Possible TPM uses in fprintd/libfprint
by Benjamin Berg
Hi,
I was wondering if someone has ideas about integrating the TPM with
Fingerprint readers.
Recently I started looking into supporting Secure Device Connection
Protocol (SDCP, [1]) in libfprint. The general idea is to verify that
the Fingerprint reader can be trusted, but I initially also imagined
that further use-cases like unsealing data in a TPM may be possible
(e.g. to retrieve disk encryption keys).
However, looking into it more, my current conclusion is that there is
little to no advantage to using the TPM. At least not unless one also has
a trusted (userspace) program which is capable of signing TPM
authorizations. One could easily offload the required parts into a
small helper, but that may require ensuring it runs in a trusted
execution environment.
Microsoft seems to run relevant parts as trustlets that are walled off
from the rest of the system. That seems sensible to me, but it also
means requiring all the infrastructure for execution and signing and I
doubt that is feasible currently.
Right now I'll probably go the way of not using the TPM at all. But I
am really not an expert in this. So should someone see scenarios where
a TPM is actually helpful in this context, then I would like to hear
about them.
Benjamin
PS: A quick summary of how SDCP works:
* Device has a private ECC key that signs the firmware and ephemeral
keys during boot (and is inaccessible afterwards)
* A certificate proves that this key was provisioned in factory
* Device builds a shared secret with the host (s)
* Device sends id, HMAC_SHA256(s, "identify" || nonce || id)
when the finger "id" was presented.
* The HMAC proves knowledge of the shared secret and authorizes the
print.
[1] https://github.com/microsoft/SecureDeviceConnectionProtocol/wiki/Secure-D...
1 week, 2 days
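The host-side check of the identify MAC from the summary above, as an added illustration that is neither part of the original post nor libfprint code. It assumes the shared secret s is already established (a constructed 32-byte value stands in for the key-agreement result) and follows the simplified formula HMAC_SHA256(s, "identify" || nonce || id) rather than the full SDCP key schedule.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for the shared secret "s" from the summary above;
# in SDCP it results from the device/host key agreement at connect time.
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def device_identify_mac(secret: bytes, nonce: bytes, finger_id: bytes) -> bytes:
    """What the device sends: HMAC_SHA256(s, "identify" || nonce || id)."""
    return hmac.new(secret, b"identify" + nonce + finger_id, hashlib.sha256).digest()


class SdcpHost:
    """Host side: hands out fresh nonces and verifies the device's MAC.

    A nonce is single-use, so a captured (id, MAC) pair cannot be replayed
    to authorize a later match; an unknown nonce is rejected outright.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: set[bytes] = set()

    def new_nonce(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending.add(nonce)
        return nonce

    def verify_identify(self, nonce: bytes, finger_id: bytes, mac: bytes) -> bool:
        # Unknown or already-consumed nonce: reject before doing any crypto.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)  # consume it regardless of the outcome
        expected = device_identify_mac(self._secret, nonce, finger_id)
        # Constant-time comparison so the MAC is not leaked via timing.
        return hmac.compare_digest(expected, mac)
```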
Calculating name of created AK- server side
by kuba.michal.n@gmail.com
Hello!
I would like to know if it is possible to calculate the name of an AK generated by the host on a remote server? I have read about remote attestation. To ensure the AK matches the EK we have to make a credential using the name of the AK. To achieve this we have to either:
a) calculate name of the AK on server
b) receive name of the AK from host and believe it's a name for a proper AK
Am I missing something?
I have searched for an explanation in the docs posted on TCG's site, but I just can't find anything useful for nameAlg.
I would be thankful for any help or advice :D
1 week, 5 days
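As an added illustration (not from the original post or from any TSS code): TPM 2.0 Part 1 defines an object's Name as nameAlg || H_nameAlg(marshaled TPMT_PUBLIC), so a server that receives the AK's public area (which it needs for MakeCredential anyway) can recompute the name itself instead of trusting one supplied by the host. The public-area bytes below are a constructed placeholder, not a real key.

```python
import hashlib
import hmac
import struct

# TPM_ALG_ID values for the hash algorithms a nameAlg may refer to.
TPM_ALG_HASH = {
    0x0004: "sha1",
    0x000B: "sha256",
    0x000C: "sha384",
    0x000D: "sha512",
}


def tpmt_public_from_tpm2b(buf: bytes) -> bytes:
    """Strip the 2-byte size prefix of a TPM2B_PUBLIC (e.g. tpm2_readpublic -o output)."""
    (size,) = struct.unpack(">H", buf[:2])
    if size != len(buf) - 2:
        raise ValueError("TPM2B_PUBLIC size field does not match buffer length")
    return buf[2:]


def compute_name(tpmt_public: bytes) -> bytes:
    """Name = nameAlg (2 bytes, big-endian) || H_nameAlg(TPMT_PUBLIC).

    The hash covers the marshaled TPMT_PUBLIC only, never a TPM2B size prefix.
    nameAlg is bytes 2..4 of TPMT_PUBLIC, directly after the 'type' field.
    """
    if len(tpmt_public) < 4:
        raise ValueError("TPMT_PUBLIC too short")
    (name_alg,) = struct.unpack(">H", tpmt_public[2:4])
    if name_alg not in TPM_ALG_HASH:
        raise ValueError(f"unsupported nameAlg 0x{name_alg:04x}")
    digest = hashlib.new(TPM_ALG_HASH[name_alg], tpmt_public).digest()
    return struct.pack(">H", name_alg) + digest


def name_matches(tpmt_public: bytes, claimed_name: bytes) -> bool:
    """Server-side check: does the name the host claims match its public area?"""
    return hmac.compare_digest(compute_name(tpmt_public), claimed_name)


# Constructed placeholder: type=TPM_ALG_RSA (0x0001), nameAlg=TPM_ALG_SHA256 (0x000B),
# then dummy bytes standing in for objectAttributes, authPolicy, parameters and unique.
SAMPLE_TPMT_PUBLIC = struct.pack(">HH", 0x0001, 0x000B) + bytes(range(28))
```

Feed the bytes of the real TPMT_PUBLIC the host sends to `compute_name` and use the result in MakeCredential; option (b) in the question is only needed if the server never sees the public area at all.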
abrmd crashing - how to debug?
by Kenneth Goldman
Ubuntu focal with WSL, abrmd compiled from source
After about 5 minutes of sending commands, abrmd crashes. I originally
found it with keylime, but I can reproduce it with a simple bash loop on
pcrread.
abrmd exits, the tool output is:
** (process:21067): CRITICAL **: 17:25:10.862: failed to allocate dbus
proxy object: Could not connect: Connection refused
WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for
function 0x7ff5f6dbbe10 failed with a0008
WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not
initialize TCTI named: tcti-abrmd
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not
initialize TCTI file: tabrmd
ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed
to instantiate TCTI
ERROR: Could not load tcti, got: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
How would I debug?
I would expect that nothing that a single application does should crash
abrmd.
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
2 months, 2 weeks
FAPI Provision Could not open: /HN
by Roberts, William C
I have never been able to run a successful tss2 provision command (ever), the most current error is this:
$ tss2 provision
ERROR:fapijson:src/tss2-fapi/ifapi_json_serialize.c:529:ifapi_json_IFAPI_OBJECT_serialize() Invalid call get_json ErrorCode (0x00060001)
ERROR:fapi:src/tss2-fapi/ifapi_keystore.c:710:ifapi_keystore_store_async() ErrorCode (0x00060001) Object for /home/wcrobert/.local/share/tpm2-tss/user/keystore//P_ECCP256SHA256/HN/object.json could not be serialized.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:1290:Fapi_Provision_Finish() ErrorCode (0x00060001) Could not open: /HN
WARNING:fapi:src/tss2-fapi/ifapi_io.c:421:ifapi_io_remove_directories() Removing: /usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/HS/SRK/object.json
WARNING:fapi:src/tss2-fapi/ifapi_io.c:421:ifapi_io_remove_directories() Removing: /usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/HS/object.json
WARNING:fapi:src/tss2-fapi/ifapi_io.c:421:ifapi_io_remove_directories() Removing: /usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/LOCKOUT/object.json
WARNING:fapi:src/tss2-fapi/ifapi_io.c:421:ifapi_io_remove_directories() Removing: /usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/HE/EK/object.json
WARNING:fapi:src/tss2-fapi/ifapi_io.c:421:ifapi_io_remove_directories() Removing: /usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/HE/object.json
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x00060001) Provision
Fapi_Provision(0x60001) - fapi:Catch all for all errors not otherwise specified
Any ideas?
System Details Below:
tpm2-tss version
pkg-config --modversion tss2-fapi
3.1.0-dev
tpm2-tss$ git describe 3.0.0-136-gc651d559d036
tpm2-tools version:
tss2 getrandom --version
tool="getrandom" version="5.0-92-g46ffe7eed571"
I have a working connection to a swtpm via tpm2-abrmd as confirmed by:
tpm2 getrandom --hex --tcti=tabrmd 4
I have modified my /usr/local/etc/tpm2-tss/fapi-config.json to include:
"ek_cert_less" : "yes"
"tcti": "tabrmd"
My user wcrobert is part of tss group:
$groups
wcrobert adm cdrom sudo dip plugdev lpadmin sambashare kvm libvirt tss docker
1 year, 3 months
does "unique-data" really work?
by Ted Kim
Folks,
Does unique-data option really work?
It did not seem to work for me in that the keys with different
"unique-data" seem identical.
If it does work, what version is needed?
Thanks,
-ted
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
1 year, 3 months
Dockerhub images gone, use Github Container Registry
by Roberts, William C
Dockerhub is no longer used; all the images are on the Github Container Registry:
https://github.com/orgs/tpm2-software/packages
Update your docker pull URLs to:
docker pull ghcr.io/tpm2-software/<image name>
Where <image name> was the tag name in the older Docker image land.
I meant to drop the Docker Hub a while ago, as those images were not getting updated once Dockerhub switched its billing model. When they did that,
the project had to move to Github Actions and the Github Container Registry.
Just as a warning for anyone using them, they are really intended for the CI systems and have never been evaluated beyond that
capacity. Use at your own risk and know they can disappear at any time.
1 year, 3 months
tpm2-abrmd bootstrap error
by Kenneth Goldman
Does anyone have working instructions to build abrmd from source on Ubuntu
16 xenial?
I did this,
http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz
fix, then got this:
libtoolize: putting auxiliary files in '.'.
libtoolize: linking file './ltmain.sh'
configure.ac:10: installing './compile'
configure.ac:13: installing './config.guess'
configure.ac:13: installing './config.sub'
configure.ac:15: installing './install-sh'
configure.ac:15: installing './missing'
aminclude_static.am:126: warning: .PHONY was already defined in condition
TRUE, which includes condition AUTOCONF_CODE_COVERAGE_2019_01_06 ...
Makefile.am:175: 'aminclude_static.am' included from here
Makefile.am:6: ... '.PHONY' previously defined here
Makefile.am:182: warning: AM_DISTCHECK_CONFIGURE_FLAGS multiply defined in
condition AUTOCONF_CODE_COVERAGE_2019_01_06 and CODE_COVERAGE_ENABLED ...
aminclude_static.am:100: ... 'AM_DISTCHECK_CONFIGURE_FLAGS' previously
defined here
Makefile.am:175: 'aminclude_static.am' included from here
Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
1 year, 3 months