February 2019 - tpm2 - Ml01.01.Org

by Tricca, Philip B

Hello, There was a race condition fixed in the tabrmd last week. Fixes were merged into both the 1.x and 2.x branches. I've just signed tags for bug fix releases of both: https://github.com/tpm2-software/tpm2-abrmd/releases/tag/1.3.3_rc0 https://github.com/tpm2-software/tpm2-abrmd/releases/tag/2.1.1_rc0 Please send feedback during the RC window if you have any. Regards, Philip

8 months, 1 week

1
1
0 / 0

when SPI controller is DMA mode, TPM can not work

by Sherry Zhang(BJ-RD)

HI All, X86, kernel4.16: SPI port0 flash is used to boot BIOS. SPI port1 flash is a device. SPI port2 is connected with TPM. I set the SPI controller is DMA mode, port0/1 flash can work well. devmem 0xfed40000 OS hang and reboot can not work .So I poweroff. Does anyone know what is cause? ????? ????????????????????????????????????????????????????? CONFIDENTIAL NOTE: This email contains confidential or legally privileged information and is for the sole use of its intended recipient. Any unauthorized review, use, copying or forwarding of this email or the content of this email is strictly prohibited.

8 months, 2 weeks

3
2
0 / 0

Re: [tpm2] tpm2 Digest, Vol 20, Issue 17

by Desai, Imran

@Petko Manolov here is the output from my platform with fTPM or PTT as the TPM and I found everything functional openssl genrsa -out signing_key_private.pem 2048 Generating RSA private key, 2048 bit long modulus ..+++ ............+++ e is 65537 (0x10001) openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout writing RSA key tpm2_loadexternal -G rsa -a o -u signing_key_public.pem -o signing_key.ctx -n signing_key.name handle: 0x800000FF name: 0x000b4edf4140b498c3ef6a496f98f0d034712786753e5677a22663816b612b075dba tpm2_pcrlist -L sha256:0 -o pcr0.sha256 sha256: 0 : 0x16F10FB8CDE64A05CF2CED6B30F35FF063E3CF1F4A9E95A99A98FA1F4D3A42CF tpm2_startauthsession -S session.ctx session-handle: 0x3000000 tpm2_policypcr -S session.ctx -L sha256:0 -F pcr0.sha256 -f pcr.policy policy-digest: 0x31FDC9AA71500875760FC2FF37862C932FDFF48E10F1A648D1EAFDD49B35F015 tpm2_flushcontext -S session.ctx openssl dgst -sha256 -sign signing_key_private.pem -out pcr.signature pcr.policy tpm2_startauthsession -S session.ctx session-handle: 0x3000000 tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy -n signing_key.name b09780f1e8afcb441ce7ba2bd040114ce5c062f7325b9c49dfb21a86bf8a4531 tpm2_flushcontext -S session.ctx tpm2_createprimary -Q -a o -g sha256 -G rsa -o prim.ctx -P owner tpm2_create -Q -g sha256 -u sealing_pubkey.pub -r sealing_prikey.pub -I- -C prim.ctx -L authorized.policy <<< "secret to seal" tpm2_verifysignature -c signing_key.ctx -G sha256 -m pcr.policy -s pcr.signature -t verification.tkt -f rsassa tpm2_startauthsession -a -S session.ctx session-handle: 0x3000000 tpm2_policypcr -Q -S session.ctx -L sha256:0 -f pcr.policy tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy -n signing_key.name -t verification.tkt b09780f1e8afcb441ce7ba2bd040114ce5c062f7325b9c49dfb21a86bf8a4531 tpm2_load -Q -C prim.ctx -u sealing_pubkey.pub -r sealing_prikey.pub -o sealing_key.ctx unsealed=`tpm2_unseal -p "session:session.ctx" -c sealing_key.ctx` echo $unsealed secret to seal tpm2_flushcontext -S session.ctx tpm2_getcap -c properties-fixed | grep -i vendor_string -A2 TPM2_PT_VENDOR_STRING_1: raw: 0x496E7465 value: "Inte" TPM2_PT_VENDOR_STRING_2: raw: 0x6C000000 value: "l" TPM2_PT_VENDOR_STRING_3: raw: 0x0 value: "" TPM2_PT_VENDOR_STRING_4: raw: 0x0 value: "" tpm2_getcap --version tool="tpm2_getcap" version="3.0.2-734-g253e290" tctis="dynamic" tcti-default=tabrmd dlclose=enabled On 2/22/19, 9:21 AM, "tpm2 on behalf of tpm2-request(a)lists.01.org" <tpm2-bounces(a)lists.01.org on behalf of tpm2-request(a)lists.01.org> wrote: Send tpm2 mailing list submissions to tpm2(a)lists.01.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.01.org/mailman/listinfo/tpm2 or, via email, send a message with subject or body 'help' to tpm2-request(a)lists.01.org You can reach the person managing the list at tpm2-owner(a)lists.01.org When replying, please edit your Subject line so it is more specific than "Re: Contents of tpm2 digest..." Today's Topics: 1. Re: tpm2 Digest, Vol 20, Issue 16 (Desai, Imran) 2. tpm2-tss-engine (for OpenSSL) v1.0.0-rc0 (Fuchs, Andreas) 3. tpm2-totp v0.1.0-rc0 (Fuchs, Andreas) 4. tpm2_encryptdecrypt : other mode than the persistent key (Gael GUEGAN) ---------------------------------------------------------------------- Message: 1 Date: Thu, 21 Feb 2019 20:18:25 +0000 From: "Desai, Imran" <imran.desai(a)intel.com> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org> Subject: Re: [tpm2] tpm2 Digest, Vol 20, Issue 16 Message-ID: <688D07BB9E3A9E4A852BA1336D1910FF83EFCBCB(a)fmsmsx104.amr.corp.intel.com> Content-Type: text/plain; charset="us-ascii" Persistent handles start with hex 81xxxxxx ________________________________________ From: tpm2 [tpm2-bounces(a)lists.01.org] on behalf of tpm2-request(a)lists.01.org [tpm2-request(a)lists.01.org] Sent: Thursday, February 21, 2019 1:00 PM To: tpm2(a)lists.01.org Subject: tpm2 Digest, Vol 20, Issue 16 Send tpm2 mailing list submissions to tpm2(a)lists.01.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.01.org/mailman/listinfo/tpm2 or, via email, send a message with subject or body 'help' to tpm2-request(a)lists.01.org You can reach the person managing the list at tpm2-owner(a)lists.01.org When replying, please edit your Subject line so it is more specific than "Re: Contents of tpm2 digest..." Today's Topics: 1. Roadblock using TPM2 for mounting filesystems (martin doc) 2. Re: facilitating BIOS update with seamless PCR policy change (Petko Manolov) ---------------------------------------------------------------------- Message: 1 Date: Thu, 21 Feb 2019 01:18:10 +0000 From: martin doc <db1280(a)hotmail.com> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org> Subject: [tpm2] Roadblock using TPM2 for mounting filesystems Message-ID: <SL2P216MB0266A71D9099EBA6243311BCC27E0(a)SL2P216MB0266.KORP216.PROD.OUTLOOK.COM> Content-Type: text/plain; charset="iso-8859-1" I'm trying to get TPM2 working with encrypted filesystems on CentOS 7. I started out using this page as a guide: https://threat.tevora.com/secure-boot-tpm-2/ but some of the CLI has changed. The commands I've used are: # dmesg | grep tpm_tis [ 1.919443] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 16) # tpm2_createpolicy -P -L sha1:0,2,3,7 -F pcrs.bin -f policy.digest # tpm2_createprimary -H e -g sha1 -G rsa -C primary.context ObjectAttribute: 0x00030072 CreatePrimary Succeed ! Handle: 0x800000ff # dd if=/dev/urandom of=/tmp/secret.bin bs=32 count=1 # tpm2_create -g sha256 -G keyedhash -u obj.pub -r obj.priv -c primary.context -L policy.digest -A "noda|adminwithpolicy|fixedparent|fixedtpm" -I /tmp/secret.bin Load object into the TPM # tpm2_load -c primary.context -u obj.pub -r obj.priv -C load.context Load succ. LoadedHandle: 0x80000100 But the final step fails: # tpm2_evictcontrol -A o -c load.context -S 0x80000100 persistentHandle: 0x80000100 ERROR: EvictControl failed, error code: 0x1c4 # tpm2_rc_decode 0x1c4 error layer hex: 0x0 identifier: TSS2_TPM_ERROR_LEVEL description: Error produced by the TPM format 1 error code hex: 0x04 identifier: TPM_RC_VALUE description: value is out of range or is not correct for the context parameter hex: 0x100 identifier: TPM_RC_1 description: (null) The error description is a clue that the "-S #" is not right. It also doens't work if I use the handle value for the primary. Is there another step in here that I'm missing? -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.01.org/pipermail/tpm2/attachments/20190221/124e306a/attachme...> ------------------------------ Message: 2 Date: Thu, 21 Feb 2019 15:12:45 +0200 From: Petko Manolov <sti(a)nucleusys.com> To: "Roberts, William C" <william.c.roberts(a)intel.com> Cc: "Desai, Imran" <imran.desai(a)intel.com>, "tpm2(a)lists.01.org" <tpm2(a)lists.01.org> Subject: Re: [tpm2] facilitating BIOS update with seamless PCR policy change Message-ID: <20190221131245.GA2213@p310> Content-Type: text/plain; charset=us-ascii Hi, Yet another update: the same script works fine on dTPM, regardless of the type of PCR bank used - sha1 or sha256. I am currently trying to debug Esys_Unseal(0x8F) - invalid nonce size or nonce value mismatch problem. Any suggestions where shall i start looking at? thanks, Petko On 19-02-20 15:05:33, Petko Manolov wrote: > Hello, > > Just FYI - another fTPM is giving me the same error: > > WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error > ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f) > ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch > ERROR: Unseal failed! > ERROR: Unable to run tpm2_unseal > > The machine is LENOVO P310, BIOS FWKT97A 11/08/2018, Sunrise Point-H chipset. > Could you please give me some pointers as to how this could be worked around? > > > thanks, > Petko > > > On 19-02-18 10:20:26, Petko Manolov wrote: > > I am sorry that this didn't go through because of the attached script. I'm > > embedding it to this email so i'd like to apologize about the bloat. > > > > --- > > > > #!/bin/bash > > > > source common.sh > > > > # Create a signing authority > > openssl genrsa -out signing_key_private.pem 2048 > > openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout > > tpm2_loadexternal -G rsa -a o -u signing_key_public.pem -o signing_key.ctx \ > > -n signing_key.name > > > > echo "Signing authority created" > > > > # Create a policy to be authorized like a pcr policy: > > tpm2_pcrlist -L $PCRS -o pcrs.sha256 > > tpm2_startauthsession -S session.ctx > > tpm2_policypcr -S session.ctx -L $PCRS -F pcrs.sha256 -f pcr.policy > > tpm2_flushcontext -S session.ctx > > rm -f session.ctx > > > > echo "pcr policy created" > > > > # Sign the policy > > openssl dgst -sha256 -sign signing_key_private.pem -out pcr.signature pcr.policy > > > > echo "policy is signed" > > > > # Authorize the policy in the policy digest: > > tpm2_startauthsession -S session.ctx > > tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy \ > > -n signing_key.name > > tpm2_flushcontext -S session.ctx > > rm -f session.ctx > > > > echo "policy authorized" > > > > # Create a TPM object like a sealing object with the authorized policy > > # based authentication: > > echo "secret to seal 123" > secret_file > > tpm2_createprimary -Q -a o -g sha256 -G rsa -o prim.ctx > > tpm2_create -Q -g sha256 -u sealing_pubkey.pub -r sealing_prikey.pub \ > > -I secret_file -C prim.ctx -L authorized.policy > > > > echo "sealing object created" > > > > # Satisfy policy and unseal the secret: > > tpm2_verifysignature -c signing_key.ctx -G sha256 -m pcr.policy \ > > -s pcr.signature -t verification.tkt -f rsassa > > tpm2_startauthsession -a -S session.ctx > > tpm2_policypcr -Q -S session.ctx -L $PCRS -f pcr.policy > > tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy \ > > -n signing_key.name -t verification.tkt > > tpm2_load -Q -C prim.ctx -u sealing_pubkey.pub -r sealing_prikey.pub \ > > -o sealing_key.ctx > > tpm2_unseal -p "session:session.ctx" -c sealing_key.ctx -o unsealed > > cat unsealed > > tpm2_flushcontext -S session.ctx > > rm -f session.ctx unsealed > > > > echo "the end" > > > > --- > > > > > > thanks, > > Petko > > > > > > On 19-02-18 09:48:37, Petko Manolov wrote: > > > Hello again, > > > > > > I managed to get authorized PCR policies to work for me. The attached script > > > works fine on my thinkpad and on rpi3 with Infineon's SLB9670 SPI TPM2. > > > > > > However, i stumbled upon a problem with an fTPM implementation in a very recent > > > AMI BIOS. Everything seems to be working properly, until i get tpm2_unseal to > > > give me the error below. The tpm2-tools is built with at-the-time tip of git > > > commit id: > > > > > > 872076e1b31f22b18391c6761d47575a93891cd7 > > > > > > tpm2_unseal -v: > > > > > > tool="tpm2_unseal" version="3.0.2-858-g88956e75" tctis="dynamic" tcti-default=tabrmd dlclose=enabled > > > > > > tpm-tss is v2.1.0 and tpm-abrmd is v2.0.3. Unfortunately the error message does > > > not mean much for me so any help will be greatly appreciated. > > > > > > > > > thanks, > > > Petko > > > > > > > > > > > > --- > > > > > > Generating RSA private key, 2048 bit long modulus > > > ..............................+++++ > > > ...........................................+++++ > > > e is 65537 (0x10001) > > > writing RSA key > > > transient-context: signing_key.ctx > > > name: 0x000b5e069ba4b591842c25155d812f635970dabe7cee663aff121088940f88e2da80 > > > Signing authority created > > > sha256: > > > 0 : 0x647992CBC9EEBF49D367559D870620C324B1A4307EB2A6166F1ACEC0DC186AEA > > > 1 : 0x519B03509291B643DA7FEC4407FFC47C1C18AF706A611ECA1C159D4608342338 > > > 2 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB > > > 3 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB > > > session-context: session.ctx > > > policy-digest: 0x22035897291FE4681D7800685BFC5C73EBCBB88C7A579AB20C2E345A9815FDFE > > > pcr policy created > > > policy is signed > > > session-context: session.ctx > > > 45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1 > > > policy authorized > > > sealing object created > > > session-context: session.ctx > > > 45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1 > > > WARNING:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error > > > ERROR:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f) > > > ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch > > > ERROR: Unseal failed! > > > ERROR: Unable to run tpm2_unseal > > > cat: unsealed: No such file or directory > > > the end > > > > > > _______________________________________________ > > tpm2 mailing list > > tpm2(a)lists.01.org > > https://lists.01.org/mailman/listinfo/tpm2 > > > _______________________________________________ > tpm2 mailing list > tpm2(a)lists.01.org > https://lists.01.org/mailman/listinfo/tpm2 > ------------------------------ Subject: Digest Footer _______________________________________________ tpm2 mailing list tpm2(a)lists.01.org https://lists.01.org/mailman/listinfo/tpm2 ------------------------------ End of tpm2 Digest, Vol 20, Issue 16 ************************************ ------------------------------ Message: 2 Date: Fri, 22 Feb 2019 11:02:39 +0000 From: "Fuchs, Andreas" <andreas.fuchs(a)sit.fraunhofer.de> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org> Subject: [tpm2] tpm2-tss-engine (for OpenSSL) v1.0.0-rc0 Message-ID: <9F48E1A823B03B4790B7E6E69430724D0162E56DED(a)exch2010c.sit.fraunhofer.de> Content-Type: text/plain; charset="us-ascii" Hello all, the first release candidate for the first stable version of the tpm2-tss-engine 1.0.0-rc0 is out: https://github.com/tpm2-software/tpm2-tss-engine/releases/tag/v1.0.0-rc0 Please give it some rigorous testing and review, given that it is the first stable version to appear. Any feedback is highly appreciated. Thanks a lot, Andreas ------------------------------ Message: 3 Date: Fri, 22 Feb 2019 11:02:42 +0000 From: "Fuchs, Andreas" <andreas.fuchs(a)sit.fraunhofer.de> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org> Subject: [tpm2] tpm2-totp v0.1.0-rc0 Message-ID: <9F48E1A823B03B4790B7E6E69430724D0162E56DF4(a)exch2010c.sit.fraunhofer.de> Content-Type: text/plain; charset="us-ascii" Hello all, the first release candidate for the first unstable version of tpm2-totp 0.1.0-rc0 is out: https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.1.0-rc0 Please give it some rigorous testing and review, given that it is the first version to appear. Any feedback is highly appreciated. Thanks a lot, Andreas ------------------------------ Message: 4 Date: Fri, 22 Feb 2019 16:21:04 +0000 From: Gael GUEGAN <Gael.Guegan(a)non.se.com> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org> Subject: [tpm2] tpm2_encryptdecrypt : other mode than the persistent key Message-ID: <VI1PR04MB5424E6EB722498DFF8B16B54DC7F0(a)VI1PR04MB5424.eurprd04.prod.outlook.com> Content-Type: text/plain; charset="us-ascii" When using the command : **tpm2_encryptdecrypt**, should we be able to cipher with a different mode than the one specified in the key ? For example, if I have created a persistent **aes256cfb** : ```shell Tpm2_listpersistent - handle: 0x81000001 name-alg: value: sha256 raw: 0xb attributes: value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign raw: 0x60072 type: value: symcipher raw: 0x25 sym-alg: value: aes raw: 0x6 sym-mode: value: ctr raw: 0x40 sym-keybits: 128 symcipher: 873f743994e47004602011039322b108b49318c305b4f5eeace36b1fe634e36d tpm2_encryptdecrypt -c 0x81000001 -I data.txt -o enc_data.txt -G cbc ERROR: Esys_EncryptDecrypt(0x2C9) - tpm:parameter(2):mode of operation not supported ``` This does not work ... ```shell tpm2_encryptdecrypt -c 0x8100001 -I data.txt -o enc_data.txt -G cfb ``` This works ... Why the option -G exists, if it is to specified a mode already present in the key ? -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.01.org/pipermail/tpm2/attachments/20190222/9161c08b/attachme...> ------------------------------ Subject: Digest Footer _______________________________________________ tpm2 mailing list tpm2(a)lists.01.org https://lists.01.org/mailman/listinfo/tpm2 ------------------------------ End of tpm2 Digest, Vol 20, Issue 17 ************************************

8 months, 2 weeks

2
1
0 / 0

TSS-Engine store primary key in TPM

by Bastian Fraune

Hey guys, thanks for the great contributions to the Linux TPM2 and TSS Software! We are working with the TSS-Engine for OpenSSL and wonder how it is possible to create RSA keys, where the private key remains in the TPM. Did we understood something wrong with the OpenSSL for TPM impl? Thanks in advance, best, Bastian Fraune

8 months, 3 weeks

2
1
0 / 0

tpm2_encryptdecrypt : other mode than the persistent key

by Gael GUEGAN

When using the command : **tpm2_encryptdecrypt**, should we be able to cipher with a different mode than the one specified in the key ? For example, if I have created a persistent **aes256cfb** : ```shell Tpm2_listpersistent - handle: 0x81000001 name-alg: value: sha256 raw: 0xb attributes: value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign raw: 0x60072 type: value: symcipher raw: 0x25 sym-alg: value: aes raw: 0x6 sym-mode: value: ctr raw: 0x40 sym-keybits: 128 symcipher: 873f743994e47004602011039322b108b49318c305b4f5eeace36b1fe634e36d tpm2_encryptdecrypt -c 0x81000001 -I data.txt -o enc_data.txt -G cbc ERROR: Esys_EncryptDecrypt(0x2C9) - tpm:parameter(2):mode of operation not supported ``` This does not work ... ```shell tpm2_encryptdecrypt -c 0x8100001 -I data.txt -o enc_data.txt -G cfb ``` This works ... Why the option -G exists, if it is to specified a mode already present in the key ?

8 months, 3 weeks

2
2
0 / 0

tpm2-totp v0.1.0-rc0

by Fuchs, Andreas

Hello all, the first release candidate for the first unstable version of tpm2-totp 0.1.0-rc0 is out: https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.1.0-rc0 Please give it some rigorous testing and review, given that it is the first version to appear. Any feedback is highly appreciated. Thanks a lot, Andreas

8 months, 3 weeks

1
0
0 / 0

tpm2-tss-engine (for OpenSSL) v1.0.0-rc0

by Fuchs, Andreas

Hello all, the first release candidate for the first stable version of the tpm2-tss-engine 1.0.0-rc0 is out: https://github.com/tpm2-software/tpm2-tss-engine/releases/tag/v1.0.0-rc0 Please give it some rigorous testing and review, given that it is the first stable version to appear. Any feedback is highly appreciated. Thanks a lot, Andreas

8 months, 3 weeks

1
0
0 / 0

Re: [tpm2] tpm2 Digest, Vol 20, Issue 16

by Desai, Imran

Persistent handles start with hex 81xxxxxx ________________________________________ From: tpm2 [tpm2-bounces(a)lists.01.org] on behalf of tpm2-request(a)lists.01.org [tpm2-request(a)lists.01.org] Sent: Thursday, February 21, 2019 1:00 PM To: tpm2(a)lists.01.org Subject: tpm2 Digest, Vol 20, Issue 16 Send tpm2 mailing list submissions to tpm2(a)lists.01.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.01.org/mailman/listinfo/tpm2 or, via email, send a message with subject or body 'help' to tpm2-request(a)lists.01.org You can reach the person managing the list at tpm2-owner(a)lists.01.org When replying, please edit your Subject line so it is more specific than "Re: Contents of tpm2 digest..." Today's Topics: 1. Roadblock using TPM2 for mounting filesystems (martin doc) 2. Re: facilitating BIOS update with seamless PCR policy change (Petko Manolov) ---------------------------------------------------------------------- Message: 1 Date: Thu, 21 Feb 2019 01:18:10 +0000 From: martin doc <db1280(a)hotmail.com> To: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org> Subject: [tpm2] Roadblock using TPM2 for mounting filesystems Message-ID: <SL2P216MB0266A71D9099EBA6243311BCC27E0(a)SL2P216MB0266.KORP216.PROD.OUTLOOK.COM> Content-Type: text/plain; charset="iso-8859-1" I'm trying to get TPM2 working with encrypted filesystems on CentOS 7. I started out using this page as a guide: https://threat.tevora.com/secure-boot-tpm-2/ but some of the CLI has changed. The commands I've used are: # dmesg | grep tpm_tis [ 1.919443] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 16) # tpm2_createpolicy -P -L sha1:0,2,3,7 -F pcrs.bin -f policy.digest # tpm2_createprimary -H e -g sha1 -G rsa -C primary.context ObjectAttribute: 0x00030072 CreatePrimary Succeed ! Handle: 0x800000ff # dd if=/dev/urandom of=/tmp/secret.bin bs=32 count=1 # tpm2_create -g sha256 -G keyedhash -u obj.pub -r obj.priv -c primary.context -L policy.digest -A "noda|adminwithpolicy|fixedparent|fixedtpm" -I /tmp/secret.bin Load object into the TPM # tpm2_load -c primary.context -u obj.pub -r obj.priv -C load.context Load succ. LoadedHandle: 0x80000100 But the final step fails: # tpm2_evictcontrol -A o -c load.context -S 0x80000100 persistentHandle: 0x80000100 ERROR: EvictControl failed, error code: 0x1c4 # tpm2_rc_decode 0x1c4 error layer hex: 0x0 identifier: TSS2_TPM_ERROR_LEVEL description: Error produced by the TPM format 1 error code hex: 0x04 identifier: TPM_RC_VALUE description: value is out of range or is not correct for the context parameter hex: 0x100 identifier: TPM_RC_1 description: (null) The error description is a clue that the "-S #" is not right. It also doens't work if I use the handle value for the primary. Is there another step in here that I'm missing?

8 months, 3 weeks

1
0
0 / 0

facilitating BIOS update with seamless PCR policy change

by Petko Manolov

Hello guys, I'm trying to devise a way to change the PCR policy used to seal certain key into TPM2 in case of BIOS change. So far i've run into this article (along with the references it suggests): https://github.com/tpm2-software/tpm2-tss/issues/487 However, i did not find a definitive answer there. Could someone please elaborate or point me in the right direction i can read more about how to authorize the new PCR policy? thanks a bunch, Petko

8 months, 3 weeks

3
8
0 / 0

Roadblock using TPM2 for mounting filesystems

by martin doc

I'm trying to get TPM2 working with encrypted filesystems on CentOS 7. I started out using this page as a guide: https://threat.tevora.com/secure-boot-tpm-2/ but some of the CLI has changed. The commands I've used are: # dmesg | grep tpm_tis [ 1.919443] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 16) # tpm2_createpolicy -P -L sha1:0,2,3,7 -F pcrs.bin -f policy.digest # tpm2_createprimary -H e -g sha1 -G rsa -C primary.context ObjectAttribute: 0x00030072 CreatePrimary Succeed ! Handle: 0x800000ff # dd if=/dev/urandom of=/tmp/secret.bin bs=32 count=1 # tpm2_create -g sha256 -G keyedhash -u obj.pub -r obj.priv -c primary.context -L policy.digest -A "noda|adminwithpolicy|fixedparent|fixedtpm" -I /tmp/secret.bin Load object into the TPM # tpm2_load -c primary.context -u obj.pub -r obj.priv -C load.context Load succ. LoadedHandle: 0x80000100 But the final step fails: # tpm2_evictcontrol -A o -c load.context -S 0x80000100 persistentHandle: 0x80000100 ERROR: EvictControl failed, error code: 0x1c4 # tpm2_rc_decode 0x1c4 error layer hex: 0x0 identifier: TSS2_TPM_ERROR_LEVEL description: Error produced by the TPM format 1 error code hex: 0x04 identifier: TPM_RC_VALUE description: value is out of range or is not correct for the context parameter hex: 0x100 identifier: TPM_RC_1 description: (null) The error description is a clue that the "-S #" is not right. It also doens't work if I use the handle value for the primary. Is there another step in here that I'm missing?

8 months, 3 weeks

1
0
0 / 0

2019

2018

2017

tpm2 February 2019