July 2020 - tpm2 - Ml01.01.Org

by Benjamin Berg

Hi, I was wondering if someone has ideas about integrating the TPM with Fingerprint readers. Recently I started looking into supporting Secure Device Connection Protocol (SDCP, [1]) in libfprint. The general idea is to verify that the Fingerprint reader can be trusted, but I initially also imagined that further use-cases like unsealing data in a TPM may be possible (e.g. to retrieve disk encryption keys). However, looking into it more, my current conclusion is that there is little to no advantage to use the TPM. At least not unless one also has a trusted (userspace) program which is capable of signing TPM authorizations. One could easily offload the required parts into a small helper, but that may require ensuring it runs in a trusted execution environment. Microsoft seems to run relevant parts as trustlets that are walled off from the rest of the system. That seems sensible to me, but it also means requiring all the infrastructure for execution and signing and I doubt that is feasible currently. Right now I'll probably go the way of not using the TPM at all. But I am really not an expert for this. So should someone see scenarios where a TPM is actually helpful in this context, then I would like to hear about them. Benjamin PS: A quick summary of how SDCP works: * Device has a private ECC key that signs the firmware and ephemeral keys during boot (and is inaccessible afterwards) * A certificate proofs that this key was provisioned in factory * Device builds a shared secret with the host (s) * Device sends id, HMAC_SHA256(s, "identify" || nonce || id) when the finger "id" was presented. * The HMAC proofs knowledge of the shared secret and authorizes the print. [1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...

1 week, 2 days

4
6
0 / 0

IMA determinism

by Eduardo Falcão

Hi folks I know this is not a TPM doubt, but it's related and some people may have had this issue. Is there some form to make the digest collected through IMA deterministic? I rebooted my system several times, and on the very beginning of system initialization I've noticed the hash in PCR 10 of TPM is changing. The number of lines initializes equally, but it seems that the order the programs are ran always changes. Any ideas for overcoming this issue? []'s

1 year, 10 months

3
10
0 / 0

Re: Persistent key protection

by Roberts, William C

+ Imran, he might have some additional suggestions. > -----Original Message----- > From: Ionut Mihalcea <Ionut.Mihalcea(a)arm.com> > Sent: Monday, July 27, 2020 6:30 AM > To: tpm2(a)lists.01.org > Subject: [tpm2] Persistent key protection > > Hello all, > > > > I've been trying to identify any TPM authorization features that could be used in > a user-space persistent key store with hardware backing, but it appears that > simply storing the key context, preferably on an encrypted filesystem, is the best > solution I could come up with. Keys could have an auth value of their own, but > that value must then be stored as well, and any other authorization mechanism > ends up reducing to an (indirect) "auth" value that has to be persisted. Yes and no. Depends on how you set up the key. You would probably want to lock it to a PCR Policy, or something like policy signed. Where you can sign a policy with a key on your server And send down a PCR policy. This way if PCR's change, you just update your policy. This would be fixed to measured system state. > > > > The threat I'm trying to work against is simply leaking the persisted key material, You can set up attributes on the key so that it cannot be exported from the TPM. You would want fixedtpm and fixedparent in your attribute set. > allowing the attacker to load and use the keys (assuming they're authorized to > use the hierarchy that the keys belong to). You could lock It to PCR state. Hopefully a mis measure would occur causing the key not to be available. You could even store an auth value secret on the server, and require the client to perform an attestation before sending the secret to unlock it. > > > > Am I missing something, or is this due to TPM authorization features being aimed > more at lower levels of the stack? > > > > Best regards, > > Ionut > > > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended recipient, > please notify the sender immediately and do not disclose the contents to any > other person, use it for any purpose, or store or copy the information in any > medium. Thank you.

1 year, 11 months

1
0
0 / 0

[RELEASE] tpm2-pkcs11 release 1.3.1

by Roberts, William C

Hello, I would like to announce tpm2-pkcs11 version 1.3.1 with the following changelog: 1.3.1 - 2020-07-27 Fix double free. The release can be found here: - https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.3.1 Thanks, Bill

1 year, 11 months

1
0
0 / 0

Re: Persistent key protection

by Florian.Schreiner＠infineon.com

Hi Ionut, this is an interesting request and I hope I understand it correctly. I think the question should be better asked in the TCG because it refers to TPM functional capabilities and not so much related to the TSS stack. The TSS stack provides the TPM authorization functionalities to the host software. The architecture of the host software (e.g. execution separation, privileges) and hardware (virtualization, TEE) can then be combined to be validated in the TPM authorization. I think an important point is that the authorization secret requires anyway only a lower security level, because it allows an attacker only to use a key, but not to extract the private key. The extraction of a private key is more critical, because it would be then entirely be compromised as any further misuse can't be blocked anymore. The loss of an authorization secret still makes it possible to reconfigure the authorization of the key in the TPM so that after that the misuse of the key is not possible anymore. It therefore depends on the use case if an additional protection of the authorization secret is required. In order to enable further protection of the authorization secret, the TPM currently supports at least these Authorization policy elements currently: - PCR State - Locality - "Physical Presence" - Asymmetric signature - Specific objects - Symmetric shared secret - Duplication - Time Limited - NV Written - Specific Command - Contents of NV Furthermore there is the ACT concept (Authenticated Countdown Timer). For example the authorizations for Locality and PCR state might provide the authorization features that you are looking for (e.g. sealing). They can be combined with Secure Boot. For both there are concepts and implementations available for x86 platforms. However for non-x86 systems it would be an interesting topic to define a proposal or concept, how this can be integrated. Another (simpler) solution depending on your overall system might be to store the authorization secret (e.g. a password) on another partner device nearby. In this case the local system with the TPM doesn't store the authorization password anymore and therefore an attacker can't extract it. There are then for example 2 options to use the key: - Only the partner device can load and use the key in the TPM of the local system. Results of the TPM commands are securely transferred to the partner device (Remote TPM Sessions). - Only when the local system was booted up correctly (e.g. using authentication, hardware validation, attestation), the partner device transfers the authorization secret the local device. The local device would have stored the key only in volatile memory, so that an attacker could Best, Florian From: Ionut Mihalcea <Ionut.Mihalcea(a)arm.com> Sent: Montag, 27. Juli 2020 13:30 To: tpm2(a)lists.01.org Subject: [tpm2] Persistent key protection Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safe<http://iweb.infineon.com/en-US/Support/security/CDC/pse/Pages/pce.aspx>. Hello all, I've been trying to identify any TPM authorization features that could be used in a user-space persistent key store with hardware backing, but it appears that simply storing the key context, preferably on an encrypted filesystem, is the best solution I could come up with. Keys could have an auth value of their own, but that value must then be stored as well, and any other authorization mechanism ends up reducing to an (indirect) "auth" value that has to be persisted. The threat I'm trying to work against is simply leaking the persisted key material, allowing the attacker to load and use the keys (assuming they're authorized to use the hierarchy that the keys belong to). Am I missing something, or is this due to TPM authorization features being aimed more at lower levels of the stack? Best regards, Ionut IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

1 year, 11 months

1
0
0 / 0

Persistent key protection

by Ionut Mihalcea

Hello all, I’ve been trying to identify any TPM authorization features that could be used in a user-space persistent key store with hardware backing, but it appears that simply storing the key context, preferably on an encrypted filesystem, is the best solution I could come up with. Keys could have an auth value of their own, but that value must then be stored as well, and any other authorization mechanism ends up reducing to an (indirect) “auth” value that has to be persisted. The threat I’m trying to work against is simply leaking the persisted key material, allowing the attacker to load and use the keys (assuming they’re authorized to use the hierarchy that the keys belong to). Am I missing something, or is this due to TPM authorization features being aimed more at lower levels of the stack? Best regards, Ionut IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

1 year, 11 months

1
0
0 / 0

Information Needed on FAPI Usage

by phani.srinivas＠in.abb.com

Hello All, Need information Regarding the FAPI for the following • Does FAPI_createKey support symmetric key creation • Is there any Template for the crypto profile used in FAPI • How to specify the Unique value in the profile while creating the SRK • Can multiple profiles be used in FAPI and provisioned individually Regards Phani

1 year, 11 months

3
3
0 / 0

[RELEASE CANDIDATE] tpm2-pkcs11: 1.3.1-RC0

by Roberts, William C

Hello, I would like to announce the 1.3.1-RC0 release of the tpm2-pkcs11 project. The release can be found here: https://github.com/tpm2-software/tpm2-pkcs11/releases/tag/1.3.1-RC0 With the following changelog: 1.3.1-RC0 - 2020-07-21 * Fix double free. Thanks, Bill

1 year, 11 months

1
0
0 / 0

Re: Help required in using the FAPI

by Roberts, William C

Don't know why this came through from owners list, Adding back the mailing list. My response inline below. > -----Original Message----- > From: Roberts, William C > Sent: Monday, July 20, 2020 2:11 PM > To: Phani Srinivas <phani.srinivas(a)in.abb.com>; tpm2-owner(a)lists.01.org > Subject: RE: Help required in using the FAPI > > > > > -----Original Message----- > > From: Phani Srinivas <phani.srinivas(a)in.abb.com> > > Sent: Monday, July 20, 2020 12:49 PM > > To: tpm2-owner(a)lists.01.org > > Subject: Help required in using the FAPI > > > > Hello All, > > > > > > > > Need support in using the FAPI layer of TSS, have some questions > > related to it after started using the git hub project > > > > > > > > * Does FAPI_createKey support symmetric key creation > > No, as most TPMs don't support symmetric key operations via encrypdecrypt > interface. > > > * Is there any Template for the crypto profile used in FAPI > > Yes, see: > https://github.com/tpm2-software/tpm2-tss/tree/master/dist/fapi-profiles > > > * How to specify the Unique value in the profile while creating the SRK > > I don't think there is.... the SRK follows the EK but with a few changes. > https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0- > Provisioning-Guidance-Published-v1r1.pdf > https://trustedcomputinggroup.org/wp- > content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf > > So the unique values come from reading the NV index and it looks like > ifapi_init_primary_async() handles that case. > https://github.com/tpm2-software/tpm2- > tss/blob/72ecf7c1eec2c40f9daf93f9ac3eaedc5afb95e0/src/tss2-fapi/fapi_util.c > > > * Can multiple profiles be used in FAPI and provisioned individually > > Not sure, but you can set the fapi config in use via TSS2_FAPICONF. So you can > have N setups, but one is system Wide default. > > > > > > > > > Regards > > > > Phani Srinivas S > > > > R&D Principal Engineer, ABB > > > >

1 year, 11 months

1
0
0 / 0

tpm2-tss v3.0.0-rc0

by Tadeusz Struk

Hello, I'm happy to announce the first release candidate for tpm2-tss v3.0.0. It can be found here: https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.0-rc0 There are two backwards compatibility breaking changes between 3.0.0 and 2.4.x. As always all the changes and fixes are listed in the CHANGELOG.md file. Any feedback welcomed. Thanks, -- Tadeusz

1 year, 11 months

1
0
0 / 0

2022

2021

2020

2019

2018

2017

tpm2 July 2020