    ms_learner
    @mslearner
    test
    I am new to TPM software and trying to figure out how to use FAPI in C code. Is there a self-contained example of C code that gets a random number from TPM using FAPI?
    Manuel
    @m4nu3l-00
    You can look here:
    Harish Nagaraju
    @harishnagaraju
    I am working on TPM2 for SSH connectivity using a tpm2 Infineon board for Raspberry Pi; I am a newbie in this. What is the usage of tss2 and tpm2 tools? Do both at one point execute similar commands?
    patkaczm
    @patkaczm
    Hi, I've been using ESAPI for quite a while but am faced with an issue and cannot find the answer.
    For some reason the command Esys_GetCapability(context, ..., capData) returns err code: 655370 which means tcti:IO failure
    I wonder whether I should call Esys_Free on capData or not in case of Esys_GetCapability failure?
    Heinrich Hofelmann
    @heinrich.hofelmann_gitlab

    Hi, I am new to TPMs and wanted to try pytss to connect to a TPM simulator, e.g. ms-tpm which I got already set up. Unfortunately, I could not find any getting started guide or basic example of pytss, so I don't know how and where to start.
    I only found this stackoverflow question which refers to some example in the documentation, but this site does not exist anymore.

    I really would appreciate any help and explanation on how to start with pytss and connect to a TPM simulator to perform a basic operation like signing some bytes :)

    whooo
    @whooo
    heinrich.hofelmann_gitlab: there are some examples in tpm2-software/tpm2-pytss#317 but those might not cover what you want to do; the tests in test/ cover most of the API but might not be as readable as good examples
    Heinrich Hofelmann
    @heinrich.hofelmann_gitlab
    @whooo thank you for the hint.
    Can pytss somehow be used under Windows?
    whooo
    @whooo
    I don't know of anyone that has tried, and it isn't tested against Windows
    Heinrich Hofelmann
    @heinrich.hofelmann_gitlab
    What is the best way to work with simulated TPMs and Python on Windows, then?
    whooo
    @whooo
    while I haven't used that, check https://github.com/microsoft/TSS.MSR
    Harish Nagaraju
    @harishnagaraju
    I am trying to enable TPM2 on an nginx server on a Pi; I am getting this error. Has anyone come across this? Some pointers please:
    nginx: [emerg] cannot load certificate key "/tpm.key": PEM_read_bio_PrivateKey() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: ANY PRIVATE KEY)
    My certificate and key generation are all working fine
    whooo
    @whooo
    what does your nginx configuration look like?
    Harish Nagaraju
    @harishnagaraju
    tpm2tss-genkey -a rsa -s 2048 tpm.key
    server {}
    server { listen 443 ssl
    server_name local host
    ssl_certificate /mypath/tpm.crt
    ssl_certificate_key /mypath/tpm.key
    ssl_protocols TLSv1 1.1 1.2.....
    ssl_ciphers HIGH:!aNULL:!MD5
    ssl_verify_clien on
    whooo
    @whooo
    I'm not too familiar with either nginx or tpm2-tss-engine, but I suspect you need to specify the engine somewhere in the config
    Harish Nagaraju
    @harishnagaraju
    on the top i have the standard
    user www-data
    worker_processess auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;
    ssl_engine tpm2tss
    whooo
    @whooo
    and can the user which nginx runs as access the TPM? depending on your setup it's either via tpm2-abrmd or /dev/tpmrm0
    and ssl_certificate_key should probably be engine:tpm2tss:/mypath/tpm.key if I understand the examples correctly
    Harish Nagaraju
    @harishnagaraju
    no
    I have not used those keywords
    whooo
    @whooo
    well, checking those two things would be my recommendation
    Harish Nagaraju
    @harishnagaraju

    in /etc/ssl/openssl.cnf
    i have set
    engine_id = tpm2tss
    SET_TCTI = device:/dev/tpmrm0

    I have been using this with TPM Infineon hardware;
    TPM2TOOLS_TCTI = device:/dev/tpmrm0

    I have used the above blog for real hardware but it is not working
    whooo
    @whooo
    in the blog, ssl_certificate_key engine:tpm2tss:/root/tpm_certs/tpm.key; is used, not just the path to the key
    Harish Nagaraju
    @harishnagaraju
    Thanks for pointing it out. I missed it; thank you very much; I am through
    Nagarjun
    @narjuncs:matrix.org

    Hi, I am facing an issue with tpm2_rsadecrypt after reboot

    Following are the TPM commands sequence,

    tpm2_changeauth -c o ownerauth -> Changing the authorization of storage hierarchy
    tpm2_createprimary -P ownerauth -p primarykey -c prim.ctx -> Creating a primary key
    tpm2_evictcontrol -C o -c prim.ctx 0x81000000 -P ownerauth -> Storing Primary key to TPM NVRAM persistent storage using reserved handle
    tpm2_create -P primarykey -p childkey -C prim.ctx -u key.pub -r key.priv -> Creating a child key under primary key and storing to disk
    tpm2_load -P primarykey -C prim.ctx -u key.pub -r key.priv -c key.ctx -> Loading child key under primary key in TPM

    echo "my message" > msg.dat
    tpm2_rsaencrypt -c key.ctx -o msg.enc msg.dat -> encrypt message using child key in TPM
    tpm2_rsadecrypt -p childkey -c key.ctx -o msg.ptext msg.enc -> Decrypt message using child key in TPM
    cat msg.ptext

    After reboot again load the

    tpm2_load -P primarykey -C 0x81000000 -u key.pub -r key.priv -c key.ctx -> Load primary key and child key in to TPM after reboot
    tpm2_rsadecrypt -p childkey -c key.ctx -o msg.ptext msg.enc -> Decrypt operation failing after reboot
    WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish() Received TPM Error
    ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt() Esys Finish ErrorCode (0x00000084)
    ERROR: Esys_RSA_Decrypt(0x84) - tpm:handle(unk):value is out of range or is not correct for the context
    ERROR: Unable to run tpm2_rsadecrypt

    could someone please help here
    somethingsilly22
    @somethingsilly22:matrix.org
    Whenever I try to probe my tpm I get TPM error (30), and all of the commands that start with tpm don't work. The ones that start with tpm2 do. Any debugging tips?
    Are tpm 2 devices backwards compatible with 1.2?
    somethingsilly22
    @somethingsilly22:matrix.org
    Now I'm getting timeouts tpm tpm0: tpm_try_transmit: send(): error -62
    somethingsilly22
    @somethingsilly22:matrix.org
    All of the tpm2 commands hang and dmesg keeps showing errno -62 (timer expired)
    Manuel
    @m4nu3l-00
    Has anyone used Esys_Sign() with digest size besides 20?
    With these: TPM2B_DIGEST digest = {
    .size = 20,
    .buffer = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
    11, 12, 13, 14, 15, 16, 17, 18, 19, 20}
    };
    I am getting no error. But adding or removing one number I get:
    ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000001d5)
    which means structure is the wrong size. Any idea how to fix this?
    whooo
    @whooo
    m4nu3l-00: the size needs to match the digest algorithm defined in inScheme
    Manuel
    @m4nu3l-00
    @whooo Thank you. Atm i got TPMT_SIG_SCHEME inScheme = { .scheme = TPM2_ALG_NULL };
    What alg would you recommend?
    whooo
    @whooo
    then it probably depends on the scheme defined in the public part of the key, but the digest size is tied to whichever hash algorithm is used by the signature scheme
    Manuel
    @m4nu3l-00
    Oh, I am using SHA1, makes sense. Thank you!
    choraleprelude
    @choraleprelude
    Manuel
    @m4nu3l-00
    Thank you! Already got it running
    Igor Borisoglebski
    @igor-borisoglebski

    Hey folks, anyone has any idea why I would get the errors below? This happens on initramfs, but when in the system I don't get this error and can access tpm

    ERROR:tcti:src/tss2-tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
    WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for function 0x7f689fca8140 failed with a000a
    WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not initialize TCTI named: tcti-device
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
    ERROR:tcti:src/tss2-tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory
    WARNING:tcti:src/tss2-tcti/tctildr.c:79:tcti_from_init() TCTI init for function 0x7f689fca8140 failed with a000a
    WARNING:tcti:src/tss2-tcti/tctildr.c:109:tcti_from_info() Could not initialize TCTI named: tcti-device
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:254:tctildr_get_default() No standard TCTI could be loaded
    ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
    ERROR:esys:src/tss2-esys/esys_contect.c:69:Esys_Initialize() Initialize default tcti. ErrorCode (0x000a000a)
    ERROR in pcr_unseal (src/libtpm2-initramfs-tool.c:390): 0x000a000a

    Igor Borisoglebski
    @igor-borisoglebski
    well, it turns out the tpm drivers weren't loaded so I had to include them in /etc/initramfs-tools/modules
    kuldeepmarker-eaton
    @kuldeepmarker-eaton
    Has anyone created any application using the TCG FAPI by creating a yocto recipe?