Possible TPM uses in fprintd/libfprint
by Benjamin Berg
Hi,
I was wondering if someone has ideas about integrating the TPM with
Fingerprint readers.
Recently I started looking into supporting Secure Device Connection
Protocol (SDCP, [1]) in libfprint. The general idea is to verify that
the Fingerprint reader can be trusted, but I initially also imagined
that further use-cases like unsealing data in a TPM may be possible
(e.g. to retrieve disk encryption keys).
However, looking into it more, my current conclusion is that there is
little to no advantage to using the TPM. At least not unless one also has
a trusted (userspace) program which is capable of signing TPM
authorizations. One could easily offload the required parts into a
small helper, but that may require ensuring it runs in a trusted
execution environment.
Microsoft seems to run relevant parts as trustlets that are walled off
from the rest of the system. That seems sensible to me, but it also
means requiring all the infrastructure for execution and signing and I
doubt that is feasible currently.
Right now I'll probably go the way of not using the TPM at all. But I
am really not an expert on this. So should someone see scenarios where
a TPM is actually helpful in this context, then I would like to hear
about them.
Benjamin
PS: A quick summary of how SDCP works:
* Device has a private ECC key that signs the firmware and ephemeral keys during boot (and is inaccessible afterwards)
* A certificate proves that this key was provisioned in the factory
* Device builds a shared secret with the host (s)
* Device sends id, HMAC_SHA256(s, "identify" || nonce || id) when the finger "id" was presented.
* The HMAC proves knowledge of the shared secret and authorizes the print.
[1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...
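An added example (mine, not code from the post or from libfprint) of the host-side check for the identify step as the post summarizes it: MAC = HMAC_SHA256(s, "identify" || nonce || id). The shared secret s is a constructed stand-in for the ECDH output, and the plain concatenation of the three fields is an assumption about the message layout; the point shown is that binding the MAC to a single-use host nonce is what stops a captured "finger matched" message from being replayed.

```python
import hashlib
import hmac
import os


def identify_mac(shared_secret: bytes, nonce: bytes, finger_id: bytes) -> bytes:
    """Device side: HMAC_SHA256(s, "identify" || nonce || id), as in the post's summary."""
    return hmac.new(shared_secret, b"identify" + nonce + finger_id, hashlib.sha256).digest()


class Host:
    """Host side: issues one nonce per identification and accepts each nonce once."""

    def __init__(self, shared_secret: bytes):
        self._s = shared_secret
        self._pending = set()  # nonces issued but not yet consumed

    def new_nonce(self) -> bytes:
        nonce = os.urandom(32)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, finger_id: bytes, mac: bytes) -> bool:
        # A nonce the host never issued, or one already consumed, is rejected
        # before any MAC work; this is the replay check.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = identify_mac(self._s, nonce, finger_id)
        # Constant-time comparison so the MAC check leaks no timing information.
        return hmac.compare_digest(expected, mac)


def demo_replay() -> tuple:
    """One honest identification followed by a replay of the same message."""
    s = hashlib.sha256(b"constructed shared secret, not a real ECDH output").digest()
    host = Host(s)
    nonce = host.new_nonce()
    fid = b"\x01"
    mac = identify_mac(s, nonce, fid)
    return host.verify(nonce, fid, mac), host.verify(nonce, fid, mac)
```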
Re: TPM2 TSS on Android
by Roberts, William C
The example Andreas shows is built using a "Blueprint" file. It was part of the switch that occurred
for in-aosp-tree projects when they went to this Ninja Kata build system. However, AFAIK, the NDK
has stayed Make. So that example won't really be a drop-in for an NDK build. I can throw together
a proper Android.mk and add it to the project. We can probably set up a build in GitHub Actions for
it as well.
> -----Original Message-----
> From: Phani Srinivas <phani.srinivas(a)in.abb.com>
> Sent: Friday, December 25, 2020 1:37 AM
> To: Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de>; tpm2(a)lists.01.org
> Subject: [tpm2] Re: TPM2 TSS on Android
>
> Hello Andreas,
>
> Thank you for the links, will follow them and see if it works for us and
> post on this forum the feedback.
>
> Regards
>
> Phani Srinivas S
>
> From: Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de>
> Sent: Tuesday, December 22, 2020 4:18 PM
> To: Phani Srinivas <phani.srinivas(a)in.abb.com>; tpm2(a)lists.01.org
> Subject: RE: TPM2 TSS on Android
>
> In terms of calling the tss from java you might then want to look at tpm2-swig
> for bindings: https://github.com/tpm2-software/tpm2-swig
>
> Cheers,
>
> Andreas
>
> ________________________________
>
> From: Florian.Schreiner(a)infineon.com <mailto:Florian.Schreiner@infineon.com>
> [Florian.Schreiner(a)infineon.com]
> Sent: Monday, December 21, 2020 12:04
> To: phani.srinivas(a)in.abb.com <mailto:phani.srinivas@in.abb.com> ;
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> Subject: [tpm2] Re: TPM2 TSS on Android
>
> Hi Phani,
>
> After some quick research, I have found the following:
> https://android.googlesource.com/platform/external/tpm2-tss/
>
> I would be curious to know if that fits your request.
>
> Best,
>
> Florian
>
> From: Phani Srinivas <phani.srinivas(a)in.abb.com <mailto:phani.srinivas@in.abb.com> >
> Sent: Samstag, 19. Dezember 2020 09:24
> To: tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> Subject: [tpm2] TPM2 TSS on Android
>
> Hello All,
>
> We are trying to use TPM 2.0 on Android and would like to port TPM2 TSS onto it.
> Could any of you suggest tutorials on NDK build compilation of TPM2 TSS
> and relevant details for using TPM2 TSS on Android?
>
> Regards
>
> Phani Srinivas S
Ensure the link between an unrestricted signing key and a TPM
by Auriga7
Hi,
I would like to know how I can certify that a non-restricted signing key belongs to a real TPM, in the same way that an AIK can guarantee it is from a TPM using the EK and the EK certificate of the TPM. I've tried using the makecredential and activatecredential commands of tpm2-tools on a non-restricted signing key created with the create command. However, those commands seem to only work for an AIK created using the createak command. How can I create a non-restricted signing key and then ensure that this key is linked to a real TPM using tpm2-tools?
Thank you.
Re: TPM2 TSS on Android
by Florian.Schreiner@infineon.com
Hi Phani,
After some quick research, I have found the following: https://android.googlesource.com/platform/external/tpm2-tss/
I would be curious to know if that fits your request.
Best,
Florian
From: Phani Srinivas <phani.srinivas(a)in.abb.com>
Sent: Samstag, 19. Dezember 2020 09:24
To: tpm2(a)lists.01.org
Subject: [tpm2] TPM2 TSS on Android
Hello All,
We are trying to use TPM 2.0 on Android and would like to port TPM2 TSS onto it.
Could any of you suggest tutorials on NDK build compilation of TPM2 TSS and relevant details for using TPM2 TSS on Android?
Regards
Phani Srinivas S
TPM2 TSS on Android
by Phani Srinivas
Hello All,
We are trying to use TPM 2.0 on Android and would like to port TPM2 TSS onto it.
Could any of you suggest tutorials on NDK build compilation of TPM2 TSS and relevant details for using TPM2 TSS on Android?
Regards
Phani Srinivas S
tpm2_pcrread is not working because of tcti-abrmd
by Chenxi Z
Hi,
Can I know why tpm2-tools is not working? Below are the logs. Thank you for the help in advance.
[root@myhost ~]# tpm2_pcrread
** (process:3459977): WARNING **: 17:05:49.915: Failed to create connection with service: Timeout was reached
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for function 0x7f0481c01ac0 failed with a0008
WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not initialize TCTI named: tcti-abrmd
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0
(and hangs)
[root@myhost ~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
... ...
Version info:
[root@myhost~]# rpm -qa | grep tpm2
tpm2-tss-2.4.3.x86_64
tpm2-tools-4.3.0.x86_64
tpm2-abrmd-2.3.3.x86_64
[root@myhost ~]# service tpm2-abrmd status
Redirecting to /bin/systemctl status tpm2-abrmd.service
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
Loaded: loaded (/usr/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-12-14 16:48:42 PST; 15min ago
Main PID: 3422797 (tpm2-abrmd)
IO: 0B read, 0B written
Tasks: 4
Memory: 2.0M
CPU: 49ms
CGroup: /system.slice/tpm2-abrmd.service
└─3422797 /usr/sbin/tpm2-abrmd
Warning: journal has been rotated since unit was started, output may be incomplete.
Thanks,
Chenxi
how to gracefully stop tpm2-abrmd daemon
by Chenxi Z
Can I know how to gracefully stop the tpm2-abrmd daemon, or force it to stop?
From the log below, I see the daemon could not be stopped and auto-restarted.
[root@hostname-1 ~]# service tpm2-abrmd stop
Redirecting to /bin/systemctl stop tpm2-abrmd.service
(It takes about 3-5 minutes and returns back to console)
[root@hostname-1 ~]# service tpm2-abrmd status
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
Loaded: loaded (/usr/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-12-15 15:02:49 PST; 1min 36s ago
Main PID: 3389167 (tpm2-abrmd)
IO: 0B read, 0B written
Tasks: 4
Memory: 1.5M
CPU: 16ms
CGroup: /system.slice/tpm2-abrmd.service
└─3389167 /usr/sbin/tpm2-abrmd
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: ipc_frontend_connect
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tcti_set_property
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: Allocating 0x1050 bytes for SAPI context
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tpm2_set_property
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tpm2_set_property
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tpm2_init_tpm
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: Got proxy object for DBus daemon.
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: on_bus_acquired: com.intel.tss2.Tabrmd
Dec 15 15:02:49 hostname-1 systemd[1]: Started TPM2 Access Broker and Resource Management Daemon
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: on_name_acquired: com.intel.tss2.Tabrmd
[root@hostname-1~]# journalctl -u tpm2-abrmd -e
-- Logs begin at Tue 2020-12-15 15:00:03 PST, end at Tue 2020-12-15 15:03:24 PST. --
Dec 15 15:01:15 hostname-1 systemd[1]: Stopping TPM2 Access Broker and Resource Management Daemon...
Dec 15 15:02:45 hostname-1 systemd[1]: tpm2-abrmd.service: State 'stop-sigterm' timed out. Killing.
Dec 15 15:02:45 hostname-1 systemd[1]: tpm2-abrmd.service: Killing process 3370307 (tpm2-abrmd) with signal SIGKILL.
Dec 15 15:02:45 hostname-1 systemd[1]: tpm2-abrmd.service: Killing process 3370308 (tpm2-abrmd) with signal SIGKILL.
Dec 15 15:02:45 hostname-1 systemd[1]: tpm2-abrmd.service: Killing process 3370309 (gmain) with signal SIGKILL.
Dec 15 15:02:45 hostname-1 systemd[1]: tpm2-abrmd.service: Killing process 3370311 (gdbus) with signal SIGKILL.
Dec 15 15:02:45 hostname-1 systemd[1]: tpm2-abrmd.service: Main process exited, code=killed, status=9/KILL
Dec 15 15:02:45 hostname-1 systemd[1]: tpm2-abrmd.service: Failed with result 'timeout'.
Dec 15 15:02:45 hostname-1 systemd[1]: Stopped TPM2 Access Broker and Resource Management Daemon.
Dec 15 15:02:49 hostname-1 systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon... <————— tpm2-abrmd auto restarted here
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tabrmd startup
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tcti_conf before: "device:/dev/tpm0"
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: logging to stdout
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tcti_conf after: "device:/dev/tpm0"
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: entering g_main_loop
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: init_thread_func start
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: random_class_init
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: opening entropy source: /dev/urandom
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: reading from entropy source: /dev/urandom
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: connection_manager_set_property
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: max_connections: 27
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: IpcFrontendDbus set bus_name: com.intel.tss2.Tabrmd
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: ipc_frontend_connect
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tcti_set_property
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: Allocating 0x1050 bytes for SAPI context
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tpm2_set_property
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tpm2_set_property
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: tpm2_init_tpm
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: Got proxy object for DBus daemon.
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: on_bus_acquired: com.intel.tss2.Tabrmd
Dec 15 15:02:49 hostname-1 systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
Dec 15 15:02:49 hostname-1 tpm2-abrmd[3389167]: on_name_acquired: com.intel.tss2.Tabrmd
[root@hostname-1~]# rpm -qa | grep tpm2
tpm2-tss-2.4.3.x86_64
tpm2-tools-4.3.0.x86_64
tpm2-abrmd-2.3.3.x86_64
[root@hostname-1 ~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
... ...
Ways to implement setLocality in tabrmd
by mingyic4@uci.edu
Hello all,
I'm trying to implement setLocality in tabrmd.
The comment says "Set the locality for the Connection object."
I've found that in the command_source_on_new_connection function,
it sets a callback for the istream in the Connection object.
So I retrieved the ostream from the Connection,
and tried to write something to trigger this callback.
But nothing happens.
I wonder whether this approach is right or there is something more that needs to be done.
Any comments or advice would be appreciated, thanks!
Proper way to create a owner-write, any-read TPM2 nvindex?
by Paul Moore
Hello all,
I'm trying to define a TPM2 nvindex that is only writable when
authenticated with the owner password, but is readable by anyone,
regardless of authentication. Through a combination of looking at the
docs and some trial-and-error I've arrived at the following:
% tpm2_nvdefine -a "ownerwrite|ownerread|authread" -P $PASSWD $NVINDEX
... which leaves me with two questions:
* Is this the recommended way to define an owner-write, any-read TPM2 nvindex?
* Why do I need to specify "authread", and is this correct? Quickly
skimming the TPM2 specs, I'm still a bit puzzled by the meaning of
"authread"/TPMA_NV_AUTHREAD.
Any comments, advice, etc. would be appreciated - thanks!
--
paul moore
www.paul-moore.com
Help combining multiple policy assertions (logical AND)
by Paul Moore
Hello,
I'm currently attempting to combine multiple policy assertions
together using a logical AND into a single signed policy that can be
used to control access to a TPM2 nvindex. I currently have a working
simple example with a single policy assertion based on PCR values, but
I'm struggling trying to add an additional policy assertion (I would
like to control access both based on PCR values and a second nvindex
value).
My current, single-assertion example is shown below; any help you can
provide on how to add a tpm2_policynv assertion would be greatly appreciated.
*** locking/sealing the nvindex
tpm2_pcrread $PCRS -o /tmp/pcr.bin
tpm2_startauthsession -S /tmp/session.ctx
tpm2_policypcr -S /tmp/session.ctx \
-l $PCRS -f /tmp/pcr.bin -L /tmp/pcr.policy
tpm2_policyauthorize -S /tmp/session.ctx \
-L /tmp/nvindex.policy -n signing_key.name
tpm2_nvdefine -a "ownerwrite|ownerread|policyread" \
-P $PASSWD -L /tmp/nvindex.policy $NVINDEX
tpm2_flushcontext /tmp/session.ctx
openssl dgst -sha256 --sign signing_key_private.pem \
-out pcr.signature /tmp/pcr.policy
echo "storedsecret" | tpm2_nvwrite -C o -P $PASSWD \
-i- $NVINDEX
*** reading the nvindex using the signed policy
tpm2_loadexternal -C o -G rsa -u signing_key_public.pem \
-c /tmp/key.ctx -n /tmp/key.name
tpm2_startauthsession -S /tmp/session.ctx --policy-session
tpm2_policypcr -S /tmp/session.ctx \
-l $PCRS -L /tmp/pcr.policy
tpm2_verifysignature -c /tmp/key.ctx \
-f rsassa -g sha256 \
-m /tmp/pcr.policy -s pcr.signature -t /tmp/sigverify.tkt
tpm2_policyauthorize -S /tmp/session.ctx \
-i /tmp/pcr.policy -n /tmp/key.name -t /tmp/sigverify.tkt
tpm2_nvread -P "session:/tmp/session.ctx" -s 64 $NVINDEX
tpm2_flushcontext /tmp/session.ctx
rm -f /tmp/sigverify.tkt
--
paul moore
www.paul-moore.com
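An added example (mine, not the poster's script or tpm2-tools code) of how a policy session ANDs assertions: every TPM2_Policy* command extends the same session digest, so a PolicyNV step issued after PolicyPCR in both the trial and the real session yields one combined digest, and that combined digest is what the key must sign in place of pcr.policy, while the authPolicy that tpm2_policyauthorize produces for tpm2_nvdefine depends only on the signing key's Name. Command codes are from TPM 2.0 Part 2 and the digest formulas from Part 3; the PCR value, NV index Name and key Name are constructed stand-ins.

```python
import hashlib
import struct

# TPM_CC command codes (TPM 2.0 Library, Part 2) and the SHA-256 algorithm id.
TPM_CC_POLICY_NV = 0x00000149
TPM_CC_POLICY_AUTHORIZE = 0x0000016A
TPM_CC_POLICY_PCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
TPM_EO_EQ = 0x0000          # PolicyNV operation: NV contents == operandB
ZERO = bytes(32)            # a fresh policy session starts with an all-zero digest


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pcr_selection(pcrs) -> bytes:
    """Marshal a TPML_PCR_SELECTION: one SHA-256 bank with a 3-byte select bitmap."""
    select = bytearray(3)
    for i in pcrs:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)


def policy_pcr(old, pcrs, pcr_values) -> bytes:
    """TPM2_PolicyPCR: new = H(old || CC || TPML_PCR_SELECTION || H(selected PCR values))."""
    digest_tpm = sha256(*[pcr_values[i] for i in sorted(pcrs)])
    return sha256(old, struct.pack(">I", TPM_CC_POLICY_PCR), pcr_selection(pcrs), digest_tpm)


def policy_nv(old, nv_name, operand_b, offset=0, operation=TPM_EO_EQ) -> bytes:
    """TPM2_PolicyNV: new = H(old || CC || H(operandB || offset || operation) || nvName)."""
    args = sha256(operand_b, struct.pack(">HH", offset, operation))
    return sha256(old, struct.pack(">I", TPM_CC_POLICY_NV), args, nv_name)


def policy_authorize(key_name, policy_ref=b"") -> bytes:
    """TPM2_PolicyAuthorize: the session digest is zeroed, then H(0 || CC || keyName || policyRef)."""
    return sha256(ZERO, struct.pack(">I", TPM_CC_POLICY_AUTHORIZE), key_name, policy_ref)


# Constructed stand-ins (not real TPM state): a PCR 7 value and two TPM Names,
# each nameAlg || H(public area), for the second NV index and the signing key.
PCR_VALUES = {7: sha256(b"constructed pcr7")}
NV_NAME = struct.pack(">H", TPM_ALG_SHA256) + sha256(b"constructed nv public area")
KEY_NAME = struct.pack(">H", TPM_ALG_SHA256) + sha256(b"constructed signing key public area")


def approved_policy() -> bytes:
    """PCR assertion AND NV assertion: the digest to sign instead of pcr.policy."""
    d = policy_pcr(ZERO, [7], PCR_VALUES)
    return policy_nv(d, NV_NAME, b"\x01")


def index_auth_policy() -> bytes:
    """The -L value for tpm2_nvdefine: depends only on the key Name, not on the ANDed assertions."""
    return policy_authorize(KEY_NAME)
```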