,
qualification data.
3. tpm2_create/ tpm2_createprimary: Add options to specify creation-data,
creation-ticket, creation-hash, outside-info, pcr-list
4. Skip the man page install step, with a notice, when pandoc is missing.
5. Support "tpmt" as public key output format that saves the TPMT structure.
6. Add support for specifying NV index type when specifying NV attributes.
7. Fixed routine files_load_bytes_from_buffer_or_file_or_stdin, which could read
one short of a UINT16 and overflow when the buffer isn't a UINT16.
8. Fix precedence issue with bitwise operator order in tpm2_getcap
9. tpm2_util.c: Fix an issue where an int variable size was checked against a uint
10. pcr.c: Fix buffer length issue to support all defined hash algorithms
Please see the changelog for additional details of this release.
2 years, 7 months
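Item 7 in the list above is a length-prefix read that could run short of its own UINT16 header. As an added illustration by the editor (not the tpm2-tools routine, whose code is not on this page), here is the pattern on a generic TPM2B loader: the unchecked version trusts the size prefix and slices, which in Python silently truncates and in C reads past the buffer, next to a strict version that validates the prefix, the body and an optional maximum before touching any bytes. All inputs are constructed.

```python
# Added example (editor's code, not tpm2-tools'): the class of bug behind item 7 of the
# release notes, shown on a generic TPM2B (UINT16 size prefix + body) loader. The
# lenient variant is a constructed illustration of the pattern, not the fixed routine.
import struct


def tpm2b_unmarshal_lenient(buf):
    """Unchecked pattern: trusts the prefix and slices. Here the slice silently
    truncates (b"" or a short body); the same code in C reads out of bounds."""
    size = int.from_bytes(buf[:2], "big")      # buf[:2] may be 0 or 1 byte long
    return buf[2:2 + size]


def tpm2b_unmarshal(buf, offset=0, max_size=None):
    """Strict loader: returns (body, new_offset); every length is checked before use,
    and new_offset lets the caller walk a sequence of TPM2Bs safely."""
    if len(buf) - offset < 2:
        raise ValueError("buffer too short for TPM2B size prefix")
    size, = struct.unpack_from(">H", buf, offset)
    if max_size is not None and size > max_size:
        raise ValueError("TPM2B size %d exceeds maximum %d" % (size, max_size))
    start = offset + 2
    if len(buf) - start < size:
        raise ValueError("TPM2B body truncated: need %d bytes, have %d" % (size, len(buf) - start))
    return buf[start:start + size], start + size


def demo_tpm2b():
    good = b"\x00\x03abc"
    one_byte = b"\x03"                 # constructed: shorter than the UINT16 prefix itself
    short_body = b"\x00\x10abc"        # constructed: claims 16 bytes, carries 3
    lenient = (tpm2b_unmarshal_lenient(one_byte), tpm2b_unmarshal_lenient(short_body))
    strict_errors = []
    for bad in (one_byte, short_body):
        try:
            tpm2b_unmarshal(bad)
        except ValueError as exc:
            strict_errors.append(str(exc))
    return tpm2b_unmarshal(good)[0], lenient, strict_errors
```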
Approaching 100 hours of troubleshooting
by Frederick Gotham
Hi
I'm trying to get the TPM2 working in embedded Linux, and I've been
troubleshooting for nearly two weeks now.
I thought it would be a good idea to get the latest releases of the
following packages:
tpm2-tss
tpm2-tools
tpm2-tss-engine
And also the latest commit of: tpm2-pkcs11
All I have succeeded in doing so far is getting random numbers from the
TPM2 chip. I haven't been able to store (or retrieve) keys, nor have I been
able to encrypt or decrypt data.
The first problem I'm having is that the command line options for the tools
(and also scripts) have been changed several times. Every time I try to
follow an example I find on the web, I get "unrecognised option -C".
In order to try to follow examples I find online, I have repeatedly upgraded
and downgraded my versions of the packages, sometimes even mixing old tools
with new tools (sometimes even rewinding to a historical commit on GitHub
between official releases).
Can someone please suggest which are the best stable versions of these
packages for working with embedded Linux?
Another thing:
When my device boots up, I can go into the BIOS where I see a lot of
options for Trusted Platform. I'm not exactly sure what these options
actually do. Can someone advise me which settings in particular to watch
out for? I see one about fTPM but I'm not sure what it does.
2 years, 7 months
Importing AES key protected by PolicyAuthorize
by Andrey Larionov
Hello. First of all I would like to thank all the contributors of the project
for such tremendous work in creating a really pleasant experience for such a
complicated topic.
I previously asked this question via a GitHub issue, so I just closed it and am
cross-posting to the mailing list.
I'm trying to permanently import an AES key into the TPM, and use this sequence of
commands for it:
tpm2_import -C -G aes -i -r -u
tpm2_load -C -u -r -n -c
tpm2_evictcontrol -c
And this works fine. But when I try to import a key protected by a policy,
generated with tpm2_policyauthorize, via the -L argument of tpm2_import, I get
this error message, which I think is irrelevant, because I don't import a
duplicated key:
ERROR: Expected SymSeed to be specified via "-s", missing option.
Did I misunderstand something? Is it achievable?
Also, I think this CLI parameter, -L, in tpm2_import could have better
documentation. It's unclear what policy should be specified and how it
would be used.
I'll try to clarify my needs:
I would like to provision many TPM2 devices with the same, externally generated,
AES key in the Platform Hierarchy (but only the AES key should be the same; primary
objects and parent objects should differ).
I need this key to be persisted inside TPM.
I would like to have this AES key protected by a flexible policy
(TPM2_PolicyAuthorize), to be accessed in the target system with an obtainable
policy.
So I expect to use this sequence (briefly, without session management
commands):
tpm2_createprimary
tpm2_loadexternal
tpm2_policyauthorize
tpm2_import
tpm2_load
tpm2_evictcontrol
What am i missing here?
2 years, 7 months
Available as a newsgroup? (gmane)
by Frederick Gotham
Hi
Is this mailing list available as a newsgroup? I would like to browse
it and post to it from my favourite news reader, Xnews.
If it's not available as a newsgroup, I think you should see about
getting it added to news.gmane.org, as this server has tens of thousands
of mailing lists made available as newsgroups (e.g. linux kernel,
boost, openssl).
Frederick
2 years, 7 months
raspi tpm in lockdown
by Dennis Knorr
Hi,
I tried to play with a TPM from letstrust.de. I played around a bit,
but now it seems to be in lockdown:
https://pastebin.com/S59y4tQk
but I am SURE that I have the correct password. Any idea what I did
wrong? Anything I can do? Could I remove the TPM chip from the
Raspberry? Would that help?
I hope you can help me.
Dennis
2 years, 7 months