June 2020 - tpm2 - Ml01.01.Org

by Eduardo Falcão

Hi folks I know this is not a TPM doubt, but it's related and some people may have had this issue. Is there some form to make the digest collected through IMA deterministic? I rebooted my system several times, and on the very beginning of system initialization I've noticed the hash in PCR 10 of TPM is changing. The number of lines initializes equally, but it seems that the order the programs are ran always changes. Any ideas for overcoming this issue? []'s

9 months, 3 weeks

3
10
0 / 0

TPM 2.0 hardware error DA lockout mode

by Chenxi Z

I have the exactly same issue as https://superuser.com/questions/1404738/tpm-2-0-hardware-error-da-lockout... TPM2 tools version v1.1 Tried clearing ownership: linux-host:~ # tpm2_takeownership -c -L lockpass ERROR: Clearing Failed! TPM error code: 0x921 Tried clearing dictionary lockout: linux-host:~ # tpm2_dictionarylockout -c -P lockpass ERROR: 0x921 Error clearing dictionary lockout. Neither works. The error id decode says: linux-host:~ # tpm2_rc_decode 0x921 error layer hex: 0x0 identifier: TSS2_TPM_RC_LEVEL description: Error produced by the TPM format 0 warning code hex: 0x21 name: TPM2_RC_LOCKOUT description: authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode Can't figure out how to get out of this lockout state. Has someone came across same error before? How to fix it? Thanks.

11 months, 3 weeks

4
4
0 / 0

Re: Question: How should I provide "OwnerAuth" on Windows?

by Thompson, Kent

Based on some limited debugging on Windows 10 1809, it appears that Windows does not require the owner auth. Running the application "as administrator" and providing an empty TPM2B_AUTH (with auths[0].sessionHandle = TPM2_RW_PW) allows me to successfully call functions like... Tss2_Sys_NV_DefineSpace Tss2_Sys_NV_UndefineSpace Tss2_Sys_NV_ReadPublic Tss2_Sys_NV_Write Tss2_Sys_StartAuthSession Tss2_Sys_PolicySecret Tss2_Sys_Create Tss2_Sys_FlushContext Tss2_Sys_PolicySecret Tss2_Sys_Load Tss2_Sys_EvictControl

11 months, 3 weeks

1
0
0 / 0

Question: How should I provide "OwnerAuth" on Windows?

by kent.thompson＠intel.com

I've searched through the project's issues but didn't find anything on this topic. Our team is porting the Linux implementation of the 'tpm-provider' (application interface (wraps tpm2-tss for use with golang) to Windows. On Linux we take ownership of the tpm and specify the owner auth password, which is then used for the tpm2-tss function calls (ex. https://github.com/intel-secl/tpm-provider/blob/64cd53d6fd91b50eb011e1e43...). My understanding is that taking ownership is not needed on Windows and I've retrieved the "ownerauth" form the Get-Tpm cmdlet. Base64 decoding that value and passing the 20 bytes for owner auth returns 0x9a2 (TPM_RC_BAD_AUTH). What ownerath value should I pass to tpm2-tss? Duplicated at https://github.com/tpm2-software/tpm2-tss/issues/1767

11 months, 3 weeks

1
0
0 / 0

[RELEASE CANDIDATE] tpm2-pkcs11: 1.3.0-RC0

by Roberts, William C

Hello, I would like to announce tpm2-pkcs11 v1.3.0-RC0, with the following chamngelog: 1.3.0 - 2020-06-29 * C\_CreateObject: Support for CKO\_DATA objects only with CKA\_PRIVATE set to CK\_TRUE. Token defaults to CK\_TRUE. * Fix Tests against simulator that support RSA 3072 keys The release can be found here: - https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.3.0-RC0 Thanks, Bill

11 months, 3 weeks

1
0
0 / 0

tpm2-tss 3.0 deprecation of libgcrypt backend

by Fuchs, Andreas

Hi all, we are currently discussing deprecation of the esys libgcrypt backend, keeping only openssl and the upcoming mbed-crypto. If you have any thoughts on that topic, please join the discussion at https://github.com/tpm2-software/tpm2-tss/issues/1676 Thanks, Andreas

11 months, 4 weeks

1
0
0 / 0

[RC] tpm2-tss 2.4.2-rc1

by Fuchs, Andreas

Hi all, I would like to announce tpm2-tss 2.4.2-rc1. The tag can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.2-rc1 It contains a lot of updates to FAPI and some bugfix for esys. Please test it. Thanks, Andreas

11 months, 4 weeks

1
0
0 / 0

[ANNOUNCE] Command TCTI

by Roberts, William C

Hello, I'd like to highlight the command tcti's inclusion into the TSS: - https://github.com/tpm2-software/tpm2-tss/pull/1734 What's really cool, if you have tpm2_send on master post PR 2094: - https://github.com/tpm2-software/tpm2-tools/pull/2094 You can use it to run commands on remote machine. For instance, you can Run a tpm command over an SSH tunnel on a remote machine to get the quote. There will be no endianness issues in anything and no worries of how to transmit the data. Another great perk, is that if your device node has a too old version of tpm2-tools, you can just issue a partial update to tpm2_send, or provide some other command suitable. For most devices, something that can read and write a file might be useful, not really sure offhand what that would look like in entirety. Example invocation: tpm2_getrandom -T "cmd:ssh localhost tpm2_send" --hex 4 Thanks, Bill

12 months

1
0
0 / 0

Re: Sharing TPM 2.0 between containers with access policy

by Roberts, William C

> -----Original Message----- > From: Oleksii Moisieiev <Oleksii_Moisieiev(a)epam.com> > Sent: Thursday, June 18, 2020 1:21 PM > To: Struk, Tadeusz <tadeusz.struk(a)intel.com> > Cc: tpm2(a)lists.01.org > Subject: [tpm2] Re: Sharing TPM 2.0 between containers with access policy > > Hello Tadeusz. > > Thank you for the answer. > I've done some investigation and found that passing device /dev/tpmrm0 to the > containers will do the job. Also problem with tpm_clear can be solved by > restriction owner access to the tpm. So each container can use keys in TPM but > talk to owner if any changes is needed. > > I have another question: According to the documentation - TPM is having unique > endoresement key, embedded to the device during manufacturing. So each > module can be identified by this key. > How can I retrieve this key embedded to the TPM module? Only the endorsement hierarchy primary seed (EPS) is embedded at manufacturing time. So Calls to tpm2_createprimary with the proper inputs will yield the same key every time. Calls to tpm2_createek should create this for you. The calls to tpm2_getekcertificate should give you that manufacturer certificate. Details on this process can be found in this spec: - https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_E... > > Best regards, > Oleksii. > ________________________________ > > From: Tadeusz Struk <tadeusz.struk(a)intel.com> > Sent: Friday, June 5, 2020 8:16 PM > To: Oleksii Moisieiev <Oleksii_Moisieiev(a)epam.com>; tpm2(a)lists.01.org > <tpm2(a)lists.01.org> > Subject: Re: [tpm2] Sharing TPM 2.0 between containers with access policy > > On 6/5/20 12:52 AM, Oleksii Moisieiev wrote: > > Hello all, > > > > I have an embedded device, with Docker containers based architecture. > > This device is operating by software, installed in separate containers. > > > > > > I would like to share TPM2.0 access between this containers with the > > following restrictions: > > > > 1) Forbid Clear TPM command for the containers; > > 2) Each container should have an access only to the set of keys it owns. > > 3) Each container can create keys, but not overwrite existing keys > > that does not related to this container. > > > > According to the "TCG TSS 2.0 TAB and Resource Manager Specification" > > - TPM Resource manager doesn't implement access restrictions right now. > > I think you could run a separate instance of RM in per container to get > 2 & 3. As for 1, this would need to be prevented on a platform configuration level, > like in BIOS or equivalent. > > Thanks, > -- > Tadeusz

1 year

1
0
0 / 0

Re: Sharing TPM 2.0 between containers with access policy

by Tadeusz Struk

On 6/5/20 12:52 AM, Oleksii Moisieiev wrote: > Hello all, > > I have an embedded device, with Docker containers based architecture. > This device is operating by software, installed in separate containers. > > > I would like to share TPM2.0 access between this containers with the > following restrictions: > > 1) Forbid Clear TPM command for the containers; > 2) Each container should have an access only to the set of keys it owns. > 3) Each container can create keys, but not overwrite existing keys that > does not related to this container. > > According to the "TCG TSS 2.0 TAB and Resource Manager Specification" - > TPM Resource manager doesn't implement access restrictions right now. I think you could run a separate instance of RM in per container to get 2 & 3. As for 1, this would need to be prevented on a platform configuration level, like in BIOS or equivalent. Thanks, -- Tadeusz

1 year

3
2
0 / 0

2021

2020

2019

2018

2017

tpm2 June 2020