From: Michael D. <do...@in...> - 2013-01-18 14:12:51
Hey Kent,

your first two patches fixed the hang on CloseSignTransport, and now I get an error code back at least: 0x00003126: Invalid handle. Is there anything special one has to pay attention to when executing commands in the transport?

Applying the last patch however makes me unable to even connect to a context and returns: 0x00002004: Internal Software Error

I haven't had time to check if it is a simple error and what causes it, so I can't say much more right now, other than that it creates an error. If I figure it out I'll let you know.

Thank you for your help so far,
Michael

On 17/01/2013 23:27, Kent Yoder wrote:
> On Thu, Jan 17, 2013 at 12:59 PM, Kent Yoder <shp...@gm...> wrote:
>>> I'm interested to know what you see in your testcase after applying
>>> these patches. I get a 0x22 (invalid auth handle) return code from
>>> Tspi_Context_CloseSignTransport, which I can't yet explain. I'm on an
>>> STM TPM here.
>> Ok, I see what's happening now. The code sets up an exclusive
>> transport session, which means that while it's open, any TPM command
>> that executes outside the TS will force a close of the TS. This
>> includes commands sent down by the tcsd during normal operations, for
>> things like asking the TPM which keys it has loaded. This is what
>> happens in this case: the tcsd asks the TPM which keys it has loaded
>> during key management, terminating the session before close. Because
>> there's a signing key involved in closing and signing the session
>> hash, this might *always* happen. :-(
> Got a fix for you. :-) Please test the attached patch. Also make
> sure you've set
>
> enforce_exclusive_transport = 1
>
> in /etc/tcsd.conf, so that it doesn't ignore the fact that you want an
> exclusive session.
>
> Thanks,
> Kent
>
>> I've opened a defect against the tcsd [1] to look into better support for ETS.
>>
>> Kent
>>
>> [1] https://sourceforge.net/tracker/?func=detail&aid=3601290&group_id=126012&atid=704358
>>
>>
>>> Kent
>>>
>>>> fairly sure, that the key I am using (which is an AIK) has been loaded
>>>> correctly, and that I correctly initialized the validation structure as
>>>> well as the context, because I can quote within the same context using
>>>> the same code for initializing them.
>>>>
>>>> I am using:
>>>>
>>>> Ubuntu 11.04 (have to for compatibility reasons with other software)
>>>> trousers0.3.5-2_i386.deb (haven't seen anything in the update logs that
>>>> would possibly fix this in future versions)
>>>> Atmel TPM v1.2 (capabilities include one transport session)
>>>> gcc 4.5.2
>>>>
>>>> I will attach a piece of code to the bottom, which produces the error
>>>> with my system setup. I cleaned it from any unrelated code and at the
>>>> moment it is not executing anything within the transport. However the
>>>> same problem occurs when executing TPM commands during the transport.
>>>>
>>>> Calling
>>>>
>>>> gcc -ltspi -Wall -o ttest cleanTransportCall.c
>>>>
>>>> on my source file should give no warning, or at least I do not get any.
>>>>
>>>> Best regards,
>>>>
>>>> Michael Dorner
>>>>
>>>>
>>>>
>>>> ########### Code for cleanTransportCall.c:##############################
>>>>
>>>> /*
>>>>  * cleanTransportCall.c
>>>>  *
>>>>  * Created on: Jan 7, 2013
>>>>  * Author: michaeldorner
>>>>  * Purpose: Bugreport CloseSignTransport
>>>>  *
>>>>  */
>>>> #include <stdio.h>
>>>> #include <string.h>
>>>> #include <stdlib.h>
>>>> #include <sys/types.h>
>>>> #include <tss/platform.h>
>>>> #include <tss/tspi.h>
>>>> #include <trousers/trousers.h>
>>>> //challener debug macro (from tutorial)
>>>> #define DBG(message,tResult) printf("(Line%d, %s)%s returned 0x%08x. %s \n", __LINE__, __func__, message, tResult, (char*)Trspi_Error_String(tResult))
>>>>
>>>> //declarations, supporting only plaintext secrets here
>>>> TSS_RESULT context_init(TSS_HCONTEXT *phContext);
>>>> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
>>>>         char* srk_auth, TSS_HTPM *phTPM, char* owner_auth);
>>>> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
>>>>         TSS_UUID aik_uuid, char* aik_auth);
>>>>
>>>> int main(int argc, char **argv) {
>>>>     printf("entered main\n");
>>>>     TSS_HCONTEXT hContext;
>>>>     TSS_HTPM hTPM;
>>>>     TSS_HKEY hSRK, hAIKey;
>>>>     TSS_VALIDATION vData;
>>>>     TSS_RESULT result;
>>>>     BYTE nonce[20];
>>>>     int size = 20;
>>>>     //modify this code to select own aik
>>>>     TSS_UUID aik_uuid = { 0, 0, 0, 0, 0, { 0, 0, 0, 0, 0, 12 } };
>>>>     //zero the nonce so the external data handed to the TPM is defined
>>>>     memset(nonce, 0, sizeof(nonce));
>>>>     if ((result = context_init(&hContext)) != TSS_SUCCESS) {
>>>>         exit(result);
>>>>     }
>>>>     if ((result = srk_tpm_init(&hContext, &hSRK, "password", &hTPM,
>>>>             "password")) != TSS_SUCCESS) {
>>>>         exit(result);
>>>>     }
>>>>     //set the nonce as external data
>>>>     vData.ulExternalDataLength = size;
>>>>     vData.rgbExternalData = nonce;
>>>>     if ((result = load_aik(&hContext, &hSRK, &hAIKey, aik_uuid, NULL))
>>>>             != TSS_SUCCESS) {
>>>>         exit(result);
>>>>     }
>>>>     printf("starting transport session\n");
>>>>     if ((result = Tspi_SetAttribUint32(hContext,
>>>>             TSS_TSPATTRIB_CONTEXT_TRANSPORT, TSS_TSPATTRIB_CONTEXTTRANS_CONTROL,
>>>>             TSS_TSPATTRIB_ENABLE_TRANSPORT)) != TSS_SUCCESS) {
>>>>         exit(result);
>>>>     }
>>>>     if ((result = Tspi_SetAttribUint32(hContext,
>>>>             TSS_TSPATTRIB_CONTEXT_TRANSPORT, TSS_TSPATTRIB_CONTEXTTRANS_MODE,
>>>>             TSS_TSPATTRIB_TRANSPORT_NO_DEFAULT_ENCRYPTION)) != TSS_SUCCESS) {
>>>>         exit(result);
>>>>     }
>>>>     if ((result = Tspi_SetAttribUint32(hContext,
>>>>             TSS_TSPATTRIB_CONTEXT_TRANSPORT, TSS_TSPATTRIB_CONTEXTTRANS_MODE,
>>>>             TSS_TSPATTRIB_TRANSPORT_EXCLUSIVE)) != TSS_SUCCESS) {
>>>>         exit(result);
>>>>     }
>>>>     if ((result = Tspi_SetAttribUint32(hContext,
>>>>             TSS_TSPATTRIB_CONTEXT_TRANSPORT, TSS_TSPATTRIB_CONTEXTTRANS_MODE,
>>>>             TSS_TSPATTRIB_TRANSPORT_AUTHENTIC_CHANNEL)) != TSS_SUCCESS) {
>>>>         exit(result);
>>>>     }
>>>>     //encapsulated commands start
>>>>
>>>>     //encapsulated commands end
>>>>     printf("calling closeSignTransport\n");
>>>>     if ((result = Tspi_Context_CloseSignTransport(hContext, hAIKey, &vData))
>>>>             != TSS_SUCCESS) {
>>>>         DBG("closing transport", result);
>>>>         exit(result);
>>>>     }
>>>>     Tspi_Context_FreeMemory(hContext, NULL);
>>>>     Tspi_Context_Close(hContext);
>>>>     DBG("leaving main", result);
>>>>     exit(result);
>>>> }
>>>>
>>>> //helpers
>>>> /*
>>>>  * this function takes an uninitialized context and creates and connects it
>>>>  */
>>>> TSS_RESULT context_init(TSS_HCONTEXT *phContext) {
>>>>     printf("entered context_init\n");
>>>>     TSS_RESULT result;
>>>>     //create context and connect to it
>>>>     if ((result = Tspi_Context_Create(phContext)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     if ((result = Tspi_Context_Connect(*phContext, NULL)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     DBG("leaving context_init", result);
>>>>     return result;
>>>> }
>>>>
>>>> /*
>>>>  * this function takes an uninitialized tpm object and srk and loads them,
>>>>  * assigning plaintext usage secrets to both
>>>>  */
>>>> TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
>>>>         char* srk_auth, TSS_HTPM *phTPM, char* owner_auth) {
>>>>     TSS_RESULT result;
>>>>     TSS_HPOLICY hSRKPolicy, hTPMPolicy;
>>>>     TSS_UUID UUID_SRK = TSS_UUID_SRK;
>>>>     if ((result = Tspi_Context_LoadKeyByUUID(*phContext, TSS_PS_TYPE_SYSTEM,
>>>>             UUID_SRK, phSRK)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     //create policy object for the SRK and assign it
>>>>     if ((result = Tspi_Context_CreateObject(*phContext, TSS_OBJECT_TYPE_POLICY,
>>>>             TSS_POLICY_USAGE, &hSRKPolicy)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     if ((result = Tspi_Policy_SetSecret(hSRKPolicy, TSS_SECRET_MODE_PLAIN,
>>>>             strlen(srk_auth), (BYTE *) srk_auth)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     if ((result = Tspi_Policy_AssignToObject(hSRKPolicy, *phSRK)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>
>>>>     //get the TPM object and assign the owner secret to it
>>>>     if ((result = Tspi_Context_GetTpmObject(*phContext, phTPM)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     if ((result = Tspi_Context_CreateObject(*phContext, TSS_OBJECT_TYPE_POLICY,
>>>>             TSS_POLICY_USAGE, &hTPMPolicy)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     if ((result = Tspi_Policy_SetSecret(hTPMPolicy, TSS_SECRET_MODE_PLAIN,
>>>>             strlen(owner_auth), (BYTE *) owner_auth)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     if ((result = Tspi_Policy_AssignToObject(hTPMPolicy, *phTPM)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     return result;
>>>> }
>>>>
>>>> /*
>>>>  * load an attestation key by its UUID, the context has to be connected
>>>>  * and the srk has to be loaded
>>>>  */
>>>> TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
>>>>         TSS_UUID aik_uuid, char *aik_auth) {
>>>>     printf("entered load_aik_by_uuid\n");
>>>>     TSS_RESULT result;
>>>>     TSS_HPOLICY hAIKPolicy;
>>>>     if ((result = Tspi_Context_LoadKeyByUUID(*hContext, TSS_PS_TYPE_SYSTEM,
>>>>             aik_uuid, hAIK)) != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     if ((result = Tspi_GetPolicyObject(*hAIK, TSS_POLICY_USAGE, &hAIKPolicy))
>>>>             != TSS_SUCCESS) {
>>>>         return (result);
>>>>     }
>>>>     //if using an AIK generated from the privacyCA.com code, it has NULL as
>>>>     //plain secret
>>>>     if (aik_auth != NULL) {
>>>>         if ((result = Tspi_Policy_SetSecret(hAIKPolicy, TSS_SECRET_MODE_PLAIN,
>>>>                 strlen(aik_auth), (BYTE*) aik_auth)) != TSS_SUCCESS) {
>>>>             return (result);
>>>>         }
>>>>     } else {
>>>>         if ((result = Tspi_Policy_SetSecret(hAIKPolicy, TSS_SECRET_MODE_PLAIN,
>>>>                 0, NULL)) != TSS_SUCCESS) {
>>>>             return (result);
>>>>         }
>>>>     }
>>>>     DBG("leaving load_aik_by_uuid", result);
>>>>     return (result);
>>>> }
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> TrouSerS-users mailing list
>>>> Tro...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/trousers-users
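The three result codes traded in this thread (0x00003126, 0x00002004 and Kent's 0x22) each carry, in bits 12 to 15, which TSS layer raised them, which is the first thing to look at when deciding whether the TPM, the tcsd or the calling code is at fault. The decoder below is an added example, not code from this thread or from TrouSerS; it reproduces the layer masks and the few error values it needs from the TSS 1.2 tss_error.h (an assumption, so that it builds without the TrouSerS headers), and names the codes the way the thread's own error strings do.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Masks of a TSS_RESULT; values assumed to mirror TSS 1.2 tss_error.h. */
#define TSS_LAYER_MASK 0xF000u
#define TSS_LAYER_TPM  0x0000u  /* raised by the TPM chip itself */
#define TSS_LAYER_TDDL 0x1000u  /* device driver library */
#define TSS_LAYER_TCS  0x2000u  /* the tcsd daemon */
#define TSS_LAYER_TSP  0x3000u  /* libtspi, inside the caller's process */
#define TSS_ERROR_MASK 0x0FFFu

/* Which component produced the result: TPM, tcsd (and its tcsd.conf), or the caller. */
const char *tss_layer_name(uint32_t r)
{
    switch (r & TSS_LAYER_MASK) {
    case TSS_LAYER_TPM:  return "TPM";
    case TSS_LAYER_TDDL: return "TDDL";
    case TSS_LAYER_TCS:  return "TCS";
    case TSS_LAYER_TSP:  return "TSP";
    default:             return "unknown layer";
    }
}

/* Names for the codes seen in this thread; TPM-layer results use the TPM 1.2
 * numbering, every other layer the TSS numbering (same low 12 bits). */
const char *tss_error_name(uint32_t r)
{
    uint32_t code = r & TSS_ERROR_MASK;
    if ((r & TSS_LAYER_MASK) == TSS_LAYER_TPM) {
        switch (code) {
        case 0x000: return "TPM_SUCCESS";
        case 0x022: return "TPM_E_INVALID_AUTHHANDLE";
        default:    return "TPM error not in this table";
        }
    }
    switch (code) {
    case 0x000: return "TSS_SUCCESS";
    case 0x004: return "TSS_E_INTERNAL_ERROR";
    case 0x126: return "TSS_E_INVALID_HANDLE";
    default:    return "TSS error not in this table";
    }
}

/* Format e.g. "0x00003126: TSP layer, TSS_E_INVALID_HANDLE" into buf. */
int tss_describe(uint32_t r, char *buf, size_t n)
{
    return snprintf(buf, n, "0x%08x: %s layer, %s", (unsigned)r, tss_layer_name(r), tss_error_name(r));
}
```

Michael's 0x2004 therefore comes from the tcsd (TCS layer) rather than from libtspi, while 0x3126 is raised inside the TSP, consistent with the transport session handle no longer being valid when CloseSignTransport runs.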