#24 Support for TPMs with deprecated ordinals

Status: closed-fixed
Owner: Kent Yoder
Priority: 5
Updated: 2007-11-02
Created: 2007-09-17
Creator: Kent Yoder
Private: No

My Infineon 1.2 system is not configured to let the public part of the
EK be read without authorization. Tspi_TPM_GetPubEndorsementKey
without the owner-auth flag fails. This is fine and arguably the right
policy.

But it also fails with the flag TRUE and correct owner auth supplied.
That's because Trousers uses the older TPM_OwnerReadPubek command
instead of the newer TPM_OwnerReadInternalPub which is used in 1.2 to
read both the SRK and EK. Unfortunately the Infineon guys are quick on
the trigger and have removed support for TPM_OwnerReadPubek. I don't
see what the problem is; it's deprecated, but that seems to be just a
matter of eliminating redundancy and slightly cleaning up the API, to
have one function to read both of the keys instead of separate ones.
But Infineon does not support any of the deprecated functions.

So I thought I'd try setting the PUBEK to be readable without owner auth, using
Tspi_TPM_SetStatus (hTPM, TSS_TPMSTATUS_DISABLEPUBEKREAD, FALSE);
(which does of course take owner auth), as a workaround.

Unfortunately that call did not work either! Trousers uses
TPM_DisablePubekRead which has, once again, been deprecated, so of
course Infineon would never want to support such a tainted function.
It is now supposed to be done, I think, using TPM_SetCapability with
TPM_SET_PERM_FLAGS and TPM_PF_READPUBEK, to enable that flag. Again I
don't see any security reason to stop supporting the old function; it
is just a matter of redundancy, so it is unfortunate that Infineon has
been so quick to eliminate the deprecated functionality.

The same thing happened with TPM_LoadKey: there was nothing wrong with
it security-wise, it just wasn't as convenient as it might have been
for TSS writers, but Infineon cut off support for it and so hasn't
worked with Trousers until the most recent 0.3.0 release. Pretty
frustrating!

Anyway I wanted to mention these functions as candidates for the next
round of 1.2 cleanups.
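
An added example, not code from TrouSerS or from the report above: one way a TSS layer could pick between the deprecated ordinals named in the report and their TPM 1.2 replacements, retrying once when the TPM answers TPM_BAD_ORDINAL. The ordinal and return-code values are those of the TPM 1.2 specification; tpm_send_fn, tpm_dispatch and the simulated strict_tpm12 device are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Return code and ordinal values as defined in the TPM 1.2 specification. */
#define TPM_SUCCESS                  0x00u
#define TPM_BAD_ORDINAL              0x0Au
#define TPM_ORD_LoadKey              0x20u
#define TPM_ORD_SetCapability        0x3Fu
#define TPM_ORD_LoadKey2             0x41u
#define TPM_ORD_OwnerReadPubek       0x7Du
#define TPM_ORD_DisablePubekRead     0x7Eu
#define TPM_ORD_OwnerReadInternalPub 0x81u
typedef uint32_t (*tpm_send_fn)(uint32_t ordinal);   /* hypothetical transport */

/* Deprecated ordinal -> replacement named in the report above. */
static const struct { uint32_t old_ord, new_ord; } repl[] = {
    { TPM_ORD_OwnerReadPubek,   TPM_ORD_OwnerReadInternalPub },
    { TPM_ORD_DisablePubekRead, TPM_ORD_SetCapability },
    { TPM_ORD_LoadKey,          TPM_ORD_LoadKey2 },
};
#define NREPL (sizeof repl / sizeof repl[0])

/* Constructed stand-in for a 1.2 TPM that rejects every deprecated ordinal. */
uint32_t strict_tpm12(uint32_t ord) {
    for (size_t i = 0; i < NREPL; i++)
        if (ord == repl[i].old_ord) return TPM_BAD_ORDINAL;
    return TPM_SUCCESS;
}
/* Send the operation known by its legacy ordinal. A 1.2 TPM gets the
 * replacement first; TPM_BAD_ORDINAL triggers one retry with the other
 * ordinal. Only the ordinal choice is modelled here: the real replacement
 * commands take different parameters. *used gets the last ordinal sent. */
uint32_t tpm_dispatch(tpm_send_fn send, int is_tpm12, uint32_t legacy, uint32_t *used) {
    uint32_t first = legacy, second = legacy;
    for (size_t i = 0; i < NREPL; i++)
        if (legacy == repl[i].old_ord) {
            first  = is_tpm12 ? repl[i].new_ord : repl[i].old_ord;
            second = is_tpm12 ? repl[i].old_ord : repl[i].new_ord;
        }
    uint32_t rc = send(*used = first);
    if (rc == TPM_BAD_ORDINAL && second != first)
        rc = send(*used = second);
    return rc;
}

int main(void) {
    uint32_t used = 0;   /* version misdetected as 1.1: the retry path runs */
    uint32_t rc = tpm_dispatch(strict_tpm12, 0, TPM_ORD_OwnerReadPubek, &used);
    printf("rc=0x%02x ordinal=0x%02x\n", (unsigned)rc, (unsigned)used);
    return rc != TPM_SUCCESS;
}
```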

Discussion

  • Kent Yoder
    2007-09-24

    Logged In: YES
    user_id=1168529
    Originator: YES

    In addition to changes in the TSP to remove TPM_OwnerReadPubEk on TPM 1.2s, update the TSP to use FlushSpecific in places calling TPM_Terminate_Handle.

     
  • Kent Yoder
    2007-11-02

    • status: open --> closed-fixed
     
  • Kent Yoder
    2007-11-02

    Logged In: YES
    user_id=1168529
    Originator: YES

    This should be fixed in trousers 0.3.1. Please re-open if not.