    GenuineGuineapig
    @GenuineGuineapig
    I've asked the same question on IRC, but got advised to ask here. I have a question regarding the FAPI Policy Editor (https://tpm2-software.github.io/fapipolicies/). What's the difference between the entries in uppercase and the same ones in lowercase? And why is there also the same just with POLICY prepended to the actual name?
    For example: Password has as types: Password, PASSWORD, PolicyPassword, POLICYPASSWORD
    Mukund Jampala
    @jbmukund
    Hi, I am a little blocked: not able to sign with the child signing key I generated. Is there anything special I need to do to be able to sign with a child signing key?
    Do I need to do Esys_StartAuthSession?
    The pseudo-code looks like this: https://pastebin.com/h2ncptS4
    Please advise how best to proceed.
    patkaczm
    @patkaczm

    Hello, I'm struggling with reading data from nv memory.
    Data was set using tpm2-tools in this way:
    tpm2_nvdefine 0x01400100 -C p -s 1379 -a 0x42076001
    tpm2_nvwrite 0x01400100 -C p -i some_cert.data
    and reading looks like:
    tpm2_nvread 0x1400100 -C o -o /tmp/certificate_name.pem

    For some reason, I need to do the same operation using tss-esapi.
    I'm trying to achieve this in that way https://pastebin.com/g2bjKR8r but constantly getting an error:

    WARNING:esys:src/tss2-esys/api/Esys_NV_Read.c:315:Esys_NV_Read_Finish() Received TPM Error 
    ERROR:esys:src/tss2-esys/api/Esys_NV_Read.c:105:Esys_NV_Read() Esys Finish ErrorCode (0x000001c4)

    Do you have any clue why this is not working?

    Btw. I'm using swtpm for testing purposes
    littlefish2009
    @littlefish2009

    Hi, we are studying to use FAPI to create TPM keys. It was working fine with the owner hierarchy, using the key path like: /P_ECCP256SHA256/HS/SRK/mySigningKey. But we could not find any working key path to create keys with platform hierarchy (HP), like using /P_ECCP256SHA256/HP/mySigningKey, etc. We always got an error like below:

    ERROR:fapi:src/tss2-fapi/fapi_util.c:263:init_explicit_key_path() Hierarchy cannot be determined.

    We also checked the source code directly in https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-fapi/fapi_util.c to check init_explicit_key_path. But we did not see any hint for the correct key path for platform hierarchy (HP).

    We would appreciate any help or pointers to support platform hierarchy keys in FAPI. Thanks a lot!

    GenuineGuineapig
    @GenuineGuineapig
    Are you in the role of an OEM? Usually you won't be able to do stuff in the platform or endorsement hierarchy, as these are reserved for the OEM who builds the host platform (e.g. the motherboard manufacturer) or the TPM manufacturer (in the case of the endorsement hierarchy). I'm quite new to TPMs, so if anyone knows better -- feel free to correct me.
    littlefish2009
    @littlefish2009
    Thanks for your reply @GenuineGuineapig . We are in the business of producing industrial PCs. So in a sense, we are indeed in the role of a manufacturer. Actually, we were able to create keys in the platform hierarchy with the tpm-tools like tpm2_create and tpm2_load. But we are looking for ways to do the same tasks programmatically, and are getting stuck in finding the correct key path for FAPI/TSS.
    GenuineGuineapig
    @GenuineGuineapig
    OK, in that case I won't be of much help I guess. You might risk a look at the source of the tool, however. Maybe that can help you guys? https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_create.c
    littlefish2009
    @littlefish2009
    Thanks! @GenuineGuineapig . Indeed, digging deep into tpm2_create.c's code will be our next step, and we know that it should work as all the source code is open source. But the tpm2_create code is much lower level, and if we could get it working with the higher level API FAPI, it would be better, as FAPI is supposed to be an easier API to use, which suits us as we are just users of the TPM and our use cases are quite simple :)
    littlefish2009
    @littlefish2009

    Hi, we are studying to use FAPI to create TPM keys. It was working fine with the owner hierarchy, using the key path like: /P_ECCP256SHA256/HS/SRK/mySigningKey. But we could not find any working key path to create keys with platform hierarchy (HP), like using /P_ECCP256SHA256/HP/mySigningKey, etc. We always got an error like below:

    ERROR:fapi:src/tss2-fapi/fapi_util.c:263:init_explicit_key_path() Hierarchy cannot be determined.

    We also checked the source code directly in https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-fapi/fapi_util.c to check init_explicit_key_path. But we did not see any hint for the correct key path for platform hierarchy (HP).

    Again, we would appreciate any help or pointers to construct key path for platform hierarchy keys to be used in FAPI. Thanks a lot!

    Mukund Jampala
    @jbmukund
    Is there someone familiar with the inPublic portion of the Esys API? I would like to know what it should look like when trying to create a signing key (sha256). I can create the key fine but have trouble signing with it when using
    .publicArea = {
    .type = TPM2_ALG_RSA,
    .nameAlg = TPM2_ALG_SHA256, <<<<
    whooo
    @whooo
    what's the objectAttributes, what's the signing scheme and what error do you get
    Mukund Jampala
    @jbmukund

    @whooo ,

    TPM2B_PUBLIC inPublic = {
        .size = 0,
        .publicArea = {
            .type = TPM2_ALG_RSA,
            // .nameAlg = TPM2_ALG_SHA1,
            .nameAlg = TPM2_ALG_SHA256,
            // I thought this was something that was failing but this morning it does not
            // clean -> reboot -> still works.
            // It was too late in the day. I might have done something silly.
            .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
                                 TPMA_OBJECT_SIGN_ENCRYPT |
                                 TPMA_OBJECT_FIXEDTPM |
                                 TPMA_OBJECT_FIXEDPARENT |
                                 TPMA_OBJECT_SENSITIVEDATAORIGIN),
            .authPolicy = {
                .size = 0,
            },
            .parameters.rsaDetail = {
                .symmetric = {
                    .algorithm = TPM2_ALG_NULL,
                    // .algorithm = TPM2_ALG_AES,
                    .keyBits.aes = 128,
                    .mode.aes = TPM2_ALG_CFB,
                },
                .scheme = {
                    .scheme = TPM2_ALG_NULL,
                    .details = {},
                },
                .keyBits = 2048,
                .exponent = 0,
            },
            .unique.rsa = {
                .size = 0,
                .buffer = {},
            },
        },
    };

    I think it was too late in the night and I was not compiling the code properly or something. Now it works.
    What I am not sure about, though, is why there is a symmetric key in the inPublic structure. What is the purpose of it?

    Mukund Jampala
    @jbmukund
    Is there any sample code for tpm2_tss stack applications other than tpm2-tools?
    tpm2-tools seems to have too many calls to go through to get to the bottom of one simple thing. I am looking for some simple applications that will do it all in one clean shot.
    Hanson Char
    @hansonchar

    Suppose the same set of PCR values are obtained via the following two commands:

    tpm2_quote --key-context rsa_ak.ctx \
      --message pcr_quote.plain --signature pcr_quote.signature --qualification abc123 --hash-algorithm sha256 \
      --pcr-list sha1:0,1,2+sha256:0,1,2 \
      --pcr pcr-by-quote.bin
    
    tpm2_pcrread sha1:0,1,2+sha256:0,1,2 \
      -o pcr-by-pcrread.bin

    Do we expect the output files pcr-by-quote.bin and pcr-by-pcrread.bin to have the same content?

    Turns out the two files are not the same, but naively I'd think they should be the same. Hence the question. I wonder why the differences. (I am using tpm2-tools/master tip at commit 8f2955c)
    drvarun
    @drvarun
    Hi guys, a quick question: I have generated a bunch of primary keys using the TPM (ESAPI). I want to issue certificates for them using, let's say, openssl. For that I need one CSR per key to be signed by the CA using openssl. So, how can I generate a CSR using the TPM? I only have the public keys, which can be exported. Also, is it possible to generate the certificate for a key without a CSR?
    choraleprelude
    @choraleprelude

    > Hi guys, A quick question, I have generated bunch of primary keys using TPM (ESAPI). I want to issue certificates for them using, let's say openssl. For that I need one CSR per key to be signed by the CA using openssl. So, how can I generate CSR using TPM? I only have the public keys which can be exported. Also, is it possible to generate the certificate for a key without CSR?

    I suggest checking this discussion: https://security.stackexchange.com/questions/82284/create-certificate-without-private-key-with-openssl . There is a force_pubkey flag in openssl to deal with the issue you are facing.

    Ken Goldman
    @kgold2
    I'm late to this, but please avoid evictcontrol. The TPM has very few key slots, and they should be reserved for places where there is no disk or other non-volatile storage.
    The typical design pattern is that 'create' returns a public and private part. Feed them to 'load' to put them in TPM volatile memory, and flush them when you're done.
    Serialize them (marshal) and store them on disk. Read them back (unmarshal) whenever you want to load them.
    Jade
    @lf-
    I've followed the https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/INITIALIZING.md, and I'm having some fun with errors. In particular, I want to get rid of that FAPI error. So I tried actually initializing it with tss2_provision per the documents i found, yet:
    ~ » tss2_provision
    ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:520:Fapi_Provision_Finish() ErrorCode (0x0006000b) SRK persistent handle already defined
    ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x0006000b) Provision
    Fapi_Provision(0x6000B) - fapi:A parameter has a bad value
    ~ » ssh-keygen -D /usr/lib/pkcs11/libtpm2_pkcs11.so -vvvvv
    WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
    ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
    ERROR: Listing FAPI token objects failed.
    debug1: provider /usr/lib/pkcs11/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0
    debug1: provider /usr/lib/pkcs11/libtpm2_pkcs11.so slot 0: label <tok> manufacturerID <AMD> model <AMD> serial <000000000000000> flags 0x40d
    debug2: pkcs11_fetch_keys: provider /usr/lib/pkcs11/libtpm2_pkcs11.so slot 0: ECDSA SHA256:B/QY8izlhmE7ULASCHe8h52wNM92hZKNTmktqGwOHyo
    debug1: have 1 keys
    debug2: pkcs11_register_provider: ignoring uninitialised token in provider /usr/lib/pkcs11/libtpm2_pkcs11.so slot 1
    ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBB13xiBH+laTgFIAyVpltNnz1YB3wWLb11xlR4GgacZrh7k6VxEv3TJm8XCP3uwY/YTAcSsLm7X+qpgi5iJmAbxo5zQ/2vyM7CC8xhDH1J4doo1nRqFTCGFuUqte+qpTgg==
    debug1: pkcs11_k11_free: parent 0x56082100d440 ptr 0x560821002730 idx 1
    debug1: pkcs11_provider_unref: 0x560820f86ce0 refcount 2
    debug1: pkcs11_provider_finalize: 0x560820f86ce0 refcount 1 valid 1
    debug1: pkcs11_provider_unref: 0x560820f86ce0 refcount 1
    this is confusing to me because the second command says some SRK thing isn't provisioned, and the first says it is and thinks that's a problem
    Jade
    @lf-
    ooo creative new issue now that i grabbed the git version:
    ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:1473:Fapi_Provision_Finish() ErrorCode (0x00060025) No EK certifcate found for current crypto profile found. You may want to switch the profile in fapi-config or set the ek_cert_less or ek_cert_file options in fapi-config. See also https://tpm2-software.github.io/2020/07/22/Fapi_Crypto_Profiles.html
    ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x00060025) Provision
    Fapi_Provision(0x60025) - fapi:No certificate
    littlefish2009
    @littlefish2009

    @kgold2 , It's great to see you here! We are seeing the same errors as below with FAPI to create keys for platform hierarchy. Do you have any suggestions on how to build a key path for platform hierarchy for use with FAPI?

    > Hi, we are studying to use FAPI to create TPM keys. It was working fine with the owner hierarchy, using the key path like: /P_ECCP256SHA256/HS/SRK/mySigningKey. But we could not find any working key path to create keys with platform hierarchy (HP), like using /P_ECCP256SHA256/HP/mySigningKey, etc. We always got an error like below:
    >
    > ERROR:fapi:src/tss2-fapi/fapi_util.c:263:init_explicit_key_path() Hierarchy cannot be determined.
    >
    > We also checked the source code directly in https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-fapi/fapi_util.c to check init_explicit_key_path. But we did not see any hint for the correct key path for platform hierarchy (HP).
    >
    > We would appreciate any help or pointers to support platform hierarchy keys in FAPI. Thanks a lot!

    Jade
    @lf-

    > ooo creative new issue now that i grabbed the git version:
    >
    > ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:1473:Fapi_Provision_Finish() ErrorCode (0x00060025) No EK certifcate found for current crypto profile found. You may want to switch the profile in fapi-config or set the ek_cert_less or ek_cert_file options in fapi-config. See also https://tpm2-software.github.io/2020/07/22/Fapi_Crypto_Profiles.html
    > ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x00060025) Provision
    > Fapi_Provision(0x60025) - fapi:No certificate

    Alright, I fixed it by doing crimes (ek_cert_less). and then it was in dictionary lockout because Reasons, which I also had to fix

    Jade
    @lf-
    ah fun i learned the hard way that ecc keys do a size mismatch error :/ but rsa works, and i have my ssh key working now 🎉
    Nicolas Iooss
    @fishilico
    @lf- it looks like you are encountering this issue: tpm2-software/tpm2-pkcs11#655

    > ah fun i learned the hard way that ecc keys do a size mismatch error :/ but rsa works, and i have my ssh key working now

    what do you mean by "mismatch error"? Which size are you using? ecc256 should work fine

    Jade
    @lf-
    This:
    ~ » ssh -vvvvv test@smol
    <...>
    debug1: provider /usr/lib/pkcs11/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0
    debug1: provider /usr/lib/pkcs11/libtpm2_pkcs11.so slot 0: label <tok> manufacturerID <AMD> model <AMD> serial <000000000000000> flags 0x40d
    debug2: pkcs11_fetch_keys: provider /usr/lib/pkcs11/libtpm2_pkcs11.so slot 0: RSA SHA256:vd0gPDeneK2xq10kdyGtdX/guKHcLvD2hVazKv11CIs
    debug1: have 1 keys
    debug2: pkcs11_fetch_keys: provider /usr/lib/pkcs11/libtpm2_pkcs11.so slot 0: ECDSA SHA256:rm0O25KPtoIqAExbGOLFeyKEPvi6z/Tz7pZvz0KOF1o
    debug1: have 2 keys
    debug2: pkcs11_fetch_keys: provider /usr/lib/pkcs11/libtpm2_pkcs11.so slot 0: ECDSA SHA256:O0snPouuKCRFisUdWQvthcqqYlDYquB+xL833DZtdwc
    debug1: have 3 keys
    debug2: pkcs11_register_provider: ignoring uninitialised token in provider /usr/lib/pkcs11/libtpm2_pkcs11.so slot 1
    <...>
    debug1: Server accepts key: sshecc384 ECDSA SHA256:O0snPouuKCRFisUdWQvthcqqYlDYquB+xL833DZtdwc token
    debug3: sign_and_send_pubkey: ECDSA SHA256:O0snPouuKCRFisUdWQvthcqqYlDYquB+xL833DZtdwc
    debug3: sign_and_send_pubkey: signing using ecdsa-sha2-nistp384 SHA256:O0snPouuKCRFisUdWQvthcqqYlDYquB+xL833DZtdwc
    Enter PIN for 'tok':
    debug1: pkcs11_k11_free: parent 0x55a7ce8f1e60 ptr (nil) idx 1
    debug1: pkcs11_check_obj_bool_attrib: provider 0x55a7ce870500 slot 0 object 5: attrib 514 = 0
    WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
    ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000001d5)
    ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size
    debug1: pkcs11_k11_free: parent 0x55a7ce8f9db0 ptr (nil) idx 1
    C_Sign failed: 5
    debug1: identity_sign: sshkey_sign: error in libcrypto
    sign_and_send_pubkey: signing failed for ECDSA "sshecc384": error in libcrypto
    debug1: pkcs11_k11_free: parent 0x55a7ce8fb1b0 ptr (nil) idx 1
    indeed it works fine on ecc256, just ecc384 fails
    Nicolas Iooss
    @fishilico
    ecc384 works for me, on Arch Linux with tpm2-pkcs11 1.6.0 and openssh 8.6p1. Which versions are you using?
    Jade
    @lf-
    also archlinux, tpm2-pkcs11 1.6.0, openssh 8.6p1, tpm2-{tss,tools} git from like 2 days ago
    Jade
    @lf-
    I also had some funny stuff going on with tss2_provision with using ecc384 and to get it to provision, I had to set the fapi config to use the profile rsa2048, so it may be a tpm side issue maybe?? it's an AMD fTPM
    I grabbed non git versions from the arch repo, which are tools 5.1-1, tss 3.1.0-1
    same error
    Nicolas Iooss
    @fishilico

    Could you try with an emulated TPM? For example, I am using

    sudo pacman -S swtpm tpm2-abrmd
    swtpm socket --tpm2 --daemon \
        --server port=2321 --ctrl type=tcp,port=2322 \
        --flags not-need-init --tpmstate dir=/tmp \
        --log file=/tmp/swtpm.log,level=5
    tpm2-abrmd --tcti swtpm:host=127.0.0.1,port=2321 &
    export TPM2TOOLS_TCTI=tabrmd:bus_type=system

    and then there are some environment variables (which I do not remember right now) to use tpm2_ptool and tpm2-pkcs11 with this, without touching your $HOME/.tpm2-pkcs11/

    Jade
    @lf-
    works fine
    Nicolas Iooss
    @fishilico
    Also, ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000001d5) does not seem to be a standard error code. The standard ones are defined in https://github.com/tpm2-software/tpm2-tss/blob/473f17def1fe650609263af48c0b49250cec6309/include/tss2/tss2_tpm2_types.h#L273-L395 . So it smells like an issue in your TPM
    Jade
    @lf-
    :(
    I could i guess do a bios update and see if that fixes it, but those have some seriously annoying side effects and may also wipe tpm (unsure about that)
    Nicolas Iooss
    @fishilico
    maybe it expects to only use SHA384 when using ecc384, and OpenSSH is using SHA256 with ecc384? I do not know how to test this
    Jade
    @lf-
    hm. it might be in the debug log
    but yeah I may have a crack at a bios update. I would not be super super mad if I lost tpm content, although it would be unfortunate
    Nicolas Iooss
    @fishilico
    oh, in fact I was wrong. ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000001d5) is a standard error, which is decoded right after, ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size (it is TPM2_RC_1=0x100 + TPM2_RC_FMT1=0x080 + TPM2_RC_P=0x040 + TPM2_RC_SIZE=0x015)
    Jade
    @lf-

    > but yeah I may have a crack at a bios update. I would not be super super mad if I lost tpm content, although it would be unfortunate

    hm. time to go wipe my bootloader contents because firmware updates Do That on this computer 🙃

    Jade
    @lf-
    it wiped bootloader and tpm both, lolll