    whooo
    @whooo
    zhangjiashen: using tpm2_evictcontrol with some other options, which I don't recall
    Jiashen zhang
    @zhangjiashen
    @whooo sudo tpm2_evictcontrol -C o -c 0x81010001 seems to work for me
    whooo
    @whooo
    great!
    Jiashen zhang
    @zhangjiashen
    Thank you so much!
    Prateek
    @prathyks

    Hi Everyone,
    I'm trying to use go-tpm (https://github.com/google/go-tpm) to load an ECC keypair that was generated using the tpm2-tss openssl-engine. The problem I faced initially was that go-tpm doesn't have the ESYS API implementation that tpm2-tss uses, so it cannot directly decode the TSS blob that is written to file. I was able to decode the TSS blob using ASN.1 decoding and obtained the public and private blobs, which are in the form of TPM2B_PUBLIC and TPM2B_PRIVATE respectively. But I'm now hitting an error while loading these private and public blobs:

    the type of the value is not appropriate for the use

    Any inputs on what to debug next?

    x-logic
    @x-logic-iot
    Hello, I am trying to store some random key in the TPM. The key should never leave the TPM unencrypted, and when it leaves the TPM encrypted, it is encrypted with a key that only the TPM can derive/know. Any ideas which commands I should use?
    whooo
    @whooo
    x-logic-iot: that's the default if the TPM generates the key and you use the right key attribute (TPMA_OBJECT_FIXEDTPM)
    Jiashen zhang
    @zhangjiashen
    hi, I am working on a disk encryption feature with PCR sealing on TPM2. I am curious whether anyone knows how to handle updates: should I unseal the key before updates?
    Teri Lenard
    @terilenard
    Hello, does anyone know/have some useful python code examples on how to properly use the tpm2-pytss module? Thank you!
    whooo
    @whooo
    terilenard: are you using the latest release or the current master branch?
    Teri Lenard
    @terilenard
    @whooo 0.1.9
    whooo
    @whooo
    terilenard: I would recommend you try the master branch, as the bindings have been redone and extra useful stuff added
    Teri Lenard
    @terilenard
    oh, ok, thank you for the pointer :thumbsup: @whooo
    whooo
    @whooo
    terilenard: when it comes to examples, you can check the tests, otherwise if you have any specific thing you want to do I might be able to help out
    Teri Lenard
    @terilenard
    @whooo That's the first thing I did. But from just a first read it seems that I haven't wrapped my head around them.
    @whooo I was looking for something similar on how the C API has :D
    whooo
    @whooo
    terilenard: you could check the documentation for the ESAPI class, I think most, if not all, methods are documented, and they are wrappers around the Esys C API but making it all more pythonic
    Teri Lenard
    @terilenard
    will have a look at the ESAPI for sure @whooo
    x-logic
    @x-logic-iot
    After using tpm2_import, which command to use to get the key out? tpm2_export doesn't exist anymore
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]

    Hi all,

    I'm trying to use the tpm2-pkcs11 library to use an application key generated from go-attestation.
    During the linking step (tpm2_ptool link) I get the following error: The primary object (id: 1) is persistent and the TSS Engine key does not have a persistent parent, got: 0x-7effffff
    I hope, someone can help me with this one.
    Thanks in advance!

    whooo
    @whooo
    kuhlmann.markus:matrix.kusys.de: my guess would be that the two different tools use different serialization formats for the keys
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]

    Hey, thanks for your answer @whooo . I already checked some things and found the following:

    When I generate a key with the following sequence, the same error occurs:
    tpm2_clear
    tpm2_createprimary -c primary.ctx
    tpm2_evictcontrol -c primary.ctx 0x81000001
    tpm2tss-genkey -P 0x81000001 tss2key-rsa2048.pem
    pid="$(tpm2_ptool init --primary-handle=0x81000001 --path=~/teststore | grep id | cut -d' ' -f 2-2)"
    tpm2_ptool addtoken --pid=$pid --sopin=mysopin --userpin=myuserpin --label=mytoken --path=~/teststore
    tpm2_ptool link --path ~/teststore --label=mytoken --userpin=myuserpin --key-label="link-key" tss2key-rsa2048.pem

    I'm completely unsure what's going wrong here, but the key generated with tpm2tss-genkey -P 0x81000001 tss2key-rsa2048.pem also contains the parent 0x-7effffff, and that's what ptool is complaining about.

    And: I'm absolutely certain this command sequence has worked some time ago.
    whooo
    @whooo
    ah, I see now, the parent in your tpm2tss key has a negative value
    you need to regenerate the ASN1 data and make sure it's not saved with a signed integer
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]
    How would I do this? I'm only using the tpm2tss-genkey binary. It seems the behaviour of this binary has changed.
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]

    Quick example:

    tpm2tss-genkey -P 0x81000001 tss2key-rsa2048.pem

    leads to:

    cat tss2key-rsa2048.pem | openssl asn1parse
        0:d=0  hl=4 l= 498 cons: SEQUENCE
        4:d=1  hl=2 l=   6 prim: OBJECT            :2.23.133.10.1.3
       12:d=1  hl=2 l=   3 cons: cont [ 0 ]
       14:d=2  hl=2 l=   1 prim: BOOLEAN           :1
       17:d=1  hl=2 l=   4 prim: INTEGER           :-7EFFFFFF
       23:d=1  hl=4 l= 280 prim: OCTET STRING      [HEX DUMP]:[hex dump removed]
      307:d=1  hl=3 l= 192 prim: OCTET STRING      [HEX DUMP]:00BE0020CD2F67F8DBD7ACA355CC1BDB61950FCCBECF9B41A185CE63324594C7B27F11F8001066E3A38CB951FA7E006B06BA9CA413589AE239F352359FE69C99328C9D36C7436BACFAF9B9EBF92BF2F95B589A4F1B5C7F6711E37DC5EFD5C341926D9B4B766682D60D555EC19F56B7FC6CD5ECF4195F0EDA01868E1457BF5899B08A3FC8FE33232C751BB34CAB4D8551B0AE448A528A3A848EC82A487713F493817F03500151F4BFB8E3146D5372399C7C3867E7BA46E531B25C8A8F48B3A3EB

    whooo
    @whooo
    sorry, I misread something
    whooo
    @whooo
    which release of tpm2-pkcs11 are you using?
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]
    At the moment I'm on 1.5.0-23-g77b1188
    same behaviour with 1.6.0.
    whooo
    @whooo
    yeah
    the encoding by tpm2-tss-engine is weird (I found your issues)
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]
    I don't even understand where the problem actually is. I would guess in tss-engine, since it seems its behaviour has changed.
    whooo
    @whooo
    there doesn't seem to be any unsigned integer encoding in DER/BER, but tpm2-tss-engine assumes there is it seems
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]
    OK, thanks for your analysis so far! What would you suggest to proceed here?
    whooo
    @whooo
    I'll see if I can hack together some python code that fixes the encoding, as a workaround
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]
    That would be awesome.
    ok, the pasting went weird
    it will be gone in a day, so save it
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]

    Awesome! Thank you so much!

        0:d=0  hl=4 l= 499 cons: SEQUENCE
        4:d=1  hl=2 l=   6 prim: OBJECT            :2.23.133.10.1.3
       12:d=1  hl=2 l=   3 cons: cont [ 0 ]
       14:d=2  hl=2 l=   1 prim: BOOLEAN           :255
       17:d=1  hl=2 l=   5 prim: INTEGER           :81000001
       24:d=1  hl=4 l= 280 prim: OCTET STRING      [HEX DUMP]:[hex dump removed]
      308:d=1  hl=3 l= 192 prim: OCTET STRING      [HEX DUMP]:00BE0020567B223CE94BA3FCA686B2145E65010C3E5B2E85462FD815FD11B2FEB155E67F00103F4A1118AFD9E868641C0403D5726C5F4A3CC787A0E9D05727C86ECAAB7995AA86F46BC5B2771C2BFA064E277A2F7A18DB8C45FFEB95A7CC9E4BA32C586E7690A5FB34A754AC5795AC878067EF5FB28C1514D808B10BF57E2CFD38C11D7E8A462FE5C5869205B14A3BECC788DF1D9CB9EA65D763E230EB47111B3338C778C16733849411A520B7BB5D1E679C7CD74E3A9B172E82FCC0EFD17AAC

    whooo
    @whooo
    great!
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]
    Very nice. Linking the key now also works! Thanks man you saved my day! 🙏
    whooo
    @whooo
    good to hear! what are you working on (in more abstract terms)?
    ouidrich
    @kuhlmann.markus:matrix.kusys.de
    [m]
    We want to have a device-bound ID, secured by the TPM. We now have all the attestation stuff taken care of by go-attestation, to prove the key is really living in the TPM and is unexportable. We then generate a CSR and get a certificate. We then use the PKCS11 SC for mutual TLS against a few of our webservices.
    whooo
    @whooo
    ah, cool
    kileel
    @kileel:matrix.org
    [m]
    Does anyone know if it's possible to increase the time interval in TPM2-TOTP to more than 30 seconds? I'm having trouble finding info