July 2021 - tpm2 - Ml01.01.Org

by scott.r.eisele＠gmail.com

Hi everyone! I'm trying to use a TPM to secure ssh keys, following the example here: https://incenp.org/notes/2020/tpm-based-ssh-key.html First, is this a standard way to secure ssh keys? Or is there another method that is preferred? Assuming this method is acceptable, I made it to the point of extracting the public key from the PKCS11 token but ran into an issue. $ ssh-keygen -vvv -D /usr/local/lib/libtpm2_pkcs11.so > tpm2key1.pub WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List ERROR: Listing FAPI token objects failed. debug1: provider /usr/local/lib/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0 debug1: provider /usr/local/lib/libtpm2_pkcs11.so slot 0: label <firstToken> manufacturerID <Infineon> model <SLB9670> serial <000000000000000> flags 0x40d debug1: have 1 keys debug2: pkcs11_register_provider: ignoring uninitialised token in provider /usr/local/lib/libtpm2_pkcs11.so slot 1 debug1: pkcs11_k11_free: parent 0xaaaaf0703630 ptr 0xaaaaf06ed350 idx 1 debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 2 debug1: pkcs11_provider_finalize: 0xaaaaf0692300 refcount 1 valid 1 debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 1 I then tried running Fapi_List() directly: $ sudo tss2_list WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:216:Fapi_List_Finish() Path not found: ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List Fapi_List(0x60034) - fapi:Provisioning was not executed. And assumed that provisioning was required. So I attempted that: $ sudo tss2_provision ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:520:Fapi_Provision_Finish() ErrorCode (0x0006000b) SRK persistent handle already defined ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x0006000b) Provision Fapi_Provision(0x6000B) - fapi:A parameter has a bad value At this point, I'm at a loss as to what the state of the TPM is and how to properly provision it and establish the Storage Hierarchy. I've looked at https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisi... but it's not clear to me how to apply it. Any help would be great. Thanks! My platform configuration is: raspberry pi 3b+ Infineon OPTIGA™ TPM SLx 9670 ubuntu 20.04 tpm2-tss-3.1.0 tpm2-tools-5.1.1 tpm2-abrmd-2.4.0 tpm2-pkcs11-1.6.0

5 months, 3 weeks

3
3
0 / 0

Is the tpm2_create command safe against sniffing attacks?

by Joseph Lee (ZeronsoftN)

Hello, https://pulsesecurity.co.nz/articles/TPM-sniffing In this article, can see that communication with the TPM is vulnerable to sniffing if not careful. https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html Is the disk encryption described in tpm2-software's blog safe against these attacks? tpm2_createprimary -Q -C o -c prim.ctx dd if=/dev/urandom bs=1 count=32 status=none | tpm2_create -Q -g sha256 -u seal.pub -r seal.priv -i- -C prim.ctx tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c seal.ctx tpm2_evictcontrol -C o -c seal.ctx 0x81010001 My question is: 1. Is there a tool in linux that can sniff communication with the current system's TPM? 2. How to encrypt communications if the methods described above are not secure? It seems that encryption is possible through tpm2_startauthsession , but I do not know how to apply it to tpm2_create (The -S option simply did not work.) Thank you.

5 months, 3 weeks

2
1
0 / 0

Luxurious 2/3/4Bhk Apartments & Penthouse in Ace Divino at Greater noida

by Ravi Sharma

Ace has a growing array of various exceptional private ventures and now they showcase one of the ongoing projectsin Noida Extension. Project Ace Divino has an excellent site plan and format configuration, guaranteed to provide a cool, dynamic, energetic and secure gated experience.If you have any Query visit Now:- http://acedivino.org/

5 months, 3 weeks

1
1
0 / 0

Is the tpm2_create command safe against sniffing attacks?

by Joseph Lee (ZeronsoftN)

Hello, https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html

5 months, 4 weeks

1
0
0 / 0

Re: Want to use c++ to get TPM Serial Number - how do it?

by Roberts, William C

Getting the EK is not as easy as one would expect, it depends on how the TPM manufacturer provisions it. Some require that you generate the EK and then get a hash and look it up online, some store it in NV indices. IIRC, Infineon TPM's store them in NV incidces. The tpm2_getekcertificate tool looks in the following NV indices: #define RSA_EK_CERT_NV_INDEX 0x01C00002 #define ECC_EK_CERT_NV_INDEX 0x01C0000A Since the EK is a primary key, you usually need to create it with a template defined in the link below. This will then create a key that matches the manufacturer generated EK Certificate. IIRC the NV indices and templates needed are covered in: - https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_P... So this would involve a NV read using the C API would look like calling the function Esys_NV_Read(). ________________________________ From: Andy Purcell <andy_purcell(a)keysight.com> Sent: Tuesday, July 20, 2021 12:18 PM To: tpm2(a)lists.01.org <tpm2(a)lists.01.org> Subject: [tpm2] Want to use c++ to get TPM Serial Number - how do it? I have a need to use C++ to obtain the unique TPM information – like a Serial Number. My system is running Windows 10/64. This is on an HP Desktop PC with TPM 2.0 chip. I can use PowerShell Get-TpmEndorsementKeyInfo -hashalgorithm sha256 To get this output: … ManufacturerCertificates : {[Subject] TPMVersion=id:073E, TPMModel=SLB 9670 TPM2.0, TPMManufacturer=id:49465800 [Issuer] CN=Infineon OPTIGA(TM) RSA Manufacturing CA 034, OU=OPTIGA(TM) TPM2.0, O=Infineon Technologies AG, C=DE … [Serial Number] 4880DE8E [Thumbprint] B8395DA6A1D661C8CCD35D47E3DA6E9532EFFEC4 But how can I get this same Serial Number information using C++? ap

6 months, 1 week

1
0
0 / 0

Want to use c++ to get TPM Serial Number - how do it?

by Andy Purcell

I have a need to use C++ to obtain the unique TPM information - like a Serial Number. My system is running Windows 10/64. This is on an HP Desktop PC with TPM 2.0 chip. I can use PowerShell Get-TpmEndorsementKeyInfo -hashalgorithm sha256 To get this output: ... ManufacturerCertificates : {[Subject] TPMVersion=id:073E, TPMModel=SLB 9670 TPM2.0, TPMManufacturer=id:49465800 [Issuer] CN=Infineon OPTIGA(TM) RSA Manufacturing CA 034, OU=OPTIGA(TM) TPM2.0, O=Infineon Technologies AG, C=DE ... [Serial Number] 4880DE8E [Thumbprint] B8395DA6A1D661C8CCD35D47E3DA6E9532EFFEC4 But how can I get this same Serial Number information using C++? ap

6 months, 1 week

1
0
0 / 0

TPM, ECDAA and FIDO

by vincebezzina＠3dsecurempi.com

Hi All New to TPM. Trying to verify the signature for TPM attestation. Does TPM use ECDAA for signatures ? Is there a way to verify such a signature in Java ? Hopefully questions on the right forum. Information on ECDAA is very thin.

6 months, 2 weeks

1
0
0 / 0

2022

2021

2020

2019

2018

2017

tpm2 July 2021