tpm2-software / tpm2-software.github.io
Info about tpm2-software
Home Page: https://tpm2-software.github.io
Hi,
I'm just wondering if the main communication channel for IRC is happening on the freenode.net server or if this page should refer to libera.chat IRC server instead (like most FLOSS projects have moved to as well).
Hi. I copied all of the commands from this section and pasted them into a file tpm.sh:
#! /bin/sh
set -xe
mkdir -p tpm
cd tpm
dd if=/dev/urandom bs=1 count=32 status=none > pass.secret
tpm2_startauthsession -V -S session.ctx
tpm2_policypcr -V -Q -S session.ctx -l sha256:0 -L set2.pcr.policy
tpm2_flushcontext -V session.ctx
openssl genrsa -out signing_key_private.pem 2048
openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
tpm2_loadexternal -V -G rsa -C o -u signing_key_public.pem -c signing_key.ctx -n signing_key.name
tpm2_startauthsession -V -S session.ctx
tpm2_policyauthorize -V -S session.ctx -L authorized.policy -n signing_key.name -i set2.pcr.policy
tpm2_flushcontext -V session.ctx
cat pass.secret | tpm2_create -V -g sha256 -u auth_pcr_seal_key.pub -r auth_pcr_seal_key.priv -i- -C prim.ctx -L authorized.policy
tpm2_evictcontrol -C o -c 0x81010001
tpm2_load -Q -C prim.ctx -u auth_pcr_seal_key.pub -r auth_pcr_seal_key.priv -n auth_pcr_seal_key.name -c auth_pcr_seal_key.ctx
tpm2_evictcontrol -c auth_pcr_seal_key.ctx 0x81010001 -C o
openssl dgst -sha256 -sign signing_key_private.pem -out set2.pcr.signature set2.pcr.policy
tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx -n signing_key.name
tpm2_verifysignature -c signing_key.ctx -g sha256 -m set2.pcr.policy -s set2.pcr.signature -t verification.tkt -f rsassa
tpm2_startauthsession --policy-session -S session.ctx
tpm2_policypcr -l sha256:0 -S session.ctx
tpm2_policyauthorize -S session.ctx -i set2.pcr.policy -n signing_key.name -t verification.tkt
tpm2_unseal -p session:session.ctx -c 0x81010001
tpm2_flushcontext session.ctx
# clean up
cd -
ls -lash tpm/*
rm -rf tpm
After running the file, I get the following error:
+ mkdir -p tpm
+ cd tpm
+ dd if=/dev/urandom bs=1 count=32 status=none
+ tpm2_startauthsession -V -S session.ctx
INFO on line: "399" in file: "lib/tpm2_session.c": Saved session: ESYS_TR(0x40418487)
INFO on line: "247" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x3000000
+ tpm2_policypcr -V -Q -S session.ctx -l sha256:0 -L set2.pcr.policy
INFO on line: "419" in file: "lib/files.c": Assuming tpm context file
INFO on line: "350" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x3000000
INFO on line: "309" in file: "lib/tpm2_session.c": Restored session: ESYS_TR(0x40418487) attrs(0x1)
INFO on line: "399" in file: "lib/tpm2_session.c": Saved session: ESYS_TR(0x40418487)
INFO on line: "247" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x3000000
+ tpm2_flushcontext -V session.ctx
INFO on line: "419" in file: "lib/files.c": Assuming tpm context file
INFO on line: "350" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x3000000
INFO on line: "309" in file: "lib/tpm2_session.c": Restored session: ESYS_TR(0x40418487) attrs(0x1)
+ openssl genrsa -out signing_key_private.pem 2048
+ openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
writing RSA key
+ tpm2_loadexternal -V -G rsa -C o -u signing_key_public.pem -c signing_key.ctx -n signing_key.name
INFO on line: "247" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x80000000
name: 000b9b187c67859171866a9b725383a2eec3f595e992ce16647082d2a7edc85f1f10
+ tpm2_startauthsession -V -S session.ctx
INFO on line: "399" in file: "lib/tpm2_session.c": Saved session: ESYS_TR(0x40418487)
INFO on line: "247" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x3000000
+ tpm2_policyauthorize -V -S session.ctx -L authorized.policy -n signing_key.name -i set2.pcr.policy
INFO on line: "419" in file: "lib/files.c": Assuming tpm context file
INFO on line: "350" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x3000000
INFO on line: "309" in file: "lib/tpm2_session.c": Restored session: ESYS_TR(0x40418487) attrs(0x1)
cdb3c0eda5a0b2bd2e706f30d8326b3fa85cb9167c8e6ec3f0feaa392458005a
INFO on line: "399" in file: "lib/tpm2_session.c": Saved session: ESYS_TR(0x40418487)
INFO on line: "247" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x3000000
+ tpm2_flushcontext -V session.ctx
INFO on line: "419" in file: "lib/files.c": Assuming tpm context file
INFO on line: "350" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x3000000
INFO on line: "309" in file: "lib/tpm2_session.c": Restored session: ESYS_TR(0x40418487) attrs(0x1)
+ + tpm2_create -V -g sha256 -u auth_pcr_seal_key.pub -r auth_pcr_seal_key.priv -i- -C prim.ctx -L authorized.policy
cat pass.secret
INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x0, property: 0x0
ERROR on line: "863" in file: "lib/tpm2_util.c": Incorrect handle value, got: "prim.ctx", expected expected [o|p|e|n|l] or a handle number
ERROR on line: "184" in file: "lib/object.c": Unable to read as BIO file
ERROR on line: "293" in file: "lib/object.c": Unable to fetch public/private portions of TSS PRIVKEY
ERROR on line: "387" in file: "lib/object.c": Cannot make sense of object context "prim.ctx"
ERROR on line: "274" in file: "tools/tpm2_tool.c": Unable to run tpm2_creat
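Added example, not the tutorial's script and not the reporter's: the error in the log above ("Incorrect handle value, got: "prim.ctx"") is tpm2_create failing to open a parent context that nothing in the pasted sequence ever created. The script below runs the same authorized-PCR-policy seal/unseal flow with that step supplied (it assumes the parent is a primary key made with tpm2_createprimary -C o, which is what the later tpm2_load -C prim.ctx expects), checks each tool's input files before calling it so a missing file is reported by name rather than as a handle-parsing error, and validates the persistent handle against the owner range before tpm2_evictcontrol. The helper names missing_inputs, require_inputs and is_owner_persistent_handle are mine; the handle 0x81010001 is the one in the report. Run it as `sh tpm-authorized-policy.sh run` with tpm2-tools installed and TPM2TOOLS_TCTI pointing at a TPM or a swtpm simulator; without the argument it only defines the functions.

```shell
#!/bin/sh
# Added example (not the tutorial's or the reporter's script): authorized PCR policy
# seal/unseal with the missing primary-key step and input checks before each tool call.
set -e

# Persistent handle for the sealed object; 0x81010001 is the value from the report.
PERSISTENT_HANDLE="${PERSISTENT_HANDLE:-0x81010001}"

# Print each of the given paths that does not exist, one per line (nothing if all exist).
missing_inputs() {
    for f in "$@"; do
        [ -e "$f" ] || printf '%s\n' "$f"
    done
}

# Abort the calling function with a readable message instead of letting a tpm2_* tool
# fall over while trying to parse a non-existent file name as a handle.
require_inputs() {
    m=$(missing_inputs "$@")
    [ -z "$m" ] && return 0
    printf 'missing input: %s\n' $m >&2   # unquoted on purpose: one line per path
    return 1
}

# Persistent handles are 0x81000000-0x81FFFFFF; with owner auth (-C o) tpm2_evictcontrol
# may only use the owner half, 0x81000000-0x817FFFFF. Anything else is rejected here.
is_owner_persistent_handle() {
    printf '%s\n' "$1" | grep -Eq '^0[xX][0-9a-fA-F]{1,8}$' || return 1
    h=$(( $1 ))
    [ "$h" -ge $(( 0x81000000 )) ] && [ "$h" -le $(( 0x817FFFFF )) ]
}

seal_with_authorized_pcr_policy() {
    mkdir -p tpm && cd tpm
    dd if=/dev/urandom bs=1 count=32 status=none > pass.secret

    # Trial session: compute the PCR policy digest; the PCRs need not match yet.
    tpm2_startauthsession -S session.ctx
    tpm2_policypcr -Q -S session.ctx -l sha256:0 -L set2.pcr.policy
    tpm2_flushcontext session.ctx

    # Authorizing key: its name is bound into the object's policy, so any PCR policy
    # later signed with the private half can be used to unseal.
    openssl genrsa -out signing_key_private.pem 2048
    openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
    tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx -n signing_key.name
    tpm2_startauthsession -S session.ctx
    tpm2_policyauthorize -S session.ctx -L authorized.policy -n signing_key.name -i set2.pcr.policy
    tpm2_flushcontext session.ctx

    # The step absent from the pasted sequence: a parent key under the owner hierarchy.
    tpm2_createprimary -C o -c prim.ctx
    require_inputs prim.ctx authorized.policy pass.secret
    tpm2_create -g sha256 -u auth_pcr_seal_key.pub -r auth_pcr_seal_key.priv \
        -i pass.secret -C prim.ctx -L authorized.policy

    # Evict whatever may already sit at the handle (ignored if it is empty), then persist.
    tpm2_evictcontrol -C o -c "$PERSISTENT_HANDLE" >/dev/null 2>&1 || true
    tpm2_load -Q -C prim.ctx -u auth_pcr_seal_key.pub -r auth_pcr_seal_key.priv \
        -n auth_pcr_seal_key.name -c auth_pcr_seal_key.ctx
    tpm2_evictcontrol -C o -c auth_pcr_seal_key.ctx "$PERSISTENT_HANDLE"
}

unseal_with_authorized_pcr_policy() {
    # Sign the PCR policy, have the TPM verify it (producing a ticket), then run the
    # real policy session: PolicyPCR followed by PolicyAuthorize with that ticket.
    openssl dgst -sha256 -sign signing_key_private.pem -out set2.pcr.signature set2.pcr.policy
    require_inputs signing_key.ctx signing_key.name set2.pcr.signature
    tpm2_verifysignature -c signing_key.ctx -g sha256 -m set2.pcr.policy \
        -s set2.pcr.signature -t verification.tkt -f rsassa
    tpm2_startauthsession --policy-session -S session.ctx
    tpm2_policypcr -l sha256:0 -S session.ctx
    tpm2_policyauthorize -S session.ctx -i set2.pcr.policy -n signing_key.name -t verification.tkt
    tpm2_unseal -p session:session.ctx -c "$PERSISTENT_HANDLE" > unsealed.bin
    tpm2_flushcontext session.ctx
    if cmp -s unsealed.bin pass.secret; then
        echo "unsealed data matches pass.secret"
    else
        echo "unsealed data differs from pass.secret" >&2
        return 1
    fi
}

main() {
    command -v tpm2_createprimary >/dev/null 2>&1 || { echo "tpm2-tools not installed" >&2; return 1; }
    is_owner_persistent_handle "$PERSISTENT_HANDLE" || { echo "not an owner persistent handle: $PERSISTENT_HANDLE" >&2; return 1; }
    seal_with_authorized_pcr_policy
    unseal_with_authorized_pcr_policy
}

# Only act when asked to, so the file can also be sourced for its helpers.
if [ "${1:-}" = run ]; then main; fi
```

The require_inputs guard is what turns the opaque "Cannot make sense of object context" chain in the log into a one-line "missing input: prim.ctx"; the handle check catches a typo such as a platform-range handle before the TPM rejects the eviction.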
As the project gains more attention, people are asking for release schedules for the different sub projects.
While these might not be 100% fixed dates, a rough schedule would be helpful.
(shall I deploy version 2.2 or wait for 2.3?)
A little bit comparable to Ubuntu - you know there will be a new version in the October timeframe (where October is sometimes December).
I think a tutorial highlighting TCTIs, and in particular the command TCTI, would be nice.
This could link to external talks (like FOSDEM) etc.
Hello,
It looks like the Slack instance requires being employed by Intel, Infineon, or some other random company. Is this on purpose? Is it supposed to be a community thing?
Thanks!
The dependency matrix proves to be quite helpful as it gives a clear indication which software components work with each other: https://github.com/tpm2-software/tpm2-tools/wiki/Dependency-Matrix
Unfortunately it is currently buried in the wiki of the tools and not regularly updated.
=> Move it to here
=> Update it and include all our software components
This is especially useful, as the number of software components we host in this organization is growing.
In the LUKS disk encryption scheme with the pass-phrase stored in TPM2 as the protector, the linked feature branch
- https://gitlab.com/cryptsetup/cryptsetup/-/tree/wip-tpm
gives a 404.
The Getting Started page has no content, should we delete it or populate it with something?
It lists "libsecret/gnome-keyring" under "Software with direct TPM 2.0 support", when clearly there is no such support.
Link leads to dead GSoC 2021 issue which ends with, as far as I can tell, nothing. And even if it would be merged into libsecret, it would still require additional work on the UI part and related services to make it work with gnome keyring.
Please update the docs and move it to "Ideas for adding TPM 2.0 support" or else no one might consider working on this any further.
I have observed today an issue with the Fapi-Policy webpage.
Steps to reproduce the issue:
This behavior also happens when clicking the "PolicyAuthorization" button.
Thank you for sharing your valuable insights.
I read the Protecting Secrets At TPM Interface article and tried the demo script while capturing packets using the SWTPM simulator, and found that the unsealed secret is not encrypted.
I think that adding the --enable-encrypt option to the tpm2_sessionconfig command fixes this.
--- a/_posts/2021-02-17-Protecting-secrets-at-TPM-interface.md
+++ b/_posts/2021-02-17-Protecting-secrets-at-TPM-interface.md
@@ -231,7 +231,7 @@ setup_salted_param_encrypt_session_with_ek() {
--tpmkey-context ek.ctx
rm -f ek.ctx
- tpm2_sessionconfig -Q salted_session.ctx --enable-decrypt
+ tpm2_sessionconfig -Q salted_session.ctx --enable-decrypt --enable-encrypt
}
#
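Review bot: the one-line change is the right fix for the symptom described, and the reason is worth stating in the post text near line 231: --enable-decrypt sets only the session's decrypt attribute, under which the TPM decrypts the first command parameter on its way in (the sealed data fed to tpm2_create), so the unseal response still leaves the TPM in the clear; --enable-encrypt sets the encrypt attribute, under which the TPM encrypts the first response parameter, i.e. the unsealed data. Since the function is named setup_salted_param_encrypt_session_with_ek, readers will assume both directions are covered, so the article should say that both flags are needed for bidirectional parameter encryption, and the swtpm packet capture that exposed the gap is the check to keep for verifying the fix.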
Here is the result.
If this fix is suitable, I can also submit a merge request. Thanks.
Registration for Trusted Computing Group (TCG)’s Virtual CodeGen Developer Challenge is open now! The week-long event, taking place October 18-22, 2021, will ask developers to create a functional prototype built off a TCG standard. The challenge will provide an opportunity for brilliant talents to create their works with the help of TCG mentors, who will be virtually available throughout the event, while also experiencing the unforgettable thrill of coming together with peers who share the same passion for digital technology and innovation. Competing developers have the chance to win up to US$5,000.
The theme of the challenge will be “Pervasive Security and Application of TCG standards in software and hardware development”. Participants will have the opportunity to create solutions that can make an impact for the security community, as well as SW and HW developers seeking to integrate security into their platforms. The challenge is open to both teams and individuals, and whoever impresses the judges most will be awarded. The event is free and open to non-TCG members only, as well as individuals from TCG member companies who have not had an active member login to the technical Work Groups.
Registration deadline for the challenge is Monday, October 11, 2021. Register at: https://bit.ly/3FnRT9u
For more information on how to get involved, please visit the TCG website. An overview video about participation and the prizes that are up for grabs is also available on YouTube.
Can we update:
To include a simple example using tools. Things like keylime pie are better for production use, but it would be helpful for those trying to make sense of it all.
The tpm2 tools commands used for the device attestation article do not work with the newest versions:
https://tpm2-software.github.io/2020/06/12/Remote-Attestation-With-tpm2-tools.html#attestation-goals
For things like numbers, why do we need the type selectors of hex or UINT32? These seem to do nothing as the data is dropped as is and quoted in the JSON policy. So it ends up as a string anyways. Wouldn't something like "0x30", "48", and "060" convert the same with strtoul semantics and base set to 0? If you want the type to be input natively as a json number I think only base10 is allowed so the tool can just take the value as a string, plop it through strtoul with base 0 and then output it in the json unquoted.
Maybe these were leftover branches that were created at the onset of the repository setup. Going forward pull request mechanism from the user repository should work just fine.