I am working for Collabora on a list of patches in the Chromeos kernel.
I want to check if I can upstream those patches to the mainline kernel.
There is one patch to ignore the case that the 'selftest' command failed
when adding the '/dev/tpm' device. The idea is that userspace could still interact with the
device to some extent even if it fails.
I was wondering how to test such a case.
I thought that I can test it with a tpm emulator and change the emulator code
to fail on 'selftest'.
I am new to TPM and still know little about it so I thought maybe
some of the people here have better ideas?
Thanks a lot,
I had some problems getting the Endorsement Key Certificate on a server using a TPM 2.0 Infineon SLB 9670.
The TPM2 Tools version is the 4.3 tagged release, compiled from source.
The TPM seems to have the cert in the expected handle (0x1C00002 RSA, 0x1C0000a ECC)
$ tpm2_getcap handles-nv-index
I initially tried to get that with tpm2_getekcertificate, but when I run the tool, it returns exit code 0 and a string saying that the cert could not be found:
$ tpm2_createek -G rsa -u ek.pub -c key.ctx
$ tpm2_getekcertificate -u ek.pub
Certificate not found
$ echo $?
Then, I executed the tool with --verbose mode, and I saw that it is trying to pull the cert from ekop.intel.com.
I could not find the URL for Infineon.
Later, I found this post https://www.infineonforums.com/threads/6044-Optiga-Endorsement-Credential...
and I could use that to retrieve the cert from the handle:
$ tpm2_nvread 0x1c00002 > nvread.1c00002.crt
$ tpm2_nvread 0x1c0000a > nvread.1c0000a.crt
So, a couple of questions and comments:
1. I noticed that the latest master tpm2_getekcertificate man page specifies that it will fetch the cert from the NV index now. So, with the next release, getting the NV index cert with tpm2_getekcertificate should work, right? Also, does this version return a non-zero exit code if the cert was not found?
2. Does Infineon provide a server for fetching the EK Cert? Having that service is important if you are doing bulk operations over several servers.
It took some time to get this figured out for us, so I think any help future users can get in the UX of using these tools is valuable!
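The fallback the post arrives at (try tpm2_getekcertificate, otherwise read the EK certificate straight out of the well-known NV indices), written up as a POSIX shell script with a non-zero exit code when nothing is found and a DER check before the blob is trusted. This is an added example, not code from the original post or from tpm2-tools; it assumes tpm2-tools 4.x and openssl on PATH, and the NV indices 0x1c00002 (RSA) and 0x1c0000a (ECC) quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the EK certificate with
# tpm2_getekcertificate, fall back to the well-known NV indices when the tool
# reports "Certificate not found" (observed to exit 0 in tpm2-tools 4.3), and
# verify the result is really a DER X.509 certificate before keeping it.
# Assumptions: tpm2-tools 4.x and openssl on PATH; NV indices as in the post.

# Map an EK algorithm name to the NV index that holds its certificate.
ek_cert_nv_index() {
    case "$1" in
        rsa) echo 0x1c00002 ;;
        ecc) echo 0x1c0000a ;;
        *)   echo "unknown EK algorithm: $1" >&2; return 1 ;;
    esac
}

# Return 0 only if FILE parses as a DER-encoded X.509 certificate.
is_der_cert() {
    openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1
}

# Fetch the EK certificate for ALG (rsa|ecc) into OUT. Exit status: 0 found,
# 1 bad argument, 2 no certificate obtainable by either method.
fetch_ek_cert() {
    alg=$1; out=$2
    idx=$(ek_cert_nv_index "$alg") || return 1
    tmp=$(mktemp)
    # First try the tool, exactly as in the post. "Certificate not found" on
    # stdout with exit 0 is treated as a failure, as is any non-DER output.
    if tpm2_createek -G "$alg" -u "$tmp.pub" -c "$tmp.ctx" >/dev/null 2>&1 \
       && tpm2_getekcertificate -u "$tmp.pub" >"$tmp" 2>/dev/null \
       && ! grep -q 'Certificate not found' "$tmp" \
       && is_der_cert "$tmp"; then
        mv "$tmp" "$out"; rm -f "$tmp.pub" "$tmp.ctx"; return 0
    fi
    # Fall back to reading the vendor-provisioned NV index directly.
    if tpm2_nvread "$idx" >"$tmp" 2>/dev/null && is_der_cert "$tmp"; then
        mv "$tmp" "$out"; rm -f "$tmp.pub" "$tmp.ctx"; return 0
    fi
    rm -f "$tmp" "$tmp.pub" "$tmp.ctx"
    echo "EK certificate ($alg) not found at $idx or via tpm2_getekcertificate" >&2
    return 2
}

# Usage: ./fetch_ek_cert.sh rsa ek_rsa.der
if [ "$#" -gt 0 ]; then fetch_ek_cert "$@"; fi
```

Inspect the result with `openssl x509 -inform DER -in ek_rsa.der -noout -text` to confirm the issuer is the vendor CA you expect before using the certificate for attestation.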
I'm trying to find a specific type of guideline and/or certification relating to TPM-based (software) product, and wasn't able to find what I'm looking for here (so far), or at other sites I was advised to check out (i.e. , ), so I'm reaching out here for guidance/advice.
Are there companies or programs (i.e. formally recognized or recommended by TCG or a similar authority) that pen-test/assess the quality of a software-based solution that depends on a TPM (i.e. 2.0) chip? Or, failing that, are there guidelines or certification/assessment programs for qualifying software solutions (i.e. Linux-based) that make use of a TPM device?
I'm putting together some proof-of-concept examples, and while the design seems sound, it's my opinion that the person implementing the solution shouldn't be the same person assessing it for weaknesses. It's effectively a measured-boot-based solution to support full disk encryption via LUKS, and later, remote attestation. I started considering the topic after coming across a post , which strikes me as a bit of a "gotcha" (i.e. secret can be unsealed due to accidentally leaving a blank/default password enabled; "oops").
Any documentation/guides/resources that can help with assessing the quality of a s/w-based solution and "keeping it on the rails" is appreciated.
1. "TPMDeveloper - Topics", <https://developers.tpm.dev/topics>, last accessed 2020-11-16.
2. "Trusted Computing Group - Resources", <https://trustedcomputinggroup.org/resources?>, last accessed 2020-11-16.
3. "Unsealing data despite PCR policy", <https://github.com/tpm2-software/tpm2-tools/issues/1123>, last accessed 2020-11-16.
I would like to announce the release of tpm2-pkcs11 version 1.5.0 with the following changelog:
### 1.5.0 - 2020-11-16
* C_Decrypt: Fix CKM_RSA_PKCS11 scheme not removing PKCS v1.5 block padding from returned plaintext.
* C_Digest/C_DigestFinal: Fix Section 5.2 style returns.
* C_OpenSession: fix valid session handles starting at 0, 0 is invalid per the spec.
* C_OpenSession: fix handle issuance bug where handles could be exhausted at out of bounds.
* Support swtpm in testing infrastructure.
* Fix C_Encrypt/C_Decrypt interface not setting size when output buffer is NULL.
* Fix warning ../configure: line 14383: ]: command not found
* Fix CKM_RSA_PKCS_PSS mechanism.
* C_GetMechanismList: Fix index 0 of the returned list being invalid.
* C_GetMechanismInfo: Fix errors like ERROR: Unknown mechanism, got: 0xd.
* Docs: use full paths from project root to help fix 404 errors.
* tpm2_ptool init: attempt to persist the created primary object at 0x81000001 and fall back to the
first available address on failure.
The release can be found here: