I am pleased to announce the release of the tpm2-pytss (python bindings and utilities) version 1.0.0 RC 1 with the following CHANGELOG over RC0:
## [1.0.0-rc1] - 2022-01-10
- Misspellings in Code on things like RuntimeError.
- Fix documentation of ESAPI methods and exceptions.
- Double ESAPI.Close call resulting in "Esys_Finalize() Finalizing NULL context."
- type hint for verify_signature was an int, should be a str.
- Parent cdata memory being freed when no parent reference. This causes sub-field references to parent cdata to
- in util method unwrap, fix variable `encdupsens` does not exist, it is `decsens` instead.
- Renamed ESAPI.set_auth to ESAPI.tr_set_auth for consistenency.
- Use None over 0 for default auth_handle.
- Check for bad type enum type in ESAPI.load_blob.
- Support for deprecation of `TPM2_RH_PW` in tpm2-tss with proper TPM2_RS_PW attribute.
The release can be found here:
Sorry for the long delay on this RC period, we wanted to make sure we got as much bugs and broken things before the
1.0 release to help minimize breaking changes in the future.
I was wondering if someone has ideas about integrating the TPM with
Recently I started looking into supporting Secure Device Connection
Protocol (SDCP, ) in libfprint. The general idea is to verify that
the Fingerprint reader can be trusted, but I initially also imagined
that further use-cases like unsealing data in a TPM may be possible
(e.g. to retrieve disk encryption keys).
However, looking into it more, my current conclusion is that there is
little to no advantage to use the TPM. At least not unless one also has
a trusted (userspace) program which is capable of signing TPM
authorizations. One could easily offload the required parts into a
small helper, but that may require ensuring it runs in a trusted
Microsoft seems to run relevant parts as trustlets that are walled off
from the rest of the system. That seems sensible to me, but it also
means requiring all the infrastructure for execution and signing and I
doubt that is feasible currently.
Right now I'll probably go the way of not using the TPM at all. But I
am really not an expert for this. So should someone see scenarios where
a TPM is actually helpful in this context, then I would like to hear
PS: A quick summary of how SDCP works:
* Device has a private ECC key that signs the firmware and ephemeral
keys during boot (and is inaccessible afterwards)
* A certificate proofs that this key was provisioned in factory
* Device builds a shared secret with the host (s)
* Device sends id, HMAC_SHA256(s, "identify" || nonce || id)
when the finger "id" was presented.
* The HMAC proofs knowledge of the shared secret and authorizes the
I am struggling to figure out how the following scenario could work:
let's say I have a C application where I created a persistent key pair
via Fapi_CreateKey(), the key can be identified by its path,
typically something like "HS/SRK/mykey".
Now, let's assume I need to use that key from OpenSSL as well, via the engine
option, i.e. "-engine tpm2tss", what I am failing to understand is - how do
I pass the path/key identifier, to tell OpenSSL which key to use?
All examples in the tpm2-tss-engine README somehow assume that you first
used tpm2tss-genkey which produces an actual key file in the fs, and then
this file is being used in OpenSSL?
tpm2tss-genkey -a rsa -s 2048 mykey
openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
openssl pkeyutl -pubin -inkey mykey.pub -in mydata -encrypt -out mycipher
openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -decrypt -in mycipher -out mydata
I naively tried passing "-in HS/SRK/mykey", but of course it did not work.
So what is the correct way to do it, if the key has not been generated using
tpm2tss-genkey, but if the key has been created via the Fapi_CreateKey()
My actual scenario is, that my application is using libmosquitto which in
turn needs to use the private key which I have in TPM. The library uses OpenSSL
and allows to pass equivalents of "-engine" and "-keyform" parameters to the
OpenSSL library. The question however remains the same as with the above
command line example - how do I select the key, if "mykey" is not a file, but
something that is stored in TPM?
I am not an expert in any of those TPM or security related questions, so I may
very well misunderstand how this is supposed to work overall, so far I was not
able to figure it out by studying the docs, I hope someone has a hint for me.
I’m trying to create a primary key using an authenticated and encrypted session.
I looked at the man page for tpm2_createprimary https://github.com/tpm2-software/tpm2-tools/blob/1226b5333e0f051edf677397...
It does not seem to be possible - there is no way to specify the session to use.
However, it is possible to do this in the IBM TSS equivalent https://www.mankier.com/1/tsscreateprimary
I noticed you can specify a session for other commands though, like tpm2_create, but not with tpm2_createprimary.
Is this a missing feature or am I missing some fundamental understanding?