Possible TPM uses in fprintd/libfprint
by Benjamin Berg
Hi,
I was wondering if someone has ideas about integrating the TPM with
Fingerprint readers.
Recently I started looking into supporting Secure Device Connection
Protocol (SDCP, [1]) in libfprint. The general idea is to verify that
the Fingerprint reader can be trusted, but I initially also imagined
that further use-cases like unsealing data in a TPM may be possible
(e.g. to retrieve disk encryption keys).
However, looking into it more, my current conclusion is that there is
little to no advantage to using the TPM. At least not unless one also has
a trusted (userspace) program which is capable of signing TPM
authorizations. One could easily offload the required parts into a
small helper, but that may require ensuring it runs in a trusted
execution environment.
Microsoft seems to run relevant parts as trustlets that are walled off
from the rest of the system. That seems sensible to me, but it also
means requiring all the infrastructure for execution and signing and I
doubt that is feasible currently.
Right now I'll probably go the way of not using the TPM at all. But I
am really not an expert on this. So should someone see scenarios where
a TPM is actually helpful in this context, then I would like to hear
about them.
Benjamin
PS: A quick summary of how SDCP works:
* Device has a private ECC key that signs the firmware and ephemeral
keys during boot (and is inaccessible afterwards)
* A certificate proves that this key was provisioned in the factory
* Device builds a shared secret with the host (s)
* Device sends id, HMAC_SHA256(s, "identify" || nonce || id)
when the finger "id" was presented.
* The HMAC proves knowledge of the shared secret and authorizes the
print.
[1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...
1 week, 2 days
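The identify step from the summary above, as an added example that is not part of Benjamin's post, of libfprint, or of Microsoft's SDCP code: a device-side function computes HMAC_SHA256(s, "identify" || nonce || id) and a host-side verifier checks it against a nonce it issued itself. The shared secret s is a constructed constant here; the real protocol derives it from the device's ECC key agreement and checks the factory certificate first, and the exact SDCP field encodings and lengths are an assumption of this example. The point it adds to the summary is what the host has to enforce for the HMAC to actually authorize a print: a fresh, one-shot nonce per identify call, a constant-time comparison, and rejection of a reused nonce, a swapped id, or a device that does not hold s.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the ECDH-derived shared secret s (assumption:
# the real value comes from the device/host key agreement, not a constant).
SHARED_SECRET = bytes(range(32))
LABEL = b"identify"  # label from the summary; exact SDCP encoding is assumed


def device_identify(s, nonce, finger_id):
    """Device side: return (id, mac) for a presented finger (constructed)."""
    mac = hmac.new(s, LABEL + nonce + finger_id, hashlib.sha256).digest()
    return finger_id, mac


class Host:
    """Host side: issues one-shot nonces and verifies the device's HMAC."""

    def __init__(self, s):
        self._s = s
        self._pending = None  # nonce outstanding for the current identify call

    def start_identify(self):
        self._pending = secrets.token_bytes(32)
        return self._pending

    def verify(self, nonce, finger_id, mac):
        # Only a nonce this host issued, and only once: a replayed message
        # fails here even though its HMAC is still valid for the old nonce.
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            return False
        self._pending = None
        expected = hmac.new(self._s, LABEL + nonce + finger_id, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def run_legit():
    host = Host(SHARED_SECRET)
    nonce = host.start_identify()
    fid, mac = device_identify(SHARED_SECRET, nonce, b"\x00\x00\x00\x07")
    return host.verify(nonce, fid, mac)


def run_replay():
    # Capture a valid (nonce, id, mac) and present it again on a new call.
    host = Host(SHARED_SECRET)
    nonce = host.start_identify()
    fid, mac = device_identify(SHARED_SECRET, nonce, b"\x00\x00\x00\x07")
    assert host.verify(nonce, fid, mac)
    host.start_identify()  # host expects a different nonce now
    return host.verify(nonce, fid, mac)


def run_tampered_id():
    # A man-in-the-middle rewrites the finger id without knowing s.
    host = Host(SHARED_SECRET)
    nonce = host.start_identify()
    _, mac = device_identify(SHARED_SECRET, nonce, b"\x00\x00\x00\x07")
    return host.verify(nonce, b"\x00\x00\x00\x01", mac)


def run_wrong_secret():
    # A device that never completed the key agreement cannot produce the MAC.
    host = Host(SHARED_SECRET)
    nonce = host.start_identify()
    fid, mac = device_identify(b"\xff" * 32, nonce, b"\x00\x00\x00\x07")
    return host.verify(nonce, fid, mac)


if __name__ == "__main__":
    print("legit:", run_legit(), "replay:", run_replay(),
          "tampered:", run_tampered_id(), "wrong secret:", run_wrong_secret())
```

Note what this does not give you, which is the post's conclusion: the host-side verifier holds s in ordinary userspace memory, so anything that can read fprintd's memory can forge the HMAC just as well as the device can; a TPM only adds value if this verifier itself runs somewhere the rest of the system cannot reach.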
How to use a salted HMAC session with Esys_TR_FromTPMPublic ?
by Diego Santa Cruz
Hi there,
I am using Esys_TR_FromTPMPublic() in an application to get an Esys TR handle for an NV-index. It works well when I use no sessions, but the ESYS spec recommends using a salted HMAC session when reading an NV-index with this command.
But when I use a salted HMAC session I get an "attribute mismatch" error on the session from the TPM. Looking through the library specification I understand that the NV_ReadPublic command, which is used by Esys_TR_FromTPMPublic(), only accepts audit and encrypting sessions, but not simple salted HMAC sessions.
So how should I go about using Esys_TR_FromTPMPublic() with salted HMAC sessions? Or how should I go about ensuring the data I get from the TPM (e.g., name) for the NV-index can be trusted?
BTW, the tpm2-tss version installed on my test system is 2.3.2
Thanks,
Diego
--
Diego Santa Cruz, PhD
Technology Architect
spinetix.com
1 year, 9 months
Configure tss2_esys libs and header file locations?
by Millsap, Michael G
Hello,
I'm building TPM2 TSS & Tools in a container, similar to building it to create a package, and Tools is failing because it can't find the esys libs and header file. Is there a './configure' option to point to the location where I have them? The TSS install doc documents many configure options, but the tools install doc doesn't.
Thanks,
Mike
1 year, 9 months
tpm2-totp v0.3.0_rc0
by Jonas Witschel
Hi everyone,
I have published a release candidate for tpm2-totp 0.3.0:
https://github.com/tpm2-software/tpm2-totp/releases/tag/v0.3.0_rc0
This release features the following changes:
- New option --label to specify the label to use in the TOTP authenticator app.
- User-friendly error messages for common error conditions.
- Support for running the integration tests with the swtpm simulator.
Any testing and feedback is very welcome.
Cheers,
Jonas
1 year, 9 months
Building tpm2-tss-3.0.1-rc0 on OmniOS?
by John Connett
I'm attempting to build tpm2-tss-3.0.1-rc0 on the latest version of
OmniOS (https://omniosce.org/).
$ cat /etc/os-release
NAME="OmniOS"
PRETTY_NAME="OmniOS Community Edition v11 r151034r"
CPE_NAME="cpe:/o:omniosce:omnios:11:151034:18"
ID=omnios
VERSION=r151034r
VERSION_ID=r151034r
BUILD_ID=151034.18.2020.08.29
HOME_URL="https://omniosce.org/"
SUPPORT_URL="https://omniosce.org/"
BUG_REPORT_URL="https://github.com/omniosorg/omnios-build/issues/new"
$
I think I have the prerequisites installed either from the release or
from pkgsrc (https://pkgsrc.joyent.com/). I have also set the following
environment variables:
export PATH=/opt/local/sbin:/opt/local/bin:$PATH
export MANPATH=/opt/local/man:/usr/share/man
export PKG_CONFIG_PATH=/opt/local/lib/pkgconfig
export MAKE=gmake
I have made the following modification to recognise the OS:
$ diff -u configure.ac.orig configure.ac
--- configure.ac.orig Wed Sep 9 08:01:43 2020
+++ configure.ac Thu Sep 10 10:53:18 2020
@@ -44,6 +44,11 @@
HOSTOS='BSD'
LIBSOCKET_LDFLAGS=""
;;
+ *solaris*)
+ HOSTOS='SOLARIS'
+ ADD_COMPILER_FLAG([-D__EXTENSIONS__])
+ LIBSOCKET_LDFLAGS="-lsocket -lnsl"
+ ;;
*)
#Assume linux
HOSTOS='Linux'
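Review bot: HOSTOS='SOLARIS' is a new value for a variable the rest of the build keys on, so check every place in configure.ac and the Makefile.am files that compares HOSTOS against 'Linux' or 'BSD' and make sure the new value is handled there instead of falling through to the "Assume linux" default this hunk sits next to. Likewise confirm that LIBSOCKET_LDFLAGS is actually added to the link line of every target that uses sockets (the socket TCTI and the simulator-based tests), since "-lsocket -lnsl" only helps where the variable is referenced. Finally, verify the `*solaris*` glob against the triple config.guess prints on OmniOS before relying on it, since the case statement is keyed on that string.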
$
This is what I see when I run bootstrap:
$ ./bootstrap
Generating file lists: src_vars.mk
aclocal: installing 'm4/libtool.m4' from '/usr/share/aclocal/libtool.m4'
aclocal: installing 'm4/ltdl.m4' from '/usr/share/aclocal/ltdl.m4'
aclocal: installing 'm4/ltoptions.m4' from '/usr/share/aclocal/ltoptions.m4'
aclocal: installing 'm4/ltsugar.m4' from '/usr/share/aclocal/ltsugar.m4'
aclocal: installing 'm4/ltversion.m4' from '/usr/share/aclocal/ltversion.m4'
aclocal: installing 'm4/lt~obsolete.m4' from
'/usr/share/aclocal/lt~obsolete.m4'
aclocal: installing 'm4/pkg.m4' from '/usr/share/aclocal/pkg.m4'
libtoolize: putting auxiliary files in '.'.
libtoolize: linking file './ltmain.sh'
configure.ac:21: error: possibly undefined macro: AC_SUBST
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:68: error: possibly undefined macro: AS_IF
configure.ac:101: error: possibly undefined macro: AC_MSG_ERROR
configure.ac:130: error: possibly undefined macro: AC_MSG_WARN
autoreconf: /usr/bin/autoconf failed with exit status: 1
$
I don't have much experience with autotools. Can anyone spot if I have
made an obvious mistake? The first error reported is for this line:
AC_SUBST([DISTCHECK_CONFIGURE_FLAGS],[$ac_configure_args])
I am aware of other issues with OmniOS: make => gmake; tar => gtar;
doesn't have _DIRENT_HAVE_D_TYPE defined; requires explicit use of
"#include <stdarg.h>" on more files. However, there seems to be a good chance
it could be made to work with the simulators (OmniOS doesn't yet have a
TPM2 device driver).
Has anyone else tried building on other flavours of Illumos/Solaris?
--
John
1 year, 9 months