Re: CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory for object contexts
by Petr Gotthard
Bill,
we solved this particular issue, but I expect more resource-related troubles are yet to come.
Example 1: OpenSSL often duplicates hash sequences: To hash sequences A,B,C1 and then A,B,C2 they first hash A,B, then duplicate/fork the hash sequence and then complete the hash first for C1 and then for C2. This is a great performance optimization, but when too many dup (forks) are made, the TPM runs out of objects.
Example 2: The CMP key update needs 4 objects to operate (old client key, new client key, server key and hash sequence), but the kernel RM (tpm_space.context_tbl) allows only 3 objects. (If I am right.)
In general, the OpenSSL code often pre-loads or caches objects, which will be used later, which causes troubles with the space-constrained TPM. I was not sure whether the tpm2-openssl provider should act as another level of a resource manager and swap the objects to simulate more space than available on the TPM hardware, or whether this is something the resource manager could/should do.
It's definitely a nice problem to think about and most likely something which will need to be addressed in the tpm2-openssl 2.0.
Petr
______________________________________________________________
> From: "Roberts, William C" <william.c.roberts(a)intel.com>
> To: "Chris Newman" <chris(a)mode51.software>, "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>, "Petr Gotthard" <petr.gotthard(a)centrum.cz>
> Date: 08.10.2021 17:46
> Subject: [tpm2] Re: CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory for object contexts
>
That's:
tpm2_rc_decode 0x00000902
tpm:warn(2.0): out of memory for object contexts
Are you running against a resource manager? You should probably either use /dev/tpmrm0 or tpm2-abrmd.
You can set the TCTI via the TPM2OPENSSL_TCTI which AFAICT takes strings like tpm2-tools, so something like: "device:/dev/tpmrm0" or "abrmd".
This also might be a bug, the provider is pretty new. Petr any other ideas I am missing?
Bill
From: Chris Newman <chris(a)mode51.software>
Sent: Sunday, October 3, 2021 6:40 PM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory for object contexts
Hi,
I create an EK and AK using tpm2_createek, tpm2_createak and tpm2_evictcontrol to persist the AK in 0x81010002. Then I use the following command with DigiCert's CMPv2 server:
openssl cmp -config /opt/sdk/openssl/current/ssl/openssl.cnf -provider tpm2 -provider default -propquery ?provider=tpm2,tpm2.digest!=yes -cmd ir -server https://demo.one.digicert.com/iot/api/v1/cmp/IOT_1234 -ref 1234 -secret pass:1234 -recipient "/CN=mode51.software" -key handle:0x81010002 -subject "/CN=TestTest" -cacertsout ./capubs.pem -certout ./cl_cert.pem -tls_used -verbosity 8
I get the following error:
DIGEST NEW
DIGEST INIT
DIGEST UPDATE
DIGEST DUP
DIGEST FINAL
DIGEST FREE
DIGEST NEW
DIGEST INIT
DIGEST UPDATE
DIGEST NEW
DIGEST INIT
DIGEST UPDATE
DIGEST DUP
WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x00000902)
DIGEST FREE
DIGEST FREE
DIGEST FREE
CMP DEBUG: disconnected from CMP server
CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory for object contexts
CMP error: not able to copy ctx
CMP error: internal error
CMP error: error sending
CMP error: shutdown while in init
CMP error: transfer error:request sent: IR, expected response: IP
RSA FREE
RAND FREE
RAND FREE
RAND FREE
PROVIDER TEARDOWN
I've tried tpm2_flushcontext -t.
I recompiled tpm2-openssl with the following option and that appears to have worked around the issue:
--disable-op-digest
Is this what "?provider=tpm2,tpm2.digest!=yes" should effectively do?
--
Chris Newman
https://mode51.software <https://mode51.software>
@mode51software <https://twitter.com/mode51software>
8 months, 2 weeks
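Added example (not part of the thread and not tpm2-openssl code): a replay of the DIGEST trace from the report above, showing how the fork pattern described in "Example 1" runs into a fixed object limit. The slot model (INIT and DUP each take one object slot, FINAL releases it, FREE releases a still-live sequence) and the default of 3 slots are assumptions; `replay` and `min_slots_needed` are hypothetical names.

```python
# Added example (assumed slot model, not tpm2-openssl's own code).
# DIGEST lines copied from the posted trace; esys WARNING/ERROR lines omitted.
TRACE = """\
DIGEST NEW
DIGEST INIT
DIGEST UPDATE
DIGEST DUP
DIGEST FINAL
DIGEST FREE
DIGEST NEW
DIGEST INIT
DIGEST UPDATE
DIGEST NEW
DIGEST INIT
DIGEST UPDATE
DIGEST DUP
DIGEST FREE
DIGEST FREE
DIGEST FREE
"""

def replay(trace, slots=3):
    """Return (peak_live, first_failed_line, live_at_end) for the trace."""
    live = finalized = peak = 0   # finalized: completed contexts awaiting FREE
    failed_at = None
    for no, line in enumerate(trace.splitlines(), 1):
        op = line.strip()
        if op in ("DIGEST INIT", "DIGEST DUP"):   # assumed: one slot each
            if live >= slots:                      # no free slot: the op fails
                failed_at = failed_at or no
                continue
            live += 1
            peak = max(peak, live)
        elif op == "DIGEST FINAL" and live:        # assumed: completing frees the slot
            live -= 1
            finalized += 1
        elif op == "DIGEST FREE":
            if finalized:                          # context was already completed
                finalized -= 1
            elif live:                             # still-live sequence is flushed
                live -= 1
    return peak, failed_at, live

def min_slots_needed(trace):
    """Smallest slot count with no failure (lower bound: the run stopped at the error)."""
    n = 1
    while replay(trace, n)[1] is not None:
        n += 1
    return n
```

With the assumed 3 slots the replay fails at the second DIGEST DUP, the same point at which the posted log shows the Esys_ContextLoad error.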
CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory for object contexts
by Chris Newman
Hi,
I create an EK and AK using tpm2_createek, tpm2_createak and
tpm2_evictcontrol to persist the AK in 0x81010002. Then I use the
following command with DigiCert's CMPv2 server:
openssl cmp -config /opt/sdk/openssl/current/ssl/openssl.cnf -provider
tpm2 -provider default -propquery ?provider=tpm2,tpm2.digest!=yes -cmd
ir -server https://demo.one.digicert.com/iot/api/v1/cmp/IOT_1234 -ref
1234 -secret pass:1234 -recipient "/CN=mode51.software" -key
handle:0x81010002 -subject "/CN=TestTest" -cacertsout ./capubs.pem
-certout ./cl_cert.pem -tls_used -verbosity 8
I get the following error:
DIGEST NEW
DIGEST INIT
DIGEST UPDATE
DIGEST DUP
DIGEST FINAL
DIGEST FREE
DIGEST NEW
DIGEST INIT
DIGEST UPDATE
DIGEST NEW
DIGEST INIT
DIGEST UPDATE
DIGEST DUP
WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad()
Esys Finish ErrorCode (0x00000902)
DIGEST FREE
DIGEST FREE
DIGEST FREE
CMP DEBUG: disconnected from CMP server
*CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory
for object contexts*
CMP error: not able to copy ctx
CMP error: internal error
CMP error: error sending
CMP error: shutdown while in init
CMP error: transfer error:request sent: IR, expected response: IP
RSA FREE
RAND FREE
RAND FREE
RAND FREE
PROVIDER TEARDOWN
I've tried tpm2_flushcontext -t.
I recompiled tpm2-openssl with the following option and that appears to
have worked around the issue:
--disable-op-digest
Is this what "?provider=tpm2,tpm2.digest!=yes" should effectively do?
--
Chris Newman
https://mode51.software <https://mode51.software>
@mode51software <https://twitter.com/mode51software>
mode51 Software Ltd is registered in England and Wales
Company Number 13007792 Registered Office 3 Orchard Way, CB24 1AG, UK
GPG Encryption key
<https://mode51.software/downloads/chrisnewman-mode51-pub-20201111.asc>
8 months, 3 weeks
TCG CodeGen Developer Challenge
by Fuchs, Andreas
Hi all,
I'm forwarding this email by Chloe who tried to reach the mailing list:
On behalf of the TCG Marketing Work Group, we would like to spread the word about the TCG CodeGen Developers Challenge. May we send the following information to the mailing list, please? Many thanks!
“Registration for Trusted Computing Group (TCG)’s Virtual CodeGen Developer Challenge is open now! The week-long event, taking place October 18-22, 2021, will ask developers to create a functional prototype built off a TCG standard. The challenge will provide an opportunity for brilliant talents to create their works with the help of TCG mentors, who will be virtually available throughout the event, while also experiencing the unforgettable thrill of coming together with peers who share the same passion for digital technology and innovation. Competing developers have the chance to win up to US$5,000.
The theme of the challenge will be “Pervasive Security and Application of TCG standards in software and hardware development”. Participants will have the opportunity to create solutions that can make an impact for the security community, as well as SW and HW developers seeking to integrate security into their platforms. The challenge is open to both teams and individuals, and whoever impresses the judges most will be awarded. The event is free and open to non-TCG members only, as well as individuals from TCG member companies who have not had an active member login to the technical Work Groups.
Registration deadline for the challenge is Monday, October 11, 2021. Register at: https://bit.ly/3FnRT9u
For more information on how to get involved, please visit the TCG website. An overview video about participation and the prizes that are up for grabs is also available on YouTube.”
Kind regards,
Chloe Groom
PR Consultant
PROACTIVE INTERNATIONAL PR
OFFICE: +44 (0)1636 704888
MOBILE: +44 (0)7384254585
TWITTER: @Proactive_PR<http://twitter.com/#!/Proactive_PR>
www.proactive-pr.com<http://www.proactive-pr.com/>
8 months, 3 weeks